Chapter 1 — Cloud Security Fundamentals
PART I — FOUNDATIONS OF CLOUD SECURITY
In 2019, a single misconfigured WAF rule exposed 100 million Capital One customer records. The attacker did not break any encryption. They did not exploit a zero-day vulnerability. They used a Server-Side Request Forgery (SSRF) flaw to query the EC2 Instance Metadata Service and retrieve temporary IAM credentials — then used those credentials to download data from S3. The entire attack chain relied on three things that are entirely within a cloud customer’s control: WAF configuration, IMDSv1 being enabled, and overly permissive IAM roles.
This chapter establishes the mental model that makes the rest of this handbook coherent: in the cloud, you are responsible for everything above the hypervisor, and the most dangerous misconfigurations are the ones that look like normal, working infrastructure.
1.1 The Evolution of Security in the Cloud
Section titled “1.1 The Evolution of Security in the Cloud”Traditional security models assumed:
- A clear network boundary
- Fixed infrastructure
- Long-lived servers
- Static identities
Cloud environments break all of these assumptions:
| Traditional IT | Cloud |
|---|---|
| Fixed servers | Ephemeral workloads |
| Perimeter firewall | Identity-first security |
| Manual provisioning | Infrastructure as Code |
| Periodic audits | Continuous monitoring |
| Static networks | Dynamic environments |
This shift requires a fundamentally different security mindset.
The Threat Landscape Evolution
Section titled “The Threat Landscape Evolution”The cloud threat landscape has evolved significantly:
2010-2015: Basic misconfigurations (public S3 buckets, open databases)
2015-2020: Sophisticated credential theft and API abuse
2020-2025: Supply chain attacks and container vulnerabilities
2025+: AI-powered attacks and automated exploitation
Modern attackers use cloud-native tools to scan for vulnerabilities continuously. Your security posture must be equally dynamic.
1.2 Core Security Principles
Section titled “1.2 Core Security Principles”A strong cloud security program rests on five principles:
1. Identity is the perimeter
Section titled “1. Identity is the perimeter”Traditional network perimeters have dissolved. In the cloud:
- Every user, service, and workload has an identity
- Identity governs all access decisions
- Zero Trust starts with strong identity controls
Implementation: centralized identity providers, MFA for all, just-in-time access
2. Least privilege by default
Section titled “2. Least privilege by default”Every entity gets only the permissions it strictly needs:
- Start with no permissions
- Grant minimal required access
- Review and prune regularly
- Automate permission management
Implementation: role-based access control, permission boundaries, automated access reviews
3. Assume breach
Section titled “3. Assume breach”Design systems with the expectation that compromise can happen:
- Multiple layers of defense
- Compartmentalization to limit blast radius
- Rapid detection and response capabilities
- Secure by default configurations
Implementation: network segmentation, encryption everywhere, comprehensive logging
4. Automate everything
Section titled “4. Automate everything”Reduce human error via tooling and guardrails:
- Infrastructure as Code
- Automated security testing
- Continuous compliance monitoring
- Self-healing security controls
Implementation: CI/CD security pipelines, policy-as-code, automated remediation
5. Measure continuously
Section titled “5. Measure continuously”Track KPIs to validate security effectiveness:
- Security metrics aligned with business goals
- Leading indicators of security posture
- Regular security assessments
- Data-driven decision making
Implementation: security dashboards, risk scoring, maturity assessments
1.3 Common Cloud Security Failures
Section titled “1.3 Common Cloud Security Failures”The most frequent causes of cloud breaches include:
Configuration Management Failures
Section titled “Configuration Management Failures”- Publicly exposed storage buckets: S3, Azure Blob, GCS buckets with public access
- Overly permissive IAM roles: Wildcard permissions, unused service accounts
- Unencrypted databases and storage: Default configurations left unchanged
- Open security groups/firewall rules: 0.0.0.0/0 access to sensitive services
Identity and Access Management Issues
Section titled “Identity and Access Management Issues”- Missing logging and monitoring: No CloudTrail, Activity Logs, or audit trails
- Weak credential management: Hardcoded secrets, long-lived access keys
- Lack of MFA enforcement: Especially for root and privileged accounts
- Inactive user accounts: Former employee access never revoked
Operational Security Gaps
Section titled “Operational Security Gaps”- Unpatched servers: Missing security updates, vulnerable software versions
- Secrets committed to source code: API keys, passwords in Git repositories
- Lack of incident response planning: No runbooks, unclear escalation paths
- Inadequate backup strategies: No testing, single-region storage
Application Security Deficiencies
Section titled “Application Security Deficiencies”- Insecure APIs: Missing authentication, excessive data exposure
- Container vulnerabilities: Unscanned images, privileged containers
- Serverless function exposures: Overly permissive execution roles
- Supply chain risks: Unverified third-party dependencies
Real-World Impact
Section titled “Real-World Impact”These failures have led to:
- Capital One breach (2019): 100M+ records exposed via SSRF vulnerability in a WAF, allowing access to EC2 IMDSv1 credentials.
- SolarWinds attack (2020): Supply chain compromise through build system
- Microsoft Exchange breach (2021): On-premises vulnerabilities affecting cloud deployments
- Codecov breach (2021): CI/CD environment compromise via Docker image
Your goal should be to eliminate these risks systematically through defense-in-depth.