D8 · CySA+

What is cloud security monitoring?

Cloud security monitoring: enable all logging (AWS CloudTrail, Azure Activity Logs, GCP Audit Logs), use cloud-native threat detection (AWS GuardDuty, Azure Defender), integrate into SIEM.
Alert on: new IAM roles/permissions, disabling logging (attacker evasion), unusual geographic access, resource creation in non-standard regions, API calls from Tor exit nodes. Cloud misconfiguration is best detected by continuous configuration scanning (CSPM).