Executive Summary

Cloud is fast—but so are attackers. Most real breaches aren’t “0-days”; they’re identity abuse, misconfigurations, exposed keys, flat networks, and noisy pipelines. This guide shows how modern attackers compromise AWS/Azure/GCP and how to stop them with concrete controls: least-privilege IAM, strong auth, network isolation, secrets hygiene, hardened CI/CD, continuous monitoring, and fast incident response.

1) Cloud Threat Model in 2025

Primary adversary behaviors

• Identity attacks: credential theft, key reuse, OAuth/app consent abuse, role chaining.

• Misconfig abuse: public buckets, permissive IAM policies, weak organization guardrails.

• Edge → metadata pivot: SSRF to IMDS, token harvest, cross-account pivot.

• Build-pipeline poisoning: dependency confusion, malicious runners, artifact tampering.

• Control-plane recon: API enumeration (STS, IAM, Graph), tagging/asset discovery.

• Data exfil: object store syncs, snapshot exports, cross-region replication.

Attack flow (typical)

1. Phish a developer → obtain SSO cookie/API key.

2. Enumerate IAM and org policies → assume over-permissive roles.

3. Land in CI/CD → read secrets/env vars → deploy backdoored images.

4. Snapshot DBs or sync S3/Blob/GCS to attacker-owned account.

5. Persist via service principals, access keys, or scheduled functions.

2) Five Most Common Cloud Weaknesses (and the fixes)

1. Over-permissive IAM

   • Fix: enforce least privilege with role scoping, ABAC/tags, and deny-by-default SCPs/Org Policies.

2. Public data paths (buckets, snapshots, queues)

   • Fix: enable S3 Block Public Access / Azure Public Access = Off / GCS uniform bucket-level access, signed URLs only.

3. IMDS token theft (SSRF)

   • Fix: enforce AWS IMDSv2, metadata hop-limit=1, block 169.254.169.254 egress, GCP/Azure metadata restrictions.

4. Secrets in code/pipelines

   • Fix: centralized KMS + Secrets Manager/Vault, short-lived tokens, pre-commit/CI secret scanning.

5. Flat networks

   • Fix: VPC/NSG segmentation, private endpoints, Zero Trust access (IdP + device posture), no direct internet mgmt.

3) Identity & Access Management (the crown)

Non-negotiables

• MFA/Passkeys for all human identities; workload identity federation for apps (no long-lived keys).

• JIT/PIM for privileged roles; break-glass accounts hardware-key only.

• SCP/Org Policy guardrails: deny high-risk actions org-wide.

Example AWS SCP (deny root + key creation)

json
CopyEdit
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect":"Deny","Action":"*","Resource":"*","Condition":{"StringEquals":{"aws:PrincipalArn":"arn:aws:iam::*:root"}}},
    {"Effect":"Deny","Action":["iam:CreateAccessKey","iam:PutUserPolicy","iam:AttachUserPolicy"],"Resource":"*"}
  ]
}

Azure/Entra

• Conditional Access with phishing-resistant MFA, device compliance, and PIM for admin roles.

• Disable self-service app registrations; require admin consent for risky scopes.

GCP

• Organization Policy: restrict service account key creation, enforce VPC-Service Controls around data perimeters.

4) Data Security

• Envelope encryption with KMS keys; strict key policies (no wildcards), auto-rotation.

• Object storage controls: public access blocks, bucket policies with condition keys (IP, VPC endpoint, TLS).

• Backups/snapshots: encrypt + isolate to separate accounts/projects with limited trust.

S3 “private by default”

json
CopyEdit
{
  "Version":"2012-10-17",
  "Statement":[{
    "Effect":"Deny",
    "Principal":"*",
    "Action":"s3:*",
    "Resource":["arn:aws:s3:::my-bucket","arn:aws:s3:::my-bucket/*"],
    "Condition":{"Bool":{"aws:SecureTransport":"false"}}
  }]
}

5) Network Architecture (Zero Trust by design)

• Private subnets, NAT for egress, Transit Gateway/Hub-Spoke for multi-account.

• L7 WAF + mTLS / PrivateLink / Private Service Connect for service-to-service.

• Egress allow-listing with DNS + FQDN rules; block metadata ranges by default.

• VPC-SC (GCP) and Private Endpoints (AWS/Azure) for data stores and KMS.

6) Workload & Kubernetes Security

• Minimal base images, SBOM + image signing (Sigstore cosign), admission control (OPA/Gatekeeper/Kyverno).

• Pod security: runAsNonRoot, drop capabilities, readOnlyRootFS, seccomp profiles.

• Namespace & network policies: default deny; restrict to service DNS names.

