Every Service Needs Its Own Lock: Cloud, Container, API and Microservices Security Explained
One leaked CI key exposes the full chain: cloud responsibility, IAM, secrets, container supply chain, Kubernetes, serverless, service identity, mTLS, API authorization, OWASP, and useful evidence.

A secure distributed system constrains every identity, artifact, request, service, secret, and data path, then preserves evidence when one control fails.
The incident begins with one leaked CI credential. It has no expiry and belongs to a role with far more permission than the build pipeline needs. An unverified container image is deployed. The running worker can read an object-storage bucket and call the payment API even though its job only requires processing notifications. When the team investigates, the logs cannot reliably show which identity performed which action.
There is no single magic root cause. The cloud provider kept the physical infrastructure running. Encryption was enabled. The cluster was private. Yet long-lived identity, excessive permission, weak artifact trust, broad runtime reach, and incomplete evidence combined into one path. Distributed security is difficult because every boundary can be individually reasonable while the complete chain remains dangerous.
We will resolve the incident in four acts. First, ownership and identity. Second, artifact and workload lifecycle. Third, service and API trust. Fourth, evidence and safe failure. Each act must remove one cause from the incident and state the cost of doing so.
Cloud security is not transferred to the provider; responsibility moves and changes shape with the service you choose.

Read the visual across service models. Provider responsibility expands as more infrastructure is managed, but customer responsibility for identities, data, configuration, application behavior, and access decisions never disappears. Follow the leaked CI identity to see which side owned the mistake.
Act One: Shared Responsibility Is a Boundary Map
Think of a rented building. The landlord maintains the structure, common power, and exterior security. The tenant still controls apartment keys, guests, valuables, and what is left near an open window. The analogy is useful only when mapped precisely: a cloud provider protects defined underlying infrastructure and managed-service layers; the customer protects what they configure, deploy, permit, and store.
Service style | Provider operates more of | Customer still owns | Typical mistake |
|---|---|---|---|
Infrastructure service | Facilities, hardware, core cloud fabric | OS/workload, network policy, identities, code, data | Unpatched host or broad security rule |
Managed platform/database | More runtime, patching, backups or control plane | Data model, access, client code, configuration, retention | Public endpoint or excessive database role |
Software service | Application and underlying stack | Users, sharing, tenant configuration, data use | Broad admin access or public share |
What this table is telling you is that the boundary changes by service, provider, feature, and configuration. Do not memorise one chart and apply it everywhere. For each resource, write who patches, who configures public access, who creates identities, who controls encryption keys, who monitors, and who recovers data.
The CI credential is ours. The provider may securely operate identity infrastructure, but it did not decide that one permanent key could deploy images, read storage, change network policy, and invoke payment operations. Shared responsibility is useful when it assigns that decision clearly rather than becoming a sentence used after an incident.
IAM Separates Humans, Pipelines, and Runtime Workloads
Identity and access management, or IAM, describes principals, roles, policies, permissions, conditions, credentials, and audit around cloud resources. Start by separating identity types. An employee uses federation and strong authentication. A CI pipeline uses a workload identity tied to the repository and workflow. A runtime service uses an identity tied to its deployment. An emergency administrator uses time-limited elevated access under a separate process.
Reusing one human access key for automation destroys attribution and expands lifetime. Prefer federation and temporary credentials where the platform supports them. A pipeline can exchange a signed workload assertion for a short-lived role rather than storing a permanent cloud secret. A runtime pod can receive an identity for its service account rather than borrowing node-wide credentials.
Least privilege is not achieved by writing `ReadOnly`. Which bucket, prefix, queue, secret, API action, environment, and time window? Explicit deny or default-deny guardrails can protect dangerous boundaries. Permission reviews should use actual access evidence, but absence of recent use is not always proof that a disaster-recovery permission is unnecessary.
In the incident, the pipeline needs permission to publish one verified image and update one deployment in one environment. It does not need data-plane access to customer objects or payment calls. The running notification worker needs a separate identity that can read its queue and call the notification provider, nothing more.
Secrets Need a Lifecycle, Not a Better Hiding Place
API keys, database passwords, signing keys, webhook secrets, certificates, and refresh tokens are security capabilities. Moving one from source code into an environment variable improves some exposure paths but does not complete the design. Environments can leak through debug pages, process inspection, crash reports, child processes, build logs, support bundles, and overly broad platform access.
