Cloud Security: 12 Controls for KVKK Compliance on AWS and Azure
The cloud doesn't auto-solve KVKK: under the shared responsibility model, the provider secures the underlying infrastructure, but the application layer, your data and your identities are still yours. Here are the critical controls for KVKK-compliant AWS and Azure architectures.
Data Residency and Transfers
KVKK restricts transfers of data outside Turkey. On AWS pick `eu-central-1` (Frankfurt) or the newer Istanbul (`tr-central-1`) region. Azure offers Turkey North / Turkey West. Keep cross-region replication within the same jurisdiction.
CDN, analytics and email services often span globally — check data residency settings. Use CloudFront region restrictions or Azure Front Door geo-filters.
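The region restriction described above can be enforced at the organization level with a service control policy, which the IAM section also mentions. The following is an added example (not VefaSec's code and not an AWS artifact); the policy shape follows AWS's documented "deny by requested region" SCP pattern, while the approved-region list, the global-service exemption list and the sample API calls are constructed for the demo.

```python
"""Region-residency guard: build an SCP that denies API calls outside an
approved region list and evaluate sample calls against it."""
import json

# Assumption: the organisation approves Frankfurt plus the Istanbul region
# named in the article.
APPROVED_REGIONS = ["eu-central-1", "tr-central-1"]

# Global services are not bound to a region and must stay callable; this
# exemption list is an assumption modelled on the AWS sample SCP.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*",
    "support:*", "budgets:*", "health:*", "access-analyzer:*",
]


def build_region_scp(approved=APPROVED_REGIONS, exempt=GLOBAL_SERVICE_ACTIONS):
    """Return an SCP document denying any non-exempt action whose requested
    region is not in the approved list."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": list(exempt),
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(approved)}
            },
        }],
    }


def _action_matches(pattern, action):
    """Match an IAM action pattern such as 'iam:*' against 'iam:CreateRole'."""
    svc_p, _, name_p = pattern.partition(":")
    svc, _, name = action.partition(":")
    if svc_p != "*" and svc_p.lower() != svc.lower():
        return False
    return name_p == "*" or name_p.lower() == name.lower()


def is_denied(scp, action, requested_region):
    """Simplified evaluator for the Deny/NotAction/StringNotEquals shape
    built above; it does not implement the full IAM evaluation logic."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # exempt global service
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in allowed:
            return True
    return False


# Constructed sample calls, written in service:Action form for readability.
SAMPLE_CALLS = [
    {"eventName": "s3:CreateBucket", "awsRegion": "eu-central-1"},
    {"eventName": "s3:CreateBucket", "awsRegion": "us-east-1"},
    {"eventName": "rds:CreateDBInstance", "awsRegion": "ap-southeast-1"},
    {"eventName": "iam:CreateRole", "awsRegion": "us-east-1"},  # global, exempt
]


def residency_violations(calls, scp=None):
    """Return the calls the SCP would block."""
    scp = scp or build_region_scp()
    return [c for c in calls if is_denied(scp, c["eventName"], c["awsRegion"])]


if __name__ == "__main__":
    print(json.dumps(build_region_scp(), indent=2))
    for call in residency_violations(SAMPLE_CALLS):
        print("BLOCKED:", call)
```

Attach the generated document to the organizational unit that holds workload accounts; test it first in a sandbox account, because a missing global-service exemption will lock out IAM and STS calls for everyone below it.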
Encryption (In-Transit + At-Rest)
Enable default S3 bucket encryption (SSE-S3 with AES-256, or SSE-KMS). Turn on encryption at rest for RDS and EBS, and TDE on Azure SQL. Prefer customer-managed KMS keys so that key usage is auditable.
Require TLS 1.2 as the minimum in transit; ban public buckets (S3 Block Public Access at the account level). Route internal traffic over VPC endpoints: AWS PrivateLink, Azure Private Endpoint.
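To make the S3 side of these controls concrete, here is an added example (not VefaSec's code) that builds a bucket policy forcing TLS and KMS-encrypted uploads and audits constructed bucket descriptions against the controls above. The condition keys `aws:SecureTransport` and `s3:x-amz-server-side-encryption` are real S3 policy keys; the bucket names, the KMS key ARN and the configuration snapshots are constructed, and the snapshot layout is an assumption rather than the boto3 response format.

```python
"""Build and audit S3 hardening: TLS-only, KMS-only uploads, public access
blocked, default encryption on."""
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def tls_and_kms_policy(bucket, kms_key_arn):
    """Bucket policy: deny non-TLS requests and deny PutObject that asks for
    any encryption other than SSE-KMS (omitted header falls back to default
    bucket encryption, which the audit below requires to be on)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"StringNotEqualsIfExists": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
        ],
    }


def _has_tls_deny(policy):
    """True if some Deny statement keys on aws:SecureTransport == false."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and \
                str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit_bucket(desc, approved_kms_key):
    """Return a list of findings for one bucket snapshot."""
    findings = []
    enc = desc.get("default_encryption")
    if not enc:
        findings.append("default encryption disabled")
    elif enc.get("SSEAlgorithm") == "aws:kms":
        if enc.get("KMSMasterKeyID") != approved_kms_key:
            findings.append("KMS key is not the approved customer-managed key")
    elif enc.get("SSEAlgorithm") != "AES256":
        findings.append(f"unexpected SSE algorithm {enc.get('SSEAlgorithm')}")
    pab = desc.get("public_access_block", {})
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append("public access not fully blocked: " + ", ".join(missing))
    if not _has_tls_deny(desc.get("policy", {})):
        findings.append("bucket policy does not deny non-TLS requests")
    return findings


# Constructed key ARN and bucket snapshots.
APPROVED_KEY = "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_BUCKETS = {
    "customer-records": {
        "default_encryption": {"SSEAlgorithm": "aws:kms",
                               "KMSMasterKeyID": APPROVED_KEY},
        "public_access_block": {flag: True for flag in PAB_FLAGS},
        "policy": tls_and_kms_policy("customer-records", APPROVED_KEY),
    },
    "marketing-assets": {
        "default_encryption": {"SSEAlgorithm": "AES256"},
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": False,
                                "RestrictPublicBuckets": False},
        "policy": {},
    },
}


def audit_all(buckets=SAMPLE_BUCKETS, key=APPROVED_KEY):
    return {name: audit_bucket(desc, key) for name, desc in buckets.items()}


if __name__ == "__main__":
    print(json.dumps(tls_and_kms_policy("customer-records", APPROVED_KEY), indent=2))
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```

In production the snapshot dictionaries would be filled from the bucket's encryption, public-access-block and policy configuration; the audit logic stays the same.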
IAM and Least Privilege
One IAM role per service; never reuse an 'admin' identity in application code. Service-to-service auth goes through role assumption. Rotate access keys every 90 days. The root user has MFA enabled and is used only in break-glass scenarios.
Azure: RBAC + Conditional Access. AWS: SCPs for organization-wide constraints (e.g., block non-approved regions). AWS Config and Azure Policy detect drift within minutes.
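The AWS-side checks in this section (key age, root hygiene, over-broad policies) can be scripted against the IAM credential report. The following is an added example (not VefaSec's code); the report rows are constructed in the column layout of the real credential report, the inline policies are constructed, and the fixed "now" date exists only to make the demo deterministic.

```python
"""Least-privilege audit over a constructed IAM credential report and
inline policies: stale access keys, root usage, wildcard grants."""
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90
ROOT_USE_WINDOW_DAYS = 30
# Fixed reference time so the output is reproducible (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed subset of IAM credential-report columns.
CREDENTIAL_REPORT = [
    {"user": "<root_account>", "mfa_active": "true",
     "password_last_used": "2024-05-30T09:12:00+00:00",
     "access_key_1_active": "false", "access_key_1_last_rotated": "N/A"},
    {"user": "ci-deployer", "mfa_active": "false",
     "password_last_used": "no_information",
     "access_key_1_active": "true",
     "access_key_1_last_rotated": "2023-11-01T00:00:00+00:00"},
    {"user": "app-uploader", "mfa_active": "false",
     "password_last_used": "no_information",
     "access_key_1_active": "true",
     "access_key_1_last_rotated": "2024-04-15T00:00:00+00:00"},
]

# Constructed inline policies keyed by user name.
INLINE_POLICIES = {
    "ci-deployer": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "app-uploader": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::customer-records/*"}]},
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _age_days(timestamp, now):
    return (now - datetime.fromisoformat(timestamp)).days


def wildcard_statements(policy):
    """Allow statements granting a whole service ('*' or 'svc:*') on '*'."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            hits.append(stmt)
    return hits


def audit_iam(report=CREDENTIAL_REPORT, policies=INLINE_POLICIES, now=NOW):
    """Return (principal, finding) pairs."""
    findings = []
    for row in report:
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append(("root", "MFA not enabled"))
            if row["access_key_1_active"] == "true":
                findings.append(("root", "root access key is active"))
            last = row["password_last_used"]
            if last not in ("no_information", "N/A") and \
                    _age_days(last, now) <= ROOT_USE_WINDOW_DAYS:
                findings.append(("root", "root used recently; match it to a break-glass record"))
            continue
        if row["access_key_1_active"] == "true":
            age = _age_days(row["access_key_1_last_rotated"], now)
            if age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"access key 1 is {age} days old (limit {MAX_KEY_AGE_DAYS})"))
        for stmt in wildcard_statements(policies.get(user, {})):
            findings.append((user, f"inline policy grants {stmt['Action']} on *"))
    return findings


if __name__ == "__main__":
    for principal, finding in audit_iam():
        print(f"{principal}: {finding}")
```

The same three checks map to Azure as "credentials older than the rotation window", "Global Administrator sign-ins outside a change record" and "role assignments at subscription scope with Owner or Contributor", but the data comes from Entra sign-in logs and RBAC assignments rather than a credential report.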
Audit and Logging
CloudTrail (AWS) / Activity Log (Azure) record every API call, which is critical evidence in a KVKK audit. Retain the logs for at least one year in an encrypted, immutable log store (S3 Object Lock).
GuardDuty / Azure Defender for threat detection. CloudWatch / Log Analytics for centralized dashboards. VefaSec deploys AWS Config + GuardDuty + SNS alerting as standard for clients.
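Centralized logs are only useful if someone looks at them, so here is an added example (not VefaSec's alerting setup) of detection rules run over constructed CloudTrail records: root activity, console logins without MFA, attempts to stop or alter the trail, KMS key disabling, and weakening of Block Public Access. The `eventName`, `userIdentity.type` and `additionalEventData.MFAUsed` fields are real CloudTrail fields; the event bodies and the `requestParameters` layout used for the public-access-block rule are constructed.

```python
"""Detection rules over CloudTrail-style records."""
import json

LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
KMS_TAMPER = {"ScheduleKeyDeletion", "DisableKey"}
PAB_EVENTS = {"PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
              "PutAccountPublicAccessBlock", "DeleteAccountPublicAccessBlock"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _get(record, *path):
    """Safe nested lookup; returns None if any step is missing."""
    for key in path:
        if not isinstance(record, dict):
            return None
        record = record.get(key)
    return record


def classify(event):
    """Return the alert names triggered by one record (empty list if none)."""
    alerts = []
    name = event.get("eventName")
    if _get(event, "userIdentity", "type") == "Root":
        alerts.append("ROOT_ACTIVITY")
    if name == "ConsoleLogin" and _get(event, "additionalEventData", "MFAUsed") == "No":
        alerts.append("CONSOLE_LOGIN_WITHOUT_MFA")
    if name in LOGGING_TAMPER:
        alerts.append("CLOUDTRAIL_TAMPERING")
    if name in KMS_TAMPER:
        alerts.append("KMS_KEY_TAMPERING")
    if name in PAB_EVENTS:
        cfg = _get(event, "requestParameters", "PublicAccessBlockConfiguration") or {}
        # A Delete call, or a Put that leaves any flag off, weakens the guard.
        if name.startswith("Delete") or not all(cfg.get(f) is True for f in PAB_FLAGS):
            alerts.append("PUBLIC_ACCESS_BLOCK_WEAKENED")
    return alerts


# Constructed sample records (trimmed to the fields the rules read).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "evt-2", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "evt-3", "eventName": "StopLogging", "awsRegion": "eu-central-1",
     "userIdentity": {"type": "AssumedRole"}, "requestParameters": {"name": "org-trail"}},
    {"eventID": "evt-4", "eventName": "PutBucketPublicAccessBlock", "awsRegion": "eu-central-1",
     "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"bucketName": "marketing-assets",
                           "PublicAccessBlockConfiguration": {
                               "BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
    {"eventID": "evt-5", "eventName": "PutObject", "awsRegion": "eu-central-1",
     "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "evt-6", "eventName": "ScheduleKeyDeletion", "awsRegion": "eu-central-1",
     "userIdentity": {"type": "IAMUser"}},
]


def scan(events):
    """Return (eventID, alerts) for every record that triggers a rule."""
    hits = []
    for event in events:
        alerts = classify(event)
        if alerts:
            hits.append((event["eventID"], alerts))
    return hits


if __name__ == "__main__":
    for event_id, alerts in scan(SAMPLE_EVENTS):
        print(json.dumps({"eventID": event_id, "alerts": alerts}))
```

Wire `scan` to whatever delivers the trail (an S3 event, a CloudWatch subscription) and send hits to an SNS topic; the rule set is deliberately small so that each alert maps to a control on this page and an on-call runbook.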
Backup and Disaster Recovery
Use AWS Backup / Azure Backup with automated policies. 3-2-1 still applies: replicate to a different region and keep an offsite copy (even on another provider). Test restores monthly.
For ransomware resilience: S3 Object Lock (compliance mode, 90 days), Azure Immutable Blob, versioning plus MFA delete. KVKK may require 7 years of retention for customer data (confirm with counsel).
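The immutability requirements here and in the audit-logging section (object lock, retention period, encrypted and replicated copies, monthly restore tests) are easy to write down as a checklist and easy to let drift. As an added example (not VefaSec's code), the following validates constructed S3 bucket states against both sets of requirements; the bucket snapshots, the role names and the fixed reference date are constructed, and the Azure Immutable Blob equivalent is not modelled.

```python
"""Validate backup and log buckets against the retention and immutability
controls in this article."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fixed reference date so the demo is reproducible (constructed).
TODAY = date(2024, 6, 1)
APPROVED_REGIONS = {"eu-central-1", "tr-central-1"}  # assumption

# Per-role requirements taken from the article: one-year immutable logs,
# 90-day compliance-mode locks on backups with MFA delete and a replica.
REQUIREMENTS = {
    "audit-log": {"lock_mode": "COMPLIANCE", "min_lock_days": 365, "sse": "aws:kms"},
    "backup": {"lock_mode": "COMPLIANCE", "min_lock_days": 90, "mfa_delete": True,
               "replica": True, "restore_test_max_days": 31},
}


@dataclass
class BucketState:
    """Constructed snapshot of the settings the checks need."""
    name: str
    region: str
    versioning: str = "Suspended"           # "Enabled" | "Suspended"
    mfa_delete: str = "Disabled"            # "Enabled" | "Disabled"
    object_lock_mode: Optional[str] = None  # "COMPLIANCE" | "GOVERNANCE" | None
    object_lock_days: int = 0
    sse: Optional[str] = None               # "aws:kms" | "AES256" | None
    replication_region: Optional[str] = None
    last_restore_test: Optional[date] = None


def check_bucket(bucket, role, today=TODAY, approved=APPROVED_REGIONS):
    """Return the list of findings for a bucket in the given role."""
    req = REQUIREMENTS[role]
    findings = []
    if bucket.versioning != "Enabled":
        findings.append("versioning not enabled")
    if bucket.object_lock_mode != req["lock_mode"]:
        findings.append(f"object lock mode is {bucket.object_lock_mode}, need {req['lock_mode']}")
    elif bucket.object_lock_days < req["min_lock_days"]:
        findings.append(f"lock retention {bucket.object_lock_days}d < {req['min_lock_days']}d")
    if req.get("sse") and bucket.sse != req["sse"]:
        findings.append(f"encryption is {bucket.sse}, need {req['sse']}")
    if req.get("mfa_delete") and bucket.mfa_delete != "Enabled":
        findings.append("MFA delete not enabled")
    if req.get("replica"):
        if not bucket.replication_region:
            findings.append("no cross-region replica")
        elif bucket.replication_region == bucket.region:
            findings.append("replica is in the same region")
        elif bucket.replication_region not in approved:
            findings.append(f"replica in {bucket.replication_region}, outside approved jurisdiction")
    limit = req.get("restore_test_max_days")
    if limit:
        if bucket.last_restore_test is None:
            findings.append("no restore test recorded")
        elif (today - bucket.last_restore_test).days > limit:
            findings.append(f"last restore test {(today - bucket.last_restore_test).days}d ago")
    return findings


# Constructed snapshots: a compliant log bucket and a drifted backup bucket.
SAMPLE_STATES = {
    "audit-log": BucketState("cloudtrail-logs", "eu-central-1", versioning="Enabled",
                             object_lock_mode="COMPLIANCE", object_lock_days=400,
                             sse="aws:kms"),
    "backup": BucketState("db-backups", "eu-central-1", versioning="Enabled",
                          object_lock_mode="GOVERNANCE", object_lock_days=90,
                          sse="aws:kms", replication_region="us-east-1",
                          last_restore_test=date(2024, 4, 1)),
}


def check_all(states=SAMPLE_STATES, today=TODAY):
    return {role: check_bucket(state, role, today) for role, state in states.items()}


if __name__ == "__main__":
    for role, findings in check_all().items():
        print(role, "OK" if not findings else findings)
```

Governance mode is flagged because a user with `s3:BypassGovernanceRetention` can still delete under it; compliance mode cannot be shortened even by the root user, which is the property the ransomware control relies on.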
Talk to VefaSec about your project or audit needs.
Our Diyarbakır-based team delivers end-to-end software development, penetration testing and cybersecurity advisory to enterprise clients. The discovery call is free and non-binding.