Module 09 · Cyberspace Tech Solutions Cybersecurity Curriculum
Cloud Security
Cloud IAM, data protection strategies, CSPM, CNAPP, misconfigurations, and compliance — ~60 minutes of interview prep.
20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes
Learning Outcomes
- Implement robust IAM controls in cloud environments
- Protect sensitive data across cloud service models (IaaS, PaaS, SaaS)
- Monitor cloud infrastructure for compliance and anomalies using CSPM/CNAPP
- Identify and remediate common cloud misconfigurations
Topics Covered
| # | Topic | Time | Type |
|---|---|---|---|
| 1 | Core Concepts (Shared Responsibility, IAM, CSPM, Misconfigs) | 10 min | Reading |
| 2 | Interview Questions & Answers | 20 min | Q&A |
| 3 | MCQ Quiz (25 questions) | 15 min | Quiz |
| 4 | Shared Responsibility Model Mapper | 5 min | Simulation |
| 5 | IAM Permission Evaluator | 4 min | Simulation |
| 6 | Cloud Misconfiguration Finder | 3 min | Simulation |
| 7 | Cloud Service Model Matcher | 3 min | Simulation |
⚠️ Interview Fact: Misconfiguration is the #1 cause of cloud data breaches. Gartner estimated that through 2025, 99% of cloud security failures will be the customer's fault — not the CSP's.
Core Concepts · ~10 min
Cloud Security Fundamentals
Shared Responsibility Model
| Responsibility | IaaS (e.g., EC2) | PaaS (e.g., Lambda) | SaaS (e.g., Office 365) |
|---|---|---|---|
| Physical security | CSP | CSP | CSP |
| Hypervisor/infrastructure | CSP | CSP | CSP |
| OS patching | Customer | CSP | CSP |
| Runtime/middleware | Customer | CSP | CSP |
| Application code | Customer | Customer | CSP |
| Data classification & encryption | Customer | Customer | Customer |
| IAM & access management | Customer | Customer | Customer |
| Network controls (security groups) | Customer | Customer/CSP | CSP |
💡 Key principle: CSP secures the cloud infrastructure itself. The customer secures everything they put in the cloud. The boundary shifts as you move from IaaS → PaaS → SaaS.
Cloud IAM Key Concepts
| Concept | Description | AWS Example |
|---|---|---|
| IAM User | Individual identity for a person/application | aws iam create-user |
| IAM Group | Collection of users sharing policies | Developers, Admins |
| IAM Role | Identity assumed by services/users — no long-term credentials | EC2 instance role, Lambda execution role |
| IAM Policy | JSON document defining allowed/denied actions on resources | AmazonS3ReadOnlyAccess |
| STS | Security Token Service — issues temporary credentials | AssumeRole, GetSessionToken |
| IAM Access Analyzer | Identifies resources shared with external entities | Finds public S3 buckets, open roles |
Common Cloud Misconfigurations (Top Risks)
| Misconfiguration | Risk | Fix |
|---|---|---|
| Public S3 bucket | Data exposure to the entire internet | Block Public Access setting, S3 bucket policy, S3 Object Ownership |
| Security group 0.0.0.0/0 on port 22/3389 | SSH/RDP brute force from any IP | Restrict to known IPs, use VPN + bastion host |
| No MFA on root account | Full account takeover if password leaked | Enable hardware MFA on root, avoid using root |
| CloudTrail disabled | No audit log — attackers can cover tracks | Enable CloudTrail in all regions, log to S3 with integrity validation |
| Overly permissive IAM (AdministratorAccess) | Privilege escalation if service account compromised | Apply least privilege, use IAM Access Analyzer |
| Unencrypted RDS databases | Data accessible if storage media is compromised | Enable RDS encryption at rest (KMS) |
| Secrets in EC2 user data / environment variables | Credentials exposed in metadata or logs | Use AWS Secrets Manager or Parameter Store |
CSPM vs CNAPP
CSPM — Cloud Security Posture Management
- Continuously checks cloud configs against security benchmarks
- Finds misconfigurations (public buckets, open ports)
- Compliance reporting (CIS, PCI-DSS, HIPAA)
- Tools: Wiz, Prisma Cloud, AWS Security Hub
CNAPP — Cloud Native Application Protection Platform
- CSPM + workload protection + container security + CIEM
- Covers containers, serverless, microservices
- Runtime threat detection on cloud workloads
- Tools: Wiz, Orca Security, Sysdig, Aqua
Interview Q&A · ~20 min · 20 Questions
Interview Questions & Model Answers
Click any question to reveal the model answer. Easy Medium Hard
1Explain the AWS Shared Responsibility Model.Easy▼
The AWS Shared Responsibility Model divides security obligations between AWS and the customer:
- AWS is responsible FOR the cloud: Physical data centres, global network infrastructure, hardware, hypervisor, availability zones. AWS secures the foundational services that run everything.