A secret lifecycle is create, distribute, use, rotate, revoke, audit, and recover. A secrets manager or vault can centralise encryption, access policy, versions, audit, and rotation. Prefer short-lived generated credentials or workload identity when a static secret is unnecessary. Limit which process receives the value, prevent it from entering images and logs, and practise rotation before an incident.
Recovery is part of security. If the only administrator loses access or the vault is unavailable, the team needs a controlled break-glass path. That path must be protected, monitored, tested, and prevented from becoming the daily shortcut. Secret deletion also needs dependency awareness so rotation does not create an outage.
Cloud object storage applies the same ownership model. Prevent unintended public access, scope identities to the required bucket and prefix, encrypt with an explicit key boundary where justified, log sensitive access, version or back up according to recovery needs, and review presigned access. Object Storage Explained covers the storage mechanics; cloud security decides who may exercise them.
Cloud Data Needs Classification, Guardrails, and Evidence
Classify data before choosing a service setting. Public marketing assets, customer addresses, payment events, identity documents, logs, model inputs, and backups do not share one risk. Classification should influence allowed regions, retention, encryption-key ownership, administrators, sharing methods, monitoring, and whether the data belongs in the service at all.
Use organization-level guardrails to prevent public buckets, unapproved regions, disabled audit, or unencrypted sensitive storage where the platform supports them. Guardrails reduce configuration drift but can also block emergency or unusual workloads. Provide an exception path with justification, time limit, owner, and review rather than encouraging teams to work around policy.
Separate control-plane and data-plane permissions. A role that configures a storage bucket does not automatically need to read every object. A support analyst who lists customer cases may not need raw document download. Monitor policy changes and sensitive reads differently. Backups, replicas, analytics exports, and log pipelines are new data copies with their own permissions and deletion behavior.
For customer-managed encryption keys, define who administers the key and who may use it for data operations. Keeping those roles separate can prevent one compromised identity from both changing policy and decrypting content. It also creates a recovery dependency that must be tested before key or account failure.
Act-one retrieval checkpoint
Assign the incident's leaked CI key to a responsible owner. Replace it with a short-lived identity, list the exact deployment permissions, and give the runtime worker a different identity. Then explain how those choices improve attribution and blast radius while adding setup and policy work.
Act Two: Container Security Starts Before the Container Runs
A container image is a sealed package, but a seal only tells us something when we know the builder, contents, process, and verification policy. A private registry controls distribution; it does not prove the image is free from vulnerabilities, built from reviewed source, or unchanged since an approved build.
Begin with trusted minimal base images, pinned and reviewed dependencies, isolated builds, no embedded secrets, and a software bill of materials that records important components. Scan dependencies and images, but remember that a clean scan means 'no known finding under this scanner and database now', not 'safe forever'. Patch source and rebuild immutable images rather than hand-editing running containers.
Provenance records how an artifact was produced. Signing and verification can prove that the artifact came from an approved build identity and has not changed under that trust model. It does not prove the code has no business-logic flaw. Admission policy can reject an unsigned, unapproved, or high-risk image before it runs.
These controls map directly to current OWASP Top 10:2025 themes such as Software Supply Chain Failures and Software or Data Integrity Failures. The official OWASP Top 10:2025 is an awareness map, not a guarantee produced by checking ten boxes.

Read left to right from source and dependencies to isolated build, SBOM, scan, signature, admission, restricted runtime, and monitoring. Split the memory line in two: trust the artifact before start; constrain and observe the process after start.
Runtime Controls Reduce the Consequence of a Vulnerability
Assume a vulnerability still reaches production. Running as a non-root user, dropping unnecessary Linux capabilities, preventing privilege escalation, using a read-only filesystem where practical, constraining writable mounts, applying seccomp or runtime profiles, and isolating host resources can reduce what exploitation achieves.
Resource limits protect neighbouring workloads and help contain accidental or malicious consumption, though limits can also cause throttling or termination under legitimate peaks. Network egress restrictions reduce unexpected calls. Sensitive host paths and container-engine sockets should not be casually mounted. The host kernel and runtime still matter because containers are not magically independent machines.
