Web application firewall pattern

The next pattern is not specific to the cloud, but it is important enough to mention. When securing a system, preventing or limiting access is one thing, but it is only a small part of a much broader assessment. Suppose your database does not allow connections from anything other than the web instance that is connected to it.

While this means that no outside system can directly access the instance, it does not mean that an attacker cannot compromise it and invalidate that assumption. A traditional firewall, or even Security Groups, will never prevent behavior such as SQL injection or the exploitation of software bugs. While the system administrators had a firewall rule in place for the database, someone might be able ...
