Fundamentals
T1525Cloud Security Fundamentals
Cloud security concepts every analyst needs — shared responsibility model, IAM policies vs roles vs users, CloudTrail, CloudWatch, Azure Monitor, VPC flow logs, and S3 logging. Foundation for investigating cloud incidents.
View on Graph
The Shared Responsibility Model — What the Provider Secures vs. What You Secure
The shared responsibility model is the single most important cloud security concept. Misunderstanding it is the root cause of most cloud data breaches.
Who Secures What
| Layer | AWS | Azure | GCP | Your Responsibility |
|---|---|---|---|---|
| Physical security | ✅ Provider | ✅ Provider | ✅ Provider | None |
| Hypervisor | ✅ Provider | ✅ Provider | ✅ Provider | None |
| Network infrastructure | ✅ Provider | ✅ Provider | ✅ Provider | Provider-managed |
| Compute (EC2/VM/GCE) | Provider (host) | Provider (host) | Provider (host) | You configure: OS patching, firewall rules, access keys, IAM roles attached |
| Storage (S3/Blob/GCS) | Provider (infrastructure) | Provider (infrastructure) | Provider (infrastructure) | You configure: bucket policies, encryption, public access blocks, logging |
| Database (RDS/Azure SQL/Cloud SQL) | Provider (infrastructure, basic patching) | Provider (infrastructure, basic patching) | Provider (infrastructure, basic patching) | You configure: access controls, encryption at rest, backup retention |
| Identity (IAM/AAD/Cloud IAM) | Provider (auth infrastructure) | Provider (auth infrastructure) | Provider (auth infrastructure) | You configure: policies, roles, MFA, service account limits |
| Application code | You | You | You | Application security, dependency management, secrets handling |
Key insight for analysts: When investigating cloud incidents, look for IAM misconfigurations first. The Cloud Security Alliance reports that IAM misconfigurations are the leading cause of cloud data breaches — not provider vulnerabilities.
Common Shared Responsibility Mistakes
| Mistake | Example | Detection |
|---|---|---|
| Assuming IAM is the provider’s problem | Leaving S3 bucket public because “AWS manages infrastructure” | CloudTrail + bucket policy audit |
| Not patching cloud VMs | Assuming EC2/VM patching is automatic (unless you configure it) | AWS Systems Manager Patch Manager compliance report |
| Leaving default VPC settings | Default security group allows all outbound traffic | VPC Flow Logs showing unexpected outbound connections |
| Using root account | Daily operations from AWS root / Azure Global Admin / GCP org admin | CloudTrail RootActivity events |
IAM — Users vs. Roles vs. Policies (and Why the Difference Matters)
IAM is the control plane for who can do what in a cloud environment. Misconfigurations here account for the majority of cloud security incidents.
IAM Components
| Component | AWS | Azure | GCP |
|---|---|---|---|
| User | IAM User | Azure AD User | Google Account / Cloud Identity |
| Group | IAM Group | Azure AD Group | Google Group |
| Role | IAM Role (assumable) | Azure RBAC Role / Managed Identity | IAM Role / Service Account |
| Policy | IAM Policy (JSON document) | RBAC Role Definition | IAM Policy (bindings) |
| Service principal | IAM Role session | Service Principal (App Registration) | Service Account |
Users
A user is a long-term identity tied to a person. Users have static credentials (password, access keys).
Detection priority: Access keys used outside of automation. Every human user should use single sign-on (SSO) — not static access keys.
Roles
A role is an identity that can be assumed temporarily. Roles have no static credentials — they issue temporary credentials via AWS STS, Azure Managed Identity, or GCP Service Accounts.
Why roles matter for security:
- No static access keys — temporary credentials expire (default 1 hour for AWS STS)
- Least privilege is easier — assign roles to services, not users
- Cross-account access — trust relationships between accounts (AWS, Azure, GCP)
Policies
A policy is a document that defines what an identity can do. Understanding how policies work is essential for investigation.
AWS IAM Policy structure:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::important-bucket/*",
"Condition": {
"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}
}
}
]
}Azure RBAC Role structure:
{
"Name": "Custom Storage Blob Data Reader",
"IsCustom": true,
"Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
"NotActions": [],
"AssignableScopes": ["/subscriptions/{sub-id}"]
}GCP IAM Policy structure:
{
"bindings": [
{
"role": "roles/storage.objectViewer",
"members": ["user:alice@example.com", "serviceAccount:sa@project.iam.gserviceaccount.com"]
}
]
}The Common Misconfiguration Pattern
Overly permissive policy: "Action": "*" and "Resource": "*" on a user or role = unfettered access to everything.