Runtime detection watches for behavior that the deployment did not intend: unexpected shells, file changes, process trees, outbound connections, privilege attempts, or secret access. Alert quality matters. A flood of unactionable events trains operators to ignore the one event that explains the incident.
Build the expected behavior into the workload contract. Which executable starts, which files are writable, which ports listen, which destinations are contacted, which secrets are mounted, and which temporary directories are needed? Runtime hardening becomes easier when the application is designed to run without root and without writing across its entire filesystem.
When a container is compromised, response may isolate the pod, revoke its workload identity, block egress, preserve relevant runtime and audit evidence, replace the deployment from a trusted image, rotate exposed secrets, and investigate lateral calls. Restarting the pod alone can erase evidence and restore the same vulnerable image.
Kubernetes Controls Answer Different Questions
How is it so far?
Vote with other readers
Kubernetes is often taught as a list of security features. A better approach is to ask which decision each control owns. The control plane, admission path, workload identity, pod runtime, network data plane, secret storage, and audit system are different boundaries.
Question | Kubernetes control | Incident use | Important limit |
|---|---|---|---|
Who may call the API? | Authentication and RBAC | CI may update one deployment | RBAC does not constrain pod runtime behavior |
May this pod spec run? | Pod Security Admission and admission policy | Reject privileged or unverified workload | Policy must be tested and maintained |
Which identity runs? | Service account and workload identity | Worker gets narrow temporary access | Broad service accounts recreate the problem |
Which pods may connect? | NetworkPolicy | Worker cannot reach payment service | Requires supporting network implementation; not business authorization |
What happened? | Audit and workload telemetry | Trace deploy and secret/data access | Logs need retention, protection, and correlation |
What this table is telling you is that no control substitutes for the others. Kubernetes RBAC controls API operations such as reading a Secret object or updating a Deployment; it does not decide whether the process inside a pod may refund an order. Pod Security Admission constrains pod configuration; NetworkPolicy constrains paths; the service still authorizes business actions.
PodSecurityPolicy was removed in Kubernetes 1.25. Use current Pod Security Standards and Pod Security Admission terminology. The Restricted profile is a useful baseline direction, then workload-specific admission controls can add image provenance, allowed registries, capabilities, or other policy.
A Kubernetes Secret is base64-encoded for representation and, by default, stored unencrypted in etcd unless encryption at rest is configured. Protect API access, enable appropriate at-rest encryption, restrict how Secrets are mounted, avoid broad list/watch access, rotate values, and consider external secret delivery when it improves the boundary. Current guidance is summarised in the Kubernetes Security Checklist.
Namespaces help organise policy and tenancy boundaries but are not complete isolation by themselves. A cluster-level role, privileged pod, host mount, or shared node can cross assumptions. Strong multi-tenant risk may justify separate clusters or accounts. The decision balances isolation, cost, operational duplication, and the ability to apply consistent policy.

Read the visual as six questions around one pod: who deployed it, whether it may be admitted, which identity it receives, which peers it reaches, which secret it can read, and which evidence remains. The names become easier once the questions are separate.
Serverless Changes the Managed Boundary, Not the Security Need
A serverless platform operates more infrastructure and scaling, but the function still owns code, dependencies, trigger validation, identity, data access, secrets, outbound calls, and logs. Give each function a narrow role. Validate the source and schema of events, especially when queues, object events, or webhooks can be forged or replayed.
Use timeouts, concurrency limits, payload limits, and idempotency to bound resource and cost consumption. Protect public triggers through authentication, gateway policy, and abuse controls. Keep credentials out of packages and logs. Understand whether execution environments are reused, what temporary storage contains, and how updates rebuild dependencies.
The convenience tradeoff is less infrastructure ownership but more dependence on provider event semantics, IAM configuration, observability, and platform limits. Shared responsibility became narrower; it did not vanish.
Warm execution environments may reuse memory or temporary storage across invocations under the platform's isolation contract, so do not treat local state as a secret vault. Clear sensitive buffers where practical, avoid assuming one invocation owns the environment forever, and understand what the provider guarantees. Cold starts and concurrency bursts also affect authentication dependencies and connection pools.
