What is secure-by-default cloud resource configuration?

Secure-by-default means the baseline configuration of cloud resources automatically includes strong protections so security is in place without extra steps. This approach enforces least-privilege IAM roles so people and services only have what they strictly need, keeps network access tight with restricted security groups, requires encryption to protect data at rest (and ideally in transit), enables auditing and logging to track activity, and versions resources so changes can be tracked and rolled back if needed. Together, these practices reduce the risk of accidental exposure, data loss, or undetected changes. The other options would create gaps—public access by default exposes resources, no encryption leaves data vulnerable, and versioning without encryption still risks unprotected data.