← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 09 · Cyberspace Tech Solutions Cybersecurity Curriculum

Cloud Security

Cloud IAM, data protection strategies, CSPM, CNAPP, misconfigurations, and compliance — ~60 minutes of interview prep.

20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Learning Outcomes

  • Implement robust IAM controls in cloud environments
  • Protect sensitive data across cloud service models (IaaS, PaaS, SaaS)
  • Monitor cloud infrastructure for compliance and anomalies using CSPM/CNAPP
  • Identify and remediate common cloud misconfigurations

Topics Covered

#TopicTimeType
1Core Concepts (Shared Responsibility, IAM, CSPM, Misconfigs)10 minReading
2Interview Questions & Answers20 minQ&A
3MCQ Quiz (25 questions)15 minQuiz
4Shared Responsibility Model Mapper5 minSimulation
5IAM Permission Evaluator4 minSimulation
6Cloud Misconfiguration Finder3 minSimulation
7Cloud Service Model Matcher3 minSimulation
⚠️ Interview Fact: Misconfiguration is the #1 cause of cloud data breaches. Gartner estimated that through 2025, 99% of cloud security failures will be the customer's fault — not the CSP's.
Core Concepts · ~10 min

Cloud Security Fundamentals

Shared Responsibility Model

ResponsibilityIaaS (e.g., EC2)PaaS (e.g., Lambda)SaaS (e.g., Office 365)
Physical securityCSPCSPCSP
Hypervisor/infrastructureCSPCSPCSP
OS patchingCustomerCSPCSP
Runtime/middlewareCustomerCSPCSP
Application codeCustomerCustomerCSP
Data classification & encryptionCustomerCustomerCustomer
IAM & access managementCustomerCustomerCustomer
Network controls (security groups)CustomerCustomer/CSPCSP
💡 Key principle: CSP secures the cloud infrastructure itself. The customer secures everything they put in the cloud. The boundary shifts as you move from IaaS → PaaS → SaaS.

Cloud IAM Key Concepts

ConceptDescriptionAWS Example
IAM UserIndividual identity for a person/applicationaws iam create-user
IAM GroupCollection of users sharing policiesDevelopers, Admins
IAM RoleIdentity assumed by services/users — no long-term credentialsEC2 instance role, Lambda execution role
IAM PolicyJSON document defining allowed/denied actions on resourcesAmazonS3ReadOnlyAccess
STSSecurity Token Service — issues temporary credentialsAssumeRole, GetSessionToken
IAM Access AnalyzerIdentifies resources shared with external entitiesFinds public S3 buckets, open roles

Common Cloud Misconfigurations (Top Risks)

MisconfigurationRiskFix
Public S3 bucketData exposure to the entire internetBlock Public Access setting, S3 bucket policy, S3 Object Ownership
Security group 0.0.0.0/0 on port 22/3389SSH/RDP brute force from any IPRestrict to known IPs, use VPN + bastion host
No MFA on root accountFull account takeover if password leakedEnable hardware MFA on root, avoid using root
CloudTrail disabledNo audit log — attackers can cover tracksEnable CloudTrail in all regions, log to S3 with integrity validation
Overly permissive IAM (AdministratorAccess)Privilege escalation if service account compromisedApply least privilege, use IAM Access Analyzer
Unencrypted RDS databasesData accessible if storage media is compromisedEnable RDS encryption at rest (KMS)
Secrets in EC2 user data / environment variablesCredentials exposed in metadata or logsUse AWS Secrets Manager or Parameter Store

CSPM vs CNAPP

CSPM — Cloud Security Posture Management
  • Continuously checks cloud configs against security benchmarks
  • Finds misconfigurations (public buckets, open ports)
  • Compliance reporting (CIS, PCI-DSS, HIPAA)
  • Tools: Wiz, Prisma Cloud, AWS Security Hub
CNAPP — Cloud Native Application Protection Platform
  • CSPM + workload protection + container security + CIEM
  • Covers containers, serverless, microservices
  • Runtime threat detection on cloud workloads
  • Tools: Wiz, Orca Security, Sysdig, Aqua
Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