Event-driven functions need provenance. An object-created event, queue message, scheduled event, or webhook should be accepted only from the expected source and account, with schema and replay/idempotency controls. A signed webhook is still untrusted input after authenticity is checked; parsing and business authorization remain.
Act-two retrieval checkpoint
Given an image that runs as root, contains a static API key, comes from an unverified build, and may call any destination, name one control before runtime and three controls during runtime. Then state which control would still not fix a broken refund authorization check.
Act Three: Microservices Multiply Security Decisions
Microservices are not inherently insecure. They create more independently deployed APIs, workload identities, network paths, secrets, dependencies, logs, and partial-compromise states. A monolith may make one in-process call; a distributed design makes a network request that needs peer identity, channel protection, action authorization, timeout, retry, and evidence.
In the incident, the notification worker could call the payment API because internal reachability was treated as permission. The first repair is not 'install a mesh'. It is to define the allowed business call. Does the notification worker ever need payment access? No. Remove the path and permission. For legitimate calls, define the caller identity, audience, action, object, lifetime, replay protection, and logs.
The architecture patterns in Software Architecture Patterns in System Design explain why distributed boundaries appear. Security work begins when each new boundary receives an explicit trust contract instead of inheriting the word 'internal'.
Service-to-Service Trust Has Five Separate Checks
Use one call: Order Worker to Payment Service. First, who is calling? Workload identity may come from platform-issued credentials, short-lived signed service tokens, or a certificate tied to an attested workload. Second, is the channel protected? TLS or mTLS can protect transport and authenticate peers. Third, is this caller allowed to invoke this API?
Fourth, is the caller allowed to perform this action on this resource? `payment:read-status` is different from `payment:refund`, and order 9182 may belong to another tenant. Fifth, can the request be replayed or abused? Short lifetime, audience, nonce/idempotency, request binding where justified, and server-side business rules complete the decision.
Forwarding an end-user token to every downstream service spreads claims and privilege beyond need. A service may instead exchange or derive a narrower audience token, use workload identity for its own operation, and carry only the user context needed for authorization and audit. The choice depends on whether the downstream action is delegated user work or an independent service responsibility.
Mechanism | Answers | Good fit | Does not answer |
|---|---|---|---|
Workload identity | Which deployed workload is this? | Platform-to-cloud or service identity | Business action permission by itself |
Short-lived service token | Which issuer/audience/claims apply? | API calls needing scoped claims | Channel confidentiality unless paired with TLS |
mTLS | Which transport peers and protected channel? | Service-to-service identity and encryption | Object-level authorization |
NetworkPolicy | May this network path exist? | Containment and least connectivity | Application identity and action semantics |
What this table is telling you is that secure service calls compose identity, channel, path, and business policy. Treating any one row as the entire answer recreates the incident at another layer.

Read the worker-to-payment call in order: path allowed, peer authenticated, token or identity audience checked, action and order authorized, replay bounded, decision logged. The memory line is who, channel, action, object, evidence.
Service Mesh Helps Repeated Transport Problems - With a Price
A service mesh adds infrastructure around service traffic through a data plane and control plane. It can automate workload certificates, mutual TLS, service identity, traffic and authorization policy, retries or routing, and telemetry. This can make consistent peer authentication and certificate rotation practical across many services.
The mesh does not understand every business rule. A policy may allow Order Service to call Payment Service while the application still needs to reject refunds for the wrong tenant or amount. Misconfigured broad identities, permissive namespaces, incomplete sidecar or ambient coverage, and control-plane compromise remain. Encryption can also hide traffic from tools that lack the right integration.
Operational costs include resource overhead, latency, certificate and trust-domain design, policy debugging, upgrades, failure modes, and a steeper mental model. Use a mesh when repeated service-to-service identity, mTLS, policy, and observability needs justify central infrastructure. Do not use it to avoid defining who may do what.
API Security Protects Objects, Actions, and Resource Consumption
Consider three requests. A user changes `/orders/123` to `/orders/124` and reads another customer's object. A normal employee calls an admin refund function. A client requests an unbounded export that consumes minutes of database and compute time. Authentication may succeed in all three; object, function, and resource-consumption authorization failed.
