Cloud networks face the same threats as on-premises networks (scanning, lateral movement, exposed services) plus cloud-specific risks such as misconfigured security groups, management ports left open to the internet, and rules that drift as resources are created and deleted.
Defense in depth:
- A security group on every resource (instance, load balancer, database), not only at the edge
- NACLs as a stateless, subnet-level backstop behind the security groups (for example, blocking known-bad ranges)
- A WAF in front of web applications to filter application-layer attacks before they reach the backend
Least privilege:
- Deny all inbound by default; add rules only for what the workload needs
- Open only required ports to required sources; never expose management ports (SSH, RDP) to 0.0.0.0/0
- Reference other security groups as rule sources instead of CIDR ranges, so access follows the workload rather than an address that may be reassigned
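The three least-privilege rules above (and the "security group on every resource" point under defense in depth) can be checked mechanically. The following audit script is an added example, not code from the original page or from any cloud provider; it walks security group descriptions in the shape of an EC2 DescribeSecurityGroups response and flags ingress rules that are open to the world, use catch-all protocols or port ranges, or name an internal CIDR where a security group reference would be tighter. The sample groups, the group IDs, and the "public ports are only 80/443" policy are constructed assumptions.

```python
import ipaddress

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response
# (not pulled from a real account; the group IDs and rules are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0aaa0002", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa0001"}]},   # source is a group: good
        {"IpProtocol": "-1",                                    # all protocols, no port fields
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0aaa0003", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ]},
]

# Assumed policy: the only ports a group may expose to the whole internet.
PUBLIC_OK_PORTS = {80, 443}
# Any TCP/UDP range wider than this is treated as a catch-all rule.
WIDE_RANGE = 1000


def _cidrs(perm):
    """Collect IPv4 and IPv6 source CIDRs from one permission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_group(group):
    """Return (severity, message) findings for one security group's ingress rules."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        all_ports = proto == "-1" or lo is None   # "-1" rules carry no port fields
        span = "all" if all_ports else f"{lo}-{hi}"
        for cidr in _cidrs(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                # Default-deny check: reachable from everywhere. Only a single
                # allowlisted public port is acceptable here.
                if all_ports or lo != hi or lo not in PUBLIC_OK_PORTS:
                    findings.append(("HIGH", f"{proto}/{span} open to the world from {cidr}"))
            elif net.is_private:
                # An RFC 1918 CIDR usually stands in for a workload; referencing
                # that workload's security group is tighter and survives re-addressing.
                findings.append(("LOW", f"{proto}/{span} from CIDR {cidr}; "
                                        "reference a security group instead"))
        # Catch-all protocol or port rules violate "open only required ports".
        if proto == "-1":
            findings.append(("MEDIUM", "all protocols and ports allowed"))
        elif proto in ("tcp", "udp") and not all_ports and hi - lo + 1 > WIDE_RANGE:
            findings.append(("MEDIUM", f"wide {proto} range {span}"))
    return findings


def audit(groups):
    """Audit every group; return {GroupId: [findings]} for groups with problems."""
    report = {}
    for g in groups:
        f = audit_group(g)
        if f:
            report[g["GroupId"]] = f
    return report


if __name__ == "__main__":
    for gid, findings in audit(SAMPLE_GROUPS).items():
        for sev, msg in findings:
            print(f"{gid} {sev}: {msg}")
```

Against the constructed sample, the web group's HTTPS rule passes while its SSH-to-the-world rule is flagged HIGH, the app group's all-protocol rule from 10.0.0.0/8 is flagged twice (catch-all protocol, and CIDR where a group reference would do), and the database group's IPv6 range to ::/0 is flagged both as world-open and as a wide range. In a real account the same function can be fed the output of the provider's describe call; only the sample input is stubbed here.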
Monitoring:
- Enable VPC flow logs and retain them long enough to support an investigation
- Log load balancer access (client address, path, status code, TLS version)
- Alert on unusual patterns: bursts of rejected connections from one source, accepted traffic on ports that should not be exposed, traffic from unexpected sources
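To make "alert on unusual patterns" concrete, here is an added example (not code from the original page) that parses default-format VPC flow log records and raises two kinds of alert: a source whose connections to one host were rejected on many distinct ports (a scan), and an external source that was accepted on a port the policy says is not public (a rule that drifted, or a listener that should not be reachable). The log lines, account and interface IDs, the 10.0.0.0/8 internal range, the "only 443 is public" policy, and the scan threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed VPC Flow Log records in the default (version 2) field order:
#   version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
# The account, interface and addresses are made up; this is not captured traffic.
SAMPLE_LOG = """\
2 123456789012 eni-0abc1234 203.0.113.7 10.0.1.20 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234 203.0.113.7 10.0.1.20 51235 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234 203.0.113.7 10.0.1.20 51236 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234 203.0.113.7 10.0.1.20 51237 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234 203.0.113.7 10.0.1.20 51238 8080 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.9 10.0.1.20 40000 443 6 20 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234 198.51.100.9 10.0.1.20 40001 5432 6 10 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.2.5 10.0.1.20 40002 5432 6 10 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234 10.0.2.5 10.0.1.20 40003 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234 - - - - - - 0 0 1700000000 1700000060 - NODATA
"""

FIELDS = ["version", "account", "eni", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status"]

# Assumed VPC address space; sources outside it are treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed policy: the only service this subnet should accept from outside is HTTPS.
EXPECTED_EXTERNAL_PORTS = {443}
# Distinct rejected destination ports from one source before we call it a scan.
SCAN_THRESHOLD = 5


def parse_flow_log(text):
    """Parse default-format records; drop NODATA/SKIPDATA rows that carry no flow."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom or unknown format: do not guess field positions
        rec = dict(zip(FIELDS, parts))
        if rec["status"] != "OK":
            continue
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def is_internal(addr):
    """True when the address falls inside the assumed VPC address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(records):
    """Return alerts as (kind, src, dst, detail) tuples."""
    alerts = []
    rejected_ports = defaultdict(set)  # (src, dst) -> ports the security group refused
    for r in records:
        if r["action"] == "REJECT":
            rejected_ports[(r["src"], r["dst"])].add(r["dstport"])
        elif (r["action"] == "ACCEPT" and not is_internal(r["src"])
              and r["dstport"] not in EXPECTED_EXTERNAL_PORTS):
            # An external client got through on a port the policy says is not
            # exposed: a rule drifted or a listener appeared that should not be public.
            alerts.append(("unexpected-service", r["src"], r["dst"], r["dstport"]))
    for (src, dst), ports in rejected_ports.items():
        if len(ports) >= SCAN_THRESHOLD:
            # Many distinct refused ports from one source is probing,
            # not a single misconfigured client retrying one service.
            alerts.append(("port-scan", src, dst, len(ports)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flow_log(SAMPLE_LOG)):
        print(alert)
```

The single rejected SSH attempt from the internal host 10.0.2.5 is deliberately below the scan threshold and produces nothing, while the external 198.51.100.9 reaching PostgreSQL on 5432 is reported even though the security group accepted it; that second case is the one flow logs catch and a configuration audit alone would miss until the rule is reviewed.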
Encryption:
- Require TLS for data in transit, including between internal services, not only at the public edge
- Prefer private connectivity (VPC endpoints, peering, private links) to reach cloud services and partners instead of traversing the public internet
Review configurations regularly. Cloud environments change quickly, and a rule added for a one-off debugging session tends to outlive its purpose unless someone is looking for it.