Chapter 20 Quiz: Cloud Attack & Defense¶

C — Configuration of Security Groups and IAM policies

The shared responsibility model divides security into "security OF the cloud" (AWS's responsibility: physical, hypervisor, global infrastructure) and "security IN the cloud" (customer's responsibility: OS patching on EC2, IAM configuration, data classification, Security Group rules). Misconfigured IAM policies and overly permissive Security Groups are among the most common cloud breach root causes.

B — They have retrieved temporary IAM role credentials from the Instance Metadata Service (IMDS), enabling lateral movement to other AWS services the role can access

The EC2 Instance Metadata Service (IMDSv1) is accessible from within any EC2 instance at 169.254.169.254. If the instance has an IAM role attached, the credentials endpoint returns rotating temporary Access Key ID, Secret Access Key, and Session Token. Attackers use these to make API calls to S3, Secrets Manager, RDS, and other services — a critical lateral movement path. IMDSv2 (token-based) mitigates this.

B — AWS CloudTrail (management events) — monitoring for API calls from unusual source IPs, new geographic regions, or atypical time-of-day patterns

CloudTrail records every AWS API call with full context (caller identity, source IP, timestamp, parameters). For T1078.004, analysts look for: known IAM user calling APIs from a new country/ASN, access outside business hours, or an IAM user that hasn't been used in months suddenly enumerating resources. These patterns indicate credential theft and abuse of valid cloud accounts.

B — The bucket is publicly readable by anyone on the internet without authentication

Principal: "*" means any entity — any unauthenticated internet user — is allowed to perform s3:GetObject (download any object). This is one of the most common and consequential cloud misconfigurations, responsible for countless data breaches involving exposed customer PII, credentials, and intellectual property. CSPM tools like Prisma Cloud or AWS Security Hub flag this immediately.

B — Required existing iam:CreatePolicyVersion permission on their current IAM entity; achieved administrator-equivalent permissions by setting the new overpermissive version as default

This is a well-documented IAM privilege escalation path catalogued by Rhino Security Labs. If an IAM entity has iam:CreatePolicyVersion and iam:SetDefaultPolicyVersion on a policy attached to themselves or a role they can assume, they can add a permissive policy version granting full access. This is why least-privilege IAM enforcement and CSPM scanning for dangerous permission combinations is critical.

B — A potential container escape: if the hostPath is / or a sensitive directory, a compromised container can read/write the host node's filesystem

hostPath mounts allow a container to directly access the underlying node's filesystem. If a pod mounts / or /etc, an attacker who compromises the container can read the host's /etc/shadow, write to /etc/cron.d, or access Docker socket files — effectively escaping the container boundary. This is a critical misconfiguration that admission controllers (OPA/Gatekeeper, Kyverno) should block.

B — CloudTrail s3:CopyObject or s3:PutObject events where the destination bucket is in a different AWS account not owned by the organization

T1537 involves exfiltrating data by copying it to an attacker-controlled cloud storage account. In AWS, this manifests as S3 API calls that write data to buckets in external account IDs. CloudTrail records the destination bucket ARN including the account ID, making cross-account data staging detectable. Alerts should fire on any S3 write to non-organizational account IDs.

B — Code injection vulnerabilities — since Lambda functions often run with IAM roles, successful injection may allow an attacker to execute AWS API calls with the function's permissions

Serverless functions inherit all the application security vulnerabilities of traditional code (SQLi, command injection, SSRF) but with an amplified blast radius: the Lambda execution role may have broad permissions to AWS services. A command injection in a Lambda with s3:GetObject on sensitive buckets or ssm:GetParameter on secrets is a high-severity finding.

C — Attach an explicit deny policy to the IAM user or disable the access key, while preserving evidence by not deleting CloudTrail logs

The first step is to stop the bleeding without destroying evidence. Disabling the specific access key (not deleting it) or attaching an explicit deny policy immediately terminates the attacker's access. Deleting the IAM user before forensic investigation may remove information about what the user was authorized to access. CloudTrail logs must be preserved for the investigation timeline.

B — Automated compliance posture assessment — continuously checking whether AWS account configurations meet the CIS benchmark controls and aggregating findings from GuardDuty, Macie, and Inspector

AWS Security Hub acts as a CSPM aggregator and compliance dashboard: it evaluates account configurations against enabled standards (CIS, PCI-DSS, NIST 800-53), assigns severity-weighted findings scores, and aggregates findings from multiple AWS security services into a unified view. It does not auto-remediate; remediation requires Lambda-backed automations or manual action.