SPL query (via CloudTrail) — detect overly permissive policies being attached:
index=cloudtrail eventName="AttachUserPolicy" OR eventName="AttachRolePolicy" OR eventName="PutUserPolicy" OR eventName="PutRolePolicy"
| search requestParameters.policyArn="*:*:*:*:*"
| eval alert = "HIGH — Policy " . requestParameters.policyName . " attached to " . requestParameters.userName . " — verify least privilege"
| table _time, userIdentity.arn, requestParameters.policyArn, sourceIPAddress, alert
| sort - _timeCloudTrail, CloudWatch, and Azure Monitor — The Log Sources
AWS CloudTrail
CloudTrail records every API call made to AWS services — who, what, when, and from where.
Event types:
| Type | What It Captures | Retention |
|---|---|---|
| Management Events | Control-plane operations (CreateUser, RunInstances, ModifySecurityGroup) | 90 days (default), longer with trail in S3 |
| Data Events | Data-plane operations (GetObject, PutObject, Invoke) | Must be enabled per resource type |
| Insights Events | Anomalous API activity (unusual call volume, unusual API patterns) | Must be enabled separately |
Key CloudTrail fields for investigation:
| Field | Meaning | Detection Use |
|---|---|---|
userIdentity.arn | AWS ARN of the caller | Who did it — user, role, federated identity, root, assumed role |
eventName | API action (e.g., RunInstances, CreateAccessKey) | What did they do |
sourceIPAddress | Source IP of the API call | Where did they log in from |
userAgent | Client used (console, CLI, SDK, Lambda) | How did they access — automated vs. manual |
requestParameters | Parameters of the API call | What specific resource was targeted |
recipientAccountId | Target account | Cross-account access indicator |
errorCode | Error returned (e.g., AccessDenied, UnauthorizedOperation) | Failed attempts — attacker probing |
Common CloudTrail detection queries:
# Failed API calls — attacker probing permissions
index=cloudtrail errorCode="AccessDenied" OR errorCode="UnauthorizedOperation"
| stats count by userIdentity.arn, sourceIPAddress, eventName, errorCode
| sort - count
# Root account activity — should be rare
index=cloudtrail userIdentity.type="Root"
| stats count by sourceIPAddress, eventName, userAgent
| sort - _time
# Console logins from unusual geolocations
index=cloudtrail eventName="ConsoleLogin"
| iplocation sourceIPAddress
| where Country != "US" AND Country != "CA" (adjust for your org)
| stats count by userIdentity.arn, sourceIPAddress, CountryAzure Activity Log (Azure Monitor)
Azure’s equivalent of CloudTrail — records control-plane operations on Azure resources.
Key event types:
| Type | What It Captures |
|---|---|
| Administrative | Resource creation, modification, deletion (Create VM, Modify NSG) |
| Service Health | Azure service incidents and maintenance |
| Resource Health | Resource status changes (unhealthy, degraded) |
| Alert | Azure Monitor alert firings |
| Autoscale | Autoscale operation events |
| Recommendation | Azure Advisor recommendations |
Key fields:
| Field | Meaning |
|---|---|
caller | Who made the call (UPN, SPN, or Object ID) |
operationName | e.g., Microsoft.Compute/virtualMachines/write |
status | Succeeded, Failed, Accepted, Started |
httpRequest.clientIpAddress | Source IP |
properties | Event-specific details (resource changes, property values) |
Sample KQL query — detect NSG rule modifications:
AzureActivity
| where OperationNameValue == "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE"
| project TimeGenerated, Caller, CallerIpAddress, Resource, OperationName, Status
| order by TimeGenerated descGCP Cloud Audit Logs
GCP’s Cloud Audit Logs capture administrative and data-access events.
Log types:
| Type | What It Captures |
|---|---|
| Admin Activity | Metadata changes (CreateServiceAccount, SetIamPolicy) — always enabled |
| Data Access | Read/write of user data (GetObject, ReadLogs) — must be enabled |
| System Events | Non-human GCP actions (automatic maintenance) |
| Policy Denied | Access denied by IAM — attacker probing |
Key fields:
| Field | Meaning |
|---|---|
protoPayload.authenticationInfo.principalEmail | Who did it |
protoPayload.methodName | e.g., google.iam.admin.v1.CreateKey |
protoPayload.requestMetadata.callerIp | Source IP |
protoPayload.status.code | 0 = success, 7 = PERMISSION_DENIED |
VPC Flow Logs — The Cloud Network Log
VPC Flow Logs capture network traffic metadata in cloud environments. They are the cloud equivalent of firewall logs.
