Dangerous by Design Cloud Security Flaws We Keep Repeating

Sena Yakut

June 29, 2025

Transcript

  1. Obviously... Publicly Accessible Resources
     • S3 buckets with public read/write permissions
     • Open RDS/Elasticsearch/OpenSearch endpoints
     • Public EC2 instances with port 22/3389 exposed
     • Unrestricted security groups (0.0.0.0/0)
     • Misconfigured CDN or load balancer settings
     • Cloud Storage misconfigurations (GCP/Azure blobs)
  2. Obviously... Publicly Accessible Resources: "The Bucket That Bit Back"
     A developer created a public S3 bucket to share marketing assets. However, the same bucket also contained internal documents. A threat actor found it via a public bucket scanner, downloaded sensitive company roadmaps, and posted them online, triggering an internal investigation and reputation damage.
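Two of the exposures on the slide (a bucket policy that grants to everyone, and a security group that opens SSH/RDP to the world) can be caught from the inventory data the cloud API already returns. The check below is an added example written for this page, not code from the deck or its author: it operates on dictionaries shaped like the AWS `GetBucketPolicy` document and a `DescribeSecurityGroups` entry, and the two sample inputs are constructed here (the `vpce-EXAMPLE` and `sg-EXAMPLE` identifiers are placeholders). A Condition block on a statement is treated as a restriction, so only unconditional public grants are reported.

```python
import ipaddress

# Admin ports that should never be reachable from the whole internet.
ADMIN_PORTS = (22, 3389)


def _principals(statement):
    """Normalise the Principal element to a list of principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def public_statements(policy_doc):
    """Return the Sids of Allow statements granted to everyone ("*") that carry
    no Condition block. Any Condition counts as a restriction, so this is a
    conservative check: it flags only unconditional public grants."""
    hits = []
    for st in policy_doc.get("Statement", []):
        if st.get("Effect") == "Allow" and "*" in _principals(st) and not st.get("Condition"):
            hits.append(st.get("Sid", "<no-sid>"))
    return hits


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0 (a zero-length prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_admin_rules(security_group):
    """Return (port, cidr) pairs where SSH/RDP, or all traffic, is allowed from
    anywhere on the internet."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not _is_world(cidr):
                continue
            if perm.get("IpProtocol") == "-1":  # "-1" means every protocol and port
                findings.append(("all", cidr))
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            for port in ADMIN_PORTS:
                if lo is not None and hi is not None and lo <= port <= hi:
                    findings.append((port, cidr))
    return findings


# Constructed sample inputs (placeholder identifiers, not real resources).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "MarketingAssets", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"},
        {"Sid": "CdnOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
}
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
    print("open admin rules:", open_admin_rules(SAMPLE_SG))
```

The 443 rule is deliberately not reported: a public HTTPS listener is usually intended, while a public 22 or 3389 almost never is. Feeding real data in is a matter of passing the `Policy` string from `get_bucket_policy` through `json.loads` and the `SecurityGroups` entries from `describe_security_groups` straight to these functions.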
  3. Shadow Cloud Resources
     • Dev/test environments outside IaC
     • Untracked cloud accounts (e.g. marketing-owned)
     • Temporary workloads left running (e.g. experiments)
     • Orphaned resources post-migration
     • BYOD cloud tools (unauthorized SaaS/PaaS usage)
     • Forgotten POCs and abandoned third-party integrations
  4. Shadow Cloud Resources: "The Forgotten Lab"
     The data science team created a dev environment in their own AWS account using company credit cards. The environment ran a temporary ML model with a permissive IAM role. Months later, the account was compromised, and attackers used the forgotten EC2 instances to launch crypto mining attacks, unnoticed for weeks.
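The practical defence against "forgotten labs" is reconciliation: everything running in the account is compared against what infrastructure-as-code knows about and against a tagging policy, and anything unexplained becomes a finding. The function below is an added example for this page, not code from the deck: it takes EC2 instance records in the shape `describe_instances` returns, a set of instance IDs that IaC manages (for example collected from `terraform show -json`), and the required tag keys (`Owner`, `CostCenter`, `Expires` are the example's own policy). All sample instances are constructed.

```python
from datetime import datetime, timedelta, timezone

# Tag keys the example's policy requires on every instance (an assumption of this example).
REQUIRED_TAGS = {"Owner", "CostCenter", "Expires"}


def tags_of(instance):
    """Flatten the EC2 tag list into a dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def shadow_findings(instances, iac_managed_ids, now, max_age_days=30):
    """Return {instance_id: [reasons]} for instances that are not managed by
    IaC, lack ownership tags, are past their Expires date, or have been
    running longer than a temporary workload should without an expiry."""
    findings = {}
    for inst in instances:
        iid = inst["InstanceId"]
        tags = tags_of(inst)
        reasons = []
        if iid not in iac_managed_ids:
            reasons.append("not-in-iac")
        missing = REQUIRED_TAGS - tags.keys()
        if missing:
            reasons.append("missing-tags:" + ",".join(sorted(missing)))
        if "Expires" in tags:
            # Expires is an ISO date (YYYY-MM-DD) in this example's tagging policy.
            expires = datetime.fromisoformat(tags["Expires"]).replace(tzinfo=timezone.utc)
            if expires < now:
                reasons.append("expired")
        elif now - inst["LaunchTime"] > timedelta(days=max_age_days):
            reasons.append("long-running-untagged")
        if reasons:
            findings[iid] = reasons
    return findings


# Constructed sample inventory; IDs and tags are placeholders.
NOW = datetime(2025, 6, 29, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    {"InstanceId": "i-web01", "LaunchTime": NOW - timedelta(days=3),
     "Tags": [{"Key": "Owner", "Value": "platform"},
              {"Key": "CostCenter", "Value": "CC-100"},
              {"Key": "Expires", "Value": "2025-12-31"}]},
    {"InstanceId": "i-mltrain", "LaunchTime": NOW - timedelta(days=120),
     "Tags": [{"Key": "Name", "Value": "experiment"}]},
    {"InstanceId": "i-poc", "LaunchTime": NOW - timedelta(days=40),
     "Tags": [{"Key": "Owner", "Value": "ds-team"},
              {"Key": "CostCenter", "Value": "CC-200"},
              {"Key": "Expires", "Value": "2025-06-01"}]},
]
IAC_MANAGED = {"i-web01"}

if __name__ == "__main__":
    for iid, reasons in shadow_findings(SAMPLE_INSTANCES, IAC_MANAGED, NOW).items():
        print(iid, reasons)
```

Run on a schedule, this turns the slide's "temporary workload left running" into a ticket after `max_age_days` instead of after a bill shock. The same reconciliation idea extends to accounts: an organisation-level list of accounts versus the accounts the security tooling is actually enrolled in.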
  5. Enable Security Services – Then Forget Them
     • GuardDuty enabled but findings ignored
     • AWS Config turned on, no remediation setup
     • Security Hub without aggregation or alerts
     • WAF deployed, no rules maintained
     • Shield Advanced without any playbook
     • No budget for follow-up security team actions
  6. Enable Security Services – Then Forget Them: "GuardDuty Ghosts"
     A security engineer enabled GuardDuty and AWS Config as part of compliance prep. However, alert emails went to a defunct inbox, and no remediation scripts were deployed. Months later, a compromised IAM key was flagged by GuardDuty, but nobody saw it until after data exfiltration occurred.
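The story has two failure points: the finding reached nobody, and nothing acted on it. Both are checkable. The code below is an added example for this page (not from the deck): `triage` is the logic an EventBridge-triggered Lambda would run on a GuardDuty finding event and returns a remediation plan, and `alert_route_is_live` inspects the SNS subscriptions of the alert topic (the `ListSubscriptionsByTopic` shape) to catch the "defunct inbox" case, since an e-mail subscription that was never confirmed shows `SubscriptionArn` of `PendingConfirmation`. The sample event is constructed; the finding type is a real GuardDuty type name, while the IDs and account-specific values are placeholders.

```python
def triage(event):
    """Turn a GuardDuty finding event (EventBridge envelope) into a plan.
    Returns a dict rather than acting, so it can be tested and dry-run."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore", "reason": "not a GuardDuty event"}
    finding = event["detail"]
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    plan = {"finding_id": finding.get("id"), "type": finding.get("type"), "severity": severity}
    # GuardDuty severity: 7.0-8.9 high, 4.0-6.9 medium, below that low.
    if severity >= 7.0 and resource.get("resourceType") == "AccessKey":
        key = resource["accessKeyDetails"]
        plan.update(action="deactivate_key",
                    access_key_id=key["accessKeyId"],
                    user=key.get("userName"))
    elif severity >= 4.0:
        plan["action"] = "page_oncall"
    else:
        plan["action"] = "ticket"
    return plan


def alert_route_is_live(subscriptions):
    """True only if at least one subscription on the alert topic is confirmed.
    Unconfirmed e-mail subscriptions carry the literal 'PendingConfirmation'."""
    dead = (None, "PendingConfirmation", "Deleted")
    return any(s.get("SubscriptionArn") not in dead for s in subscriptions)


def execute(plan, iam_client=None):
    """Apply the plan. With no client this is a dry run; with a boto3 IAM
    client it deactivates the key (update_access_key with Status='Inactive'),
    which is reversible, unlike deleting it."""
    if plan.get("action") != "deactivate_key":
        return f"route:{plan.get('action')}"
    if iam_client is None:
        return f"dry-run: would deactivate {plan['access_key_id']} for {plan['user']}"
    iam_client.update_access_key(UserName=plan["user"],
                                 AccessKeyId=plan["access_key_id"],
                                 Status="Inactive")
    return f"deactivated {plan['access_key_id']}"


# Constructed sample finding event (placeholder IDs).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "finding-PLACEHOLDER",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 8,
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"accessKeyId": "AKIA-PLACEHOLDER",
                                 "userName": "contractor-svc",
                                 "userType": "IAMUser"},
        },
    },
}
# Constructed subscription list: the only subscriber never confirmed the e-mail.
SAMPLE_SUBSCRIPTIONS = [
    {"SubscriptionArn": "PendingConfirmation", "Protocol": "email",
     "Endpoint": "old-secops@example.com"},
]

if __name__ == "__main__":
    print(execute(triage(SAMPLE_EVENT)))
    print("alert route live:", alert_route_is_live(SAMPLE_SUBSCRIPTIONS))
```

The `alert_route_is_live` check belongs in the same periodic job that verifies GuardDuty is still enabled in every region; a topic with zero confirmed subscribers is exactly the silent state in the story.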
  7. Lack of Logging / Monitoring
     • No log, no incident response analysis
     • CloudTrail not centralized or multi-region
     • No VPC Flow Logs for key subnets
     • S3 access logs not enabled
     • Lambda logs not ingested/analyzed
     • No SIEM or alerting integration
     • Logs stored but never reviewed
  8. Lack of Logging / Monitoring: "Silent Breach"
     A production Lambda function was exploited via an unvalidated API input. With no logs ingested into a SIEM and no CloudTrail enabled for the region, the security team was unaware until a customer reported unusual behavior.
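"No CloudTrail for the region" and "no flow logs for key subnets" are configuration states, so they can be audited before an incident rather than discovered during one. The functions below are an added example for this page, not the deck's code: `audit_trails` takes the `trailList` entries from `DescribeTrails` plus the `GetTrailStatus` result per trail, and `vpcs_without_flow_logs` compares a VPC list with `DescribeFlowLogs` output. The sample data is constructed (placeholder names).

```python
def audit_trails(trails, status_by_name):
    """Return a list of findings for CloudTrail configuration gaps.
    A trail that exists but is not logging, has no log-file validation, or
    delivers nowhere a SIEM can read (no CloudWatch Logs group) is flagged,
    and the account as a whole is flagged if no trail is multi-region."""
    if not trails:
        return ["no-trail"]
    findings = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append("no-multi-region-trail")
    for trail in trails:
        name = trail["Name"]
        if not status_by_name.get(name, {}).get("IsLogging"):
            findings.append(f"{name}:not-logging")
        if not trail.get("LogFileValidationEnabled"):
            findings.append(f"{name}:no-log-validation")
        if not trail.get("CloudWatchLogsLogGroupArn"):
            findings.append(f"{name}:no-cloudwatch-delivery")
    return findings


def vpcs_without_flow_logs(vpc_ids, flow_logs):
    """Return VPC IDs that have no ACTIVE flow log attached."""
    covered = {f["ResourceId"] for f in flow_logs if f.get("FlowLogStatus") == "ACTIVE"}
    return sorted(v for v in vpc_ids if v not in covered)


# Constructed sample state: one single-region trail with no CloudWatch delivery,
# and a dev VPC nobody attached flow logs to.
SAMPLE_TRAILS = [
    {"Name": "mgmt-trail", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": True, "S3BucketName": "trail-bucket-PLACEHOLDER",
     "CloudWatchLogsLogGroupArn": None},
]
SAMPLE_STATUS = {"mgmt-trail": {"IsLogging": True}}
SAMPLE_VPCS = ["vpc-prod", "vpc-dev"]
SAMPLE_FLOW_LOGS = [
    {"FlowLogId": "fl-PLACEHOLDER", "ResourceId": "vpc-prod", "FlowLogStatus": "ACTIVE"},
]

if __name__ == "__main__":
    print(audit_trails(SAMPLE_TRAILS, SAMPLE_STATUS))
    print(vpcs_without_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS))
```

A trail that only lands in S3 satisfies "logs stored" on the slide but not "logs reviewed"; the CloudWatch Logs delivery check is there because that is the path most alerting and SIEM ingestion hangs off.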
  9. Misused IAM and Privilege Escalation
     • Overuse of AdministratorAccess
     • Lack of least privilege enforcement
     • Long-lived IAM users with active keys
     • Insecure role assumption policies
     • No session tagging or permissions boundaries
     • No review of IAM Access Analyzer findings
  11. Misused IAM and Privilege Escalation: "The DevOps Shortcut"
     A contractor was granted AdministratorAccess for a "short task." The credentials were leaked via GitHub, and an attacker spun up 100 high-cost instances across multiple regions. The monthly bill spiked to $70,000 before AWS billing alerts were triggered.
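Three of the slide's bullets (admin-level policies, long-lived keys, and insecure role trust) show up in data IAM already exposes: policy documents and the credential report. The code below is an added example for this page, not the deck's: `is_admin_policy` recognises the `Action: "*"` on `Resource: "*"` shape, `stale_access_keys` reads rows with the column names the IAM credential report uses, and `risky_trust_statements` flags a role trust policy that any principal or an unconditioned foreign account can assume. The sample rows, account numbers and ARNs are constructed placeholders.

```python
from datetime import datetime, timezone


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def is_admin_policy(doc):
    """True if any Allow statement grants every action on every resource."""
    for st in doc.get("Statement", []):
        if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action")) \
                and "*" in _as_list(st.get("Resource")):
            return True
    return False


def stale_access_keys(rows, now, max_age_days=90, max_idle_days=30):
    """Rows use the credential report's column names. Report active keys
    older than max_age_days, or never used / idle beyond max_idle_days."""
    findings = []
    for row in rows:
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days
            last_used = row.get(f"access_key_{slot}_last_used_date", "N/A")
            if age > max_age_days:
                findings.append((row["user"], slot, f"age={age}d"))
            elif last_used == "N/A":
                findings.append((row["user"], slot, "unused"))
            elif (now - datetime.fromisoformat(last_used)).days > max_idle_days:
                findings.append((row["user"], slot, "idle"))
    return findings


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def risky_trust_statements(trust_doc, own_account):
    """Flag trust statements assumable by anyone, or by another account with
    no Condition (e.g. no sts:ExternalId) restricting the assumption."""
    issues = []
    for st in trust_doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p == "*":
                issues.append("any-principal")
            elif _account_of(p) != own_account and not st.get("Condition"):
                issues.append(f"cross-account-no-condition:{_account_of(p)}")
    return issues


# Constructed samples (placeholder users, timestamps, accounts).
NOW = datetime(2025, 6, 29, tzinfo=timezone.utc)
SAMPLE_REPORT = [
    {"user": "contractor", "access_key_1_active": "true",
     "access_key_1_last_rotated": "2025-01-15T00:00:00+00:00",
     "access_key_1_last_used_date": "2025-06-28T12:00:00+00:00",
     "access_key_2_active": "false"},
    {"user": "ci-bot", "access_key_1_active": "true",
     "access_key_1_last_rotated": "2025-05-01T00:00:00+00:00",
     "access_key_1_last_used_date": "2025-06-28T12:00:00+00:00",
     "access_key_2_active": "true",
     "access_key_2_last_rotated": "2025-06-01T00:00:00+00:00",
     "access_key_2_last_used_date": "N/A"},
]
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE_TRUST = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER"}}},
]}

if __name__ == "__main__":
    print(is_admin_policy(ADMIN_DOC), stale_access_keys(SAMPLE_REPORT, NOW))
    print(risky_trust_statements(SAMPLE_TRUST, "111111111111"))
```

For the contractor in the story, the first check would have flagged the grant on the day it was made and the second would have flagged the key long before it reached a public repository; a permissions boundary on anything a contractor can create is the complementary control the slide names.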
  12. Inconsistent Patch Management
     • AMIs not updated regularly
     • Containers with outdated packages
     • No automation for OS-level patching
     • Long-lived instances without maintenance
     • Vulnerabilities ignored in CSPM reports
     • No baseline golden image enforcement
  14. Inconsistent Patch Management: "Zombie Containers"
     A web app used an outdated Docker image with a known critical vulnerability. The DevOps pipeline had no image scanning, and patching relied on manual updates. An attacker exploited the flaw to gain shell access and pivot into the internal network.
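The missing pipeline step in the story is a gate that reads the scanner's output and refuses to ship an image with a fixable critical finding; the AMI equivalent is an age check against the golden image. Both are shown below as an added example for this page, not the deck's or any scanner's code. The report shape (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `FixedVersion`, `Severity`) is modelled on the JSON layout Trivy produces, which is an assumption of the example; the CVE IDs, versions and image IDs in the sample data are constructed placeholders.

```python
from datetime import datetime, timezone

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def gate_image(report, fail_at="HIGH", require_fix_available=True):
    """Decide whether an image may be deployed. Blocks on findings at or
    above fail_at; with require_fix_available, only findings that have a
    FixedVersion block (unfixable ones are reported elsewhere, not here)."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if require_fix_available and not vuln.get("FixedVersion"):
                continue
            blocking.append((vuln["VulnerabilityID"], vuln["PkgName"], vuln.get("FixedVersion")))
    return {"passed": not blocking, "blocking": blocking}


def stale_amis(instances, images_by_id, now, max_age_days=30):
    """Return (instance_id, image_id, age_days) for instances launched from
    an AMI older than max_age_days; age is None if the AMI no longer exists."""
    findings = []
    for inst in instances:
        image = images_by_id.get(inst["ImageId"])
        if image is None:
            findings.append((inst["InstanceId"], inst["ImageId"], None))
            continue
        # DescribeImages returns CreationDate as e.g. 2024-12-01T00:00:00.000Z
        created = datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")
        age = (now - created.replace(tzinfo=timezone.utc)).days
        if age > max_age_days:
            findings.append((inst["InstanceId"], inst["ImageId"], age))
    return findings


# Constructed scanner report and inventory (placeholder values).
SAMPLE_REPORT = {"Results": [{"Target": "webapp:PLACEHOLDER", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "PkgName": "openssl",
     "InstalledVersion": "3.0.0", "FixedVersion": "3.0.1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libfoo",
     "InstalledVersion": "1.2", "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-00003", "PkgName": "curl",
     "InstalledVersion": "8.0", "FixedVersion": "8.1", "Severity": "MEDIUM"},
]}]}
NOW = datetime(2025, 6, 29, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [{"InstanceId": "i-web", "ImageId": "ami-old-PLACEHOLDER"},
                    {"InstanceId": "i-api", "ImageId": "ami-new-PLACEHOLDER"}]
SAMPLE_IMAGES = {"ami-old-PLACEHOLDER": {"CreationDate": "2024-12-01T00:00:00.000Z"},
                 "ami-new-PLACEHOLDER": {"CreationDate": "2025-06-20T00:00:00.000Z"}}

if __name__ == "__main__":
    print(gate_image(SAMPLE_REPORT))
    print(stale_amis(SAMPLE_INSTANCES, SAMPLE_IMAGES, NOW))
```

Wiring `gate_image` into CI as a non-zero exit when `passed` is false is what turns "vulnerabilities ignored in CSPM reports" into a build that cannot proceed; the `stale_amis` sweep catches the long-lived instances the pipeline never rebuilds.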
  15. Ineffective Network Segmentation
     • No private subnets for sensitive services
     • Overuse of default VPC
     • Lack of NACLs or redundant firewall rules
     • Shared VPC mismanagement
  18. Ineffective Network Segmentation: "Flat is Fragile"
     An internal dev app was deployed in the same VPC as production systems. After the dev app was compromised, the attacker moved laterally to the production RDS instance and downloaded customer data. There were no subnet-level firewalls to isolate workloads.
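A flat network is visible in two places: security group rules on production data stores that accept traffic from non-production sources (or from the whole VPC CIDR), and data-tier subnets whose route table reaches an internet gateway. The audit below is an added example for this page, not the deck's code. It assumes an `Environment` tag on security groups and a `Tier` tag on subnets (the example's own convention) and works on the `DescribeSecurityGroups`, `DescribeSubnets` and `DescribeRouteTables` shapes; the sample VPC is constructed with placeholder IDs.

```python
import ipaddress


def _tags(obj):
    return {t["Key"]: t["Value"] for t in obj.get("Tags", [])}


def cross_environment_ingress(security_groups, vpc_cidr):
    """For every prod-tagged group, report ingress rules whose source is a
    non-prod security group or a CIDR that covers the entire VPC (or wider).
    Returns (group_id, source, from_port) tuples."""
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg in security_groups:
        if _tags(sg).get("Environment") != "prod":
            continue
        for perm in sg.get("IpPermissions", []):
            port = perm.get("FromPort")
            for pair in perm.get("UserIdGroupPairs", []):
                src = by_id.get(pair["GroupId"])
                src_env = _tags(src).get("Environment", "untagged") if src else "unknown"
                if src_env != "prod":
                    findings.append((sg["GroupId"], f"from-sg:{pair['GroupId']}({src_env})", port))
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"])
                # subnet_of is True when net equals the VPC or is a superset of it (incl. 0.0.0.0/0)
                if net.version == vpc.version and vpc.subnet_of(net):
                    findings.append((sg["GroupId"], f"from-cidr:{rng['CidrIp']}", port))
    return findings


def public_data_subnets(subnets, route_tables):
    """Subnets tagged Tier=db whose route table sends 0.0.0.0/0 to an internet gateway."""
    rt_for_subnet = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                rt_for_subnet[assoc["SubnetId"]] = rt
    findings = []
    for subnet in subnets:
        if _tags(subnet).get("Tier") != "db":
            continue
        rt = rt_for_subnet.get(subnet["SubnetId"])
        for route in (rt or {}).get("Routes", []):
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and \
                    route.get("GatewayId", "").startswith("igw-"):
                findings.append(subnet["SubnetId"])
    return findings


# Constructed sample VPC (10.0.0.0/16) with a dev app sharing it with prod.
SAMPLE_SGS = [
    {"GroupId": "sg-prod-db", "Tags": [{"Key": "Environment", "Value": "prod"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-dev-app"}, {"GroupId": "sg-prod-app"}],
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-prod-app", "Tags": [{"Key": "Environment", "Value": "prod"}], "IpPermissions": []},
    {"GroupId": "sg-dev-app", "Tags": [{"Key": "Environment", "Value": "dev"}], "IpPermissions": []},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-db", "Tags": [{"Key": "Tier", "Value": "db"}]},
    {"SubnetId": "subnet-app", "Tags": [{"Key": "Tier", "Value": "app"}]},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-db"}, {"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}]},
]

if __name__ == "__main__":
    print(cross_environment_ingress(SAMPLE_SGS, "10.0.0.0/16"))
    print(public_data_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES))
```

The `sg-prod-app` reference is intentionally not reported: a prod application tier reaching a prod database is the intended path. The dev group and the VPC-wide CIDR are the two rules that made the story's lateral move possible, and the route-table check catches the "no private subnets for sensitive services" bullet independently of any security group.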