Skip to content

Services, Wiki-Artikel, Blog-Beiträge und Glossar-Einträge durchsuchen

↑↓NavigierenEnterÖffnenESCSchließen
Cloud-Sicherheit Glossary

Cloud Security - Sicherheit in AWS, Azure und GCP

Cloud security addresses the shared responsibility model: Cloud providers secure the infrastructure, while customers secure their data, configurations, identities, and applications. Most common vulnerabilities: misconfigurations (public S3 buckets, permissive security groups), excessive IAM permissions, lack of encryption, no MFA for root. CSPM tools (Defender for Cloud, AWS Security Hub, Wiz) detect deviations. CSMA, CWPP, and CIEM as security categories.

Cloud security is one of the most critical and most underestimated security challenges: An attacker only needs to find one misconfigured S3 bucket—while companies must configure thousands correctly.

Shared Responsibility Model

AWS Shared Responsibility

AWS secures ("Security of the Cloud"):

  • Physical data centers, hardware, network infrastructure
  • Hypervisor, host operating system
  • Core services (S3 infrastructure, EC2 hardware)

Customer secures ("Security IN the Cloud"):

  • Operating system on EC2 (patches!)
  • Application code
  • Configuration of AWS services
  • Data encryption (at rest + in transit)
  • IAM permissions (who is allowed to do what?)
  • Network configuration (Security Groups, NACLs)
  • Data and backups

> Misconception: 99% of cloud security incidents are caused by customer errors—AWS/Azure were NOT hacked. Gartner: "By 2025: 99% of all cloud security incidents will be caused by customer errors."

Responsibility by Service Type

Service TypeExamplesCustomer Responsible for
IaaS (Infrastructure as a Service)AWS EC2, Azure VMsOS, middleware, apps, data, config
PaaS (Platform as a Service)AWS RDS, Azure App ServiceApps, data, configuration (no OS patching!)
SaaS (Software as a Service)Microsoft 365, SalesforceData, access, configuration - NOTE: Create your own backup!

Most Common Cloud Misconfigurations

S3 Bucket Misconfigurations (AWS)

  • Public Read: Sensitive data visible to everyone
  • Public Write: Anyone can upload files (costs, content!)
  • No Encryption: Data stored unencrypted
# Check:
aws s3api get-bucket-policy --bucket my-bucket
aws s3api get-bucket-acl --bucket my-bucket

# Fix - Block Public Access to S3 (Account Level):
aws s3control put-public-access-block \
    --account-id 123456789012 \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,\
    BlockPublicPolicy=true,RestrictPublicBuckets=true"

Security Group Misconfigurations

  • CRITICAL: SSH (Port 22) open to 0.0.0.0/0
  • CRITICAL: RDP (Port 3389) open to 0.0.0.0/0
  • CRITICAL: All ports open to 0.0.0.0/0
# Check:
aws ec2 describe-security-groups --query \
    "SecurityGroups[?IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']]]"

# Fix: Bastion Host + SSH only from known IPs:
aws ec2 revoke-security-group-ingress \
    --group-id sg-xxx --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
    --group-id sg-xxx --protocol tcp --port 22 --cidr 10.0.1.0/24

IAM Misconfigurations

  • CRITICAL: Root account without MFA
  • CRITICAL: Access keys for root account
  • CRITICAL: IAM user with AdministratorAccess (does it really need EVERYTHING?)
  • CRITICAL: IAM keys committed to code (GitHub!)
# Check root MFA:
aws iam get-account-summary | grep AccountMFAEnabled
# Should be: 1 (enabled), not 0 (disabled!)

# IAM Credential Report:
aws iam generate-credential-report
aws iam get-credential-report --query Content --output text | base64 -d
# Shows: all users, last use, MFA status, keys

Missing Encryption

  • Unencrypted EBS volumes
  • RDS without Storage Encryption
  • S3 without SSE-KMS
  • Lambda environment variables containing secrets (without KMS)
# Fix: Enable default encryption:
aws ec2 enable-ebs-encryption-by-default

CSPM - Cloud Security Posture Management

AWS Security Hub

Aggregates findings from: AWS Config, GuardDuty, Inspector, Macie. Benchmarks: CIS AWS Foundations, AWS Foundational Security Best Practices.

# Enable:
aws securityhub enable-security-hub \
    --enable-default-standards

Important Controls (Examples):

  • [CIS] 1.1: Avoid root account usage
  • [CIS] 2.1: Ensure CloudTrail is enabled
  • [CIS] 2.3: Ensure CloudTrail log file validation is enabled
  • [FSBP] S3.1: S3 Block Public Access settings enabled

Microsoft Defender for Cloud

  • Azure + AWS + GCP (Multi-Cloud CSPM!)
  • Secure Score: security status as a percentage
  • Recommendations: prioritized by impact
  • Compliance: CIS, ISO 27001, PCI DSS, NIST
  • Integration: Microsoft Sentinel (SIEM)

Wiz (Next-Gen CSPM)

  • Agentless: no agent installation required!
  • Graph-based: shows attack paths across the cloud
  • Identifies combined risks (missing MFA + permissive security group + public S3)
  • "Attack Path": "S3 public → instance metadata → IAM Admin"

Prisma Cloud (Palo Alto)

  • CSPM + CWPP (Workload Protection) + CIEM combined
  • Code Security: Scan Terraform/CloudFormation before deployment
  • Shift-Left: Detect misconfigurations in the pipeline

Open Source Tools

# Prowler:
pip install prowler
prowler aws -M csv json-asff html
# Checks 300+ controls for AWS

# ScoutSuite:
pip install scoutsuite
scout aws
# Multi-Cloud: AWS, Azure, GCP, Alibaba

Cloud Penetration Testing

Recon / Enumeration

  • Company’s public S3 buckets: grayhatwarfare.com or aws s3 ls s3://company-*
  • Subdomain takeover: CNAME pointing to a non-existent cloud resource
  • DNS: Which cloud IPs are being used?
  • Certificate Transparency: Which subdomains?

IAM Analysis (using client credentials)

  • What permissions does the test user have?
  • Is privilege escalation possible? (IAM Playground by Rhino Security)
  • Unused permissions (Access Analyzer)
  • PassRole permission: potential escalation
# IAM Simulator:
aws iam simulate-principal-policy \
    --policy-source-arn arn:aws:iam::123456789012:user/test \
    --action-names s3:PutObject iam:CreateUser

Metadata Service (SSRF attack)

EC2 Instance Metadata Service (IMDSv1) is vulnerable to SSRF attacks - http://169.254.169.254/latest/meta-data/iam/security-credentials/ returns temporary credentials for the EC2 role.

# Fix: Force IMDSv2 (PUT request, token required):
aws ec2 modify-instance-metadata-options \
    --instance-id i-xxx \
    --http-tokens required \
    --http-endpoint enabled

Container Security (ECS/EKS)

  • Public container images: known vulnerabilities?
  • Pod security: privileged containers?
  • Kubernetes RBAC: overly broad permissions?
  • Secrets in Kubernetes Secrets (unencrypted in etcd!)

Typical Findings

  • S3 bucket with internal backups: publicly readable
  • EC2 with IMDSv1: SSRF → temporary AWS credentials
  • Lambda function: Secrets in environment variables (no KMS)
  • RDS: Security Group allows 0.0.0.0/0 on port 3306
  • IAM User: AdministratorAccess + no MFA + 2-year-old key
  • CloudTrail: not enabled in all regions (blind spots!)

AWARE7 Services on This Topic

Penetrationstest ISO 27001 Beratung
Back to Glossary Book a free consultation