- Customer is responsible IN the cloud: What you deploy on top — IAM configuration, OS patching (for IaaS), application code, data encryption, network security groups, firewall rules.
- IaaS (EC2): Customer owns OS, middleware, runtime, application.
- PaaS (Lambda/App Service): AWS manages OS and runtime; customer owns application and data.
- SaaS (WorkMail, Chime): AWS manages almost everything; customer manages data and access.
💡 Interview Tip: The #1 exam/interview insight is that misconfigurations (public S3 buckets, open security groups) are ALWAYS the customer's responsibility — AWS cannot fix a bucket a customer made public.
2What are the most common cloud security misconfigurations?Easy▼
The most impactful cloud misconfigurations (largely driven by real breach data):
- Public S3 buckets: Accidentally exposing databases, PII, source code. Capital One breach (2019) stemmed from an SSRF exploit combined with overly permissive IAM role.
- Open security groups (0.0.0.0/0): Exposing SSH (22), RDP (3389), databases (3306, 5432) to the entire internet.
- No MFA on root/admin accounts: Root account is the "god mode" of AWS — if compromised, everything is accessible.
- CloudTrail disabled: No audit trail means attackers can delete resources, exfiltrate data, and cover tracks without detection.
- Overly permissive IAM: AdministratorAccess or wildcard (*) policies on service accounts — lateral movement and privilege escalation if compromised.
- Unencrypted storage: RDS, EBS, S3 objects without encryption at rest.
- Hardcoded credentials: API keys in source code (GitHub), Lambda environment variables, EC2 user data.
💡 CSPM tools like Wiz and AWS Security Hub continuously scan for these and alert in real time — mention them as controls.
3What is CSPM and what does it do?Medium▼
Cloud Security Posture Management (CSPM) is a category of security tools that continuously monitor cloud infrastructure configurations for security risks and compliance violations.
- Configuration assessment: Compares cloud resources against security benchmarks (CIS, NIST, PCI-DSS, HIPAA, SOC 2).
- Misconfiguration detection: Identifies public buckets, open security groups, missing encryption, disabled logging.
- Compliance reporting: Dashboards showing compliance posture by framework and resource.
- Drift detection: Alerts when resources deviate from approved baseline configurations.
- Multi-cloud support: Most CSPM tools cover AWS, Azure, and GCP simultaneously.
💡 CSPM is configuration-focused. It doesn't stop active attacks — it prevents the misconfigurations that enable them. Pair with CWPP (Cloud Workload Protection) for runtime threat detection.
4What is the difference between CSPM and CNAPP?Medium▼
| Feature | CSPM | CNAPP |
|---|---|---|
| Scope | Cloud configuration and posture | Full cloud native app lifecycle protection |
| Covers | IaaS configs, storage, IAM policies | CSPM + containers + serverless + workloads + APIs |
| Runtime protection | No (config only) | Yes — detects threats at runtime |
| Container security | Limited | Full (image scanning, Kubernetes, runtime) |
| CIEM (Cloud Identity Entitlement Management) | Sometimes | Yes — full identity risk analysis |
| Example tools | AWS Security Hub, Dome9 | Wiz, Orca, Sysdig, Aqua Security |
💡 CNAPP is the evolution/superset of CSPM — it unified multiple point solutions (CSPM + CWPP + CIEM + container security) into a single platform. Gartner coined CNAPP in 2021.
5How does cloud IAM differ from on-premises IAM?Medium▼
| Aspect | On-Premises IAM | Cloud IAM |
|---|---|---|
| Infrastructure | Active Directory, LDAP on-prem servers | AWS IAM, Azure AD, GCP IAM — managed service |
| Identity types | Users, service accounts | Users, roles, service accounts, federated identities, workload identities |
| Credentials | Passwords, Kerberos tickets | Access keys, temporary STS tokens, instance profiles, OIDC tokens |
| Granularity | Folder/share permissions | Per-API-action, per-resource ARN, condition-based |
| Scale | Thousands of identities | Millions of resources with fine-grained policies |
| Unique risks | Pass-the-Hash, Kerberoasting | SSRF→IMDS, privilege escalation via policy attachment, role chaining |
💡 Cloud IAM roles are preferred over IAM users for services — roles use temporary credentials (no long-lived access keys to rotate/leak). IAM users with access keys are a major risk if keys are exposed.
