Cloud Security Foundations
Common Cloud Threats & Attack Vectors
Understanding how attackers target cloud environments is essential for defense. The attack surface in the cloud is different from traditional infrastructure—and so are the threats.
The Cloud Threat Landscape
According to incident response data from 2023-2025:
- Stolen credentials: 36% of cloud incidents (most common initial access)
- Misconfigurations: 80% of breaches involve configuration errors
- Poor password controls: 51% of cloud compromises (Google research)
- AWS dominance: 96% of incidents investigated by Expel occurred in AWS
The pattern is clear: attackers don't hack the cloud—they log in with stolen credentials and exploit misconfigurations.
Top Cloud Attack Vectors
1. Credential Theft & Compromise
Credential compromise is the most common entry point. Attackers obtain credentials through:
| Method | Description | Example |
|---|---|---|
| Phishing | Fake login pages | Office 365 credential harvest |
| Leaked secrets | Exposed in code | AWS keys in GitHub |
| Malware | Info-stealers | TRIPLESTRENGTH (2024-2025) |
| Token theft | Session hijacking | Cookie stealing attacks |
Real-world example (January 2025): The Codefinger ransomware group exploited compromised AWS credentials to encrypt S3 buckets using SSE-C (server-side encryption with customer keys). Victims couldn't decrypt without paying ransom.
2. Public Exposure & Misconfigurations
Resources accidentally exposed to the internet:
```bash
# Finding exposed S3 buckets
aws s3 ls s3://company-backup --no-sign-request
# If this works, the bucket is public (anonymous listing succeeded)

# Finding exposed Azure Blob Storage
curl "https://storageaccount.blob.core.windows.net/container?restype=container&comp=list"
# An XML blob listing in the response means the container allows anonymous access
```
Statistics:
- 31% of S3 buckets are publicly accessible (Qualys research)
- 46% of AWS S3 buckets could be misconfigured and unsafe
- Football Australia (2024): 127 storage containers exposed via misconfigured S3
3. Over-Privileged IAM
Excessive permissions create blast radius problems:
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }]
}
```
This "admin" policy appears in countless environments. One compromised credential = complete cloud takeover.
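As an added example (not code from the original page), a small Python linter that flags the wildcard pattern above in an IAM policy document. The two sample policies are constructed for illustration, and the severity labels are an assumption of this example, not an AWS rating:

```python
import json

# Constructed sample policies (not from any real account): the "admin" policy
# shown above, and a scoped policy that still contains one service-wide wildcard.
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

def _as_list(value):
    """IAM accepts either a string or a list of strings in Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def find_wildcard_statements(policy):
    """Return (statement_index, severity, reason) for each risky Allow statement."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            # Allow + NotAction grants every action except the ones listed
            findings.append((i, "HIGH", "Allow with NotAction permits all other actions"))
        elif "*" in actions and "*" in resources:
            findings.append((i, "CRITICAL", "full admin: Action * on Resource *"))
        elif "*" in actions or any(a.endswith(":*") for a in actions):
            findings.append((i, "HIGH", "wildcard actions: %s" % actions))
        elif "*" in resources:
            findings.append((i, "MEDIUM", "scoped actions allowed on every resource"))
    return findings
```

Run `find_wildcard_statements` over the output of `aws iam get-policy-version` for each customer-managed policy to find candidates for the least-privilege review described later on this page.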
4. Metadata Service Exploitation (IMDS)
Cloud instances have metadata services that provide credentials:
```bash
# AWS Instance Metadata Service
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# If SSRF vulnerability exists, attackers can reach this
# Result: Temporary AWS credentials for the instance role
```
Capital One breach (2019): an SSRF vulnerability allowed the attacker to query the metadata service, retrieve the instance role credentials, and access the records of more than 100 million customers.
5. Lateral Movement
Once inside, attackers move across the cloud:
```text
Compromised EC2 → Instance Role Credentials → S3 Access → Data Exfiltration
        ↓
Lambda Functions → Cross-Account Access → Additional Accounts
        ↓
Secrets Manager → Database Credentials → Production Data
```
6. Cryptojacking
Attackers use compromised cloud resources for cryptocurrency mining:
- TRIPLESTRENGTH (M-Trends 2025): Uses stolen credentials to spin up instances for mining
- Cost explosion: Victims see $10,000+ bills overnight
- Detection: Unusual compute usage, instances in unexpected regions
Cloud-Specific Attack Techniques
| Technique | Target | Mitigation |
|---|---|---|
| Credential stuffing | Cloud consoles | MFA, conditional access |
| Instance metadata abuse | EC2, VMs | IMDSv2, block metadata access |
| Snapshot copying | EBS, disks | Encrypt snapshots, IAM controls |
| Lambda event injection | Serverless | Input validation, least privilege |
| Cross-account confusion | IAM roles | External ID, trust policies |
| Bucket enumeration | S3, Blob | Unique bucket names, access logs |
Threat Actor Motivations
Understanding why attackers target clouds:
| Motivation | Target | Example Groups |
|---|---|---|
| Data theft | Customer data, IP | APT groups, ransomware |
| Cryptomining | Compute resources | TRIPLESTRENGTH |
| Ransomware | Business disruption | Codefinger |
| Espionage | Government, defense | Nation-state actors |
| Hacktivism | Public exposure | Various |
Defense Priorities
Based on threat intelligence, focus here first:
- Credential protection - MFA everywhere, rotate keys, monitor usage
- Configuration validation - Use CSPM tools, CIS benchmarks
- Least privilege - Review IAM policies, remove unused permissions
- Logging and detection - Enable CloudTrail, set up alerts
- Network segmentation - Restrict blast radius, use VPCs properly
Next, we'll explore the CIS Benchmarks and compliance frameworks that guide secure cloud configurations.