Cloud Storage & Data Lake

Large volumes of data in the cloud are a magnet for attackers. A single misconfiguration, such as a publicly readable bucket, can lead to disaster.

Your Strategy

Implement a "default deny" policy for all storage resources. Use automated tools that continuously scan for publicly accessible buckets and report them before an attacker finds them.

Best Practices

  • Encryption: Use Customer Managed Keys (CMK) for maximum control over data encryption at rest.
  • Access: Use SAS tokens or temporary IAM roles instead of permanent keys.
  • Logging: Enable data access logging and store these logs in tamper-resistant, immutable storage that is separate from the data it describes.
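The strategy and the three best practices above translate directly into checks that a scanner can run against each bucket's configuration. The following script is an added example, not tooling from the original page or its author: it audits a bucket description for public exposure (Public Access Block flags, wildcard policy principals, public ACL grants), for encryption that does not use a customer-managed key, and for disabled or self-referencing access logging. The input shape is an assumption, a plain dict modelled on what the S3 GetPublicAccessBlock, GetBucketPolicy, GetBucketAcl, GetBucketEncryption and GetBucketLogging calls return, so it runs offline on constructed sample data; the bucket and role names are placeholders.

```python
"""Offline audit of bucket configurations against the "default deny",
CMK-encryption and immutable-logging practices. Input shape is an assumption
modelled on the S3 Get* APIs; sample buckets below are constructed."""
import json

# ACL grantee URIs that make a bucket or object world-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# All four S3 Public Access Block flags must be on for "default deny".
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_wildcard_principal(principal) -> bool:
    """True if a policy Principal grants to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        values = [values] if isinstance(values, str) else values
        return "*" in values
    return False


def audit_bucket(bucket: dict) -> list:
    """Return findings as dicts with "code", "severity" and "detail" keys."""
    findings = []

    # 1. Public Access Block: any disabled flag weakens the default deny.
    pab = bucket.get("public_access_block") or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append({"code": "PUBLIC_ACCESS_BLOCK_OFF", "severity": "high",
                         "detail": "disabled flags: " + ", ".join(missing)})

    # 2. Bucket policy: Allow statements whose Principal is a wildcard.
    policy = bucket.get("policy")
    if isinstance(policy, str):          # GetBucketPolicy returns a JSON string
        policy = json.loads(policy)
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):        # e.g. aws:PrincipalOrgID; still needs review
            findings.append({"code": "POLICY_CONDITIONALLY_PUBLIC", "severity": "medium",
                             "detail": f"statement {sid} allows '*' under a Condition"})
        else:
            findings.append({"code": "POLICY_PUBLIC", "severity": "critical",
                             "detail": f"statement {sid} allows '*' with no Condition"})

    # 3. ACL grants to the AllUsers / AuthenticatedUsers groups.
    for grant in bucket.get("acl_grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append({"code": "ACL_PUBLIC", "severity": "critical",
                             "detail": f"{grant.get('Permission')} granted to {uri}"})

    # 4. Encryption at rest: require SSE-KMS with a customer-managed key.
    enc = bucket.get("encryption") or {}
    if not enc.get("sse_algorithm"):
        findings.append({"code": "NO_ENCRYPTION", "severity": "high",
                         "detail": "no default encryption configured"})
    elif enc.get("sse_algorithm") != "aws:kms" or not enc.get("kms_key_id"):
        findings.append({"code": "NO_CMK", "severity": "medium",
                         "detail": f"{enc.get('sse_algorithm')} without a customer-managed key"})

    # 5. Access logging must be on and must not land in the audited bucket.
    log = bucket.get("logging") or {}
    if not log.get("enabled"):
        findings.append({"code": "LOGGING_OFF", "severity": "medium",
                         "detail": "data access logging disabled"})
    elif log.get("target_bucket") == bucket.get("name"):
        findings.append({"code": "LOGGING_SELF_TARGET", "severity": "low",
                         "detail": "logs written into the audited bucket itself"})
    return findings


def audit_all(buckets: list) -> dict:
    """Map each bucket name to its finding codes (empty list = compliant)."""
    return {b["name"]: [f["code"] for f in audit_bucket(b)] for b in buckets}


# Constructed sample inventory (placeholder names): one exposed, one hardened.
SAMPLE_BUCKETS = [
    {"name": "datalake-raw-example",
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                             "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::datalake-raw-example/*"}]},
     "acl_grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEES and
                                 "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"}],
     "encryption": {"sse_algorithm": "AES256"},
     "logging": {"enabled": False}},
    {"name": "datalake-curated-example",
     "public_access_block": {f: True for f in PAB_FLAGS},
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Sid": "AnalyticsRole", "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-example"},
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::datalake-curated-example/*"}]},
     "acl_grants": [],
     "encryption": {"sse_algorithm": "aws:kms", "kms_key_id": "alias/datalake-cmk-example"},
     "logging": {"enabled": True, "target_bucket": "audit-logs-example"}},
]

if __name__ == "__main__":
    for name, codes in audit_all(SAMPLE_BUCKETS).items():
        print(f"{name}: {codes or 'OK'}")
```

Run as a script, it reports every finding code for the exposed bucket and "OK" for the hardened one. To use it against a real inventory, feed it the output of the corresponding Get* calls for each bucket; the conditional-wildcard case is deliberately reported at a lower severity rather than ignored, because a condition such as an organisation ID is only as good as the value it checks.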

STRIDE-LM Design Risks

  • S-CLD-01 Spoofing: Cloud Identity Spoofing. Hijacking cloud identities through leaked IAM keys.
  • T-CLD-01 Tampering: Cloud Misconfiguration. Unintentional exposure of resources through misconfiguration.
  • R-CLD-01 Repudiation: Cloud Logging Bypass. Disabling or bypassing cloud audit services.
  • I-CLD-01 Information Disclosure: Metadata Service Abuse. Extracting instance metadata to obtain cloud credentials.
  • D-CLD-01 Denial of Service: Denial of Wallet. Generating massive costs through resource exploitation.
  • E-CLD-01 Elevation of Privilege: IAM Role Escalation. Exploiting excessive IAM permissions for privilege escalation.
  • L-CLD-01 Lateral Movement: Cross-Tenant Lateral Movement. Jumping between different cloud tenants or subscriptions.
  • M-CLD-01 Monitoring Gaps: Shadow Cloud Assets. Creation of uncontrolled resources through "sprawl".

MITRE ATT&CK® Techniques

Initial Access

  • T1078 Valid Accounts (ATT&CK): Exploiting existing credentials for access.
    Mitigated by:
      • Least Privilege Principle (Baseline Protection, Medium): CIS 6.2; NIST PR.AC-6; OWASP A01:2021
      • Privileged Identity Management (PIM) (Baseline Protection, Medium): CIS 6.2; NIST PR.AC-1; OWASP A01:2021
      • Centralized Secrets Vaulting (Extended Protection, Medium): CIS 6.12; NIST PR.DS-1
      • IAM Permissions Boundaries (Extended Protection, Medium): CIS 6.2; NIST PR.AC-1
      • Adaptive MFA (Risk-based) (Extended Protection, Low): CIS 6.5; NIST PR.AC-7

Credential Access

  • T1539 Steal Web Session Cookie (ATT&CK): Capturing active session tokens to bypass authentication.
    Mitigated by:
      • Adaptive MFA (Risk-based) (Extended Protection, Low): CIS 6.5; NIST PR.AC-7
  • T1552 Credentials from Password Stores (ATT&CK): Extracting passwords from web browsers or password managers.
    Mitigated by:
      • Centralized Secrets Vaulting (Extended Protection, Medium): CIS 6.12; NIST PR.DS-1

Discovery

  • T1526 Cloud Service Discovery (ATT&CK): Identifying cloud resources and permissions.
    Mitigated by:
      • API Asset Inventory (Baseline Protection, Medium): CIS 1.1; OWASP API9
  • T1580 Shadow IT Asset Discovery (ATT&CK): Finding unmanaged resources in the network.
    Mitigated by:
      • Least Privilege Principle (Baseline Protection, Medium): CIS 6.2; NIST PR.AC-6; OWASP A01:2021
      • IAM Permissions Boundaries (Extended Protection, Medium): CIS 6.2; NIST PR.AC-1
      • API Asset Inventory (Baseline Protection, Medium): CIS 1.1; OWASP API9

Collection

  • T1530 Data from Cloud Storage Object (ATT&CK): Accessing data from cloud storage (S3, Blobs).
    Mitigated by:
      • Data Loss Prevention (DLP) (Baseline Protection, Medium): CIS 13.3; NIST PR.DS-1
      • Least Privilege Principle (Baseline Protection, Medium): CIS 6.2; NIST PR.AC-6; OWASP A01:2021

Exfiltration

  • T1020 Automated Exfiltration (ATT&CK): Automated exfiltration of data via interfaces.
    Mitigated by:
      • Immutable Audit Logs (Extended Protection, Medium): CIS 8.2; NIST PR.PT-1
  • T1567 Exfiltration Over Web Service (ATT&CK): Data leakage via legitimate web interfaces.
    Mitigated by:
      • Data Loss Prevention (DLP) (Baseline Protection, Medium): CIS 13.3; NIST PR.DS-1
      • SIEM Integration (Extended Protection, High): CIS 8.5; NIST DE.AE-3; NIST DE.CM-1; OWASP A09:2021

Impact

  • T1531 Account Access Removal (ATT&CK): Removing access for legitimate users.
    Mitigated by:
      • SIEM Integration (Extended Protection, High): CIS 8.5; NIST DE.AE-3; NIST DE.CM-1; OWASP A09:2021
      • Cloud Resource Locking (Baseline Protection, Low): CIS 5.1; NIST PR.IP-1
      • MFA for Deletion Operations (Extended Protection, Low): CIS 6.5; NIST PR.AC-7
  • T1485 Data Destruction (ATT&CK): Irretrievable deletion of company data.
    Mitigated by:
      • SIEM Integration (Extended Protection, High): CIS 8.5; NIST DE.AE-3; NIST DE.CM-1; OWASP A09:2021
      • Immutable Audit Logs (Extended Protection, Medium): CIS 8.2; NIST PR.PT-1
      • Cloud Resource Locking (Baseline Protection, Low): CIS 5.1; NIST PR.IP-1
      • MFA for Deletion Operations (Extended Protection, Low): CIS 6.5; NIST PR.AC-7
  • T1565 In-place Modification (ATT&CK): Manipulation of existing code or data at the storage location.
    Mitigated by:
      • Immutable Audit Logs (Extended Protection, Medium): CIS 8.2; NIST PR.PT-1
  • T1490 Inhibit System Recovery (ATT&CK): Deleting backups and shadow copies to prevent system recovery.
    Mitigated by:
      • Cloud Resource Locking (Baseline Protection, Low): CIS 5.1; NIST PR.IP-1
      • MFA for Deletion Operations (Extended Protection, Low): CIS 6.5; NIST PR.AC-7

Is your scenario more complex?

AYSOLI experts support you in implementing your specific security requirements.