Challenges of Applying Cloud Security Controls in an AWS Environment

Cloud security controls were created to enhance the security posture of systems; however, their application does not always have to be complicated. Users’ ability to configure and administer services plays a significant role in the overall security of systems hosted in an environment like Amazon Web Services (AWS). Therefore, organisations will commonly experience practical difficulties when implementing controls such as identity and access management (IAM) and logging. These challenges need to be understood so that the overall effectiveness of security control implementations can be evaluated.

Challenges Associated with Key Controls

A major challenge associated with IAM is the complexity of configuring it. The combination of IAM policies, roles, and permissions can make managing user and service access very complex in environments where many users and services are involved and require varying degrees of access. With increased complexity comes an increased probability that users will implement overly permissive IAM configurations, which increase security risks to applications and data.

Another challenge is human error. Because cloud security is based on a shared responsibility model, customers are responsible for correctly configuring their environment. Incorrectly assigned permissions, disabled logging capabilities, and unused credentials are just some examples of common configuration errors caused by human error. Even when best practice guidance exists, it cannot always be followed consistently.
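The three configuration errors named above can be checked mechanically. The following is an added example, not code from the original post or its lab project: it audits a constructed account snapshot for wildcard IAM grants, stopped trails, and idle active access keys. The snapshot layout, every name in it, and the 90-day idle threshold are assumptions; only the policy documents follow the standard IAM JSON policy grammar.

```python
from datetime import date

def _as_list(value):
    # IAM policy JSON allows a single string or object wherever a list is legal.
    return value if isinstance(value, list) else [value]

def wildcard_statements(policy_doc):
    """Indexes of Allow statements that grant wildcard actions on every resource."""
    hits = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        # Allow + NotAction grants everything except the listed actions.
        broad = "NotAction" in stmt or any(a == "*" or a.endswith(":*") for a in actions)
        if broad and "*" in _as_list(stmt.get("Resource", [])):
            hits.append(i)
    return hits

def audit(snapshot, today, max_idle_days=90):
    """Return (finding, subject) pairs; the 90-day idle threshold is an assumption."""
    findings = []
    for name, doc in snapshot["policies"].items():
        findings += [("overly-permissive-policy", f"{name}[{i}]")
                     for i in wildcard_statements(doc)]
    findings += [("logging-disabled", t["name"]) for t in snapshot["trails"] if not t["is_logging"]]
    for key in snapshot["access_keys"]:
        last = key["last_used"]  # None means the key has never been used
        idle = None if last is None else (today - date.fromisoformat(last)).days
        if key["active"] and (idle is None or idle > max_idle_days):
            findings.append(("unused-credential", key["user"]))
    return findings

# Constructed sample data; the snapshot layout and all names are hypothetical.
SAMPLE = {
    "policies": {
        "lab-admin": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}},
        "lab-s3": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-lab-bucket/*"},
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    },
    "trails": [{"name": "lab-trail", "is_logging": False}],
    "access_keys": [
        {"user": "alice", "active": True, "last_used": "2026-03-10"},
        {"user": "bob", "active": True, "last_used": None},
        {"user": "carol", "active": False, "last_used": "2025-01-01"}],
}

if __name__ == "__main__":
    print(audit(SAMPLE, today=date(2026, 3, 18)))
```

In a real account the snapshot would be filled from the IAM policy documents, the trail status, and the credential report rather than typed by hand.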

Another challenge is finding a balance between usability and security. Many security controls used today can limit the usability of a system or reduce productivity. Enforcing least privilege, or limiting user access to only the resources necessary for completing tasks, can limit user productivity and ultimately lead to previously enforced security controls being relaxed to meet business needs and maintain usability, thereby increasing risk to the organisation.

Project Application

The challenges described above are being addressed through the implementation of controls in a controlled AWS lab environment. Using a testing environment minimises the potential damage from configuration errors and enables controlled deployment of IAM and logging controls.

By narrowing the focus of this project to only two key areas, identity and access management (IAM) and logging, the complexity has been kept manageable, while still allowing us to demonstrate how easily misconfiguration can occur and how those misconfigurations can be mitigated. Our method of evaluation also ensures that any improvement observed relates directly to the newly deployed controls; however, we recognise that other challenges could exist in a real-world environment.

Conclusion

Although cloud-based security controls are critical components in minimising security risk associated with hosting applications in a cloud-based environment, there are numerous practical obstacles that must be overcome before cloud-based security controls can be applied effectively. Obstacles include the complexity associated with configuring IAM solutions, the propensity for human error in both configuring cloud environments and deploying security controls, and the ongoing struggle to find a usable balance between security requirements and usability.

Adedoyin .A. Oduwole

MSc student specialising in cloud security and applied cybersecurity research. My work focuses on evaluating cloud-based security controls, particularly within Amazon Web Services (AWS), with an emphasis on reducing misconfiguration risk through practical implementation and structured evaluation methods.

References

Amazon Web Services (n.d.-a) Shared responsibility model. Available at: https://aws.amazon.com/compliance/shared-responsibility-model/ (Accessed: 18 March 2026).

Jansen, W. and Grance, T. (2011) Guidelines on security and privacy in public cloud computing. NIST Special Publication 800-144. Available at: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf (Accessed: 17 March 2026).
