# Runbook: Cloud Security Misconfiguration
## Runbook Metadata
| Field | Value |
|---|---|
| Runbook ID | RB-003 |
| Title | Cloud Security Misconfiguration Alert |
| Version | 1.0 |
| Status | Approved |
| Owner | SOC Tier 2 / Cloud Security |
| MITRE ATT&CK | TA0001 (Initial Access via T1190), TA0004 (Privilege Escalation), TA0010 (Exfiltration) |
| Alert Sources | CSPM findings (Nexus SecOps-123), cloud security alerts, AWS Security Hub, Azure Defender, GCP SCC |
| Nexus SecOps Controls | Nexus SecOps-121, Nexus SecOps-123, Nexus SecOps-124, Nexus SecOps-129, Nexus SecOps-133 |
| SLA | Critical (public exposure): 15min; High: 30min; Medium: 4h |
## Overview
What triggers this runbook: CSPM finding or cloud security alert indicating: publicly exposed storage bucket, overly permissive IAM policy, security group allowing unrestricted access (0.0.0.0/0), disabled cloud audit logging, exposed secrets in cloud configuration, or cloud admin activity from suspicious location.
Why this matters: Cloud misconfigurations are the leading cause of cloud data breaches. A publicly exposed S3 bucket or permissive IAM role can be exploited in minutes by automated scanning tools. Many misconfigurations go unnoticed for months.
Common causes:
| Cause | TP or FP | Frequency |
|---|---|---|
| Developer left bucket public by mistake | TP | High |
| Temporary test configuration not rolled back | TP | Medium |
| Approved external sharing configuration | FP | Medium |
| Legacy configuration from before policy | TP | Medium |
| CSPM false positive (known exception) | FP | Medium |
| Malicious insider creating backdoor | TP | Low |
## Triage Steps (Tier 1)
### Step 1: Alert Classification
- [ ] 1.1 Identify the finding type:
  - ☐ Public storage (S3 bucket, Blob container, GCS bucket) — CRITICAL
  - ☐ Overly permissive IAM policy (Admin to all, * resource)
  - ☐ Security group: 0.0.0.0/0 on sensitive port (22, 3389, 1433, 3306)
  - ☐ Cloud audit logging disabled
  - ☐ MFA not enabled for privileged cloud users
  - ☐ Secret in environment variable / config file
  - ☐ Encryption disabled (at-rest, in-transit)
  - ☐ Cross-account trust misconfiguration
- [ ] 1.2 Identify the resource:
  - Cloud account/subscription: ______
  - Resource name: ______
  - Region: ______
  - Resource owner (tag lookup): ______
### Step 2: Severity Assessment
| Finding | Severity | Why |
|---|---|---|
| Public storage with sensitive data | Critical | Data breach risk; external scanners find these in minutes |
| Public storage with non-sensitive data | High | Still a breach if data is exposed; scope unknown |
| 0.0.0.0/0 on SSH/RDP/DB port | High | Attack surface; brute-force and exploitation risk |
| Admin IAM policy with * resource | High | Privilege escalation path |
| Audit logging disabled | High | Detection evasion; compliance violation |
| MFA not required for cloud admin | High | Account takeover risk |
| Encryption disabled | Medium | Data exposure risk if resource accessed |
- [ ] 2.1 Has the misconfiguration been exploited? (Check access logs) ☐ Yes ☐ No ☐ Unknown
- [ ] 2.2 Is the resource tagged as containing sensitive or regulated data? ☐ Yes ☐ No
### Step 3: Check for Existing Exception
- [ ] 3.1 Is this resource in the CSPM exception list with documented business justification?
  - ☐ Yes — Close as known exception; confirm justification is current
  - ☐ No — Proceed with investigation
## Investigation Steps (Tier 2)
### Step 4: Access Log Review
For a public storage finding, check whether data was already accessed externally:
AWS S3 Server Access Logs — check for external access in the last 30 days:
```sql
-- Requests not signed by a principal of this account; anonymous requests log the
-- requester as '-' and are therefore included. The 30-day filter assumes
-- s3_access_logs exposes request_time as a timestamp column.
SELECT requester, remote_ip, operation, key, bytes_sent
FROM s3_access_logs
WHERE bucket_name = '{BUCKET}'
  AND requester NOT LIKE 'arn:aws:iam::{ACCOUNT_ID}%'
  AND request_time >= current_timestamp - interval '30' day
ORDER BY request_time DESC
```
Azure Blob storage diagnostics — external (anonymous) access in the last 30 days:
```kql
StorageBlobLogs
| where AccountName == "{STORAGE_ACCOUNT}"
| where AuthenticationType == "Anonymous"
| where TimeGenerated > ago(30d)
| project TimeGenerated, CallerIpAddress, OperationName, Uri, ResponseMd
```
- [ ] 4.1 Were any external IPs accessing the resource in the last 30 days?
- [ ] 4.2 What data was accessed? (identify specific objects/files accessed)
- [ ] 4.3 What volume of data was downloaded? (bytes transferred)
- [ ] 4.4 Are the accessing IPs malicious? (check TIP)
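As an added example (not part of the runbook), the same external-access check run directly over S3 server access log lines, for the case where the logs are not yet loaded into a query table. It goes slightly beyond the SQL above: it tokenizes the log format, treats anonymous (`-`) and foreign-account requesters as external, ignores denied requests, and totals successful object downloads per source IP (Steps 4.1 to 4.3). The bucket name, account ID, owner canonical ID and log lines are constructed.

```python
import re
from collections import defaultdict

# The bracketed timestamp and the quoted URI/user-agent fields contain spaces, so
# tokenize with a regex rather than str.split(). Only the first 12 columns are mapped.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent"]

def parse_line(line):
    """Map the first 12 columns of an S3 server access log line to names ('-' = empty)."""
    return dict(zip(FIELDS, TOKEN_RE.findall(line)))

def is_external(rec, account_id):
    """'-' is an anonymous request; own-account principals appear as the bucket owner's canonical ID or an arn:aws:iam::<account> ARN."""
    req = rec["requester"]
    return req == "-" or (req != rec["bucket_owner"] and not req.startswith(f"arn:aws:iam::{account_id}:"))

def external_object_reads(lines, bucket, account_id):
    """Per remote IP, summarize successful object GETs by external principals (Steps 4.1-4.3)."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "keys": set(), "anonymous": False})
    for line in lines:
        rec = parse_line(line)
        if rec.get("bucket") != bucket or rec.get("operation") != "REST.GET.OBJECT":
            continue
        if rec.get("http_status") not in ("200", "206") or not is_external(rec, account_id):
            continue  # denied or partial-failure requests did not expose data
        hit = summary[rec["remote_ip"]]
        hit["requests"] += 1
        hit["bytes"] += int(rec["bytes_sent"]) if rec.get("bytes_sent", "-") != "-" else 0
        hit["keys"].add(rec["key"])
        hit["anonymous"] |= rec["requester"] == "-"
    return dict(summary)

# Constructed sample lines (not real data): owner ID, account IDs, IPs and keys are made up.
OWNER = "OWNERCANONICALID0001"
SAMPLE_LOG = [
    f'{OWNER} acme-exports [03/Mar/2025:10:15:02 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.GET.OBJECT '
    'exports/customers.csv "GET /acme-exports/exports/customers.csv HTTP/1.1" 200 - 524288 524288 35 12 "-" "curl/8.4.0" -',
    f'{OWNER} acme-exports [03/Mar/2025:10:15:09 +0000] 198.51.100.7 - 7C2D1F0EEXAMPLE REST.GET.OBJECT '
    'exports/orders.csv "GET /acme-exports/exports/orders.csv HTTP/1.1" 206 - 4096 4096 8 3 "-" "curl/8.4.0" -',
    f'{OWNER} acme-exports [03/Mar/2025:11:02:41 +0000] 10.20.30.40 arn:aws:iam::123456789012:user/alice 9A1B2C3DEXAMPLE '
    'REST.GET.OBJECT exports/customers.csv "GET /acme-exports/exports/customers.csv HTTP/1.1" 200 - 524288 524288 20 5 "-" "aws-cli/2.15.0" -',
    f'{OWNER} acme-exports [03/Mar/2025:12:30:00 +0000] 203.0.113.9 arn:aws:iam::999999999999:user/bob 5D6E7F8AEXAMPLE '
    'REST.GET.OBJECT exports/readme.txt "GET /acme-exports/exports/readme.txt HTTP/1.1" 200 - 1024 1024 4 2 "-" "Boto3/1.34.0" -',
    f'{OWNER} acme-exports [03/Mar/2025:12:31:10 +0000] 203.0.113.9 - 1F2E3D4CEXAMPLE REST.GET.OBJECT '
    'exports/secret.key "GET /acme-exports/exports/secret.key HTTP/1.1" 403 AccessDenied - - 3 1 "-" "curl/8.4.0" -',
]
```

Calling `external_object_reads(SAMPLE_LOG, "acme-exports", "123456789012")` reports two external sources: the anonymous reader at 198.51.100.7 (two objects, 528384 bytes) and the cross-account principal at 203.0.113.9, whose later anonymous request was denied and is not counted.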
### Step 5: Timeline of Misconfiguration
- [ ] 5.1 When was the misconfiguration introduced? (check CloudTrail/Activity Log)
- [ ] 5.2 Who made the change? (user identity or service account)
- [ ] 5.3 Was there a corresponding change ticket? (check change management)
- [ ] 5.4 Was this introduced via automated deployment (IaC)? ☐ Yes ☐ No
## Containment and Remediation
### Immediate Containment (within 15 minutes for Critical)
Public S3 Bucket:
```bash
# Block all public access immediately. Existing public ACLs and bucket policies stay in
# place but are no longer honoured; remove them during remediation.
aws s3api put-public-access-block \
  --bucket {BUCKET_NAME} \
  --public-access-block-configuration \
  "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
```
Azure Public Blob Container:
Open Security Group (AWS):
```bash
# Remove the overly permissive rule. Protocol, port range and CIDR must match the
# existing rule exactly or AWS reports that the rule does not exist.
aws ec2 revoke-security-group-ingress \
  --group-id {SG_ID} \
  --protocol tcp --port {PORT} --cidr 0.0.0.0/0
```
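An added helper for Step 1.1 and this containment step (not from the runbook): it scans the JSON output of `aws ec2 describe-security-groups` for ingress rules that reach 22, 3389, 1433 or 3306 from 0.0.0.0/0 or ::/0 and emits the exact revoke call for each. It uses the matching rule's full port range rather than the single sensitive port, because AWS only revokes a rule whose values match the existing one (a 0-65535 rule cannot be revoked as port 22). Group IDs and rules are constructed.

```python
import json

# Ports the runbook treats as sensitive when open to the world (Step 1.1).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def world_open_sensitive_rules(describe_json):
    """Scan `aws ec2 describe-security-groups --output json` data for ingress rules that
    reach a sensitive TCP port from 0.0.0.0/0 or ::/0. Each finding carries the exact rule
    for revoke-security-group-ingress: AWS only revokes a rule that matches the existing
    one, so a 0-65535 rule must be revoked as 0-65535, not as port 22."""
    findings = []
    for sg in describe_json["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto not in ("tcp", "-1"):  # "-1" = all protocols; such rules carry no port fields
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
            if not exposed:
                continue
            ranges = [("IpRanges", "CidrIp", r["CidrIp"]) for r in perm.get("IpRanges", [])]
            ranges += [("Ipv6Ranges", "CidrIpv6", r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
            for list_key, cidr_key, cidr in ranges:
                if cidr not in WORLD_CIDRS:
                    continue
                rule = {"IpProtocol": proto, list_key: [{cidr_key: cidr}]}
                if proto == "tcp":
                    rule.update(FromPort=lo, ToPort=hi)  # revoke must name the rule's own range
                findings.append({
                    "group_id": sg["GroupId"], "services": exposed,
                    "revoke_cmd": "aws ec2 revoke-security-group-ingress --group-id "
                                  f"{sg['GroupId']} --ip-permissions '{json.dumps([rule])}'",
                })
    return findings

# Constructed sample (not real CLI output): group IDs and rules are made up.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,  # HTTPS: not a sensitive port
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,  # MySQL, internal only
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0fedcba9876543210", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}
```

`world_open_sensitive_rules(SAMPLE)` yields two findings: SSH open to 0.0.0.0/0 on the first group, and an all-protocol ::/0 rule on the second that exposes all four services and must be revoked as the whole rule.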
Overly Permissive IAM Policy:
- Do NOT immediately remove — assess if any services depend on this policy
- Scope down to least privilege; coordinate with the application owner
- Timeline: within 24 hours for Critical, 72 hours for High
## Notification Requirements
If data was confirmed accessed:
- [ ] Notify data owner immediately
- [ ] Engage legal/compliance if regulated data (PII, PHI, PCI data)
- [ ] Initiate data breach assessment process per Nexus SecOps-073
- [ ] Preserve CloudTrail/access logs as evidence per Nexus SecOps-071
## Remediation Verification
After remediation, verify:
- [ ] CSPM re-scan confirms finding is resolved
- [ ] Access logs no longer show public access
- [ ] No evidence of ongoing exploitation
- [ ] Resource owner confirms intended configuration
- [ ] Exception documented if business requirement exists (with approval)
## Root Cause and Prevention
Document to prevent recurrence:
| Root Cause | Prevention Measure |
|---|---|
| Manual misconfiguration | Add CSPM guardrail (preventive) |
| IaC template error | Add security scanning to CI/CD pipeline |
| Missing policy | Create SCPs / Azure Policy to deny by default |
| Knowledge gap | Developer security training |
| Exception not time-limited | Exception review process with expiry dates |
## References
- T1190 — Exploit Public-Facing Application
- MITRE Cloud Security Overview
- Related: RB-004 — Data Exfiltration Suspected
RB-003 v1.0 | Reviewed: 2025-Q4 | Next review: 2026-Q4