Cloud Security Best Practices for Indian Businesses — AWS, Azure & GCP Guide 2026
India is one of the fastest-growing cloud adoption markets globally. Over 80% of Indian enterprises now run workloads on at least one public cloud platform, and the majority use two or more cloud providers simultaneously. AWS, Microsoft Azure, and Google Cloud Platform (GCP) dominate the Indian enterprise market, with AWS leading in startup and tech company adoption, Azure dominant in enterprise and BFSI due to Microsoft’s existing footprint, and GCP growing rapidly in data analytics and AI workloads.
But cloud adoption and cloud security are not the same thing. The pace of migration to cloud in India has significantly outrun the maturity of cloud security practices, creating a massive attack surface of misconfigured buckets, over-privileged identities, unpatched instances, and unsecured APIs. This guide provides the definitive cloud security best practices framework for Indian businesses in 2026.
Understanding the Shared Responsibility Model
The most fundamental concept in cloud security — and the one most frequently misunderstood — is the shared responsibility model. All three major cloud providers operate on this principle, though the exact division differs by service type:
| Responsibility Area | Cloud Provider (AWS/Azure/GCP) | Customer (Your Organisation) |
|---|---|---|
| Physical data centre security | Yes | No |
| Hypervisor and host OS | Yes (IaaS) | No |
| Guest OS patching (on EC2/VM) | No | Yes |
| Application security | No | Yes |
| Identity and access management | No (platform only) | Yes (configuration) |
| Data encryption | Keys available; customer must enable | Yes — must configure |
| Network security groups / firewall rules | No | Yes |
| Compliance with Indian regulations | No | Yes |
The critical insight: the cloud provider is responsible for security of the cloud; you are responsible for security in the cloud. Misunderstanding this is the root cause of the majority of cloud breaches.
Top 10 Cloud Security Best Practices for Indian Businesses
1. Implement Strict Identity and Access Management (IAM)
IAM misconfiguration is the single most common cause of cloud data breaches. Best practices:
- Apply the principle of least privilege — every user, service account, and role should have only the minimum permissions needed
- Never use the root/administrator account for day-to-day operations; create separate administrative accounts
- Audit IAM policies quarterly and remove unused permissions
- Use IAM Access Analyzer (AWS), Azure AD PIM (Privileged Identity Management), or GCP’s Policy Analyzer to identify over-privileged identities
- Use service accounts for application-to-service communication, not human accounts
- Rotate access keys and service account credentials regularly
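A quarterly policy audit can start with a script that flags over-broad Allow statements. The sketch below is an added example, not MDIT Services tooling; the policy names and documents are constructed samples, and `audit_policy` is a hypothetical helper working on IAM policy JSON already parsed into dictionaries.

```python
# Constructed sample policies for illustration; not taken from a real account.
SAMPLE_POLICIES = {
    "app-reader": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"}},
    "ci-deployer": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
        {"Sid": "RequireMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]},
    "legacy-admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
}


def as_list(value):
    """IAM JSON accepts either a single value or a list in these fields."""
    if isinstance(value, list):
        return value
    return [] if value is None else [value]


def audit_policy(name, policy):
    """Return (policy, statement, issue) tuples for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a wildcard in a Deny narrows access, so it is not a finding
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append((name, sid, "Allow+NotAction"))
        for action in as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((name, sid, f"wildcard action {action}"))
        # Some list/describe actions only support Resource "*": a review item.
        if "*" in as_list(stmt.get("Resource")):
            findings.append((name, sid, "Resource=*"))
    return findings


def audit_all(policies):
    """Run the audit over every named policy and flatten the findings."""
    return [f for name, doc in policies.items() for f in audit_policy(name, doc)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_POLICIES):
        print(*finding, sep=" | ")
```

Findings are candidates for review rather than proven violations; the provider analyzers named above remain the authority on what an identity can actually reach.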
2. Enable Multi-Factor Authentication (MFA) Everywhere
MFA should be mandatory for all human users accessing the cloud console — no exceptions. This is particularly important for privileged accounts with administrative access. Most cloud-related account takeovers exploit the absence of MFA on root or admin accounts. AWS, Azure, and GCP all offer native MFA — enable it as a policy-enforced requirement, not an optional user choice.
3. Encrypt Data at Rest and in Transit
- At rest: Enable server-side encryption on all storage services — S3 buckets (AWS), Azure Blob Storage, GCS buckets. Use customer-managed keys (CMK) via AWS KMS, Azure Key Vault, or GCP Cloud KMS for sensitive data
- In transit: Enforce HTTPS/TLS 1.2+ for all API calls, web traffic, and inter-service communication. Disable TLS 1.0 and 1.1. Use SSL/TLS certificates from trusted CAs
- Database encryption: Enable Transparent Data Encryption (TDE) on RDS, Azure SQL, and Cloud SQL instances
4. Enable Comprehensive Logging and Monitoring
- AWS: Enable AWS CloudTrail for all regions (all API calls logged); enable VPC Flow Logs; enable S3 access logging; route all logs to a centralised, immutable S3 bucket in a dedicated security account
- Azure: Enable Azure Activity Log and Azure Diagnostic Logs; use Azure Monitor and Log Analytics Workspace
- GCP: Enable Cloud Audit Logs (Admin Activity, Data Access); use Cloud Logging and export to Cloud Storage or BigQuery
- Retention: Keep logs for a minimum of 180 days (1 year recommended for compliance)
5. Secure Object Storage — No Public S3 Buckets or Blob Containers
Publicly accessible S3 buckets and Azure Blob containers are responsible for some of the largest data breaches in history. Indian companies have been no exception. Controls:
- Enable S3 Block Public Access at the account level — not just per-bucket
- Use the AWS Config rule s3-bucket-public-read-prohibited to continuously detect violations
- For Azure: Enable storage account-level “Deny public blob access” setting
- Audit all buckets/containers quarterly using Macie (AWS), Microsoft Defender for Storage, or Forseti Security (GCP)
- Use pre-signed URLs for temporary, time-limited access to specific objects instead of making buckets public
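Why the account-level setting matters: S3 applies the most restrictive combination of the account and bucket Block Public Access settings, so a bucket with no setting of its own inherits whatever the account leaves open. The following added example (not from the original guide) works on a constructed inventory; the bucket names, organisation ID and helper functions are hypothetical, and the public-policy test is a simplification of AWS's own evaluation.

```python
FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
         "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed inventory: account-level setting plus per-bucket setting and policy.
ACCOUNT_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                 "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BUCKETS = {
    "example-logs": {"block": dict.fromkeys(FLAGS, True), "policy": None},
    "example-assets": {"block": None, "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-assets/*"}]}},
    "example-partner": {"block": None, "policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-partner/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}},
}


def effective_block(account, bucket):
    """S3 applies the most restrictive combination of account and bucket settings."""
    bucket = bucket or {}
    return {f: bool(account.get(f)) or bool(bucket.get(f)) for f in FLAGS}


def has_public_statement(policy):
    """Simplified test: an Allow to Principal "*" with no Condition."""
    for stmt in (policy or {}).get("Statement", []):
        p = stmt.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            return True
    return False


def audit_buckets(account, buckets):
    """Map bucket -> (missing flags, True if a public policy is still effective)."""
    report = {}
    for name, cfg in buckets.items():
        eff = effective_block(account, cfg["block"])
        missing = [f for f in FLAGS if not eff[f]]
        # RestrictPublicBuckets is the flag that neutralises an existing public policy.
        exposed = has_public_statement(cfg["policy"]) and not eff["RestrictPublicBuckets"]
        report[name] = (missing, exposed)
    return report


if __name__ == "__main__":
    for bucket, (missing, exposed) in audit_buckets(ACCOUNT_BLOCK, BUCKETS).items():
        print(bucket, "missing:", missing or "none", "publicly readable:", exposed)
```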
6. Network Segmentation with VPCs and Security Groups
- Deploy workloads in private subnets; only load balancers and bastion hosts should be in public subnets
- Apply security groups / NSGs with the principle of least privilege — deny all by default, whitelist specific ports and source IPs
- Never expose administrative ports (SSH port 22, RDP port 3389) directly to the internet; use bastion hosts or AWS Systems Manager Session Manager
- Use VPC peering or AWS PrivateLink / Azure Private Link for inter-service communication instead of routing through the public internet
- Implement Web Application Firewalls (WAF) — AWS WAF, Azure WAF, or GCP Cloud Armor — in front of all internet-facing applications
7. Patch and Vulnerability Management
- Use AWS Systems Manager Patch Manager, Azure Update Management, or GCP OS Config to automate OS and software patching
- Define patch SLAs: critical patches within 72 hours, high severity within 14 days
- Use Amazon Inspector (AWS), Microsoft Defender for Cloud, or GCP Security Command Center for continuous vulnerability scanning of EC2 instances and container images
- Scan container images for vulnerabilities before deploying to production (Trivy, Clair, or native registry scanning)
8. Continuous Security Posture Management (CSPM)
CSPM tools continuously audit your cloud configuration against security benchmarks (CIS Benchmarks, NIST, ISO 27001) and alert on deviations. Options:
- AWS: AWS Security Hub + AWS Config (native); third-party options: Wiz, Prisma Cloud, Orca Security
- Azure: Microsoft Defender for Cloud (native CSPM capability)
- GCP: Security Command Center Premium
- Multi-cloud: Wiz, Prisma Cloud, or Lacework for unified visibility across AWS, Azure, and GCP
9. Threat Detection and Response
- AWS: Enable Amazon GuardDuty for threat detection (anomalous API calls, cryptocurrency mining, credential compromise, port scanning from EC2)
- Azure: Microsoft Defender for Cloud includes threat detection across VMs, storage, databases, and containers
- GCP: Security Command Center Event Threat Detection
- Integrate cloud threat detection alerts with your SIEM / SOC for centralised triage and response
- Define and test incident response playbooks specific to cloud attack scenarios (S3 bucket breach, EC2 cryptomining, IAM credential theft)
10. Backup, DR, and Business Continuity
- Follow the 3-2-1 backup rule: 3 copies, 2 different media, 1 offsite (in cloud: use cross-region replication)
- Enable versioning on S3 buckets and Azure Blob storage to protect against accidental deletion and ransomware
- Enable S3 Object Lock (Write-Once-Read-Many) for immutable backup storage
- Test restoration quarterly — backups that have never been tested are not reliable backups
- Define RTO and RPO for each critical workload and validate against your backup and replication configuration
Most Common Cloud Security Misconfigurations Found in Indian Companies
Based on cloud security assessments conducted by MDIT Services across Indian enterprises, the most frequently observed misconfigurations are:
- Publicly accessible S3 buckets containing sensitive data (customer PII, financial records)
- Root account used for day-to-day operations without MFA
- Over-permissive IAM policies — wildcard (*) resource permissions on non-administrative roles
- Security groups allowing inbound SSH (22) or RDP (3389) from 0.0.0.0/0
- CloudTrail not enabled in all regions, or logs stored in a bucket without access logging
- Unencrypted EBS volumes, RDS instances, or S3 buckets
- GuardDuty not enabled (AWS) or Defender for Cloud on free tier (Azure) — no threat detection active
- Default VPC in use for production workloads (no network segmentation)
- Outdated or unpatched EC2 instances / VM images
- No MFA enforced on IAM users — especially console users with broad permissions
DPDP Act and Cloud Data Residency Requirements for Indian Companies
India’s Digital Personal Data Protection Act 2023 (DPDP Act) introduces data localisation considerations for personal data of Indian residents. While the implementing rules are still being finalised in 2026, companies processing personal data of Indian residents should:
- Understand where personal data is stored and processed — data mapping is essential
- Ensure Indian resident personal data stored in cloud is in regions that comply with any forthcoming localisation requirements (currently AWS ap-south-1 Mumbai, Azure Central India, GCP asia-south1 Mumbai)
- Apply appropriate technical and organisational measures as required by DPDP Act Section 8
- Ensure cloud providers are processing personal data under a valid data processing agreement with appropriate security obligations
Cloud Compliance Frameworks
Indian businesses on cloud often need to demonstrate compliance with:
- ISO 27001: Controls for cloud environments are covered under ISO 27017 (cloud-specific guidance) and ISO 27018 (PII in public cloud)
- PCI DSS: Cloud environments storing or processing cardholder data must be PCI DSS compliant — the cloud provider offers PCI-compliant services, but configuration is your responsibility
- RBI Cloud Guidelines: Banks and NBFCs must comply with RBI’s 2023 Master Direction on IT, which includes specific requirements for cloud usage, data localisation, and exit strategy
- SEBI CSCRF: Regulated entities using cloud for critical operations must address data residency, third-party risk management, and security monitoring requirements
When to Get a Cloud Security Assessment
You should engage a cloud security assessment when:
- You have recently migrated workloads to cloud and want to validate the security configuration
- You are preparing for an ISO 27001, SOC 2, PCI DSS, or regulatory audit
- Your DevOps or engineering team has grown rapidly and cloud access controls may have drifted
- You have received an alert about a misconfiguration, or discovered a publicly exposed resource
- A regulator (RBI, SEBI) has questioned your cloud security practices
- You are onboarding a large enterprise client who requires evidence of cloud security controls
MDIT Services Cloud Security Assessment
MDIT Services provides comprehensive cloud security assessments for AWS, Azure, and GCP environments. Our CERT-In empanelled team combines cloud platform expertise with deep knowledge of Indian regulatory requirements to deliver actionable findings — not just a checklist.
Our cloud security services include:
- Cloud Security Posture Assessment (CSPA) — configuration review against CIS Benchmarks
- Cloud penetration testing — testing for exploitable misconfigurations and API vulnerabilities
- IAM privilege audit — mapping all permissions and identifying over-privileged accounts
- DPDP Act and RBI cloud compliance assessment
- Cloud security architecture review for new deployments
- CSPM tool implementation (Wiz, Prisma Cloud, Defender for Cloud)
Contact MDIT Services for a cloud security assessment proposal tailored to your cloud environment and compliance requirements.
Call us: +91-11-XXXX-XXXX | Email: info@mditservices.in | Website: mditservices.in