Click any question to reveal the model answer. Easy Medium Hard

1Explain the AWS Shared Responsibility Model.Easy
The AWS Shared Responsibility Model divides security obligations between AWS and the customer:
  • AWS is responsible FOR the cloud: Physical data centres, global network infrastructure, hardware, hypervisor, availability zones. AWS secures the foundational services that run everything.
  • Customer is responsible IN the cloud: What you deploy on top — IAM configuration, OS patching (for IaaS), application code, data encryption, network security groups, firewall rules.
The boundary shifts by service model:
  • IaaS (EC2): Customer owns OS, middleware, runtime, application.
  • PaaS (Lambda/App Service): AWS manages OS and runtime; customer owns application and data.
  • SaaS (WorkMail, Chime): AWS manages almost everything; customer manages data and access.
💡 Interview Tip: The #1 exam/interview insight is that misconfigurations (public S3 buckets, open security groups) are ALWAYS the customer's responsibility — AWS cannot fix a bucket a customer made public.
2What are the most common cloud security misconfigurations?Easy
The most impactful cloud misconfigurations (largely driven by real breach data):
  • Public S3 buckets: Accidentally exposing databases, PII, source code. Capital One breach (2019) stemmed from an SSRF exploit combined with overly permissive IAM role.
  • Open security groups (0.0.0.0/0): Exposing SSH (22), RDP (3389), databases (3306, 5432) to the entire internet.
  • No MFA on root/admin accounts: Root account is the "god mode" of AWS — if compromised, everything is accessible.
  • CloudTrail disabled: No audit trail means attackers can delete resources, exfiltrate data, and cover tracks without detection.
  • Overly permissive IAM: AdministratorAccess or wildcard (*) policies on service accounts — lateral movement and privilege escalation if compromised.
  • Unencrypted storage: RDS, EBS, S3 objects without encryption at rest.
  • Hardcoded credentials: API keys in source code (GitHub), Lambda environment variables, EC2 user data.
💡 CSPM tools like Wiz and AWS Security Hub continuously scan for these and alert in real time — mention them as controls.
3What is CSPM and what does it do?Medium
Cloud Security Posture Management (CSPM) is a category of security tools that continuously monitor cloud infrastructure configurations for security risks and compliance violations.
  • Configuration assessment: Compares cloud resources against security benchmarks (CIS, NIST, PCI-DSS, HIPAA, SOC 2).
  • Misconfiguration detection: Identifies public buckets, open security groups, missing encryption, disabled logging.
  • Compliance reporting: Dashboards showing compliance posture by framework and resource.
  • Drift detection: Alerts when resources deviate from approved baseline configurations.
  • Multi-cloud support: Most CSPM tools cover AWS, Azure, and GCP simultaneously.
Tools: AWS Security Hub, Wiz, Prisma Cloud (Palo Alto), Orca Security, Microsoft Defender for Cloud.
💡 CSPM is configuration-focused. It doesn't stop active attacks — it prevents the misconfigurations that enable them. Pair with CWPP (Cloud Workload Protection) for runtime threat detection.
4What is the difference between CSPM and CNAPP?Medium
FeatureCSPMCNAPP
ScopeCloud configuration and postureFull cloud native app lifecycle protection
CoversIaaS configs, storage, IAM policiesCSPM + containers + serverless + workloads + APIs
Runtime protectionNo (config only)Yes — detects threats at runtime
Container securityLimitedFull (image scanning, Kubernetes, runtime)
CIEM (Cloud Identity Entitlement Management)SometimesYes — full identity risk analysis
Example toolsAWS Security Hub, Dome9Wiz, Orca, Sysdig, Aqua Security
💡 CNAPP is the evolution/superset of CSPM — it unified multiple point solutions (CSPM + CWPP + CIEM + container security) into a single platform. Gartner coined CNAPP in 2021.
5How does cloud IAM differ from on-premises IAM?Medium
AspectOn-Premises IAMCloud IAM
InfrastructureActive Directory, LDAP on-prem serversAWS IAM, Azure AD, GCP IAM — managed service
Identity typesUsers, service accountsUsers, roles, service accounts, federated identities, workload identities
CredentialsPasswords, Kerberos ticketsAccess keys, temporary STS tokens, instance profiles, OIDC tokens
GranularityFolder/share permissionsPer-API-action, per-resource ARN, condition-based
ScaleThousands of identitiesMillions of resources with fine-grained policies
Unique risksPass-the-Hash, KerberoastingSSRF→IMDS, privilege escalation via policy attachment, role chaining
💡 Cloud IAM roles are preferred over IAM users for services — roles use temporary credentials (no long-lived access keys to rotate/leak). IAM users with access keys are a major risk if keys are exposed.
6What is AWS KMS and why is it important?Medium
AWS Key Management Service (KMS) is a managed service for creating and controlling cryptographic keys used to encrypt data across AWS services.
  • CMKs (Customer Managed Keys): Keys you create and control — can define key policies, enable/disable rotation, audit usage via CloudTrail.
  • AWS Managed Keys: Automatically created for AWS services (aws/s3, aws/rds) — less control, no cost.
  • Integration: S3 (SSE-KMS), RDS, EBS, Secrets Manager, Lambda — nearly all AWS services support KMS encryption.
  • HSM-backed: KMS keys are stored in FIPS 140-2 validated HSMs — keys never leave the HSM in plaintext.
  • Key policies: Control who can use and administer each key — separate from IAM policies.
Audit: Every KMS API call is logged to CloudTrail — you can see who decrypted what data and when.
💡 For the highest security, use AWS CloudHSM — dedicated hardware where you control the HSM, with no AWS access to key material. KMS relies on shared HSM infrastructure (logical isolation).
7What is CloudTrail and what does it log?Easy
AWS CloudTrail is a service that records API calls made to AWS services — creating an immutable audit trail of all account activity.

