Cloud Security Foundations

Common Cloud Threats & Attack Vectors


Understanding how attackers target cloud environments is essential for defense. The attack surface in the cloud is different from traditional infrastructure—and so are the threats.

The Cloud Threat Landscape

According to incident response data from 2023-2025:

  • Stolen credentials: 36% of cloud incidents (most common initial access)
  • Misconfigurations: 80% of breaches involve configuration errors
  • Poor password controls: 51% of cloud compromises (Google research)
  • AWS dominance: 96% of incidents investigated by Expel occurred in AWS

The pattern is clear: attackers don't hack the cloud—they log in with stolen credentials and exploit misconfigurations.

Top Cloud Attack Vectors

1. Credential Theft & Compromise

This is the most common entry point. Attackers obtain credentials through:

  Method          Description        Example
  ------          -----------        -------
  Phishing        Fake login pages   Office 365 credential harvest
  Leaked secrets  Exposed in code    AWS keys in GitHub
  Malware         Info-stealers      TRIPLESTRENGTH (2024-2025)
  Token theft     Session hijacking  Cookie stealing attacks

Real-world example (January 2025): The Codefinger ransomware group used compromised AWS credentials to encrypt S3 buckets with SSE-C (server-side encryption with customer-provided keys). Because only the attacker held the keys, victims could not decrypt their data without paying the ransom.

2. Public Exposure & Misconfigurations

Resources accidentally exposed to the internet:

# Finding exposed S3 buckets
aws s3 ls s3://company-backup --no-sign-request
# If this works (a listing comes back with no credentials), the bucket is public

# Finding exposed Azure Blob Storage
curl "https://storageaccount.blob.core.windows.net/container?restype=container&comp=list"
# An XML blob listing in the response means the container allows anonymous listing

Statistics:

  • 31% of S3 buckets are publicly accessible (Qualys research)
  • 46% of AWS S3 buckets could be misconfigured and unsafe
  • Football Australia (2024): 127 storage containers exposed via misconfigured S3

3. Over-Privileged IAM

Excessive permissions create blast radius problems:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }]
}

This "admin" policy appears in countless environments. One compromised credential = complete cloud takeover.

4. Metadata Service Exploitation (IMDS)

Cloud instances expose a metadata service that hands out the temporary credentials of the instance's IAM role:

# AWS Instance Metadata Service
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

# If SSRF vulnerability exists, attackers can reach this
# Result: Temporary AWS credentials for the instance role

Capital One breach (2019): an SSRF vulnerability allowed the attacker to query the metadata service, retrieve the instance role's credentials, and access the records of 100+ million customers.
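The standard mitigation is to require IMDSv2 (a session token obtained with a PUT, which a simple SSRF GET cannot perform) and to keep the PUT response hop limit at 1. Whether a fleet actually has that setting can be audited from `aws ec2 describe-instances` output. The Python below is an added example, not code from the original page: it reads each instance's `MetadataOptions` block and lists the instances that still allow IMDSv1, together with the `aws ec2 modify-instance-metadata-options` call that fixes them. The sample output and instance IDs are constructed.

```python
# Constructed sample shaped like `aws ec2 describe-instances` output, trimmed
# to the fields this audit reads. Instance IDs are made up.
DESCRIBE_INSTANCES_SAMPLE = {
    "Reservations": [{
        "Instances": [
            {   # IMDSv1 still allowed and a hop limit of 2: the weak setting
                "InstanceId": "i-0example00000001",
                "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                                    "HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
            },
            {   # IMDSv2 enforced, hop limit 1: the corrected setting
                "InstanceId": "i-0example00000002",
                "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                                    "HttpTokens": "required", "HttpPutResponseHopLimit": 1},
            },
            {   # Metadata endpoint switched off entirely: nothing for an SSRF to reach
                "InstanceId": "i-0example00000003",
                "MetadataOptions": {"State": "applied", "HttpEndpoint": "disabled",
                                    "HttpTokens": "optional", "HttpPutResponseHopLimit": 1},
            },
        ]
    }]
}


def remediation_command(instance_id):
    """The AWS CLI call that enforces IMDSv2 on one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-put-response-hop-limit 1 --http-endpoint enabled")


def audit_imds(describe_output, max_hop_limit=1):
    """Return one finding per instance whose metadata options still expose IMDSv1."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata service at all: not reachable from the instance
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 allowed: a plain GET from an SSRF returns role credentials")
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if hop > max_hop_limit:
                problems.append(f"hop limit {hop}: IMDSv2 PUT responses can travel beyond "
                                "the instance itself (e.g. into bridged containers)")
            if problems:
                findings.append({"InstanceId": inst["InstanceId"], "problems": problems,
                                 "fix": remediation_command(inst["InstanceId"])})
    return findings


if __name__ == "__main__":
    for finding in audit_imds(DESCRIBE_INSTANCES_SAMPLE):
        print(finding["InstanceId"])
        for problem in finding["problems"]:
            print("  -", problem)
        print("  fix:", finding["fix"])
```

Run it against the real JSON (`aws ec2 describe-instances --output json`) per region; instances launched from a launch template or Auto Scaling group should have IMDSv2 set in the template as well, or the audit will keep finding new instances.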

5. Lateral Movement

Once inside, attackers move across the cloud:

Compromised EC2 → Instance Role Credentials → S3 Access → Data Exfiltration
Lambda Functions → Cross-Account Access → Additional Accounts
Secrets Manager → Database Credentials → Production Data

6. Cryptojacking

Attackers use compromised cloud resources for cryptocurrency mining:

  • TRIPLESTRENGTH (M-Trends 2025): Uses stolen credentials to spin up instances for mining
  • Cost explosion: Victims see $10,000+ bills overnight
  • Detection: Unusual compute usage, instances in unexpected regions
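The two detection hints above, unusual compute and instances in unexpected regions, map directly onto CloudTrail `RunInstances` events, which also serves priority 4 below (enable CloudTrail, set up alerts). The following rule is an added example, not code from the original page: it scans a batch of events and raises an alert when a launch lands in a region the organisation does not use, asks for a GPU instance family, or requests more instances in one call than a threshold. The events, account ID, ARNs, IP addresses, approved-region list and per-call threshold are constructed assumptions; treating `p*`/`g*` families as GPU is a simplification of the real instance catalogue.

```python
# Constructed CloudTrail events, trimmed to the fields used here. Account ID,
# ARNs and IP addresses are documentation placeholders, not real values.
CLOUDTRAIL_SAMPLE = [
    {"eventTime": "2025-02-14T09:12:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/ci"},
     "requestParameters": {"instanceType": "t3.medium",
                           "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}},
    {"eventTime": "2025-02-14T03:41:00Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"instanceType": "p3.16xlarge",
                           "instancesSet": {"items": [{"minCount": 8, "maxCount": 8}]}}},
    {"eventTime": "2025-02-14T03:42:00Z", "eventName": "DescribeInstances", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {}},
    {"eventTime": "2025-02-14T10:05:00Z", "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/ci"},
     "requestParameters": {"instanceType": "c5.large",
                           "instancesSet": {"items": [{"minCount": 20, "maxCount": 20}]}}},
]

APPROVED_REGIONS = {"us-east-1", "eu-west-1"}  # assumption: where this org actually runs
MAX_INSTANCES_PER_CALL = 5                     # assumption: larger launches are reviewed


def instance_family(instance_type):
    """'p3.16xlarge' -> 'p3'."""
    return instance_type.split(".")[0]


def is_gpu_family(family):
    """Simplified heuristic: AWS GPU families start with 'p' or 'g'."""
    return family[:1] in ("p", "g")


def detect_suspicious_launches(events, approved_regions=APPROVED_REGIONS,
                               max_instances=MAX_INSTANCES_PER_CALL):
    """Return an alert for every RunInstances event that matches a cryptojacking indicator."""
    alerts = []
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        reasons = []
        region = ev.get("awsRegion")
        if region not in approved_regions:
            reasons.append(f"launch in unapproved region {region}")
        params = ev.get("requestParameters") or {}
        itype = params.get("instanceType", "")
        if itype and is_gpu_family(instance_family(itype)):
            reasons.append(f"GPU instance type {itype}")
        items = (params.get("instancesSet") or {}).get("items", [])
        requested = sum(item.get("maxCount", 1) for item in items)
        if requested > max_instances:
            reasons.append(f"{requested} instances requested in one call")
        if reasons:
            alerts.append({"eventTime": ev["eventTime"],
                           "actor": ev["userIdentity"]["arn"],
                           "sourceIP": ev["sourceIPAddress"],
                           "region": region,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_launches(CLOUDTRAIL_SAMPLE):
        print(f"{alert['eventTime']} {alert['actor']} from {alert['sourceIP']} in {alert['region']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

A launch that trips several indicators at once (off-hours, unapproved region, GPU family, bulk count, IAM user rather than an assumed role) is the profile the text describes; a single indicator is usually a deployment that simply needs a documented exception.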

Cloud-Specific Attack Techniques

  Technique                Target          Mitigation
  ---------                ------          ----------
  Credential stuffing      Cloud consoles  MFA, conditional access
  Instance metadata abuse  EC2, VMs        IMDSv2, block metadata access
  Snapshot copying         EBS, disks      Encrypt snapshots, IAM controls
  Lambda event injection   Serverless      Input validation, least privilege
  Cross-account confusion  IAM roles       External ID, trust policies
  Bucket enumeration       S3, Blob        Unique bucket names, access logs

Threat Actor Motivations

Understanding why attackers target clouds:

  Motivation    Target               Example Groups
  ----------    ------               --------------
  Data theft    Customer data, IP    APT groups, ransomware
  Cryptomining  Compute resources    TRIPLESTRENGTH
  Ransomware    Business disruption  Codefinger
  Espionage     Government, defense  Nation-state actors
  Hacktivism    Public exposure      Various

Defense Priorities

Based on threat intelligence, focus here first:

  1. Credential protection - MFA everywhere, rotate keys, monitor usage
  2. Configuration validation - Use CSPM tools, CIS benchmarks
  3. Least privilege - Review IAM policies, remove unused permissions
  4. Logging and detection - Enable CloudTrail, set up alerts
  5. Network segmentation - Restrict blast radius, use VPCs properly

Next, we'll explore the CIS Benchmarks and compliance frameworks that guide secure cloud configurations.
