Key Takeaways

  • Misconfigurations cause 80%+ of cloud breaches
  • IAM is the new perimeter - overprivileged = compromised
  • Metadata services are critical SSRF targets
  • 169.254.169.254 - the most dangerous IP in cloud

1. Cloud Security Fundamentals

Cloud computing has transformed IT, but it introduces its own security challenges. Under the shared responsibility model the cloud provider secures the underlying infrastructure; YOU are responsible for securing your data, configurations, identities, and applications.

Shared Responsibility Model

2. IAM Security

Common IAM Mistakes
  • Using root/admin accounts for daily operations
  • Overly permissive policies ("*" permissions)
  • Long-lived access keys without rotation
  • No MFA on privileged accounts
  • Cross-account trust misconfigurations

# AWS - Check for overprivileged users
aws iam list-users
aws iam list-attached-user-policies --user-name username
# simulate-principal-policy does not accept wildcards in --action-names; list the specific actions to test
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/username --action-names s3:GetObject s3:PutObject s3:DeleteBucket

# Find exposed access keys
trufflehog git https://github.com/target/repo --only-verified
gitleaks detect -s /path/to/repo

# AWS IAM policy analysis
aws iam get-account-authorization-details > iam_dump.json
# Use tools like Parliament, IAM Access Analyzer

IAM Best Practices
  • Principle of least privilege - grant minimal necessary permissions
  • Use roles instead of users where possible
  • Enforce MFA for all human users
  • Rotate access keys every 90 days
  • Use AWS Organizations SCPs for guardrails
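As an added example (not code from the original page), the following Python script audits an `aws iam get-account-authorization-details` dump offline for the wildcard mistakes listed above: `Action "*"`, service-wide `service:*` actions, and `Resource "*"` without a `Condition`. The embedded `SAMPLE_DUMP` is constructed in the same shape as the real CLI output; pass the path of your own `iam_dump.json` as the first argument to audit a real export.

```python
"""Audit an `aws iam get-account-authorization-details` dump for
overprivileged statements (Action '*', service:* wildcards, Resource '*').
Added example: SAMPLE_DUMP below is constructed, not from a real account."""
import json
import sys

SAMPLE_DUMP = {
    "UserDetailList": [
        {"UserName": "deploy-bot",
         "UserPolicyList": [
             {"PolicyName": "inline-admin",
              "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
         "AttachedManagedPolicies": [
             {"PolicyName": "S3Full",
              "PolicyArn": "arn:aws:iam::123456789012:policy/S3Full"}]},
        {"UserName": "analyst",
         "UserPolicyList": [],
         "AttachedManagedPolicies": [
             {"PolicyName": "ReadLogs",
              "PolicyArn": "arn:aws:iam::123456789012:policy/ReadLogs"}]},
    ],
    "Policies": [
        {"PolicyName": "S3Full", "Arn": "arn:aws:iam::123456789012:policy/S3Full",
         "PolicyVersionList": [{"VersionId": "v1", "IsDefaultVersion": True,
                                "Document": {"Statement": [
                                    {"Effect": "Allow", "Action": ["s3:*"],
                                     "Resource": "*"}]}}]},
        {"PolicyName": "ReadLogs", "Arn": "arn:aws:iam::123456789012:policy/ReadLogs",
         "PolicyVersionList": [{"VersionId": "v1", "IsDefaultVersion": True,
                                "Document": {"Statement": [
                                    {"Effect": "Allow",
                                     "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
                                     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*"}]}}]},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_findings(stmt):
    """Return the reasons a single statement is overprivileged (empty if fine)."""
    if stmt.get("Effect") != "Allow":
        return []
    reasons = []
    actions = _as_list(stmt.get("Action"))
    if "*" in actions:
        reasons.append("Action '*' (full admin)")
    elif any(a.endswith(":*") for a in actions):
        reasons.append("service-wide wildcard action")
    # Some read-only APIs genuinely need Resource '*'; triage these by hand.
    if "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
        reasons.append("Resource '*' without Condition")
    return reasons


def default_document(policy):
    """Only the default version of a managed policy is in effect."""
    for version in policy.get("PolicyVersionList", []):
        if version.get("IsDefaultVersion"):
            return version["Document"]
    return None


def audit_dump(dump):
    """Map each user name to a list of finding strings."""
    managed = {p["Arn"]: (p["PolicyName"], default_document(p))
               for p in dump.get("Policies", [])}
    report = {}
    for user in dump.get("UserDetailList", []):
        findings = []
        for inline in user.get("UserPolicyList", []):
            for stmt in _as_list(inline["PolicyDocument"].get("Statement")):
                for why in statement_findings(stmt):
                    findings.append(f"inline policy {inline['PolicyName']}: {why}")
        for attached in user.get("AttachedManagedPolicies", []):
            name, doc = managed.get(attached["PolicyArn"], (attached["PolicyName"], None))
            if doc is None:
                findings.append(f"managed policy {name}: document not present in dump")
                continue
            for stmt in _as_list(doc.get("Statement")):
                for why in statement_findings(stmt):
                    findings.append(f"managed policy {name}: {why}")
        report[user["UserName"]] = findings
    return report


if __name__ == "__main__":
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    for user_name, findings in audit_dump(dump).items():
        print(f"{user_name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The same `statement_findings` check applies to role and group policies in the dump (`RoleDetailList`, `GroupDetailList`); only users are walked here to keep the example short.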

3. Storage Misconfigurations

S3 Bucket Exposure

# Find public S3 buckets
aws s3 ls s3://bucket-name --no-sign-request
aws s3 sync s3://public-bucket ./loot --no-sign-request

# S3 bucket enumeration
python3 s3scanner.py -l buckets.txt
bucket_finder.rb targets.txt

# Common bucket naming patterns
company-backup, company-dev, company-prod, company-logs
data-company, company-assets, company-uploads

# Check bucket ACL
aws s3api get-bucket-acl --bucket bucket-name
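As an added example (not code from the original page), this Python script reads the JSON that `aws s3api get-bucket-acl` prints and flags grants to the two predefined groups that make a bucket public: `AllUsers` (anonymous) and `AuthenticatedUsers` (any AWS account). `SAMPLE_ACL` is a constructed response; pass a saved ACL file as the first argument to check a real bucket.

```python
"""Flag public grants in `aws s3api get-bucket-acl` output.
Added example; SAMPLE_ACL is a constructed response, not a real bucket."""
import json
import sys

# Predefined group URIs AWS uses for anonymous / any-signed-in-AWS-account access
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}


def public_grants(acl):
    """Return (audience, permission) pairs for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((PUBLIC_GRANTEES[grantee["URI"]], grant["Permission"]))
    return findings


def worst_permission(findings):
    """Rank public grants: WRITE/FULL_CONTROL let outsiders change the bucket."""
    order = ["READ", "READ_ACP", "WRITE_ACP", "WRITE", "FULL_CONTROL"]
    ranks = [order.index(perm) for _, perm in findings if perm in order]
    return order[max(ranks)] if ranks else None


if __name__ == "__main__":
    acl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ACL
    for audience, perm in public_grants(acl):
        print(f"PUBLIC: {perm} granted to {audience}")
    print("worst public permission:", worst_permission(public_grants(acl)))
```

The ACL is only one of three controls that decide whether a bucket is public: the bucket policy (`get-bucket-policy`) and the account/bucket Block Public Access settings (`get-public-access-block`) must be reviewed as well, and turning on Block Public Access overrides any public ACL grant this script reports.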

Azure Blob Storage

# Anonymous blob access
curl https://storageaccount.blob.core.windows.net/container/file.txt

# Enumerate blobs in a container that permits anonymous listing (List Blobs REST call, no credentials; az's --auth-mode only accepts key or login)
curl "https://storageaccount.blob.core.windows.net/container?restype=container&comp=list"

4. Metadata Service Attacks

SSRF to Cloud Metadata

The instance metadata service at 169.254.169.254 exposes credentials, tokens, and sensitive information. SSRF vulnerabilities can leak this data.

# AWS metadata (IMDSv1 - vulnerable to SSRF)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE-NAME

# AWS metadata (IMDSv2 - requires token, harder but not impossible)
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

# Azure metadata
curl -H "Metadata:true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

# GCP metadata
curl -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/"
curl -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"
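The defensive counterpart to the requests above, as an added example rather than code from the page: a destination check for any server-side fetch feature (webhooks, URL previews, importers) that refuses to connect to the metadata address or other internal ranges. It covers the IPv6 IMDS endpoint, IPv4-mapped IPv6 forms such as `::ffff:169.254.169.254`, shorthand IPv4 literals that resolvers accept, and the GCP metadata hostnames. `check_url` and `is_safe_destination` are illustrative names, not a library API.

```python
"""Refuse server-side fetches whose destination is the cloud metadata service
or another internal address. Added example; check_url()/is_safe_destination()
are illustrative names, not a library API."""
import ipaddress
import socket
from urllib.parse import urlparse

# Hostnames the GCP metadata server answers to (they resolve to 169.254.169.254)
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata"}

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",          # link-local, includes 169.254.169.254 (AWS/Azure/GCP IMDS)
    "fd00:ec2::254/128",       # AWS IMDS IPv6 endpoint
    "127.0.0.0/8", "::1/128",  # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "fc00::/7", "fe80::/10",   # IPv6 unique-local and link-local
    "0.0.0.0/8", "100.64.0.0/10",  # "this" network, shared address space
)]


def resolve_all(host):
    """All addresses `host` maps to. Plain and shorthand IP literals are
    normalised without DNS; only real names trigger a lookup."""
    try:
        texts = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:  # shorthand literals such as '2852039166' or '0xa9fea9fe'
            texts = [i[4][0] for i in socket.getaddrinfo(host, None, flags=socket.AI_NUMERICHOST)]
        except socket.gaierror:
            texts = [i[4][0] for i in socket.getaddrinfo(host, None)]  # DNS
    addrs = set()
    for text in texts:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 scope id
        # ::ffff:169.254.169.254 is the same host as 169.254.169.254
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        addrs.add(ip)
    return addrs


def is_safe_destination(host):
    """False if the name is a metadata alias or any address it maps to is blocked."""
    if host.lower().rstrip(".") in METADATA_HOSTNAMES:
        return False
    return not any(ip in net for ip in resolve_all(host) for net in BLOCKED_NETWORKS)


def check_url(url):
    """Return (allowed, reason) for a user-supplied URL before fetching it."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    if not parsed.hostname:
        return False, "missing host"
    try:
        if not is_safe_destination(parsed.hostname):
            return False, f"{parsed.hostname} points at a blocked address"
    except socket.gaierror:
        return False, "host does not resolve"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/",
                      "http://metadata.google.internal/computeMetadata/v1/",
                      "https://8.8.8.8/"):
        print(candidate, "->", check_url(candidate))
```

Resolving at check time and connecting later leaves a DNS rebinding window, so connect to the address that passed the check (setting the Host header yourself) rather than letting the HTTP client resolve again, and re-run `check_url` on every redirect target. Enforcing IMDSv2, as the checklist below recommends, is the complementary control on the instance side.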

5. AWS-Specific Security

Lambda Function Vulnerabilities

# Environment variable exposure
aws lambda get-function --function-name FUNCTION_NAME

# Check if Lambda has overprivileged role
aws lambda get-function-configuration --function-name FUNCTION_NAME
# The "Role" field is the execution role ARN - review the policies attached to that role

EC2 Security Groups

# Find open security groups
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]]'

# Check for SSH/RDP open to world
aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=22" "Name=ip-permission.cidr,Values=0.0.0.0/0"
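As an added example (not code from the original page), this Python script walks the JSON that `aws ec2 describe-security-groups` prints, reports every inbound rule open to `0.0.0.0/0` or `::/0` (the IPv6 equivalent the JMESPath query above does not catch), and ranks a rule high when its port range covers SSH, RDP or a common database port, or when the protocol is `-1` (all traffic). `SAMPLE` is constructed; pass a saved `describe-security-groups` output file as the first argument to audit a real account.

```python
"""Find security-group rules open to the world in `aws ec2 describe-security-groups`
output and rank them. Added example; SAMPLE is constructed, not a real account."""
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch"}

SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}


def open_to_world(perm):
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def exposed_services(perm):
    """Sensitive services reachable through the rule's protocol/port range."""
    if perm.get("IpProtocol") == "-1":        # all protocols, all ports
        return ["ALL TRAFFIC"]
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or lo < 0:                  # e.g. ICMP rules use -1/-1
        return []
    return [f"{name}/{port}" for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]


def audit_security_groups(data):
    """One finding per world-open inbound rule, in the order the API returned them."""
    findings = []
    for sg in data.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not open_to_world(perm):
                continue
            services = exposed_services(perm)
            findings.append({
                "group": sg["GroupId"], "name": sg.get("GroupName"),
                "protocol": perm.get("IpProtocol"),
                "ports": (perm.get("FromPort"), perm.get("ToPort")),
                "severity": "high" if services else "review",
                "services": services,
            })
    return findings


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_security_groups(data):
        print(f"[{f['severity']}] {f['name']} ({f['group']}) {f['protocol']} "
              f"{f['ports']} {', '.join(f['services']) or 'no sensitive ports'}")
```

A world-open rule only matters if an instance or ENI actually uses the group, so cross-check the `GroupId` values against `describe-network-interfaces` before prioritising remediation.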

6. Azure-Specific Security

# Azure AD enumeration (with valid creds)
az ad user list
az ad group list
az role assignment list

# Check for exposed storage accounts
az storage account list
az storage container list --account-name ACCOUNT

# Azure Functions configuration
az functionapp list
az functionapp config appsettings list --name FUNCAPP --resource-group RG

7. Cloud Security Tools

# ScoutSuite - Multi-cloud audit
python3 scout.py aws
python3 scout.py azure --cli

# Prowler - AWS security
./prowler -M html -M json

# Pacu - AWS exploitation
python3 pacu.py
Pacu> run iam__enum_permissions
Pacu> run ec2__enum

8. Hardening Checklist

Cloud Security Checklist
  • ✅ Enable CloudTrail/Activity Logs (audit logging)
  • ✅ Use IMDSv2 (AWS) to prevent SSRF metadata theft
  • ✅ Block public S3/Blob access by default
  • ✅ Enable GuardDuty/Security Center threat detection
  • ✅ Implement SCPs/Azure Policy for guardrails
  • ✅ Encrypt all data at rest and in transit
  • ✅ Regular IAM permission reviews
  • ✅ Enable VPC Flow Logs for network visibility

FAQ

Which cloud is most secure?

All major providers (AWS, Azure, GCP) have strong security foundations. Security depends on YOUR configuration, not the provider. Most breaches are customer misconfigurations.

How do I start learning cloud security?

Create free tier accounts on AWS/Azure/GCP. Practice with intentionally vulnerable labs like CloudGoat (AWS), Thunder CTF (GCP), and AzureGoat.