What it captures:
  • Who made the call (IAM user, role, AWS service)
  • What action was taken (CreateBucket, TerminateInstances, AttachRolePolicy)
  • When it happened (timestamp)
  • From where (source IP, user agent)
  • On which resource (ARN of affected resource)
  • Whether it succeeded or failed
CloudTrail event types: Management events (control plane — create/delete/modify resources), Data events (S3 object-level, Lambda invocations — higher cost), Insights events (unusual activity detection).
💡 Best practices: Enable CloudTrail in ALL regions (not just primary), log to a dedicated S3 bucket in a separate security account, enable log file validation (SHA-256 hash), integrate with SIEM via CloudWatch Events.
8What is an SSRF attack against cloud metadata services (IMDS)?Hard
Server-Side Request Forgery (SSRF) against cloud metadata services is a high-impact attack technique:

How it works:
  1. Attacker finds an SSRF vulnerability in a web application running on an EC2 instance (e.g., URL parameter that the server fetches).
  2. Attacker makes the server fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/ — the AWS Instance Metadata Service (IMDS).
  3. The IMDS returns temporary AWS credentials (Access Key ID, Secret Access Key, Session Token) for the instance's IAM role.
  4. Attacker uses these credentials to access AWS services with the permissions of that role — could be S3, RDS, secrets, or even full admin access.
Real-world example: Capital One breach (2019) — attacker exploited SSRF in a WAF misconfiguration, retrieved credentials from IMDS, and exfiltrated 100M+ customer records from S3.

