Cloud Security Fundamentals

Learn cloud security fundamentals and walk a guided, cloud-agnostic attack chain end to end.

easy

60 min

6

The cloud is a rented infrastructure. When we say a company "runs in the cloud", we mean they pay a provider (, Azure, Google Cloud, or another) for compute, storage, and networking delivered through an . Instead of buying servers and racking them in a room, the customer clicks a button and receives a virtual machine minutes later.

That matters to a penetration tester for one reason: almost every engagement now crosses cloud boundaries. A company's public-facing web app might run on a cloud virtual machine, its files in an object storage bucket, and its identities in a cloud directory. If we do not understand the primitives attackers abuse in these environments, we miss findings, or worse, we write recommendations that do not apply.

This room will present the concepts in a cloud-agnostic way. Each task will introduce concepts using generic terms that convey the same general idea across different clouds. The flow will cover service deployment models, identity, storage, networking, and compute. You will also have a practical, hands-on exercise at the end in a simulated cloud environment that will walk you through port scanning, pivoting, chaining, and exfiltration.

Learning Objectives

  • Explain the Shared Responsibility Model and map responsibilities across IaaS, PaaS, and
  • Read an policy, identify roles as the attackable primitive, and spot an over-permissive wildcard
  • Recognize publicly exposed cloud storage and articulate how an attacker enumerates it
  • Describe cloud networking primitives and common exposed-service and lateral-movement patterns
  • Explain the Instance Metadata Service and the -to-credentials attack chain
  • Walk a guided, cloud-agnostic attack against a simulated cloud environment

Learning Prerequisites

Answer the questions below

The cloud is just someone else's computer.