The OWASP API Security Top 10:2023 highlights broken object-level authorization, broken authentication, broken property and function-level authorization, unrestricted resource consumption, sensitive business flows, server-side request forgery, misconfiguration, inventory problems, and unsafe consumption of third-party APIs. Use the OWASP API Security project to ask concrete questions, not to paste category names into a report.
The gateway can validate a token, schema, route, and coarse quota. The resource service knows order ownership, refund state, tenant, workflow, and side effects. Both layers contribute. Inventory every API version and environment, remove forgotten endpoints, validate outbound third-party responses, bound pagination and expensive filters, protect sensitive flows from automation, and log identifiers without leaking secrets.
Act-three retrieval checkpoint
Assume the worker can already reach the payment API. Explain why mTLS, a valid service token, and a gateway allow rule still do not prove that it may refund order 9182. Add the missing object/action decision and one replay or idempotency control.
Act Four: OWASP 2025 as Five Investigation Lenses
Ten independent mini-definitions would recreate the glossary problem. Group the current OWASP Top 10:2025 into five lenses and apply them to the incident. Identity and access includes Broken Access Control and Authentication Failures. The overprivileged CI key and worker-to-payment path live here.
Design and input includes Insecure Design and Injection. Configuration and cryptography includes Security Misconfiguration and Cryptographic Failures. Supply chain and integrity includes Software Supply Chain Failures and Software or Data Integrity Failures. Evidence and failure includes Security Logging and Alerting Failures and Mishandling of Exceptional Conditions.
The lenses help a review team ask whether an entire class of failure was ignored. They do not prove completeness, assign business priority automatically, or replace threat modelling. One issue may cross several lenses: an unsigned image accepted by permissive admission is supply-chain, integrity, and configuration risk at once.
Evidence Must Reconstruct the Action Without Leaking the Asset
Record authentication events, authorization denials, privilege and policy changes, secret access, deployment/provenance decisions, configuration changes, sensitive data access, suspicious API behavior, and administrator operations. Include stable actor and workload identity, resource, action, result, trusted time, and correlation context. Do not log passwords, tokens, private keys, or full sensitive payloads.
Centralise important logs under restricted access and tamper-aware retention. Correlate the CI deployment, workload identity, object read, and payment call. Alert on high-signal paths: a pipeline role reading customer data, a notification worker contacting payments, unusual secret versions, or denied admission repeatedly followed by a successful override.
Safe failure means predictable behavior when identity, KMS, admission, dependency, or logging systems fail. Default deny can protect a sensitive action but create an outage if its policy service disappears. Cached or local policy may preserve limited operation but risks stale decisions. Retries need bounds and idempotency. Errors should help operators without exposing internals to callers.
A control that blocks an attack but leaves no trustworthy evidence turns the next incident into guesswork.green
Rebuild the Architecture and Resolve Every Cause
The deployment path begins with reviewed source and dependencies, an isolated build, SBOM and scan, signed provenance, registry policy, and admission verification. Kubernetes accepts only the approved image under restricted pod policy. The pod runs non-root with narrow capabilities, bounded resources, a read-only filesystem where practical, and restricted egress.
The identity path replaces the permanent CI key with short-lived federation scoped to one deployment. The runtime worker receives its own workload identity and only queue/notification permissions. Secrets come through a managed lifecycle, not the image. Object storage denies the worker because its role and resource policy lack that action.
The request path sends users through edge and API policy into services. Service-to-service connections use explicit workload identity and protected channels. Network policy blocks the worker-to-payment path entirely. Legitimate payment callers still meet service-side action and object authorization. Central evidence links build, deployment, identity, policy, data, and API events.
The cost is real: policy ownership, build infrastructure, certificate or token operations, admission testing, network debugging, secret rotation, log storage, alert tuning, and emergency access. The design is worthwhile because each cost corresponds to a known incident path and a measurable business boundary, not to a desire for more security tools.

Read the deployment path separately from the runtime request path. They meet at the admitted workload and finish in shared evidence. The reconstruction target is trusted artifact, bounded identity, authorized request, protected data, and usable evidence.
Interview phrasing: I begin with shared responsibility and separate human, pipeline, and runtime identities. I verify artifacts before admission, constrain containers and Kubernetes paths at runtime, authenticate and authorize every service call, protect API objects and costly operations, and centralise evidence for safe failure and incident reconstruction.
