Public Cloud Landing Zone

Establishing a landing zone is the most critical step in cloud adoption. This is where the security guardrails are defined that apply to all future workloads.

Your Strategy

Define the landing zone consistently in Infrastructure as Code (IaC) and enforce policies (guardrails) at the organization level (e.g., AWS Organizations service control policies, Azure Policy at management-group scope, Google Cloud organization policies), so that individual accounts and subscriptions cannot opt out. A landing zone whose IaC is not scanned automatically before deployment is a high risk: a single misconfigured template is replicated into every workload built on top of it.

Best Practices

  • Isolation: Use separate subscriptions/accounts for different environments (Dev, Test, Prod), so that a compromise or misconfiguration in one cannot reach the others.
  • Hardening: Implement Cloud Resource Locks (e.g., Azure resource locks, CloudFormation stack termination protection) for core infrastructure such as the audit trail, network hubs and identity resources.
  • Identity: Enforce MFA for deletion operations (e.g., S3 MFA Delete) on critical resources and data stores, so that a single stolen credential cannot destroy them.
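As an added example (not code from the AYSOLI page), the following Python script implements the automated IaC check the strategy above calls for: it walks a constructed, simplified Terraform-plan-like resource list and flags violations of the guardrails listed here (approved regions only, MFA Delete, no public exposure, IMDSv2 enforced, no wildcard IAM policies, no foreign trust relationships, no embedded access keys). The resource attribute names, the approved regions, the trusted account ID and the sample plan are assumptions for illustration; in a real pipeline the input would be `terraform show -json` output and the findings would fail the build.

```python
"""Guardrail checks over an IaC plan before it reaches the landing zone (added example)."""
import re
from typing import Any, Dict, Iterator, List

# Assumed organizational settings (hypothetical values).
ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}
TRUSTED_ACCOUNTS = {"111111111111"}                 # accounts allowed to assume our roles
ACCESS_KEY_ID_RE = re.compile(r"AKIA[0-9A-Z]{16}")  # format of AWS long-term access key IDs

# Constructed sample: a simplified, Terraform-plan-like resource list (attribute names loosely
# follow the AWS provider). Every resource is deliberately bad except "stray"'s IMDS setting.
SAMPLE_PLAN: List[Dict[str, Any]] = [
    {"type": "aws_s3_bucket", "name": "uploads", "region": "eu-central-1",
     "values": {"acl": "public-read", "versioning": {"enabled": True, "mfa_delete": False}}},
    {"type": "aws_instance", "name": "web", "region": "eu-central-1",
     "values": {"metadata_options": {"http_tokens": "optional"},
                "user_data": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"}},
    {"type": "aws_security_group", "name": "ssh", "region": "eu-central-1",
     "values": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_iam_policy", "name": "ops", "region": "eu-central-1",
     "values": {"policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    {"type": "aws_iam_role", "name": "ci", "region": "eu-central-1",
     "values": {"assume_role_policy": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]}}},
    {"type": "aws_instance", "name": "stray", "region": "us-east-2",
     "values": {"metadata_options": {"http_tokens": "required"}}},
]


def as_list(value: Any) -> List[Any]:  # IAM policy fields may be a scalar or a list
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy: Any) -> List[Dict[str, Any]]:
    return as_list((policy or {}).get("Statement"))


def principals_of(statement: Dict[str, Any]) -> List[str]:  # 'Principal' is '*' or a map
    principal = statement.get("Principal", {})
    return as_list(principal) if isinstance(principal, str) else as_list(principal.get("AWS"))


def account_of(arn: str) -> str:  # fifth ARN field; '' for '*' or malformed input
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def strings_in(value: Any) -> Iterator[str]:
    """Walk nested dicts/lists and yield every string leaf."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from strings_in(item)
    elif isinstance(value, list):
        for item in value:
            yield from strings_in(item)


def check_resource(res: Dict[str, Any]) -> List[str]:
    """Return one finding per violated guardrail, tagged with the page's risk/technique IDs."""
    rtype, values = res["type"], res.get("values", {})
    tag = f'{rtype}.{res["name"]}'
    findings: List[str] = []
    if res.get("region") not in ALLOWED_REGIONS:
        findings.append(f"{tag}: region {res.get('region')} is not approved (M-CLD-01, T1535)")
    if rtype == "aws_s3_bucket":
        if values.get("acl", "private") != "private":
            findings.append(f"{tag}: ACL {values['acl']} exposes objects (T-CLD-01)")
        versioning = values.get("versioning", {})
        if not (versioning.get("enabled") and versioning.get("mfa_delete")):  # MFA Delete needs versioning
            findings.append(f"{tag}: MFA Delete not enabled (T1531)")
    elif rtype == "aws_instance":
        if values.get("metadata_options", {}).get("http_tokens") != "required":
            findings.append(f"{tag}: IMDSv2 not enforced, SSRF can read role credentials (I-CLD-01)")
    elif rtype == "aws_security_group":
        for rule in values.get("ingress", []):
            if "0.0.0.0/0" in rule.get("cidr_blocks", []) and rule["from_port"] <= 22 <= rule["to_port"]:
                findings.append(f"{tag}: SSH open to the internet (T1190)")
    elif rtype == "aws_iam_policy":
        for st in statements(values.get("policy")):
            if st.get("Effect") == "Allow" and "*" in as_list(st.get("Action")) and "*" in as_list(st.get("Resource")):
                findings.append(f"{tag}: Allow */* is full admin (E-CLD-01)")
    elif rtype == "aws_iam_role":
        for st in statements(values.get("assume_role_policy")):
            for principal in principals_of(st):
                if principal == "*" or account_of(principal) not in TRUSTED_ACCOUNTS:
                    findings.append(f"{tag}: trust policy admits foreign principal {principal} (L-CLD-01)")
    for text in strings_in(values):  # secrets in any attribute, e.g. user_data (T1552)
        if ACCESS_KEY_ID_RE.search(text):
            findings.append(f"{tag}: AWS access key ID embedded in template (S-CLD-01, T1552)")
    return findings


def scan_plan(plan: List[Dict[str, Any]]) -> List[str]:
    """Flatten findings over the whole plan; a non-empty result should fail the pipeline."""
    return [finding for res in plan for finding in check_resource(res)]


if __name__ == "__main__":
    for finding in scan_plan(SAMPLE_PLAN):
        print("FAIL", finding)
```

Run against the sample plan the script reports eight findings, two of them for the `web` instance (IMDSv1 still allowed and an access key ID in `user_data`). The trust-policy check is the one most teams forget: a role that any principal, or a principal from an account outside the organization, may assume is the usual bridge for the cross-tenant lateral movement listed under the design risks below.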

STRIDE-LM Design Risks

S-CLD-01 (Spoofing): Cloud Identity Spoofing
Hijacking cloud identities through leaked IAM access keys, e.g., keys committed to source repositories or baked into images and scripts.

T-CLD-01 (Tampering): Cloud Misconfiguration
Unintended exposure of resources through misconfigured settings, e.g., public storage buckets or security groups open to 0.0.0.0/0.

R-CLD-01 (Repudiation): Cloud Logging Bypass
Disabling or bypassing cloud audit services (e.g., stopping or deleting the audit trail) so that attacker actions leave no record.

I-CLD-01 (Information Disclosure): Metadata Service Abuse
Reading the instance metadata service, typically via SSRF in a workload on the instance, to obtain the temporary credentials of its attached role.

D-CLD-01 (Denial of Service): Denial of Wallet
Generating massive costs through resource exploitation, e.g., launching expensive compute for cryptomining or triggering unbounded autoscaling.

E-CLD-01 (Elevation of Privilege): IAM Role Escalation
Exploiting excessive IAM permissions (e.g., the right to attach policies or pass roles) to escalate to administrative privileges.

L-CLD-01 (Lateral Movement): Cross-Tenant Lateral Movement
Jumping between different cloud tenants or subscriptions, typically through overly permissive role trust relationships or credentials shared across environments.

M-CLD-01 (Monitoring Gaps): Shadow Cloud Assets
Creation of uncontrolled resources through "sprawl", e.g., in regions or accounts outside the monitored landing zone.

MITRE ATT&CK® Techniques

Initial Access

T1078 Valid Accounts
Using existing, legitimate credentials (leaked keys, phished users, orphaned service accounts) to gain access without exploiting any vulnerability.
Mitigated by:
  • IAM Permissions Boundaries (Extended Protection, Medium) [CIS 6.2; NIST PR.AC-1]
  • Privileged Identity Management (PIM) (Baseline Protection, Medium) [CIS 6.2; NIST PR.AC-1; OWASP A01:2021]
  • Centralized Secrets Vaulting (Extended Protection, Medium) [CIS 6.12; NIST PR.DS-1]
  • Least Privilege Principle (Baseline Protection, Medium) [CIS 6.2; NIST PR.AC-6; OWASP A01:2021]
  • Zero Trust Network Access (ZTNA) (Extended Protection, High) [CIS 12.2; NIST PR.AC-3]
  • Adaptive MFA (Risk-based) (Extended Protection, Low) [CIS 6.5; NIST PR.AC-7]

T1190 Exploit Public-Facing Application
Exploiting vulnerabilities in internet-facing services, including services that are internet-facing only because a template exposed them.
Mitigated by:
  • Infrastructure as Code (IaC) Scanning (Extended Protection, Medium) [CIS 1.1; NIST PR.IP-1]
Persistence

T1484 Domain Policy Modification
Modifying domain- or tenant-level policies (e.g., group policy, federation or trust settings) to gain or retain privileged access.
Mitigated by:
  • IAM Permissions Boundaries (Extended Protection, Medium) [CIS 6.2; NIST PR.AC-1]
  • Privileged Identity Management (PIM) (Baseline Protection, Medium) [CIS 6.2; NIST PR.AC-1; OWASP A01:2021]
  • SIEM Integration (Extended Protection, High) [CIS 8.5; NIST DE.AE-3; NIST DE.CM-1; OWASP A09:2021]
  • Least Privilege Principle (Baseline Protection, Medium) [CIS 6.2; NIST PR.AC-6; OWASP A01:2021]

T1098 Account Manipulation
Changing permissions, adding credentials (access keys, certificates, login profiles) to existing accounts, or creating new accounts to keep access.
Mitigated by:
  • Privileged Identity Management (PIM) (Baseline Protection, Medium) [CIS 6.2; NIST PR.AC-1; OWASP A01:2021]
Privilege Escalation

T1548 Abuse Elevation Control Mechanism
Bypassing or abusing controls that gate elevation. In a landing zone this means abusing temporary elevated cloud access (just-in-time role activation, role assumption) rather than OS-level mechanisms such as UAC.
Mitigated by:
  • IAM Permissions Boundaries (Extended Protection, Medium) [CIS 6.2; NIST PR.AC-1]
  • Privileged Identity Management (PIM) (Baseline Protection, Medium) [CIS 6.2; NIST PR.AC-1; OWASP A01:2021]
  • Least Privilege Principle (Baseline Protection, Medium) [CIS 6.2; NIST PR.AC-6; OWASP A01:2021]
Defense Evasion

T1535 Unused/Unsupported Cloud Regions
Deploying resources in regions the organization does not use or monitor, to evade detection and cost controls. Scanning IaC catches what goes through the pipeline; resources created by hand or with a stolen key are only stopped by an organization-level policy that denies the unused regions outright (e.g., an SCP or Azure Policy restricting allowed locations).
Mitigated by:
  • Infrastructure as Code (IaC) Scanning (Extended Protection, Medium) [CIS 1.1; NIST PR.IP-1]
Credential Access

T1539 Steal Web Session Cookie
Capturing active session cookies or tokens to bypass authentication. A stolen session already post-dates the MFA prompt, so risk-based MFA helps only if the identity provider re-challenges on anomalous session properties (new device, new location, impossible travel); pair it with short session lifetimes and token binding or conditional access where available.
Mitigated by:
  • Adaptive MFA (Risk-based) (Extended Protection, Low) [CIS 6.5; NIST PR.AC-7]

T1552 Unsecured Credentials
Harvesting credentials stored insecurely: hard-coded in IaC templates, configuration files, environment variables or instance user data, or exposed through the instance metadata service.
Mitigated by:
  • Infrastructure as Code (IaC) Scanning (Extended Protection, Medium) [CIS 1.1; NIST PR.IP-1]
  • Centralized Secrets Vaulting (Extended Protection, Medium) [CIS 6.12; NIST PR.DS-1]
Discovery

T1526 Cloud Service Discovery
Enumerating the cloud services enabled in an account or tenant, and the permissions the current identity holds, to plan further attacks.
Mitigated by:
  • Infrastructure as Code (IaC) Scanning (Extended Protection, Medium) [CIS 1.1; NIST PR.IP-1]

T1580 Cloud Infrastructure Discovery
Enumerating cloud infrastructure (instances, storage, snapshots, networks), which also surfaces unmanaged "shadow" resources the owner has lost track of.
Mitigated by:
  • IAM Permissions Boundaries (Extended Protection, Medium) [CIS 6.2; NIST PR.AC-1]
  • Least Privilege Principle (Baseline Protection, Medium) [CIS 6.2; NIST PR.AC-6; OWASP A01:2021]
Exfiltration

T1020 Automated Exfiltration
Scripted, bulk exfiltration of data through cloud APIs and interfaces. Immutable logs make the transfer attributable after the fact; they do not block it, so combine them with alerting on unusual read volumes.
Mitigated by:
  • Immutable Audit Logs (Extended Protection, Medium) [CIS 8.2; NIST PR.PT-1]
Impact

T1531 Account Access Removal
Removing access for legitimate users, e.g., by deleting accounts, login profiles or MFA devices, to lock defenders out.
Mitigated by:
  • Cloud Resource Locking (Baseline Protection, Low) [CIS 5.1; NIST PR.IP-1]
  • SIEM Integration (Extended Protection, High) [CIS 8.5; NIST DE.AE-3; NIST DE.CM-1; OWASP A09:2021]
  • MFA for Deletion Operations (Extended Protection, Low) [CIS 6.5; NIST PR.AC-7]
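The detection counterpart to the guardrails above, added here as an example rather than page content: a small rule engine over constructed, simplified CloudTrail-style records that raises alerts for the logging bypass (R-CLD-01), activity in unapproved regions (T1535), administrator policy attachment and access keys created for other users (E-CLD-01, T1098), access removal (T1531) and a denial-of-wallet indicator (D-CLD-01). The region allowlist, the global-service handling, the instance-type pattern and every identity in the sample log are assumptions.

```python
"""Detection rules over CloudTrail-style events for landing-zone guardrails (added example)."""
import json
import re
from typing import Any, Callable, Dict, List, Optional

ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}  # hypothetical organizational setting
# IAM and Organizations are global services; CloudTrail records their calls with
# awsRegion "us-east-1", so a region allowlist must skip them or it fires on every IAM call.
GLOBAL_SERVICES = {"iam.amazonaws.com", "organizations.amazonaws.com"}
AUDIT_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                "DeleteFlowLogs", "DeleteLogGroup"}
ACCESS_REMOVAL = {"DeleteUser", "DeleteLoginProfile", "DeactivateMFADevice", "DeleteRole"}
POLICY_ATTACH = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
ACCELERATED_TYPE_RE = re.compile(r"^(p|g)\d")  # GPU families, the usual cryptomining choice

# Constructed sample log, one simplified CloudTrail record per line; identities are hypothetical.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","awsRegion":"eu-central-1","userIdentity":{"userName":"deploy-bot"},"requestParameters":{"name":"org-trail"}}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"ap-southeast-1","userIdentity":{"userName":"deploy-bot"},"requestParameters":{"instanceType":"p3.16xlarge"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","awsRegion":"us-east-1","userIdentity":{"userName":"deploy-bot"},"requestParameters":{"userName":"deploy-bot","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","awsRegion":"us-east-1","userIdentity":{"userName":"deploy-bot"},"requestParameters":{"userName":"alice"}}
{"eventTime":"2024-05-01T10:04:00Z","eventSource":"iam.amazonaws.com","eventName":"DeleteLoginProfile","awsRegion":"us-east-1","userIdentity":{"userName":"deploy-bot"},"requestParameters":{"userName":"alice"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"eu-central-1","userIdentity":{"userName":"alice"},"requestParameters":{"bucketName":"reports"}}
{"eventTime":"2024-05-01T10:06:00Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteFlowLogs","awsRegion":"eu-west-1","userIdentity":{"userName":"deploy-bot"},"requestParameters":{}}
"""

Event = Dict[str, Any]
Rule = Callable[[Event], Optional[str]]  # returns an alert message or None


def actor(ev: Event) -> str:
    return ev.get("userIdentity", {}).get("userName", "?")


def params(ev: Event) -> Dict[str, Any]:
    return ev.get("requestParameters") or {}


def rule_audit_tamper(ev: Event) -> Optional[str]:
    if ev["eventName"] in AUDIT_TAMPER:
        return f"R-CLD-01 logging bypass: {ev['eventName']} by {actor(ev)}"
    return None


def rule_unapproved_region(ev: Event) -> Optional[str]:
    if ev["eventSource"] not in GLOBAL_SERVICES and ev["awsRegion"] not in ALLOWED_REGIONS:
        return f"T1535 unapproved region: {ev['eventName']} in {ev['awsRegion']} by {actor(ev)}"
    return None


def rule_admin_grant(ev: Event) -> Optional[str]:
    p = params(ev)
    if ev["eventName"] in POLICY_ATTACH and p.get("policyArn", "").endswith("/AdministratorAccess"):
        target = p.get("userName") or p.get("roleName") or p.get("groupName")
        return f"E-CLD-01 AdministratorAccess attached to {target} by {actor(ev)}"
    return None


def rule_key_for_other_user(ev: Event) -> Optional[str]:
    target = params(ev).get("userName")  # a key for someone else is a backdoor, not key rotation
    if ev["eventName"] == "CreateAccessKey" and target and target != actor(ev):
        return f"T1098 access key created for {target} by {actor(ev)}"
    return None


def rule_access_removal(ev: Event) -> Optional[str]:
    if ev["eventName"] in ACCESS_REMOVAL:
        return f"T1531 access removed: {ev['eventName']} on {params(ev).get('userName', '?')} by {actor(ev)}"
    return None


def rule_accelerated_compute(ev: Event) -> Optional[str]:
    itype = params(ev).get("instanceType", "")
    if ev["eventName"] == "RunInstances" and ACCELERATED_TYPE_RE.match(itype):
        return f"D-CLD-01 accelerated instance {itype} launched by {actor(ev)}"
    return None


RULES: List[Rule] = [rule_audit_tamper, rule_unapproved_region, rule_admin_grant,
                     rule_key_for_other_user, rule_access_removal, rule_accelerated_compute]


def parse_events(text: str) -> List[Event]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Run every rule over every event; one event may raise several alerts."""
    alerts = []
    for ev in events:
        for rule in RULES:
            message = rule(ev)
            if message:
                alerts.append({"time": ev["eventTime"], "event": ev["eventName"], "alert": message})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert["time"], alert["alert"])
```

On the sample log the engine raises seven alerts: the `RunInstances` call in ap-southeast-1 trips both the region rule and the accelerated-compute rule, the three IAM events trip only their identity rules (their `us-east-1` region is skipped as a global service), and the routine `GetObject` stays silent. Rules return a message instead of a boolean so the SIEM integration listed above receives the actor and target without a second lookup.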

Public Cloud Landing Zone | IT Security Checklist for SMEs · AYSOLI Security Hub