Cloud Security: A Defender's Perspective

Aditya Rai 16/10/2024

Cloud security involves a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing.

What does Cloud Security mean from a Defender's Perspective?

From a cyber defender's perspective, cloud security encompasses strategies and tools to safeguard against threats and ensure data integrity, confidentiality, and availability.

Importance of Cloud Security

According to the Mordor Intelligence industry report, the cloud computing market is projected to reach a value of $680 billion this year (2024) and is expected to hit $1.44 trillion by 2029. Companies are increasingly shifting from traditional on-premises environments to cloud environments. As this transition accelerates, the cloud is becoming a new battleground for adversaries. According to the CrowdStrike Global Threat Report 2024, there has been a 75% increase in cloud intrusions. With the growing adoption of cloud services, the importance of cloud security has surged. Effective cloud security measures are crucial for protecting sensitive data from breaches, ensuring compliance with regulations, and maintaining the trust of customers and stakeholders.

Major Cloud Service Providers

Amazon Web Services (AWS): AWS is the leading cloud service provider offering a comprehensive and broadly adopted cloud platform with over 200 fully featured services from data centers globally. Known for its extensive suite of tools and services, AWS provides robust infrastructure solutions such as compute power, storage options, and advanced networking capabilities. AWS is renowned for its flexibility, scalability, and reliability, making it a preferred choice for startups, enterprises, and government agencies.

Google Cloud Platform (GCP): Google Cloud leverages Google's cutting-edge technology and infrastructure to offer a suite of cloud computing services. GCP is known for its strengths in data analytics, machine learning, and AI services, which are built on the same infrastructure that powers Google's search engine and other major services. It provides seamless integration with other Google services and is recognized for its high-performance computing and innovative solutions.

Microsoft Azure: Azure is Microsoft's cloud computing platform, providing a wide array of services to build, deploy, and manage applications through Microsoft-managed data centers. Azure is popular for its hybrid cloud capabilities, allowing businesses to seamlessly integrate their on-premises environments with the cloud. It offers strong support for Windows-based applications and services, making it an attractive option for enterprises that heavily use Microsoft software.

Each of these major cloud service providers offers unique features and strengths, allowing organizations to choose the best fit for their specific needs and requirements. By understanding the offerings of AWS, Google Cloud, and Azure, businesses can strategically leverage their strengths for optimal performance, scalability, and cost-efficiency.

Different Components in Cloud Service Providers

| Technology | AWS | Google Cloud | Azure |
|---|---|---|---|
| Storage Security | S3 | Google Cloud Storage | Azure Blob Storage |
| Identity and Access | AWS IAM | Google Cloud IAM | Azure Active Directory |
| Network Security | VPC | Google Cloud VPC | Azure Virtual Network |
| Encryption | AWS KMS | Google Cloud KMS | Azure Key Vault |
| Logging and Monitoring | CloudWatch, CloudTrail | Audit Logs, VPC Flow Logs, Cloud Logging | Azure Monitor, Azure Security Center |
| Compute | EC2 | Google Compute Engine | Azure Virtual Machines |
| Database Security | RDS, DynamoDB | Cloud SQL, Firestore | Azure SQL Database, Cosmos DB |

Cloud Service: Shared Responsibility Model

The Shared Responsibility Model is a cloud security framework that delineates the security responsibilities of the cloud service provider (CSP) and the customer. This model helps clarify who is accountable for which aspects of security to ensure comprehensive protection.

Cloud Provider Responsibilities: The CSP is responsible for the security of the cloud infrastructure, including hardware, software, networking, and facilities that run cloud services.

Customer Responsibilities: The customer is responsible for securing anything they put in the cloud, including applications, data, and configurations.

Example:

  • AWS secures the underlying infrastructure (e.g., compute, storage, networking).
  • Customers must secure their data, manage identity and access, and configure network settings properly.

Shared Responsibility | Credit: AWS Documentation

Multi-Cloud Model

 

Multi Cloud Architecture | Credit: orangematter.solarwinds.com 

The Multi-Cloud Model refers to the use of multiple cloud computing services from different providers within a single heterogeneous architecture. This approach allows organizations to distribute workloads across several cloud environments, avoiding dependence on a single cloud provider.

  • Multiple Providers: Utilizing services from more than one cloud service provider (e.g., AWS, Google Cloud, Azure) to achieve specific business or technical goals.
  • Distribution of Workloads: Workloads can be strategically placed across different clouds to optimize performance, cost, or compliance requirements.
  • Redundancy and Resilience: Multi-cloud strategies enhance redundancy and fault tolerance by not being reliant on a single provider. Interesting read showing the importance of Multi-Cloud & redundancy: Google Cloud’s Parisian outage persists into third week.

Key Components and Technologies

Identity and Access Management (IAM):

  • Ensures that only authorized users can access specific resources.
  • Key Technologies: AWS IAM, Google Cloud IAM, Azure Active Directory

Data Encryption:

  • Protects data at rest and in transit using encryption algorithms.
  • Key Technologies: AWS KMS, Google Cloud KMS, Azure Key Vault

Network Security:

  • Encompasses controls and measures to protect the integrity, confidentiality, and accessibility of the network and data.
  • Key Technologies: AWS VPC, Google Cloud VPC, Azure Virtual Network

Endpoint Security:

  • Focuses on securing end-user devices and ensuring they do not become a vector for attacks.
  • Key Technologies: Endpoint detection and response (EDR) solutions, Mobile Device Management (MDM)

Application Security:

  • Involves protecting applications from external threats throughout their lifecycle.
  • Key Technologies: Web Application Firewalls (WAF), Application Security Testing (AST)

Security Information and Event Management (SIEM):

  • Aggregates and analyzes security data from various sources to detect and respond to potential security incidents.
  • Key Technologies: AWS CloudTrail, Google Cloud Operations Suite (formerly Stackdriver), Azure Monitor

Security Challenges in the Cloud Environment

  1. Data Breaches: Unauthorized access to sensitive data stored in the cloud.
  2. Insecure Interfaces and APIs: Vulnerabilities in cloud service interfaces and APIs can be exploited.
  3. Misconfiguration: Improper configuration of cloud services can lead to security gaps.
  4. Lack of Visibility: Limited visibility into cloud environments can hinder threat detection and response.
  5. Compliance and Legal Risks: Ensuring compliance with various regulations (e.g., GDPR, HIPAA) in a cloud environment can be challenging.
  6. Insider Threats: Malicious insiders or employees with excessive privileges can exploit cloud resources.
  7. Advanced Persistent Threats (APTs): APTs are sophisticated, prolonged attacks targeting specific entities.
  8. Shared Technology Vulnerabilities: Vulnerabilities in shared cloud infrastructure components (e.g., hypervisors) can be exploited.

Logging and Monitoring in Cloud Security

Logging and monitoring are critical components of cloud security, providing essential visibility into the operations and activities within cloud environments. Despite their importance, many organizations remain unaware of the extensive logging options available across different cloud services, such as Google Cloud Platform (GCP). Effective logging allows for the tracking of user activities, system events, and access patterns, which are crucial for detecting anomalies, troubleshooting issues, and ensuring compliance with regulatory standards.

AWS Logging Options

CloudTrail: Logs API calls made within your AWS account, providing visibility into user activity.

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AID1234567890",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "AKIA1234567890",
    "userName": "Alice"
  },
  "eventTime": "2023-07-23T10:20:30Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "PutRolePolicy",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.168.0.1",
  "userAgent": "aws-sdk-go/1.15.0 (go1.9.4; linux; amd64)",
  "requestParameters": {
    "roleName": "ExampleRole",
    "policyName": "ExamplePolicy",
    "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}"
  },
  "responseElements": null,
  "requestID": "abc123def456",
  "eventID": "c1a2b3c4-d5e6-7f8g-9h0i-j1k2l3m4n5o6",
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

 

This log entry records an IAM API call (PutRolePolicy) made by the user "Alice" to add an inline policy to a role named "ExampleRole" in the AWS account with ID "111122223333". The policy, named "ExamplePolicy", allows all S3 actions (s3:*) on all resources (*). The event occurred on July 23, 2023, and was executed from the source IP address 192.168.0.1 using the AWS SDK for Go.
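A check for the over-broad grant in the record above, as an added example that is not part of the original article: it parses the policyDocument string nested inside requestParameters and reports Allow statements that pair a wildcard action with Resource "*". The function names and the set of inline-policy event names watched are choices made for this example.

```python
import json

# Constructed sample, trimmed from the CloudTrail record shown above.
SAMPLE_EVENT = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "PutRolePolicy",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/Alice"},
    "requestParameters": {
        "roleName": "ExampleRole",
        "policyName": "ExamplePolicy",
        "policyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                          '"Action":"s3:*","Resource":"*"}]}',
    },
}

# IAM calls that write an inline policy (the selection is this example's choice).
INLINE_POLICY_EVENTS = {"PutRolePolicy", "PutUserPolicy", "PutGroupPolicy"}


def as_list(value):
    """Policy fields may hold one item or a list; always return a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def broad_grants(event):
    """Return one finding per wildcard Allow action granted on all resources."""
    if (event.get("eventSource") != "iam.amazonaws.com"
            or event.get("eventName") not in INLINE_POLICY_EVENTS):
        return []
    params = event.get("requestParameters") or {}
    base = {"actor": (event.get("userIdentity") or {}).get("arn"),
            "target": params.get("roleName") or params.get("userName")
            or params.get("groupName"),
            "policy": params.get("policyName")}
    try:
        statements = as_list(json.loads(params["policyDocument"]).get("Statement"))
    except (KeyError, TypeError, ValueError, AttributeError):
        # A document that is missing or not a JSON object still deserves review.
        return [dict(base, action=None, reason="policyDocument missing or unparseable")]
    findings = []
    for stmt in statements:
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource")):
            continue
        for action in as_list(stmt.get("Action")):
            if action == "*" or str(action).endswith(":*"):
                findings.append(dict(base, action=action, reason="wildcard action on *"))
    return findings
```
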

CloudWatch: Provides monitoring and operational data, like application logs and performance metrics.

2023-07-23T10:20:30.123Z ERROR app - Unhandled exception: Index out of range

 

This log entry indicates an error event within an application, timestamped at 2023-07-23T10:20:30.123Z. The severity level is marked as "ERROR", highlighting a significant issue that occurred in the "app" component. The specific error is an "Unhandled exception: Index out of range", meaning the application attempted to access an array or list element beyond its bounds, leading to a crash or malfunction.

VPC Flow Logs: Captures information about IP traffic going to and from network interfaces in your VPC.

2 111122223333 eni-1a2b3c4d 192.168.1.10 54.239.29.85 443 1024 6 10 840 1598463001 1598463061 ACCEPT OK

 

This VPC Flow Log entry captures network traffic details for an Elastic Network Interface (ENI) within an AWS account. It records traffic from a source IP address (192.168.1.10) to a destination IP address (54.239.29.85) over HTTPS (port 443) using the TCP protocol. The log shows 10 packets and 840 bytes transferred between Unix epoch times 1598463001 and 1598463061, indicating the traffic was allowed ("ACCEPT") and the log was successfully recorded ("OK").
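A parser for the default (version 2) flow log format, as an added example that is not part of the original article. In this format the source port precedes the destination port, and records written for an interface with no traffic carry "-" in most fields, which the parser maps to None; the second sample line is constructed to show that case.

```python
from datetime import datetime, timezone

# Field order of the default (version 2) VPC Flow Logs format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action",
          "log_status")
INT_FIELDS = ("version", "srcport", "dstport", "protocol", "packets", "bytes")
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers

# The record from the text, plus a constructed NODATA record for an idle interface.
SAMPLE = ("2 111122223333 eni-1a2b3c4d 192.168.1.10 54.239.29.85 443 1024 6 10 840 "
          "1598463001 1598463061 ACCEPT OK")
SAMPLE_NODATA = ("2 111122223333 eni-1a2b3c4d - - - - - - - "
                 "1598463001 1598463061 - NODATA")


def parse_flow_record(line):
    """Parse one default-format record into a dict; '-' fields become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = {key: (None if value == "-" else value) for key, value in zip(FIELDS, parts)}
    for key in INT_FIELDS:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    for key in ("start", "end"):
        if rec[key] is not None:
            # Capture window boundaries are Unix epoch seconds.
            rec[key] = datetime.fromtimestamp(int(rec[key]), tz=timezone.utc)
    rec["protocol_name"] = PROTOCOLS.get(rec["protocol"])
    return rec


if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_NODATA):
        print(parse_flow_record(sample))
```
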

Google Cloud Logging Options

Cloud Audit Logs: Records admin activity, data access, and system events, providing a complete audit trail.

{
  "protoPayload": {
    "methodName": "google.iam.admin.v1.CreateServiceAccount",
    "resourceName": "projects/project-id/serviceAccounts/service-account-1@project-id.iam.gserviceaccount.com",
    "authenticationInfo": {
      "principalEmail": "alice@cloudtest-demo.com"
    },
    "requestMetadata": {
      "callerIp": "192.168.0.1"
    }
  },
  "resource": {
    "type": "project",
    "labels": {
      "project_id": "project-id"
    }
  },
  "timestamp": "2023-07-23T10:20:30.123Z",
  "severity": "NOTICE",
  "logName": "projects/project-id/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2023-07-23T10:20:31.456Z"
}

 

This log entry indicates an activity related to the creation of a service account. The event, marked with a "NOTICE" severity level, occurred at 2023-07-23T10:20:30.123Z and was received at 2023-07-23T10:20:31.456Z. The protoPayload section details the method invoked (google.iam.admin.v1.CreateServiceAccount), the resource involved (projects/project-id/serviceAccounts/service-account-1@project-id.iam.gserviceaccount.com), and the authentication information showing that the action was performed by alice@cloudtest-demo.com from the IP address 192.168.0.1. The resource section identifies the affected resource type as a project with the ID project-id.

Cloud Logging: Collects and stores logs from applications and services.

{
  "timestamp": "2023-07-23T10:20:30.123Z",
  "severity": "ERROR",
  "logName": "projects/project-id/logs/app-log",
  "textPayload": "Unhandled exception: Index out of range"
}

 

This log entry records an error event within an application, marked with an "ERROR" severity level, which occurred on 2023-07-23T10:20:30.123Z. The log is part of the "app-log" for the project identified by "project-id". The textPayload field contains the message "Unhandled exception: Index out of range", indicating that the application attempted to access an element outside the bounds of an array or list, leading to an unhandled exception.

VPC Flow Logs: Provides visibility into network traffic.

{
  "logName": "projects/project-id/logs/compute.googleapis.com%2Fvpc_flows",
  "resource": {
    "type": "gce_subnetwork",
    "labels": {
      "project_id": "project-id",
      "subnetwork_id": "1234567890123456789",
      "region": "us-central1"
    }
  },
  "timestamp": "2023-07-23T10:20:30.123456Z",
  "severity": "INFO",
  "jsonPayload": {
    "connection": {
      "src_ip": "192.168.1.10",
      "dest_ip": "8.8.8.8",
      "src_port": 12345,
      "dest_port": 53,
      "protocol": 17,
      "start_time": "2023-07-23T10:20:30.123456Z",
      "end_time": "2023-07-23T10:21:30.123456Z"
    },
    "disposition": "ALLOW",
    "bytes_sent": 1234,
    "bytes_received": 5678,
    "packets_sent": 12,
    "packets_received": 34
  }
}

 

Recommendation: Set up alerts for unusual access patterns, such as high download activity from unexpected IAM users or IP addresses, and regularly review access logs for unauthorized access attempts.

Identity and Access Management (IAM)

Scenario: Creation of a new IAM user to escalate privileges.

AWS CloudTrail Logs

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AID1234567890",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "AKIA1234567890",
    "userName": "Alice"
  },
  "eventTime": "2023-07-23T10:20:30Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.168.0.1",
  "userAgent": "aws-sdk-go/1.15.0 (go1.9.4; linux; amd64)",
  "requestParameters": {
    "userName": "Bob"
  },
  "responseElements": {
    "user": {
      "createDate": "2023-07-23T10:20:30Z",
      "userName": "Bob",
      "path": "/",
      "arn": "arn:aws:iam::111122223333:user/Bob",
      "userId": "AID2345678901"
    }
  },
  "requestID": "abc123def456",
  "eventID": "c1a2b3c4-d5e6-7f8g-9h0i-j1k2l3m4n5o6",
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

 

Google Cloud Audit Logs

{
  "protoPayload": {
    "methodName": "google.iam.admin.v1.CreateServiceAccount",
    "resourceName": "projects/project-id/serviceAccounts/service-account-1@project-id.iam.gserviceaccount.com",
    "authenticationInfo": {
      "principalEmail": "alice@cloudtest-demo.com"
    },
    "requestMetadata": {
      "callerIp": "192.168.0.1"
    }
  },
  "resource": {
    "type": "project",
    "labels": {
      "project_id": "project-id"
    }
  },
  "timestamp": "2023-07-23T10:20:30.123Z",
  "severity": "NOTICE",
  "logName": "projects/project-id/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2023-07-23T10:20:31.456Z"
}

 

Azure Active Directory Logs

{
  "time": "2023-07-23T10:20:30.1234567Z",
  "resourceId": "/subscriptions/xxxx/resourceGroups/yyy/providers/Microsoft.AzureActiveDirectory/users",
  "operationName": "Add user",
  "category": "UserManagement",
  "properties": {
    "targetResources": [
      {
        "id": "userId",
        "displayName": "Bob",
        "userPrincipalName": "bob@cloudtest-demo.com"
      }
    ],
    "principalId": "userId",
    "principalName": "alice@cloudtest-demo.com",
    "ipAddress": "192.168.0.1"
  }
}

 

Recommendation: Monitor IAM logs for changes such as the creation of new users, and implement multi-factor authentication (MFA) for critical actions to ensure that only authorized changes are made.
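One way to apply this recommendation across all three providers, as an added example that is not part of the original article: it maps the CloudTrail, Google Cloud and Azure records shown above onto one schema and returns identity creations whose actor is not on an approved list. The field paths follow the record shapes on this page; the schema, function names and the approved-actor list are assumptions of the example.

```python
# Constructed samples, trimmed from the three records shown above.
CLOUDTRAIL = {"eventName": "CreateUser", "eventTime": "2023-07-23T10:20:30Z",
              "sourceIPAddress": "192.168.0.1",
              "userIdentity": {"arn": "arn:aws:iam::111122223333:user/Alice"},
              "requestParameters": {"userName": "Bob"}}
GCP_AUDIT = {"timestamp": "2023-07-23T10:20:30.123Z", "protoPayload": {
    "methodName": "google.iam.admin.v1.CreateServiceAccount",
    "resourceName": "projects/project-id/serviceAccounts/"
                    "service-account-1@project-id.iam.gserviceaccount.com",
    "authenticationInfo": {"principalEmail": "alice@cloudtest-demo.com"},
    "requestMetadata": {"callerIp": "192.168.0.1"}}}
AZURE_AD = {"time": "2023-07-23T10:20:30.1234567Z", "operationName": "Add user",
            "properties": {
                "targetResources": [{"userPrincipalName": "bob@cloudtest-demo.com"}],
                "principalName": "alice@cloudtest-demo.com",
                "ipAddress": "192.168.0.1"}}

# Field paths per provider, following the record shapes on this page (assumption).
SCHEMAS = {
    "aws": {"action": ["eventName"], "creates": ("CreateUser",),
            "actor": ["userIdentity", "arn"], "target": ["requestParameters", "userName"],
            "ip": ["sourceIPAddress"], "time": ["eventTime"]},
    "gcp": {"action": ["protoPayload", "methodName"],
            "creates": ("google.iam.admin.v1.CreateServiceAccount",),
            "actor": ["protoPayload", "authenticationInfo", "principalEmail"],
            "target": ["protoPayload", "resourceName"],
            "ip": ["protoPayload", "requestMetadata", "callerIp"], "time": ["timestamp"]},
    "azure": {"action": ["operationName"], "creates": ("Add user",),
              "actor": ["properties", "principalName"],
              "target": ["properties", "targetResources", 0, "userPrincipalName"],
              "ip": ["properties", "ipAddress"], "time": ["time"]},
}
FIELDS = ("action", "actor", "target", "ip", "time")

def dig(record, path):
    """Follow a path through nested dicts/lists; None if any step is missing."""
    for key in path:
        try:
            record = record[key]
        except (KeyError, IndexError, TypeError):
            return None
    return record

def normalize(record):
    """Map an identity-creation record to the common schema, else return None."""
    for provider, schema in SCHEMAS.items():
        if dig(record, schema["action"]) in schema["creates"]:
            return {"provider": provider, **{f: dig(record, schema[f]) for f in FIELDS}}
    return None

def unapproved_creations(records, approved_actors):
    """Identity creations whose actor is not an approved provisioning identity."""
    events = filter(None, map(normalize, records))
    return [e for e in events if e["actor"] not in approved_actors]
```
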

Conclusion

Cloud security requires a comprehensive approach using various technologies and practices to safeguard cloud environments. Leveraging the tools provided by major cloud service providers like AWS, Google Cloud, and Azure is crucial for effective defense. Best practices such as implementing the principle of least privilege, regularly auditing and reviewing security policies and configurations, monitoring and analyzing logs for unusual activities, and conducting regular security drills and incident response simulations could help in tackling the security challenges existing in the cloud environment.

References

Cloud Computing Market Size | Mordor Intelligence

CrowdStrike 2024 Global Threat Report | CrowdStrike

12 Cloud Security Issues: Risks, Threats & Challenges | CrowdStrike

Google Cloud Logging

AWS Logging, Monitoring and Auditing Cheat-sheet/Write-up

Azure security logging and auditing

About Aditya Rai

Aditya is interested in both the offensive and defensive domains of infosec. With his past industry and consulting experience, he aims to provide realistic labs and content to help the community become industry-ready.