6What is AWS KMS and why is it important?Medium▼
AWS Key Management Service (KMS) is a managed service for creating and controlling cryptographic keys used to encrypt data across AWS services.
- CMKs (Customer Managed Keys): Keys you create and control — can define key policies, enable/disable rotation, audit usage via CloudTrail.
- AWS Managed Keys: Automatically created for AWS services (aws/s3, aws/rds) — less control, no cost.
- Integration: S3 (SSE-KMS), RDS, EBS, Secrets Manager, Lambda — nearly all AWS services support KMS encryption.
- HSM-backed: KMS keys are stored in FIPS 140-2 validated HSMs — keys never leave the HSM in plaintext.
- Key policies: Control who can use and administer each key — separate from IAM policies.
💡 For the highest security, use AWS CloudHSM — dedicated hardware where you control the HSM, with no AWS access to key material. KMS relies on shared HSM infrastructure (logical isolation).
7What is CloudTrail and what does it log?Easy▼
AWS CloudTrail is a service that records API calls made to AWS services — creating an immutable audit trail of all account activity.
What it captures:
What it captures:
- Who made the call (IAM user, role, AWS service)
- What action was taken (CreateBucket, TerminateInstances, AttachRolePolicy)
- When it happened (timestamp)
- From where (source IP, user agent)
- On which resource (ARN of affected resource)
- Whether it succeeded or failed
💡 Best practices: Enable CloudTrail in ALL regions (not just primary), log to a dedicated S3 bucket in a separate security account, enable log file validation (SHA-256 hash), integrate with SIEM via CloudWatch Events.
8What is an SSRF attack against cloud metadata services (IMDS)?Hard▼
Server-Side Request Forgery (SSRF) against cloud metadata services is a high-impact attack technique:
How it works:
Mitigations:
How it works:
- Attacker finds an SSRF vulnerability in a web application running on an EC2 instance (e.g., URL parameter that the server fetches).
- Attacker makes the server fetch
http://169.254.169.254/latest/meta-data/iam/security-credentials/— the AWS Instance Metadata Service (IMDS). - The IMDS returns temporary AWS credentials (Access Key ID, Secret Access Key, Session Token) for the instance's IAM role.
- Attacker uses these credentials to access AWS services with the permissions of that role — could be S3, RDS, secrets, or even full admin access.
Mitigations:
- Enforce IMDSv2 (requires token-based requests — SSRF cannot get token in single request)
- Disable IMDS entirely if instance doesn't need AWS credentials
- Apply least-privilege IAM roles to instances
- Use WAF rules to block requests to 169.254.169.254
9How do you secure an S3 bucket?Medium▼
A comprehensive S3 bucket security checklist:
- Block Public Access: Enable S3 Block Public Access at the account level — prevents any bucket from being made public regardless of bucket policy.
- Bucket policy: Restrict access to specific IAM principals, enforce HTTPS only (
aws:SecureTransportcondition), restrict to VPC endpoints. - Encryption at rest: Enable SSE-S3 (AES-256) or SSE-KMS (KMS CMK) for all objects.
- Versioning: Enable versioning to protect against accidental deletion and ransomware.
- MFA Delete: Require MFA to permanently delete object versions.
- Access Logging: Enable S3 server access logging to audit who accesses objects.
- S3 Object Ownership: Set to Bucket owner enforced — disables ACLs, bucket policy is sole access control.
- Lifecycle policies: Move old versions to Glacier, auto-delete temporary data.
- Monitoring: AWS Macie for PII detection, CloudTrail data events for access auditing.
10What is a Cloud Access Security Broker (CASB)?Medium▼
A CASB sits between users and cloud service providers, providing visibility and control over cloud usage — including shadow IT (unauthorized cloud apps).
Vendors: Microsoft Defender for Cloud Apps, Netskope, Zscaler, McAfee MVISION Cloud.
- Discovery: Identifies all cloud services used by the organization (shadow IT discovery).
- Data security: Applies DLP policies to data stored in or moving to cloud apps (detect PII in Dropbox).
- Threat protection: Detects compromised accounts, unusual access patterns, malware in cloud storage.
- Compliance: Enforces policies for regulated data (GDPR, HIPAA) in cloud applications.
- Access control: Enforces MFA, device posture checks, conditional access for cloud apps.
Vendors: Microsoft Defender for Cloud Apps, Netskope, Zscaler, McAfee MVISION Cloud.
11What is cryptojacking and how do you detect it?Medium▼
Cryptojacking is the unauthorized use of someone else's cloud/computer resources to mine cryptocurrency (typically Monero — harder to trace than Bitcoin).
