If you think that technical debt is scary, wait until you get to see your sec debt. Don't let the hacker penetrate your doors and locks. Start with continuous threat modeling at copi.owasp.org
How? Read all about it and how to threat model the cloud at: https://dev.to/owasp/no-need-to-fear-the-clouds-play-owasp-cumulus-d6g