Mitigations:
  • Enforce IMDSv2 (requires token-based requests — SSRF cannot get token in single request)
  • Disable IMDS entirely if instance doesn't need AWS credentials
  • Apply least-privilege IAM roles to instances
  • Use WAF rules to block requests to 169.254.169.254
9How do you secure an S3 bucket?Medium
A comprehensive S3 bucket security checklist:
  • Block Public Access: Enable S3 Block Public Access at the account level — prevents any bucket from being made public regardless of bucket policy.
  • Bucket policy: Restrict access to specific IAM principals, enforce HTTPS only (aws:SecureTransport condition), restrict to VPC endpoints.
  • Encryption at rest: Enable SSE-S3 (AES-256) or SSE-KMS (KMS CMK) for all objects.
  • Versioning: Enable versioning to protect against accidental deletion and ransomware.
  • MFA Delete: Require MFA to permanently delete object versions.
  • Access Logging: Enable S3 server access logging to audit who accesses objects.
  • S3 Object Ownership: Set to Bucket owner enforced — disables ACLs, bucket policy is sole access control.
  • Lifecycle policies: Move old versions to Glacier, auto-delete temporary data.
  • Monitoring: AWS Macie for PII detection, CloudTrail data events for access auditing.
10What is a Cloud Access Security Broker (CASB)?Medium
A CASB sits between users and cloud service providers, providing visibility and control over cloud usage — including shadow IT (unauthorized cloud apps).
  • Discovery: Identifies all cloud services used by the organization (shadow IT discovery).
  • Data security: Applies DLP policies to data stored in or moving to cloud apps (detect PII in Dropbox).
  • Threat protection: Detects compromised accounts, unusual access patterns, malware in cloud storage.
  • Compliance: Enforces policies for regulated data (GDPR, HIPAA) in cloud applications.
  • Access control: Enforces MFA, device posture checks, conditional access for cloud apps.
Deployment modes: API mode (integrates with SaaS APIs), Proxy mode (inline — intercepts traffic).
Vendors: Microsoft Defender for Cloud Apps, Netskope, Zscaler, McAfee MVISION Cloud.
11What is cryptojacking and how do you detect it?Medium
Cryptojacking is the unauthorized use of someone else's cloud/computer resources to mine cryptocurrency (typically Monero — harder to trace than Bitcoin).

In cloud environments, attackers who gain access (via leaked credentials, SSRF, or misconfigured IAM) spin up large numbers of GPU/CPU-intensive instances to mine crypto at the victim's expense — often running up AWS bills of hundreds of thousands of dollars before detection.

Detection signals:
  • Sudden spike in EC2/cloud costs — billing alert is often the first indicator
  • Unusual instance types launched (GPU instances for crypto mining)
  • High CPU utilization on instances with no corresponding application load
  • Outbound connections to known mining pool addresses
  • CloudTrail: RunInstances calls from unusual IPs or at unusual times
Prevention: AWS Cost Anomaly Detection, CloudTrail monitoring, least-privilege IAM, AWS GuardDuty (detects cryptomining in GuardDuty findings).
12What is AWS Security Hub?Medium
AWS Security Hub is a cloud security posture management service that aggregates, organizes, and prioritizes security findings from multiple AWS services and third-party tools into a single dashboard.
  • Finding aggregation: Collects findings from GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, third-party tools.
  • Security standards: Continuously checks against AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark, PCI DSS, NIST SP 800-53.
  • Normalized format: AWS Security Finding Format (ASFF) — standardizes findings from different sources.
  • Multi-account: Aggregates findings across all accounts in an AWS Organization via a designated Security Hub administrator account.
  • Automated response: Integrates with EventBridge to trigger Lambda functions for automated remediation.
💡 Security Hub is the AWS-native CSPM solution. For multi-cloud (AWS + Azure + GCP), consider third-party tools like Wiz or Prisma Cloud which provide unified visibility.
13What is Kubernetes security and common K8s vulnerabilities?Hard
Kubernetes (K8s) is the dominant container orchestration platform and has unique security concerns:
  • Exposed API server: The K8s API server should not be internet-facing. Exposed unauthenticated API servers have led to major breaches (Tesla, 2018).
  • Overly permissive RBAC: ClusterAdmin bindings or wildcard permissions grant attackers full cluster control.
  • Container escape: Privileged containers, hostPath mounts, and certain capabilities can allow breaking out of the container to the host node.
  • Vulnerable images: Containers built from outdated base images with known CVEs.
  • Secrets management: Kubernetes Secrets are base64-encoded (not encrypted) by default — use KMS envelope encryption or Vault.
  • Network policies: Without NetworkPolicies, all pods can communicate with each other — no east-west segmentation.
Security tools: kube-bench (CIS benchmark), Falco (runtime detection), OPA/Gatekeeper (policy enforcement), Trivy (image scanning).
14What is a service account and what are the risks if misconfigured?Medium
A service account (or IAM role in AWS) is an identity used by applications, services, and workloads to access cloud resources — rather than a human user.