• Rotate service account tokens; use cloud Workload Identity (no node-local creds).

7) CI/CD, IaC & Software Supply Chain

• Isolated runners (no shared multi-tenant), no privileged Docker daemon access.

• Dependency pinning + private registries; verify checksums/signatures.

• IaC scanners (tfsec, Checkov) + policy-as-code (OPA/Sentinel) in PR gates.

• Artifact signing (Sigstore), provenance attestation (SLSA), quarantine on failed attestations.

OPA example: deny public buckets via policy

rego
CopyEdit
package s3.policy
deny[msg] {
  input.resource.type == "aws_s3_bucket"
  input.config.acl == "public-read"
  msg := sprintf("Public ACL not allowed: %v", [input.resource.name])
}

8) Monitoring, Detection & Response

Control-plane visibility

• AWS: CloudTrail (all regions + org), GuardDuty, Config, Detective.

• Azure: Activity/Sign-in Logs, Defender for Cloud, Sentinel.

• GCP: Admin/Access Transparency, Cloud Logging, Security Command Center.

Useful detections (copy/paste)

AWS Athena SQL (CloudTrail) — New AccessKey for user

sql
CopyEdit
SELECT userIdentity.principalId, eventTime, eventName, sourceIPAddress
FROM cloudtrail_logs
WHERE eventName='CreateAccessKey'
  AND userIdentity.type='IAMUser'
  AND eventTime > current_timestamp - interval '1' day;

Azure Sentinel (KQL) — Suspicious App Consent

kusto
CopyEdit
AuditLogs
| where OperationName in ("Consent to application", "Add app role assignment to service principal")
| project TimeGenerated, AppName=tostring(TargetResources[0].displayName), InitiatedBy, ResultReason

GCP Log Query — Public ACL change on GCS

pgsql
CopyEdit
resource.type="gcs_bucket"
protoPayload.methodName="storage.setIamPermissions"
protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
protoPayload.serviceData.policyDelta.bindingDeltas.role:"roles/storage.objectViewer"

EDR hints

• Cloud control-plane service spawning shells (e.g., java/w3wp → bash/powershell).

• New processes right after login from rare ASN/IP; curl/nc to unknown destinations.

Incident response (cloud-specific)

1. Contain identity: revoke refresh tokens, disable keys, force re-auth (CAE/Token revocation).

2. Freeze infrastructure: quarantine instances, lock buckets/snapshots, disable suspicious service principals.

3. Forensics: snapshot disks & memory, export CloudTrail/Activity logs, preserve K8s etcd state.

4. Eradication: rotate secrets/KMS grants, remove backdoors (Lambda/Functions, scheduled tasks, persistence images).

5. Lessons: add missing SCPs/Policies, patch IaC, expand detections.

9) Cloud-Specific Quick Wins (by provider)

AWS

• Organizations + SCPs; S3 Block Public Access; IMDSv2; GuardDuty + S3 protection; Access Analyzer; Key Policies with principals-only; rotate access keys to zero where possible.

Azure

• PIM + Conditional Access; disable legacy protocols; Defender for Cloud “High-severity” fixes; Storage firewall + private endpoints; Managed Identities instead of keys.

GCP

• Organization Policy: constraints/iam.disableServiceAccountKeyCreation=true; VPC-SC around sensitive projects; Cloud Armor + ALB; CMEK with restricted KMS.

10) Zero-Trust for Cloud (compressed)

• Strong identity (passkeys/WebAuthn, device posture).

• Continuous verification (risk signals → step-up).

• Least privilege & segmentation (tags/ABAC, VPC-level isolation).

• Assume breach (fast revocation, short TTL tokens, immutable infra).

KPIs & Governance

• % of identities with passkeys/MFA (target 100% humans, 0% static keys).

• % of resources behind private endpoints (target >90%).

• Mean Time to Revoke (MTR) compromised identities (<15 minutes).

• Policy drift findings from CSPM (trend to zero).

• Signed artifacts ratio in production (100%).

Final Checklist (printable)

• SSO + passkeys; no long-lived user keys.

• SCP/Org Policy denies for high-risk actions.

• IMDSv2 + metadata egress blocks.

• Object storage: public access blocked, TLS-only, KMS enforced.

• Private endpoints + network policies; no public management.

• Vault/Secrets Manager with rotation & envelope encryption.

• IaC scanning in PR; artifact signing and SBOMs.

• Org-wide logging; detections enabled; tested IR runbooks.

Closing

Cloud security is identity-first and automation-heavy. If you get IAM guardrails, private data paths, hardened pipelines, and continuous monitoring right, you’ll defang most real-world attack chains.