What They Capture
| Field | Description |
|---|---|
srcaddr / dstaddr | Source and destination IPs |
srcport / dstport | Source and destination ports |
protocol | TCP (6), UDP (17), ICMP (1) |
packets / bytes | Traffic volume |
start / end | Window start and end timestamps |
action | ACCEPT or REJECT (AWS default deny / explicit allow) |
log-status | OK, NODATA, SKIPDATA |
Analyst Use Cases
- Beaconing detection: Consistent outbound connections to a single IP at regular intervals
- Data exfiltration: High outbound bytes to a destination that is not a known cloud service
- Lateral movement: Unexpected internal connections between subnets or accounts
- Scanning / recon: REJECT records from a single source targeting many ports or IPs
VPC Flow Logs are sampled by default (1 in 10,000 packets on AWS). For full visibility, enable 1:1 packet sampling or use a network tap solution.
Cross-Cloud Flow Log Setup
| Cloud | Service Name | Enable Via |
|---|---|---|
| AWS | VPC Flow Logs | VPC Console or CLI: aws ec2 create-flow-logs |
| Azure | NSG Flow Logs | Network Watcher > NSG Flow Logs |
| GCP | VPC Flow Logs | Enabled per subnet: gcloud compute networks subnets update |
S3 Logging — Server Access Logs vs. CloudTrail
S3 is the most common source of cloud data breaches. Two log sources exist:
S3 Server Access Logs
Granular logs for every request to S3, logged by the S3 data plane.
Enabled: Per-bucket destination in the same account (or another account).
Captures:
Bucket Owner,Bucket,Time,Remote IP,Requester ARNRequest ID,Operation(REST.GET.OBJECT, REST.PUT.OBJECT)Key(object key),Request-URI,HTTP Status,Error CodeBytes Sent,Object Size,Total Time,Turn-Around TimeReferrer,User-Agent,Version ID
S3 CloudTrail Data Events
Less granular than server access logs but integrated into CloudTrail and easier to search across accounts.
Enabled: Per-bucket in CloudTrail trail.
Captures:
- Standard CloudTrail fields + S3-specific:
bucketName,objectKey,eventName s3:prefix events:GetObject,PutObject,DeleteObject,ListBucket
When to Use Which
| Scenario | Use |
|---|---|
| Investigating known bucket breach | Both — Server Access Logs for full request audit, CloudTrail for user identity |
| Threat hunting for data access | CloudTrail Data Events — searchable in SIEM, cross-account |
| Compliance (who accessed which objects) | Server Access Logs — includes object key, requester IP, HTTP status |
| Anomaly detection (unusual object access) | CloudTrail + GuardDuty / Macie (not free) |
SPL query — detect public S3 object access (Server Access Logs):
index=s3_access
| search requester="Anonymous" (public access)
| stats count by bucket, key, remote_ip, operation
| where count > 1
| eval alert = "MEDIUM — Public S3 access to " . bucket . "/" . key . " — check if public access is intentional"
| table _time, bucket, key, remote_ip, operation, count, alertThe Cloud Incident Investigation Workflow
Phase 1: Identify the Entry Point
| Question | Log Source |
|---|---|
| Was it leaked keys? | CloudTrail — unusual source IP or user agent for a known user |
| Was it a misconfigured bucket? | S3 Access Logs — public access (anonymous requester) |
| Was it a compromised IAM role? | CloudTrail — API calls from an assumed role with unusual patterns |
| Was it a vulnerable app? | VPC Flow Logs + ALB/Azure Front Door/GCP HTTP LB logs — exploitation pattern |
Phase 2: Determine the Blast Radius
| Action | Log Source |
|---|---|
| What data was accessed? | S3 Access Logs — object keys accessed by attacker identity |
| What resources were created? | CloudTrail — RunInstances, CreateInstance, CreateFunction |
| Were permissions escalated? | CloudTrail — AttachRolePolicy, CreatePolicy, PassRole |
| Were credentials stolen? | CloudTrail — CreateAccessKey, CreateServiceAccountKey |
| What network connections? | VPC Flow Logs — outbound connections from compromised resources |
Phase 3: Containment
| Action | How |
|---|---|
| Revoke stolen keys | aws iam delete-access-key --access-key-id AKIA... |
| Disable compromised user | aws iam update-user --user-name compromised --no-login-profile |
| Detach permissive policies | aws iam detach-role-policy --role-name compromised --policy-arn... |
| Block network access | Update security groups / NSG rules / firewall rules |
| Rotate all credentials | Force new passwords, access keys, and service account keys |
Related
- Cloud Threats — Credential Theft, IMDS Abuse, Hijacking, Privilege Escalation — detection and response for T1525, T1552, T1613 techniques
- Cloud Incident Response — detection and response for T1525, T1526, T1078, T1530 techniques
- Container and Kubernetes Threats — detection and response for T1611, T1525, T1574.002 techniques
- Linux Security Fundamentals — detection and response for T1059, T1546, T1548 techniques
- Elastic Security — detection and response for T1654 techniques