AV-10 · Cloud misconfiguration and identity abuse

Cloud environments get compromised through over-permissioned roles, leaked keys, exposed storage, and control-plane actions that look like normal admin work until they're not. The control plane itself is the attack surface.

$ action: Harden cloud identities, reduce standing privilege, monitor control-plane changes continuously, and validate exposed resources and configuration drift on a regular cadence.

1. Why Cloud Misconfiguration Risk Persists

Cloud platforms offer speed and flexibility at the cost of configuration surface area. Access policies, IAM roles, storage permissions, networking rules, and managed service settings all change frequently — and any of them can become an attack path when defaults are too broad or changes aren't reviewed.

Cloud compromise often starts with identity abuse: a stolen access key, a leaked service account credential, an over-permissioned role attached to a public-facing compute instance. Once an attacker reaches the control plane, they may be able to enumerate resources, modify security controls, and create persistence — all through legitimate API calls.

Cloud governance is often split across teams, which means nobody has a complete picture. Security doesn't know what dev ops deployed. Platform doesn't know what the application team's CI/CD pipeline does. That fragmentation lets dangerous permissions accumulate until an attacker finds them.

2. What Attackers Can Do in Cloud Identity / Config Scenarios

Attackers with cloud control-plane access can enumerate buckets, read sensitive storage, create admin users or access keys, modify security groups to expose internal services, disable logging, snapshot and export data, or establish persistent IAM principals for re-entry. None of this requires endpoint compromise or custom malware.

Many cloud attacks blend into normal operations. An admin console login, an IAM policy update, a security group change — these happen legitimately every day. Detecting abuse means watching for the combination of who did it, from where, when, and whether it matches an approved change.

The most important evidence is in audit trails and identity logs, not endpoint telemetry. If you're not collecting cloud control-plane logs and retaining them long enough to investigate, you're effectively blind to this category of attack.

3. How Defenders Mitigate Cloud Attack Paths

Apply least privilege to cloud roles and service accounts. Reduce standing admin access for humans — use just-in-time elevation where the platform supports it. Require strong MFA for console access. Separate deployment, operations, and security administration duties where practical.

Build baselines for normal admin workflows and alert on deviations. The most useful signals are: who normally makes changes versus who just made this change, what resources they normally touch, and what time of day these changes typically happen.

Cloud security is operational, not a one-time configuration task. Expose drift continuously. Check permissions, public exposure, and control-plane changes on a cadence that matches how fast your environment changes.

detection-signals

$Cloud audit logs show a console login or API call from an IP or user agent not in the principal's recent history — especially for admin or IAM-privileged accounts.
$A new IAM user, access key, or role is created outside of a documented change window or by a principal that doesn't normally manage identity.
$Audit logging, CloudTrail, or equivalent is disabled, modified, or a monitoring guardrail is removed — particularly suspicious when paired with other activity.
$A storage bucket, database, or cloud service is made publicly accessible via a security group or policy change that wasn't present in the previous config review.
$Object listing, snapshotting, or bulk data access appears against sensitive resources by a principal that has never accessed them before.

telemetry-sources

$Cloud audit trails / control-plane logs (API calls, console actions, IAM changes).
$Identity provider and cloud SSO logs for admin authentication events.
$Cloud network flow logs and load balancer logs.
$Configuration drift / CSPM findings and infrastructure-as-code change reviews.
$Application and storage access logs for sensitive resources.

recommended-tools-and-guides

open Wazuh Aggregate host and cloud-integrated logs for correlation in hybrid environments. open Sigma Create portable detections for suspicious IAM and control-plane change patterns. open Nmap Validate externally exposed services related to cloud workloads and edge components. open SpiderFoot Support external exposure and asset discovery learning for internet-facing cloud assets. open /learning/frameworks/nist-csf-governance-operations Use framework structure to assign ownership for cloud governance, detect, and respond functions.

related-learning-modules

Build fundamentals and workflows that directly support defending against this threat pattern.

open /learning/exploit-informed-remediation-and-asset-criticality-tagging Exploit-Informed Remediation and Asset Criticality Tagging open /learning/linux-windows-logging-basics-for-defenders Linux and Windows Logging Basics for Defenders open /learning/threat-informed-defense-attack-technique-mapping Threat-Informed Defense Using ATT&CK-Style Technique Mapping

related-tool-pages

Use these detailed tool guides to practice safe validation, evidence collection, and triage workflows for this threat.

open /learning/tools/wazuh Wazuh open /learning/tools/sigma Sigma open /learning/tools/nmap Nmap open /learning/tools/spiderfoot SpiderFoot

lab-safe-detection-workflows

These commands are for learning, validation, and defensive triage in your own lab or authorized environment. Adapt to your tooling and log locations.

Cloud incident tracking worksheet (control-plane triage)

printf "time,actor,action,resource,expected_change,evidence,next_step\n" > cloud-control-plane-triage.csv
printf "resource,exposure,owner,criticality,last_review\n" > cloud-exposure-baseline.csv

$ why: Cloud incidents move quickly; structured tracking of who changed what and whether it was expected is essential for clean triage.

Internet-facing validation for cloud-hosted service (authorized target)

nmap -sV -Pn cloud-app.example.com
tshark -r cloud-app-sample.pcap -Y tls.handshake -T fields -e ip.dst -e tls.handshake.extensions_server_name || true

$ why: Pair cloud control-plane reviews with direct validation of exposed service behavior and TLS/application metadata.

triage-questions

?Was this control-plane action expected, approved, and performed by the correct identity from a recognized location?
?Did an IAM or network policy change create a new access path or expose a resource that was previously restricted?
?Were logging or guardrail controls modified before or during the suspicious activity — potentially to reduce visibility?
?What high-value data or resources were accessible to the abused role or account, and for how long?
?What's the fastest containment action: revoke the access key, disable the role, revert the policy change, or isolate the workload?

defender-actions.checklist

$Enforce MFA and strong controls for cloud administrators.
$Reduce over-permissioned roles and long-lived credentials.
$Monitor control-plane changes and logging/guardrail tampering.
$Continuously validate cloud exposure and configuration drift.
$Map cloud attack paths and response steps in runbooks before incidents occur.

study-workflow

Learn what normal behavior looks like for this area (auth, exposure, config, or internal traffic).
Identify the logs and telemetry that should show the behavior.
Practice one safe validation in a lab or authorized environment.
Write a short playbook for detection, triage, and response.
Review the related tool guides under /learning/tools.

<- previous threat AV-09 · DDoS and service exhaustion attacks -> next threat AV-11 · DNS abuse, tunneling, and command-and-control