## Shared Responsibility Model

Cloud provider responsible for:

- Physical infrastructure
- Hypervisor
- Network controls
- Managed service security

Customer responsible for:

- Data encryption
- IAM (identity & access)
- OS patching (IaaS)
- Application security
- Network configuration
## IAM Best Practices (AWS)

- ✓ Enable MFA on the root account, always
- ✓ Never use root for daily tasks
- ✓ Grant least privilege
- ✓ Use IAM roles instead of access keys for EC2
- ✓ Rotate access keys regularly
- ✓ Use IAM Access Analyzer
- ✓ Enable CloudTrail in all regions
## High-Risk IAM Permissions (Privilege Escalation Vectors)

```text
iam:*                                  # Full IAM control
iam:CreateAccessKey                    # Create credentials for other users
iam:AttachUserPolicy                   # Attach admin policy to self
iam:PassRole                           # Pass a privileged role to a service
sts:AssumeRole                         # Assume other roles
lambda:CreateFunction + iam:PassRole   # Privesc via Lambda
```
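To turn the list above into an audit check, here is an added example (written for this page, not code from the original) that scans an IAM policy document, such as the JSON returned by `aws iam get-policy-version` or `aws iam get-user-policy`, for these actions. It expands IAM wildcards (`*`, `iam:*`, `iam:Pass*`), treats `Allow` + `NotAction` as a full grant, honours unconditioned explicit `Deny` statements, records whether a grant carries a `Condition`, and reports the `lambda:CreateFunction` + `iam:PassRole` combination. `SAMPLE_POLICY` is constructed.

```python
"""Audit an IAM policy document for the high-risk actions listed above.
Added example; SAMPLE_POLICY is constructed, not taken from a real account."""
import fnmatch
import json

# Action -> why it matters (mirrors the cheat sheet)
HIGH_RISK_ACTIONS = {
    "iam:CreateAccessKey":   "create credentials for other users",
    "iam:AttachUserPolicy":  "attach an admin policy to self",
    "iam:PassRole":          "pass a privileged role to a service",
    "sts:AssumeRole":        "assume other roles",
    "lambda:CreateFunction": "with iam:PassRole, run code as a passed role",
}

# Sets of actions that together form an escalation path
ESCALATION_COMBOS = [
    ({"lambda:CreateFunction", "iam:PassRole"}, "privesc via Lambda"),
]


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action, etc."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_patterns(policy):
    """Yield (action_pattern, has_condition) for every Allow grant."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        conditioned = bool(stmt.get("Condition"))
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions;
            # treat it as a full wildcard so it is never missed.
            yield "*", conditioned
            continue
        for pattern in _as_list(stmt.get("Action")):
            yield pattern, conditioned


def denied_patterns(policy):
    """Unconditioned Deny patterns; an explicit Deny overrides any Allow."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Deny" and not stmt.get("Condition"):
            for pattern in _as_list(stmt.get("Action")):
                yield pattern


def _matches(action, pattern):
    # IAM action matching is case-insensitive and uses '*' / '?' wildcards,
    # which fnmatch reproduces (action names contain no '[' characters).
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_high_risk(policy):
    """Return {action: {"via": pattern, "conditioned": bool, "why": str}}
    for each high-risk action the policy effectively allows."""
    denied = list(denied_patterns(policy))
    findings = {}
    for pattern, conditioned in allowed_patterns(policy):
        for action, why in HIGH_RISK_ACTIONS.items():
            if not _matches(action, pattern):
                continue
            if any(_matches(action, d) for d in denied):
                continue
            prev = findings.get(action)
            # Prefer reporting an unconditioned grant over a conditioned one
            if prev is None or (prev["conditioned"] and not conditioned):
                findings[action] = {"via": pattern, "conditioned": conditioned, "why": why}
    return findings


def escalation_paths(findings):
    """Name the escalation combinations fully present in the findings."""
    granted = set(findings)
    return [label for needed, label in ESCALATION_COMBOS if needed <= granted]


# Constructed sample: a "developer" policy that chains into privesc via Lambda
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    hits = find_high_risk(SAMPLE_POLICY)
    print(json.dumps(hits, indent=2))
    print("escalation paths:", escalation_paths(hits))
```

Run it against each customer-managed policy and inline policy in the account; a conditioned `iam:PassRole` is still reported, because the condition only narrows which service receives the role, not what the role itself can do.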
## S3 Bucket Checks

```bash
# Check bucket ACL
aws s3api get-bucket-acl --bucket bucket-name

# Check bucket policy
aws s3api get-bucket-policy --bucket bucket-name

# Check public access block
aws s3api get-public-access-block --bucket bucket-name

# List bucket contents (if public)
aws s3 ls s3://bucket-name --no-sign-request

# Enable versioning
aws s3api put-bucket-versioning --bucket bucket-name \
    --versioning-configuration Status=Enabled
```
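The three checks above each answer only part of the question "is this bucket public?". As an added example (mine, not from the page), the following script combines the saved JSON output of `get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` into one verdict. It knows that the CLI returns the bucket policy as a JSON string under `Policy`, that a missing public access block makes the third call fail, and that only `IgnorePublicAcls` and `RestrictPublicBuckets` neutralise settings that already exist (`BlockPublicAcls` and `BlockPublicPolicy` only reject new ones). All sample data is constructed.

```python
"""Decide whether an S3 bucket is effectively public from the CLI outputs above.
Added example; all sample data below is constructed."""
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Grants to the AllUsers/AuthenticatedUsers groups in get-bucket-acl output."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_response):
    """Allow statements for anonymous principals in get-bucket-policy output.
    The CLI returns the policy document as a JSON *string* under "Policy"."""
    if not policy_response:
        return []
    doc = json.loads(policy_response["Policy"])
    found = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            found.append({"actions": _as_list(stmt.get("Action", [])),
                          "conditioned": bool(stmt.get("Condition"))})
    return found


def assess_bucket(acl, policy_response, pab_response):
    """Combine the three views. pab_response is None when the bucket has no
    public access block (get-public-access-block then fails with
    NoSuchPublicAccessBlockConfiguration), which means nothing is blocked."""
    pab = (pab_response or {}).get("PublicAccessBlockConfiguration", {})
    acl_grants = public_acl_grants(acl)
    policy_stmts = public_policy_statements(policy_response)
    # IgnorePublicAcls neutralises an existing public ACL; RestrictPublicBuckets
    # neutralises an existing public policy. The two Block* flags only reject new ones.
    acl_exposed = bool(acl_grants) and not pab.get("IgnorePublicAcls", False)
    policy_exposed = bool(policy_stmts) and not pab.get("RestrictPublicBuckets", False)
    reasons = []
    if acl_exposed:
        reasons += [f"ACL grants {perm} to {group}" for group, perm in acl_grants]
    if policy_exposed:
        for stmt in policy_stmts:
            # A Condition (e.g. aws:SourceVpc) may narrow "anonymous" to a VPC; flag for review
            note = " (conditioned, review)" if stmt["conditioned"] else ""
            reasons.append("policy allows " + ",".join(stmt["actions"])
                           + " to anonymous principals" + note)
    return {"acl_exposed": acl_exposed, "policy_exposed": policy_exposed,
            "effectively_public": acl_exposed or policy_exposed, "reasons": reasons}


# Constructed samples in the shape the CLI returns
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLEOWNERID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PAB_OFF = {"PublicAccessBlockConfiguration": {k: False for k in PAB_FLAGS}}
PAB_ON = {"PublicAccessBlockConfiguration": {k: True for k in PAB_FLAGS}}

if __name__ == "__main__":
    for label, pab in (("no PAB", None), ("PAB off", PAB_OFF), ("PAB on", PAB_ON)):
        print(label, json.dumps(assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, pab)))
```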
## EC2 Instance Metadata Service (IMDS)

```bash
# IMDSv1 (vulnerable): answers unauthenticated GETs
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/user-data/

# IMDSv2 requires a session token obtained with a PUT:
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" \
    http://169.254.169.254/latest/meta-data/
```

Requiring IMDSv2 in the instance metadata options removes the token-less path, so the IMDSv1 URLs above stop returning credentials.
## CloudTrail Events to Monitor

```text
ConsoleLogin                    # Web console logins
CreateUser / DeleteUser         # IAM changes
AttachUserPolicy                # Permission changes
CreateAccessKey                 # New credentials created
StopLogging                     # Attacker disabling audit trail
PutBucketAcl                    # S3 ACL changes
AuthorizeSecurityGroupIngress   # Firewall rule added
```
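The list above is a watchlist; the added example below (not code from the original page) runs it over CloudTrail records and raises the severity where the record's own fields say more: a successful `ConsoleLogin` whose `additionalEventData.MFAUsed` is `No`, any event performed with root credentials (`userIdentity.type` of `Root`), and a `CreateAccessKey` whose `requestParameters.userName` differs from the actor. The severity scale is this example's own, and `SAMPLE_RECORDS` is constructed in the CloudTrail record shape; `load_records` reads the gzipped `.json.gz` files CloudTrail delivers to S3.

```python
"""Triage CloudTrail records for the events listed above.
Added example; SAMPLE_RECORDS is constructed, not real account activity."""
import gzip
import json

# eventName -> (base severity, description); the severity scale is this example's own
WATCHLIST = {
    "ConsoleLogin": ("medium", "web console login"),
    "CreateUser": ("medium", "IAM user created"),
    "DeleteUser": ("medium", "IAM user deleted"),
    "AttachUserPolicy": ("high", "permissions changed"),
    "CreateAccessKey": ("high", "new credentials created"),
    "StopLogging": ("critical", "audit trail disabled"),
    "PutBucketAcl": ("high", "S3 ACL changed"),
    "AuthorizeSecurityGroupIngress": ("medium", "firewall rule added"),
}
LEVELS = ["low", "medium", "high", "critical"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def load_records(path):
    """Read one CloudTrail log file (the .json.gz objects delivered to S3)."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


def _bump(severity):
    """Raise one level, capped at critical."""
    return LEVELS[min(RANK[severity] + 1, len(LEVELS) - 1)]


def triage(records):
    """Return alerts for watchlisted events, most severe first."""
    alerts = []
    for rec in records:
        name = rec.get("eventName")
        if name not in WATCHLIST:
            continue
        severity, desc = WATCHLIST[name]
        ident = rec.get("userIdentity", {})
        notes = []
        if name == "ConsoleLogin":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                notes.append("failed login")
            elif rec.get("additionalEventData", {}).get("MFAUsed") == "No":
                severity = _bump(severity)
                notes.append("login without MFA")
        if ident.get("type") == "Root":
            severity = _bump(severity)
            notes.append("root credentials used")
        if name == "CreateAccessKey":
            target = rec.get("requestParameters", {}).get("userName")
            actor = ident.get("userName")
            if target and actor and target != actor:
                severity = _bump(severity)
                notes.append(f"key created for another user ({target})")
        alerts.append({
            "time": rec.get("eventTime"), "eventName": name, "severity": severity,
            "actor": ident.get("arn", ident.get("type")),
            "sourceIP": rec.get("sourceIPAddress"), "description": desc, "notes": notes,
        })
    # sorted() is stable, so equal severities keep log order
    return sorted(alerts, key=lambda a: -RANK[a["severity"]])


# Constructed records (field layout follows CloudTrail; values are made up)
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T08:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T08:05:00Z", "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}},
    {"eventTime": "2024-01-01T08:06:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "charlie"}},
    {"eventTime": "2024-01-01T08:07:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/x"}},
    {"eventTime": "2024-01-01T08:08:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/x"}},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert["severity"].upper(), alert["eventName"], alert["actor"], alert["notes"])
```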
## AWS Security Services

| Service | Purpose |
|---|---|
| CloudTrail | API audit logging |
| GuardDuty | Threat detection |
| Security Hub | Centralized findings |
| Config | Resource configuration compliance |
| Inspector | Vulnerability assessment |
| Macie | S3 data classification |
| WAF | Web application firewall |
| Shield | DDoS protection |
## Azure Security Services

| Service | Purpose |
|---|---|
| Microsoft Defender for Cloud | CSPM + threat protection |
| Azure Sentinel | SIEM/SOAR |
| Azure AD | Identity management |
| Key Vault | Secrets management |
| Azure Policy | Compliance enforcement |
| NSG | Network Security Groups |
## Azure AD Hardening

- ✓ Enable Conditional Access policies
- ✓ Require MFA for all users
- ✓ Enable Identity Protection
- ✓ Use Privileged Identity Management (PIM)
- ✓ Monitor sign-in risk reports
- ✓ Disable legacy authentication protocols
## Common Cloud Misconfigurations

- S3 buckets with public read/write
- Overly permissive IAM roles
- Exposed cloud metadata endpoints
- Open security groups (0.0.0.0/0 on all ports)
- Unencrypted storage volumes
- Disabled audit logging
- Hardcoded credentials in code/env vars
- Default VPC used in production
- No MFA on privileged accounts
- Unrestricted outbound traffic
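Two items in the list above, open security groups and unrestricted outbound traffic, can be checked from the same data. The added example below (mine, not from the page) walks `aws ec2 describe-security-groups` output and reports every ingress or egress rule whose source or destination is `0.0.0.0/0` or `::/0`, distinguishing "all ports" (`IpProtocol` of `-1`, or a `0-65535` range) from a single service port, and rating ingress higher than egress. `SAMPLE_DESCRIBE` is constructed.

```python
"""Find security-group rules open to the world in describe-security-groups output.
Added example; SAMPLE_DESCRIBE is constructed."""
import json

WORLD = {"0.0.0.0/0", "::/0"}


def _world_ranges(perm):
    """CIDRs in this rule that mean 'anywhere' (IPv4 and IPv6)."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def _describe_ports(perm):
    """Return (label, covers_all_ports) for a rule's protocol/port fields."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols; FromPort/ToPort are absent
        return "all traffic", True
    if proto in ("icmp", "icmpv6"):        # FromPort/ToPort hold ICMP type/code here
        return proto, False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if (lo, hi) == (0, 65535):
        return f"{proto} all ports", True
    label = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
    return label, False


def open_rules(describe_output):
    """Flag world-reachable rules. Severity scale is this example's own:
    ingress all ports > ingress one port > egress all ports > egress one port."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                cidrs = _world_ranges(perm)
                if not cidrs:
                    continue
                label, all_ports = _describe_ports(perm)
                if direction == "ingress":
                    severity = "critical" if all_ports else "high"
                else:
                    severity = "medium" if all_ports else "low"
                findings.append({
                    "group": sg.get("GroupId"), "name": sg.get("GroupName"),
                    "direction": direction, "ports": label, "cidrs": sorted(cidrs),
                    "severity": severity,
                })
    return findings


# Constructed sample in the shape the CLI returns
SAMPLE_DESCRIBE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "wide-open",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "internal-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

if __name__ == "__main__":
    print(json.dumps(open_rules(SAMPLE_DESCRIBE), indent=2))
```

Feed it `aws ec2 describe-security-groups --output json` per region; the `internal-db` group shows the edge case that matters, its ingress is private but its egress to `tcp/443` anywhere is still reported (low), which is what the "unrestricted outbound traffic" item is about.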
## AWS Account Enumeration (Inventory)

```bash
# Who am I?
aws sts get-caller-identity

# List users
aws iam list-users

# List roles
aws iam list-roles

# List buckets
aws s3 ls

# List EC2 instances
aws ec2 describe-instances

# List Lambda functions
aws lambda list-functions

# List secrets
aws secretsmanager list-secrets

# Check policies attached to a user
aws iam list-attached-user-policies --user-name USERNAME
```
## Secrets Management

```bash
# Retrieve a secret from AWS Secrets Manager
aws secretsmanager get-secret-value --secret-id MySecret
```

Never store secrets in:

- ✗ Source code
- ✗ Environment variables (for long-lived secrets)
- ✗ S3 public buckets
- ✗ EC2 user data
- ✗ Docker images

Use instead:

- ✓ AWS Secrets Manager
- ✓ AWS Parameter Store
- ✓ Azure Key Vault
- ✓ HashiCorp Vault