In cloud environments, attackers who gain access (via leaked credentials, SSRF, or misconfigured IAM) spin up large numbers of GPU/CPU-intensive instances to mine crypto at the victim's expense — often running up AWS bills of hundreds of thousands of dollars before detection.
Detection signals:
In cloud environments, attackers who gain access (via leaked credentials, SSRF, or misconfigured IAM) spin up large numbers of GPU/CPU-intensive instances to mine crypto at the victim's expense — often running up AWS bills of hundreds of thousands of dollars before detection.
Detection signals:
- Sudden spike in EC2/cloud costs — billing alert is often the first indicator
- Unusual instance types launched (GPU instances for crypto mining)
- High CPU utilization on instances with no corresponding application load
- Outbound connections to known mining pool addresses
- CloudTrail: RunInstances calls from unusual IPs or at unusual times
12What is AWS Security Hub?Medium▼
AWS Security Hub is a cloud security posture management service that aggregates, organizes, and prioritizes security findings from multiple AWS services and third-party tools into a single dashboard.
- Finding aggregation: Collects findings from GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, third-party tools.
- Security standards: Continuously checks against AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark, PCI DSS, NIST SP 800-53.
- Normalized format: AWS Security Finding Format (ASFF) — standardizes findings from different sources.
- Multi-account: Aggregates findings across all accounts in an AWS Organization via a designated Security Hub administrator account.
- Automated response: Integrates with EventBridge to trigger Lambda functions for automated remediation.
💡 Security Hub is the AWS-native CSPM solution. For multi-cloud (AWS + Azure + GCP), consider third-party tools like Wiz or Prisma Cloud which provide unified visibility.
13What is Kubernetes security and common K8s vulnerabilities?Hard▼
Kubernetes (K8s) is the dominant container orchestration platform and has unique security concerns:
- Exposed API server: The K8s API server should not be internet-facing. Exposed unauthenticated API servers have led to major breaches (Tesla, 2018).
- Overly permissive RBAC: ClusterAdmin bindings or wildcard permissions grant attackers full cluster control.
- Container escape: Privileged containers, hostPath mounts, and certain capabilities can allow breaking out of the container to the host node.
- Vulnerable images: Containers built from outdated base images with known CVEs.
- Secrets management: Kubernetes Secrets are base64-encoded (not encrypted) by default — use KMS envelope encryption or Vault.
- Network policies: Without NetworkPolicies, all pods can communicate with each other — no east-west segmentation.
14What is a service account and what are the risks if misconfigured?Medium▼
A service account (or IAM role in AWS) is an identity used by applications, services, and workloads to access cloud resources — rather than a human user.
Misconfiguration risks:
Misconfiguration risks:
- Over-privileged roles: An EC2 instance with AdministratorAccess means any compromise of that instance gives full account control — SSRF → IMDS → game over.
- Unused service accounts: Old service accounts with active credentials — attackers find and reuse them.
- Long-lived access keys: IAM users with static access keys (never rotated) that are committed to GitHub or leaked in logs.
- Cross-account roles with excessive trust: A role that trusts all principals in another account — privilege escalation through partner accounts.
- Key rotation disabled: Access keys that are months or years old.
15How does encryption at rest work in AWS?Medium▼
AWS encryption at rest uses envelope encryption:
- A data encryption key (DEK) is generated using AES-256.
- The DEK encrypts your data.
- The DEK itself is encrypted (wrapped) by a KMS Customer Master Key (CMK).
- Only the encrypted DEK and encrypted data are stored.
- To decrypt: KMS decrypts the DEK (after authorization check), the DEK decrypts the data, DEK is destroyed from memory.
SSE-S3: AWS managed key, fully transparent, no costSSE-KMS: Customer-managed KMS key — audit trail, key policy control, per-request costSSE-C: Customer-provided key — you manage keys entirely outside AWSCSE: Client-side encryption — data encrypted before it reaches AWS
16What is the CIS Benchmark for cloud?Medium▼
The CIS (Center for Internet Security) Benchmarks are consensus-based security configuration guides for cloud environments.
How to use: AWS Security Hub has built-in CIS AWS Foundations Benchmark standard — it automatically checks your account against all controls and provides a compliance score.
- CIS AWS Foundations Benchmark: Level 1 (basic, broad applicability) and Level 2 (higher security, reduced functionality) controls for AWS account security — covers IAM, logging, monitoring, networking.
- Example controls: Avoid root account usage, enable MFA on root, ensure CloudTrail is enabled in all regions, ensure no security groups allow unrestricted inbound access on port 22, enable AWS Config.