Misconfiguration risks:
  • Over-privileged roles: An EC2 instance with AdministratorAccess means any compromise of that instance gives full account control — SSRF → IMDS → game over.
  • Unused service accounts: Old service accounts with active credentials — attackers find and reuse them.
  • Long-lived access keys: IAM users with static access keys (never rotated) that are committed to GitHub or leaked in logs.
  • Cross-account roles with excessive trust: A role that trusts all principals in another account — privilege escalation through partner accounts.
  • Key rotation disabled: Access keys that are months or years old.
Best practices: Prefer IAM roles over IAM users for services, apply least privilege, enable key rotation, use IAM Access Analyzer, use AWS Secrets Manager instead of hardcoded credentials.
15How does encryption at rest work in AWS?Medium
AWS encryption at rest uses envelope encryption:
  1. A data encryption key (DEK) is generated using AES-256.
  2. The DEK encrypts your data.
  3. The DEK itself is encrypted (wrapped) by a KMS Customer Master Key (CMK).
  4. Only the encrypted DEK and encrypted data are stored.
  5. To decrypt: KMS decrypts the DEK (after authorization check), the DEK decrypts the data, DEK is destroyed from memory.
Storage service encryption options:
  • SSE-S3: AWS managed key, fully transparent, no cost
  • SSE-KMS: Customer-managed KMS key — audit trail, key policy control, per-request cost
  • SSE-C: Customer-provided key — you manage keys entirely outside AWS
  • CSE: Client-side encryption — data encrypted before it reaches AWS
16What is the CIS Benchmark for cloud?Medium
The CIS (Center for Internet Security) Benchmarks are consensus-based security configuration guides for cloud environments.
  • CIS AWS Foundations Benchmark: Level 1 (basic, broad applicability) and Level 2 (higher security, reduced functionality) controls for AWS account security — covers IAM, logging, monitoring, networking.
  • Example controls: Avoid root account usage, enable MFA on root, ensure CloudTrail is enabled in all regions, ensure no security groups allow unrestricted inbound access on port 22, enable AWS Config.
Available for AWS, Azure, GCP, Kubernetes, Docker.

How to use: AWS Security Hub has built-in CIS AWS Foundations Benchmark standard — it automatically checks your account against all controls and provides a compliance score.
💡 CIS Level 1 is the baseline for most organizations. Level 2 may restrict some functionality — evaluate whether each control is appropriate for your environment before blindly enabling all of them.
17What is multi-cloud security and its challenges?Hard
Multi-cloud means using services from multiple cloud providers (e.g., AWS + Azure + GCP) simultaneously.

