Dangerous by Design Cloud Security Flaws We Keep Repeating

Transcript

1. Dangerous by Design Cloud Security Flaws We Keep Repeating Sena

   Yakut, 2025

2. ABOUT ME Sena Yakut, Cloud Security Architect - CyberWhiz All

   details, links about me:

3. Obviously.. Publicly Accessible Resources • S3 buckets with public read/write

   permissions • Open RDS/Elasticsearch/OpenSearch endpoints • Public EC2 instances with port 22/3389 exposed • Unrestricted security groups (0.0.0.0/0) • Misconfigured CDN or load balancer settings • Cloud Storage misconfigurations (GCP/Azure blobs)

4. Obviously.. Publicly Accessible Resources

5. Obviously.. Publicly Accessible Resources "The Bucket That Bit Back" A

   developer created a public S3 bucket to share marketing assets. However, the same bucket also contained internal documents. A threat actor found it via a public bucket scanner, downloaded sensitive company roadmaps, and posted them online — triggering an internal investigation and reputation damage.

6. Shadow Cloud Resources • Dev/test environments outside IaC • Untracked

   cloud accounts (e.g. marketing-owned) • Temporary workloads left running (e.g. experiments) • Orphaned resources post-migration • BYOD cloud tools (unauthorized SaaS/PaaS usage) • Forgotten POCs and abandoned third-party integrations

7. Shadow Cloud Resources "The Forgotten Lab" The data science team

   created a dev environment in their own AWS account using company credit cards. The environment ran a temporary ML model with a permissive IAM role. Months later, the account was compromised, and attackers used the forgotten EC2 instances to launch crypto mining attacks — unnoticed for weeks.

8. Enable Security Services – Then Forget Them • GuardDuty enabled

   but findings ignored • AWS Config turned on, no remediation setup • Security Hub without aggregation or alerts • WAF deployed, no rules maintained • Shield Advanced without any playbook • No budget for follow-up security team actions

9. Enable Security Services – Then Forget Them "GuardDuty Ghosts" A

   security engineer enabled GuardDuty and AWS Config as part of compliance prep. However, alert emails went to a defunct inbox, and no remediation scripts were deployed. Months later, a compromised IAM key was flagged by GuardDuty — but nobody saw it until after data exfiltration occurred.

10. Lack of Logging / Monitoring • No log, no incident

    response analysis • CloudTrail not centralized or multi-region • No VPC Flow Logs for key subnets • S3 access logs not enabled • Lambda logs not ingested/analyzed • No SIEM or alerting integration • Logs stored but never reviewed

11. Lack of Logging / Monitoring "Silent Breach" A production Lambda

    function was exploited via an unvalidated API input. With no logs ingested into a SIEM and no CloudTrail for the region enabled, the security team was unaware until a customer reported unusual behavior.

12. Misused IAM and Privilege Escalation • Overuse of AdministratorAccess •

    Lack of least privilege enforcement • Long-lived IAM users with active keys • Insecure role assumption policies • No session tagging or permissions boundaries • No review of IAM Access Analyzer findings

13. Misused IAM and Privilege Escalation • Overuse of AdministratorAccess •

    Lack of least privilege enforcement • Long-lived IAM users with active keys • Insecure role assumption policies • No session tagging or permissions boundaries • No review of IAM Access Analyzer findings

14. Misused IAM and Privilege Escalation “The DevOps Shortcut” A contractor

    was granted AdministratorAccess for a “short task.” The credentials were leaked via GitHub, and an attacker spun up 100 high-cost instances across multiple regions. The monthly bill spiked to $70,000 before AWS billing alerts were triggered.

15. Inconsistent Patch Management • AMIs not updated regularly • Containers

    with outdated packages • No automation for OS-level patching • Long-lived instances without maintenance • Vulnerabilities ignored in CSPM reports • No baseline golden image enforcement

16. Inconsistent Patch Management • AMIs not updated regularly • Containers

    with outdated packages • No automation for OS-level patching • Long-lived instances without maintenance • Vulnerabilities ignored in CSPM reports • No baseline golden image enforcement

17. Inconsistent Patch Management “Zombie Containers" A web app used an

    outdated Docker image with a known critical vulnerability. The DevOps pipeline had no image scanning, and patching relied on manual updates. An attacker exploited the flaw to gain shell access and pivot into the internal network.

18. Ineffective Network Segmentation • No private subnets for sensitive services

    • Overuse of default VPC • Lack of NACLs or redundant firewall rules • Shared VPC mismanagement

19. Ineffective Network Segmentation • No private subnets for sensitive services

    • Overuse of default VPC • Lack of NACLs or redundant firewall rules • Shared VPC mismanagement

20. Ineffective Network Segmentation • No private subnets for sensitive services

    • Overuse of default VPC • Lack of NACLs or redundant firewall rules • Shared VPC mismanagement

21. Ineffective Network Segmentation “Flat is Fragile" An internal dev app

    was deployed in the same VPC as production systems. After the dev app was compromised, the attacker moved laterally to the production RDS instance and downloaded customer data. There were no subnet-level firewalls to isolate workloads.

22. Thank you!