EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityCSACCMcloud-controls

Cloud Security Control Layers & CSA Cloud Controls Matrix

How cloud security controls are layered across preventive, detective, and corrective tiers — and a complete walkthrough of the 17 domains of the CSA Cloud Controls Matrix v4.

Ashish Revar3 July 202612 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

CSA Cloud Controls Matrix v4 Download

Official CCM v4 spreadsheet with all 197 controls, implementation guidance, and framework mappings.

paper
CSA Cloud Controls Matrix v4 Download

Official CCM v4 spreadsheet with all 197 controls, implementation guidance, and framework mappings.

paper
CSA STAR Program — Cloud Provider Assurance

CSA STAR registry where cloud providers publish their CCM-based security assessments.

paper
CSA STAR Program — Cloud Provider Assurance

CSA STAR registry where cloud providers publish their CCM-based security assessments.

paper
ISO/IEC 27017: Security Controls for Cloud Services

International standard providing cloud-specific implementation guidance for ISO 27001 controls.

paper
ISO/IEC 27017: Security Controls for Cloud Services

International standard providing cloud-specific implementation guidance for ISO 27001 controls.

paper
PCI-DSS v4.0 Cloud Computing Guidelines

PCI SSC supplemental guidance on applying PCI-DSS v4 requirements to cloud environments.

paper
PCI-DSS v4.0 Cloud Computing Guidelines

PCI SSC supplemental guidance on applying PCI-DSS v4 requirements to cloud environments.

paper
More articlesTest your knowledge

The Three Control Layers

Cloud security controls fall into three functional layers that work together to reduce risk:

LayerPurposeCloud Examples
PreventiveStop an attack before it succeedsMFA enforcement, IAM least privilege, encryption at rest, WAF rules
DetectiveIdentify an attack in progress or after the factCloudTrail, GuardDuty, VPC Flow Logs, SIEM alerting
CorrectiveRespond to and recover from an attackAutomated incident response, snapshot restoration, credential revocation

A common mistake is investing heavily in preventive controls while neglecting detective and corrective ones. Attackers adapt to prevention; detection and response determine how much damage occurs when prevention is bypassed.

Cloud Controls Matrix (CCM) v4: The 17 Domains

The Cloud Security Alliance (CSA) Cloud Controls Matrix is the most widely adopted cloud security framework for control mapping. Version 4 organises 197 controls across 17 domains:

#DomainAbbreviationFocus Area
1Application and Interface SecurityAISSecure SDLC, API security
2Audit Assurance and ComplianceAACAudit planning, evidence gathering
3Business Continuity Management and Operational ResilienceBCRRTO/RPO, DR planning
4Change Control and Configuration ManagementCCCChange management, baseline configs
5Cryptography, Encryption and Key ManagementCEKKey lifecycle, algorithm standards
6Data Center SecurityDCSPhysical security of provider facilities
7Data Security and Privacy Lifecycle ManagementDSPData classification, residency, deletion
8Governance, Risk and ComplianceGRCPolicy, risk management, regulatory compliance
9Human ResourcesHRSBackground checks, termination procedures
10Identity and Access ManagementIAMAuthentication, authorisation, privileged access
11Infrastructure and Virtualisation SecurityIVSHypervisor hardening, network segmentation
12Interoperability and PortabilityIPYVendor lock-in, data portability
13Logging and MonitoringLOGLog collection, retention, SIEM
14Security Incident Management, E-Discovery and Cloud ForensicsSEFIR planning, evidence preservation
15Supply Chain Management, Transparency and AccountabilitySTAThird-party risk, vendor auditing
16Threat and Vulnerability ManagementTVMVulnerability scanning, patch management
17Universal Endpoint ManagementUEMDevice management, endpoint security

Using the CCM for Cloud Security Assessments

The CCM is structured so each control maps to:

  • A control ID (e.g., CEK-01 for Encryption and Key Management policy)
  • A control specification describing the expected behaviour
  • Implementation guidance for customers and providers separately
  • Mappings to other frameworks (ISO 27001, NIST CSF, PCI-DSS, SOC 2)

This multi-framework mapping makes CCM exceptionally valuable for organisations that must demonstrate compliance across multiple standards simultaneously.

Sample Controls from High-Priority Domains

IAM-06 (User Access Provisioning): Establish a process for granting and revoking access rights based on least privilege. Access reviews must occur at minimum annually.

CEK-03 (Encryption Change Management): Cryptographic algorithms, key lengths, and protocols must align with industry standards and be reviewed when vulnerabilities are discovered.

LOG-05 (Audit Log Monitoring): Audit logs must be reviewed regularly for anomalous activity. Automated alerting must be configured for high-severity events.

SEF-05 (Incident Response Planning): Incident response plans must address cloud-specific scenarios including provider outages, data breaches, and account compromises.

Control Placement: Customer vs. Provider Responsibility

For each CCM control, the responsibility is tagged as:

  • Provider — the cloud service provider must implement
  • Customer — the cloud consumer must implement
  • Shared — both parties have obligations

In IaaS environments, the majority of CCM controls are customer responsibilities. In SaaS environments, significantly more fall to the provider — but customers remain responsible for identity, data classification, and configuration.

Key Takeaway

The CSA CCM gives security teams a structured vocabulary for cloud control requirements, a cross-framework mapping to simplify compliance, and a clear responsibility assignment for every control. It is the recommended starting point for any cloud security programme assessment.