Security challenges:
  • No unified visibility: Each CSP has its own security tools, APIs, and interfaces — creating blind spots without a third-party CSPM.
  • IAM fragmentation: Different identity models (AWS IAM, Azure RBAC, GCP IAM) — policies inconsistently applied.
  • Data sovereignty: Data in different clouds may span different regulatory jurisdictions.
  • Increased attack surface: More services = more potential misconfigurations and entry points.
  • Skills gap: Security team must know security nuances of each platform.
  • Log correlation: Aggregating and correlating CloudTrail, Azure Monitor, GCP Audit Logs requires a common SIEM.
Solutions: Third-party CSPM/CNAPP (Wiz, Prisma Cloud), centralized SIEM (Splunk, Microsoft Sentinel), infrastructure as code (Terraform) for consistent policy enforcement across clouds.
18How do you implement Zero Trust in a cloud environment?Hard
Zero Trust in cloud: verify every request, assume breach, minimize blast radius.
  • Identity-centric: Every API call authenticated and authorized via IAM. Use short-lived tokens (STS), enforce MFA, use OIDC/SAML federation.
  • Device posture: Condition IAM policy access on endpoint compliance (device must be managed, up-to-date, enrolled in MDM).
  • Least privilege: IAM policies scoped to specific resources and actions. Use IAM Access Analyzer, CIEM tools.
  • Network microsegmentation: VPCs, security groups, NACLs, AWS PrivateLink (keep traffic within AWS backbone). No unnecessary public endpoints.
  • Encrypt everything: TLS in transit (enforce via bucket policy aws:SecureTransport), KMS at rest.
  • Continuous monitoring: CloudTrail, GuardDuty, Security Hub — every action logged and anomalies alerted.
  • Workload identity: Use service mesh (Istio) for mutual TLS between microservices — every service authenticates to every other service.
19What is tokenization and how does it differ from encryption?Medium
EncryptionTokenization
OutputCiphertext (mathematically derived from plaintext)Random token with no mathematical relationship to original
ReversibilityReversible with keyOnly reversible by looking up token in secure vault
Key riskAttacker with key can decrypt all dataNo key — attacker needs access to token vault
FormatChanges format/lengthCan preserve format (FPE — format-preserving)
Use caseData at rest, data in transitPayment card numbers (PCI-DSS), SSNs — replace sensitive data in databases
💡 Credit card numbers are often tokenized in databases — the actual card number stored in a vault (or with a payment processor), and only the token is stored in your database. Even if your database is breached, the token is useless without the vault.
20What is AWS GuardDuty and what threats does it detect?Medium
AWS GuardDuty is a managed threat detection service that continuously analyzes CloudTrail logs, VPC Flow Logs, DNS logs, and EKS audit logs using ML and threat intelligence to detect threats.

Example threat categories:
  • Reconnaissance: API calls from Tor exit nodes, unusual port scanning from EC2 instances, credential brute force.
  • Instance compromise: EC2 communicating with known C2 servers, cryptomining traffic, malware DNS queries.
  • Account compromise: Unusual region activity, root account usage, large-scale data exfiltration from S3.
  • Privilege escalation: IAM policy changes, new admin users created from unusual IP.
  • Kubernetes attacks: Anonymous API calls, exec into containers, deployment of privileged pods.
Findings are severity-rated (Low/Medium/High) and integrate with Security Hub, EventBridge for automated response.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

Select an answer then click Check. Explanations shown after submission.

MCQ Progress:
0 / 25
Simulation 1 · ~5 min

Shared Responsibility Model Mapper

Drag each responsibility chip to the correct column: CSP Responsibility or Customer Responsibility.

☁️ CSP Responsibility

AWS/Azure/GCP secures this

👤 Customer Responsibility

You secure this

Simulation 2 · ~4 min

IAM Permission Evaluator

For each IAM scenario, determine if the permission is Too Permissive, Appropriate, or Too Restrictive.

Simulation 3 · ~3 min

Cloud Misconfiguration Finder

For each cloud configuration, select whether it is Secure or Misconfigured.

Simulation 4 · ~3 min

Cloud Service Model Matcher

Classify each cloud service as IaaS, PaaS, or SaaS.

🎉

Module 09 Complete!