How to use: AWS Security Hub has built-in CIS AWS Foundations Benchmark standard — it automatically checks your account against all controls and provides a compliance score.
💡 CIS Level 1 is the baseline for most organizations. Level 2 may restrict some functionality — evaluate whether each control is appropriate for your environment before blindly enabling all of them.
17What is multi-cloud security and its challenges?Hard▼
Multi-cloud means using services from multiple cloud providers (e.g., AWS + Azure + GCP) simultaneously.
Security challenges:
Security challenges:
- No unified visibility: Each CSP has its own security tools, APIs, and interfaces — creating blind spots without a third-party CSPM.
- IAM fragmentation: Different identity models (AWS IAM, Azure RBAC, GCP IAM) — policies inconsistently applied.
- Data sovereignty: Data in different clouds may span different regulatory jurisdictions.
- Increased attack surface: More services = more potential misconfigurations and entry points.
- Skills gap: Security team must know security nuances of each platform.
- Log correlation: Aggregating and correlating CloudTrail, Azure Monitor, GCP Audit Logs requires a common SIEM.
18How do you implement Zero Trust in a cloud environment?Hard▼
Zero Trust in cloud: verify every request, assume breach, minimize blast radius.
- Identity-centric: Every API call authenticated and authorized via IAM. Use short-lived tokens (STS), enforce MFA, use OIDC/SAML federation.
- Device posture: Condition IAM policy access on endpoint compliance (device must be managed, up-to-date, enrolled in MDM).
- Least privilege: IAM policies scoped to specific resources and actions. Use IAM Access Analyzer, CIEM tools.
- Network microsegmentation: VPCs, security groups, NACLs, AWS PrivateLink (keep traffic within AWS backbone). No unnecessary public endpoints.
- Encrypt everything: TLS in transit (enforce via bucket policy
aws:SecureTransport), KMS at rest. - Continuous monitoring: CloudTrail, GuardDuty, Security Hub — every action logged and anomalies alerted.
- Workload identity: Use service mesh (Istio) for mutual TLS between microservices — every service authenticates to every other service.
19What is tokenization and how does it differ from encryption?Medium▼
| Encryption | Tokenization | |
|---|---|---|
| Output | Ciphertext (mathematically derived from plaintext) | Random token with no mathematical relationship to original |
| Reversibility | Reversible with key | Only reversible by looking up token in secure vault |
| Key risk | Attacker with key can decrypt all data | No key — attacker needs access to token vault |
| Format | Changes format/length | Can preserve format (FPE — format-preserving) |
| Use case | Data at rest, data in transit | Payment card numbers (PCI-DSS), SSNs — replace sensitive data in databases |
💡 Credit card numbers are often tokenized in databases — the actual card number stored in a vault (or with a payment processor), and only the token is stored in your database. Even if your database is breached, the token is useless without the vault.
20What is AWS GuardDuty and what threats does it detect?Medium▼
AWS GuardDuty is a managed threat detection service that continuously analyzes CloudTrail logs, VPC Flow Logs, DNS logs, and EKS audit logs using ML and threat intelligence to detect threats.
Example threat categories:
Example threat categories:
- Reconnaissance: API calls from Tor exit nodes, unusual port scanning from EC2 instances, credential brute force.
- Instance compromise: EC2 communicating with known C2 servers, cryptomining traffic, malware DNS queries.
- Account compromise: Unusual region activity, root account usage, large-scale data exfiltration from S3.
- Privilege escalation: IAM policy changes, new admin users created from unusual IP.
- Kubernetes attacks: Anonymous API calls, exec into containers, deployment of privileged pods.
MCQ Quiz · ~15 min · 25 Questions
Multiple Choice Questions
Select an answer then click Check. Explanations shown after submission.
MCQ Progress:
0 / 25
Simulation 1 · ~5 min
Shared Responsibility Model Mapper
Drag each responsibility chip to the correct column: CSP Responsibility or Customer Responsibility.
☁️ CSP Responsibility
AWS/Azure/GCP secures this
👤 Customer Responsibility
You secure this
Simulation 2 · ~4 min
IAM Permission Evaluator
For each IAM scenario, determine if the permission is Too Permissive, Appropriate, or Too Restrictive.
Simulation 3 · ~3 min
Cloud Misconfiguration Finder
For each cloud configuration, select whether it is Secure or Misconfigured.
Simulation 4 · ~3 min
Cloud Service Model Matcher
Classify each cloud service as IaaS, PaaS, or SaaS.
🎉