Common Misunderstandings That Recreate the Incident
The cloud provider secures everything. The customer still owns identities, data use, configuration, code, and access decisions.
Long-lived keys are easiest for automation. Convenience expands theft lifetime and often destroys attribution; prefer short-lived workload identity.
Kubernetes Secrets are encrypted by default. They are base64-encoded and require configured etcd encryption and strict API access.
A private registry proves an image is safe. Distribution control is not provenance, vulnerability absence, or secure runtime behavior.
A scan proves the image is secure. It finds known detectable issues at a point in time, not every flaw.
Containers are complete security boundaries. Runtime privilege, kernel, mounts, host, identity, and network paths still matter.
Internal services trust each other. Reachability is not identity or action permission.
mTLS authorizes every operation. It authenticates transport peers; services still decide actions and objects.
A service mesh secures business logic. It can enforce transport and some policy, not application correctness.
The API gateway owns all authorization. Resource services must enforce object and business-action policy.
OWASP is a completion checklist. It is an awareness map that supports, but cannot replace, threat and risk analysis.
Explain It Back Without Looking
Reconstruct the incident in five moves: leaked CI key, excessive role, unverified image, broad runtime reach, incomplete evidence. Match lease agreement, temporary badge, key cabinet, sealed package, and locked departments to exact cloud and workload controls.
For each act, say one cause -> design choice -> consequence -> tradeoff chain.
Contrast human identity/workload identity, secret/configuration, image/runtime, RBAC/Pod Security/NetworkPolicy, and mTLS/business authorization.
Draw the deployment path from source to admitted restricted workload.
Draw the request path from user to API to service to protected data and central evidence.
Apply the design to a public API, background worker, payment service, object storage bucket, Kubernetes cluster, and serverless webhook handler.
A ninety-second retelling might sound like this: cloud security begins by assigning provider and customer responsibility. Humans, pipelines, and workloads get separate short-lived least-privileged identities; secrets have a managed lifecycle. Trusted builds produce verified images, admission controls pod configuration, runtime controls limit consequence, and Kubernetes network and secret policies bound reach. Services authenticate peers, authorize actions and objects, and protect API resources. OWASP lenses guide review, while central evidence and safe failure make incidents recoverable.
Lock in the takeaway
Frequently asked questions
What is the cloud shared responsibility model?
It divides security duties between provider and customer. The boundary changes by service model, but customers still own important decisions such as identities, data access, configuration, deployed code, and how managed features are used.
What is workload identity?
Workload identity represents a deployed application, pipeline, function, or service so it can obtain narrow, often short-lived credentials without borrowing a human identity or storing a permanent access key.
What is the safest way to manage application secrets?
Prefer eliminating static secrets through workload identity where possible. Otherwise use a managed lifecycle with narrow access, secure delivery, rotation, revocation, audit, recovery, and protection from source code, images, and logs.
Are Kubernetes Secrets encrypted by default?
No. Kubernetes Secret values are base64-encoded and are stored unencrypted in etcd by default unless encryption at rest is configured. API access, mounts, rotation, audit, and external secret integration also matter.
What is Pod Security Admission?
Pod Security Admission is Kubernetes' built-in mechanism for applying Pod Security Standards at namespace boundaries. It can enforce, warn, or audit pod configurations. It replaces the removed PodSecurityPolicy concept, though custom admission policy may add further controls.
How do you secure communication between microservices?
Use explicit workload identity, protected transport such as TLS/mTLS, audience-bound short-lived credentials where needed, least network connectivity, service-side action and object authorization, replay/idempotency controls, and audit evidence.
Does a service mesh make microservices secure?
A service mesh can automate mTLS, identity, traffic policy, and telemetry. It does not fix business logic, broken object authorization, broad workload identities, insecure artifacts, or operational misconfiguration.
What is the difference between OWASP Top 10 and OWASP API Security Top 10?
OWASP Top 10:2025 covers broad web application risk themes. OWASP API Security Top 10:2023 focuses on API-specific risks such as object/function authorization, resource consumption, sensitive flows, inventory, and unsafe API consumption.

