Cloud Security Fundamentals

beginner · 30 min · Writeup

Understanding cloud security concepts and shared responsibility

Learning Objectives

  • Understand shared responsibility model
  • Know cloud security challenges
  • Learn cloud-specific attack surfaces
  • Understand multi-cloud considerations

Cloud security is fundamentally different from traditional security. You're no longer protecting physical servers in a datacenter you control - you're securing virtual resources running on someone else's infrastructure. Think of it like the difference between owning a house versus renting an apartment: you still need locks on your door, but you can't control who else has keys to the building.

The major cloud providers (AWS, Azure, GCP) handle billions of dollars in infrastructure, so their physical and platform security is excellent. But configuration mistakes, IAM misconfigurations, and exposed resources cause the vast majority of cloud breaches. The cloud is secure - your configuration might not be.

Cloud ≠ Someone Else's Computer

While technically true that cloud is "someone else's computer," cloud security requires completely different skills. Traditional network perimeters don't exist, everything is API-driven, and identity is the new perimeter.

The Shared Responsibility Model

```text
The Shared Responsibility Model:

┌─────────────────────────────────────────────────────────────────────┐
│ CUSTOMER RESPONSIBILITY                                             │
│ (What YOU must secure)                                              │
├─────────────────────────────────────────────────────────────────────┤
│ DATA              │ Encryption, classification, access control      │
│ APPLICATIONS      │ Code security, input validation                 │
│ IDENTITY & ACCESS │ IAM policies, MFA, least privilege              │
│ OPERATING SYSTEM  │ Patching, hardening (for IaaS)                  │
│ NETWORK CONFIG    │ Security groups, NACLs, VPC design              │
│ ENCRYPTION        │ Key management, TLS, at-rest encryption         │
├─────────────────────────────────────────────────────────────────────┤
│ SHARED CONTROLS                                                     │
├─────────────────────────────────────────────────────────────────────┤
│ Patch management, configuration management, awareness training      │
├─────────────────────────────────────────────────────────────────────┤
│ PROVIDER RESPONSIBILITY                                             │
│ (What CLOUD PROVIDER secures)                                       │
├─────────────────────────────────────────────────────────────────────┤
│ PHYSICAL          │ Datacenters, hardware, environmental            │
│ NETWORK           │ Infrastructure, DDoS protection                 │
│ HYPERVISOR        │ Isolation between tenants                       │
│ COMPUTE/STORAGE   │ Hardware, firmware, host OS                     │
│ GLOBAL INFRA      │ Regions, availability zones, edge locations     │
└─────────────────────────────────────────────────────────────────────┘

The division changes based on service model:
─────────────────────────────────────────────────────────────────────
IaaS (EC2, VMs)     │ You manage: OS, apps, data, networking
PaaS (Lambda, App)  │ You manage: Code, data, access
SaaS (Office 365)   │ You manage: Data, access, settings
```

Most Breaches Are Configuration

Cloud providers have excellent platform security. Almost every cloud breach is due to customer misconfiguration - exposed S3 buckets, overly permissive IAM policies, or missing encryption. The provider won't save you from your own mistakes.

Cloud Attack Surface

```text
Cloud-Specific Attack Vectors:

IDENTITY & ACCESS (Most Critical!)
─────────────────────────────────────────────────────────────────────
├── Overly permissive IAM policies
│   └── Example: iam:* or s3:* instead of specific permissions
├── Long-term access keys exposed
│   └── Check: GitHub, CI/CD configs, environment variables
├── Cross-account trust abuse
│   └── One compromised account pivots to others
├── Service account/role exploitation
│   └── Lambda roles, EC2 instance profiles
└── Missing MFA on privileged accounts
    └── Root account without MFA = game over

STORAGE EXPOSURE
─────────────────────────────────────────────────────────────────────
├── Public S3 buckets
│   └── Customer data, backups, credentials
├── Public Azure blob containers
│   └── Anonymous access enabled
├── Public GCS buckets
│   └── allUsers or allAuthenticatedUsers access
├── Unsecured database snapshots
│   └── EBS snapshots, RDS snapshots made public
└── Exposed backup files
    └── .sql, .bak files in storage

COMPUTE & NETWORKING
─────────────────────────────────────────────────────────────────────
├── Security groups too permissive
│   └── 0.0.0.0/0 on SSH/RDP, databases
├── Metadata service exploitation
│   └── SSRF to 169.254.169.254
├── Exposed management interfaces
│   └── Jenkins, Kubernetes dashboards
├── Unpatched instances
│   └── You patch, not AWS
└── Container escapes
    └── Privileged containers, host mounts

SERVERLESS & APPLICATIONS
─────────────────────────────────────────────────────────────────────
├── Injection in Lambda functions
│   └── Event data to OS commands, SQL
├── Secrets in environment variables
│   └── Lambda env vars visible via API
├── Overprivileged function roles
│   └── Lambda with admin permissions
├── API Gateway misconfig
│   └── Missing authentication, auth bypass
└── Event injection
    └── Crafting malicious S3/SQS events
```
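The COMPUTE & NETWORKING item "0.0.0.0/0 on SSH/RDP, databases" is easy to check mechanically. The following is an added example (not code from the original page) that audits security group rules in the shape returned by `aws ec2 describe-security-groups`; the sample groups, their ids and the port list are constructed for the demonstration.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output,
# trimmed to the fields the check needs; the group ids are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-EXAMPLE-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-EXAMPLE-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-EXAMPLE-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

# Ports the section singles out: SSH, RDP and common database listeners.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL",
                   5432: "PostgreSQL", 1433: "MSSQL", 27017: "MongoDB"}


def is_internet(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(rule):
    """Sensitive ports a rule opens; protocol -1 means all ports, all protocols."""
    if rule.get("IpProtocol") == "-1":
        return dict(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p: n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi}


def audit_security_groups(groups):
    """Return (group_id, service, source_cidr) for every sensitive port
    reachable from the whole internet over IPv4 or IPv6."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_internet(cidr):
                    continue
                for service in exposed_ports(rule).values():
                    findings.append((sg["GroupId"], service, cidr))
    return findings
```

Note that the "all traffic" rule (`IpProtocol: -1`) on the database group is flagged for every sensitive port even though it names no port, and the IPv6 `::/0` range is caught alongside `0.0.0.0/0`; both are common blind spots in manual reviews.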

Major Cloud Providers

```text
Cloud Provider Comparison for Security Testing:

AWS (Amazon Web Services)
─────────────────────────────────────────────────────────────────────
Market Share: ~32%
Identity: IAM Users, Roles, Policies, Identity Center (SSO)
Compute: EC2, Lambda, ECS, EKS
Storage: S3, EBS, EFS, Glacier
Database: RDS, DynamoDB, Aurora, Redshift
Key Services: CloudTrail (logs), GuardDuty (threats),
              Security Hub, Config, WAF
CLI: aws-cli
Metadata: 169.254.169.254 (IMDSv1/v2)

Azure (Microsoft)
─────────────────────────────────────────────────────────────────────
Market Share: ~22%
Identity: Entra ID (Azure AD), Managed Identities, RBAC
Compute: VMs, Functions, AKS, Container Instances
Storage: Blob Storage, Disk Storage, Files
Database: SQL Database, Cosmos DB
Key Services: Activity Log, Defender for Cloud, Sentinel,
              Key Vault, Application Gateway (WAF)
CLI: az (Azure CLI), PowerShell
Metadata: 169.254.169.254 (requires header)

GCP (Google Cloud Platform)
─────────────────────────────────────────────────────────────────────
Market Share: ~10%
Identity: Cloud IAM, Service Accounts, Workload Identity
Compute: Compute Engine, Cloud Functions, GKE, Cloud Run
Storage: Cloud Storage (GCS), Persistent Disk
Database: Cloud SQL, Firestore, BigQuery, Spanner
Key Services: Cloud Audit Logs, Security Command Center,
              Cloud Armor (WAF), Secret Manager
CLI: gcloud
Metadata: metadata.google.internal (169.254.169.254)

Common Patterns Across All Providers:
─────────────────────────────────────────────────────────────────────
✓ Identity is the perimeter
✓ Everything is API-driven
✓ Metadata services for credentials
✓ Storage buckets/containers with ACLs
✓ Security groups/firewalls for network
✓ Centralized logging capabilities
✓ Encryption options (KMS)
```

Start with AWS

AWS has the largest market share and the most documentation. Skills transfer between providers: concepts like IAM policies, instance metadata, and storage ACLs work similarly everywhere. Master AWS first.

Identity is the New Perimeter

```text
Traditional vs Cloud Security Model:

TRADITIONAL (On-Prem)
─────────────────────────────────────────────────────────────────────
                 Internet
                     │
                [Firewall]  ← Perimeter defense
                     │
              Internal Network
                     │
     ┌───────────────┼───────────────┐
 [Server1]       [Server2]       [Server3]

Network perimeter = primary defense
Once inside, lateral movement is easy
Physical access matters


CLOUD (Modern)
─────────────────────────────────────────────────────────────────────
                 Internet
                     │
        ┌────────────┼────────────┐
        │            │            │
      [API]        [API]        [API]
        │            │            │
    (Identity)   (Identity)   (Identity)
        │            │            │
    [Service]    [Service]    [Service]

No network perimeter - everything is API
Identity (who you are) = primary defense
Every request authenticated and authorized
Network segmentation still matters, but secondary
```

```bash
# In cloud, identity credentials = keys to kingdom

# Traditional attack: Find open port → exploit service → pivot
# Cloud attack: Find credentials → authenticate → access resources

# AWS credential types
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE            # Long-term user key
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG...    # Secret component
AWS_SESSION_TOKEN=FwoGZXIvYXdz...                 # Temporary (STS)

# Where credentials leak
- GitHub repos (hardcoded)
- CI/CD pipeline configs
- Application logs
- Environment variables
- Metadata service (SSRF)
- Compromised developer machines
- Phishing attacks

# One leaked credential can compromise entire cloud environment!
```
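The "where credentials leak" list above is the kind of thing secret scanners (truffleHog is mentioned later on this page) automate. As an added example, not code from the original page or from any of those tools, here is a small detector for the three AWS credential shapes shown above, run over constructed config and log lines; the key id and secret values are the placeholders AWS uses in its own documentation.

```python
import re

# Constructed sample lines (a CI variable, an app config, a log line and a
# shell profile). The key id and secret are the placeholders AWS uses in its
# own documentation, so nothing here is a live credential.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "2024-01-01T00:00:00Z INFO request id=abc123 user=alice",
    "export AWS_SESSION_TOKEN=FwoGZXIvYXdzEBYaDEXAMPLESESSIONTOKEN",
    "deploy: ./build.sh --region us-east-1",
]

# Long-term key ids are 20 chars starting with AKIA, temporary (STS) ids with
# ASIA, so they can be matched on their own. Secrets and session tokens look
# like any base64 blob, so they are only matched next to their variable name
# to keep false positives down. Group 1 always captures the credential.
PATTERNS = {
    "access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
    "session_token": re.compile(r"(?i)aws_session_token\s*[=:]\s*(\S{20,})"),
}


def redact(value):
    """Keep only a prefix so a finding can be reported without re-leaking it."""
    return value[:4] + "..."


def find_credential_leaks(lines):
    """Return (line_number, kind, redacted_value) for each suspected credential."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                hits.append((n, kind, redact(match.group(1))))
    return hits
```

Pointing this at CI logs, container images or a repository's history catches the long-term keys the page warns about; anything it finds should be treated as compromised and rotated, not just deleted from the file.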

Common Cloud Misconfigurations

```text
Top Cloud Misconfigurations by Severity:

CRITICAL
─────────────────────────────────────────────────────────────────────
1. Public storage buckets containing sensitive data
   └── S3, Azure Blob, GCS with public access

2. Root/admin accounts without MFA
   └── Full account compromise possible

3. Hardcoded credentials in code/configs
   └── Long-term keys in GitHub, CI/CD

4. Overprivileged IAM policies (*)
   └── iam:*, s3:*, * resource access

5. Exposed metadata service (IMDSv1)
   └── SSRF leads to credential theft

HIGH
─────────────────────────────────────────────────────────────────────
6. Security groups allowing 0.0.0.0/0
   └── SSH, RDP, databases exposed to internet

7. Unencrypted sensitive data
   └── No server-side encryption enabled

8. Missing CloudTrail/audit logging
   └── Can't detect or investigate breaches

9. Cross-account trust without conditions
   └── Accounts can assume roles too easily

10. Exposed management interfaces
    └── Jenkins, Kubernetes dashboard, admin panels

MEDIUM
─────────────────────────────────────────────────────────────────────
11. Overly permissive CORS settings
12. Missing VPC flow logs
13. Inactive/unused credentials not rotated
14. Public AMIs/images with sensitive data
15. Excessive Lambda/function permissions
```
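Items 1 and 4 above (public buckets and wildcard IAM policies) both come down to what a policy document says, and both can be checked from the JSON alone. The following added example (not code from the original page) audits IAM policy documents for `*` or `service:*` actions, `*` resources and public principals; the three policies and the bucket name are constructed for the demonstration.

```python
import json

# Constructed sample policies, not from any real account. The first is the
# wildcard style the list warns about, the second is scoped down, the third
# is a bucket policy that makes objects readable by anyone.
OVERPRIVILEGED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:*"], "Resource": "*"}]})

SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"}]})

PUBLIC_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-bucket/*"}]})


def as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (statement_index, finding) for each risky Allow statement."""
    findings = []
    statements = as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            # "*" or "service:*" grants every action of that service
            if action == "*" or action.endswith(":*"):
                findings.append((i, "wildcard action " + action))
        if "*" in as_list(stmt.get("Resource")):
            findings.append((i, "wildcard resource"))
        principal = stmt.get("Principal")
        # Principal "*" or {"AWS": "*"} means any AWS account or anonymous user
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in as_list(principal.get("AWS"))):
            findings.append((i, "public principal"))
    return findings
```

A finding on the public principal check is exactly the "public S3 bucket" case in item 1; a wildcard action on a role attached to a Lambda function or EC2 instance profile is the "overprivileged function role" case from the attack surface section.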

Cloud Security Tools

```bash
# Cloud Security Assessment Tools

# AWS Enumeration & Security
# ─────────────────────────────────────────────────────────────────────
# Prowler - AWS security assessment
prowler aws -M csv json-asff

# ScoutSuite - Multi-cloud security auditing
scout aws -r us-east-1

# Pacu - AWS exploitation framework
pacu
> import_keys <profile>
> run iam__enum_permissions

# CloudMapper - AWS visualization & analysis
cloudmapper configure
cloudmapper collect --account my_account

# truffleHog - Find secrets in repos
trufflehog git https://github.com/company/repo

# AWS CLI for enumeration
aws sts get-caller-identity
aws iam list-users
aws s3 ls


# Azure Enumeration & Security
# ─────────────────────────────────────────────────────────────────────
# AzureHound - Azure AD enumeration
azurehound list --tenant <tenant-id>

# MicroBurst - Azure security toolkit (PowerShell)
Import-Module MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base company

# ROADtools - Azure AD toolkit
roadrecon gather --access-token <token>
roadrecon gui

# Azure CLI
az login
az account list
az group list


# Multi-Cloud
# ─────────────────────────────────────────────────────────────────────
# CloudBrute - Cloud enumeration
cloudbrute -d target.com -k wordlist.txt -m aws

# cloud_enum - Multi-cloud enumeration
python3 cloud_enum.py -k company -k prod

# Nuclei - Cloud templates
nuclei -t cloud/ -u target.com
```

Cloud Security Assessment Methodology

Cloud Security Assessment Flow

1. Scope & Authorization: Define which accounts, services, and regions are in scope. Get written authorization - cloud providers may detect testing as attacks.
2. Reconnaissance: Find cloud resources: S3 buckets, subdomains on cloud IPs, exposed services. Use cloud_enum, cloudbrute, or manual DNS enumeration.
3. Configuration Review: Audit IAM policies, security groups, encryption settings, logging. Use Prowler, ScoutSuite, or native tools like AWS Config.
4. Credential Discovery: Search for exposed credentials: GitHub, CI/CD, metadata service via SSRF, public AMIs, backup files in storage.
5. Privilege Escalation: Test IAM privilege escalation paths, cross-account trust abuse, service role exploitation.
6. Data Access: Attempt to access sensitive data: storage buckets, databases, secrets managers, application data.
7. Reporting: Document findings with cloud-specific context: resource ARNs, IAM policies, configuration snippets.

Knowledge Check

Quick Quiz
Question 1 of 3

In the shared responsibility model, who is responsible for IAM policy configuration?

Challenges

Cloud Provider Comparison

Challenge · 🌱 beginner

Research and create a comparison table of security services across AWS, Azure, and GCP. Map equivalent services (e.g., AWS GuardDuty ↔ Azure Defender ↔ GCP Security Command Center).


Key Takeaways

  • Shared responsibility: provider secures platform, you secure configuration
  • Most breaches are customer misconfiguration, not provider vulnerabilities
  • Identity is the new perimeter - credentials are keys to the kingdom
  • Storage exposure (S3/Blob) and IAM misconfigs are top attack vectors
  • Everything is API-driven - understand each provider's CLI and API
  • Use security scanning tools (Prowler, ScoutSuite) regularly