9.3 Cloud Security Controls

Key Takeaways

  • A Cloud Access Security Broker (CASB) enforces policy between users and cloud services and reveals shadow IT — it governs how people use cloud apps
  • Cloud Security Posture Management (CSPM) continuously detects misconfigurations and benchmark drift across cloud accounts — it governs how resources are configured
  • Least-privilege IAM, MFA, and short-lived/temporary credentials are the highest-leverage cloud identity controls
  • Encryption at rest and in transit, plus customer-managed keys, limit the impact of a data breach
  • CIS Benchmarks define hardened baselines; Zero Trust replaces implicit network trust with continuous per-request verification

Last updated: June 2026

Mapping Controls to Threats

The CEH rewards candidates who can pair a threat with the right control. The exam frequently gives a misconfiguration or hijacking scenario and asks for the single best mitigation. Use this map:

Threat (from 9.2)                    Primary Control
---------------------------------    --------------------------------------------------------
Misconfiguration (CNAS-1)            Cloud Security Posture Management (CSPM), CIS Benchmarks
Shadow IT / risky SaaS use           Cloud Access Security Broker (CASB)
Account hijacking                    Least-privilege IAM, MFA, short-lived credentials
Data breach                          Encryption at rest/in transit, key management
Vulnerable workloads/containers      Cloud Workload Protection Platform (CWPP), image scanning
Lateral movement                     Network segmentation, Zero Trust
Undetected activity                  Centralized logging and monitoring

CASB, CSPM, and CWPP

A Cloud Access Security Broker (CASB) sits between users and cloud services to enforce data, access, and threat policies and to reveal shadow IT — unsanctioned cloud apps employees use without approval. A CASB is about how people use cloud services.

Cloud Security Posture Management (CSPM) continuously scans cloud accounts for misconfigurations, compliance drift, and benchmark violations, then alerts or auto-remediates. CSPM is about how cloud resources are configured. It is the direct answer to the misconfiguration threat.

A Cloud Workload Protection Platform (CWPP) secures the workloads themselves — virtual machines, containers, and serverless functions — through vulnerability and image scanning, runtime protection, and integrity monitoring. Distinguish the three: CASB watches usage, CSPM watches configuration, and CWPP watches workloads. A converged Cloud-Native Application Protection Platform (CNAPP) bundles CSPM, CWPP, and identity/entitlement management into one platform, which is the direction the market and the exam framing have moved.

Identity and Access Management

Identity and Access Management (IAM) is the backbone of cloud security because identity is the new perimeter. Core principles:

  • Least privilege — every identity gets only the permissions it needs, nothing more; avoid wildcard policies.
  • Multi-factor authentication (MFA) — require a second factor for privileged, console, and root access.
  • Short-lived / temporary credentials — prefer assuming a role for a time-boxed session over long-lived static keys.
  • Separation of duties — no single identity can both make and approve a sensitive change.
  • Just-in-time access — elevate permissions only when needed, then revoke.

In practice you also distinguish roles (assumable sets of permissions) from users (long-lived identities) and prefer roles for workloads. Federation/Single Sign-On (SSO) with an identity provider centralizes authentication so accounts and MFA are managed in one place and offboarding is immediate. Avoid using the cloud root/owner account for daily work — secure it with MFA and lock it away.
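The least-privilege and MFA principles above are what an IAM policy review actually checks. The following is an added example, not code from the page or from any cloud provider: a small linter over constructed, AWS-style policy documents that flags wildcard actions, wildcard resources, and privileged statements that lack an MFA condition. The sample policies, the account ID 123456789012, the finding codes, and the set of prefixes treated as privileged are all assumptions made for illustration.

```python
import json

# Constructed sample IAM policy documents for illustration (not real accounts
# or policies). The account ID and bucket names are placeholders.
POLICIES = {
    "over-broad-admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "wildcard-service": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                       "Resource": "arn:aws:s3:::payroll-data/*"}],
    },
    "scoped-with-mfa": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:CreateUser", "iam:AttachUserPolicy"],
            "Resource": "arn:aws:iam::123456789012:user/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
    "scoped-read-only": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::reports/*"}],
    },
}

# Assumed set of action prefixes a reviewer treats as privileged: they change
# who can do what, so the page's "MFA for privileged access" rule applies.
PRIVILEGED_PREFIXES = ("iam:", "sts:AssumeRole", "organizations:")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalize."""
    return value if isinstance(value, list) else [value]


def has_mfa_condition(statement):
    """True if the statement only applies when the caller used MFA."""
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent", "")
        if str(flag).lower() == "true":
            return True
    return False


def lint_policy(policy):
    """Return a sorted list of finding codes for one policy document."""
    findings = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not findings
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.add("WILDCARD_ACTION")
        elif any(a.endswith(":*") for a in actions):
            findings.add("WILDCARD_SERVICE_ACTION")
        if "*" in resources:
            findings.add("WILDCARD_RESOURCE")
        privileged = [a for a in actions
                      if a == "*" or a.startswith(PRIVILEGED_PREFIXES)]
        if privileged and not has_mfa_condition(stmt):
            findings.add("PRIVILEGED_WITHOUT_MFA")
    return sorted(findings)


def lint_policy_json(text):
    """Lint a policy supplied as the JSON string the cloud API stores."""
    return lint_policy(json.loads(text))


def lint_all(policies):
    return {name: lint_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in lint_all(POLICIES).items():
        print(f"{name}: {findings or 'OK'}")
```

Only the two scoped policies come back clean; the service-wide `s3:*` grant is flagged even though its resource is scoped, because a wildcard over every operation in a service is still more than any single workload needs.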

Encryption and Key Management

Encrypt data in transit with Transport Layer Security (TLS) and data at rest with storage/disk encryption. Using customer-managed keys (CMK) in a Key Management Service (KMS), or keys in a Hardware Security Module (HSM), gives the customer control to revoke access and contain a breach, a posture often summarized as "hold your own keys." Encryption does not prevent misconfiguration, but it limits what exposed data is worth: an attacker who obtains the stored ciphertext of a properly key-managed bucket, without decrypt rights on its key, gets nothing usable. The caveat is that at-rest encryption is transparent to any identity permitted to read the object and use the key, so a leaked credential with read access still sees plaintext; the key policy and the IAM policy together are what actually gate the data. Bring Your Own Key (BYOK) lets a customer import keys into the provider KMS for added control.

Logging, Monitoring, and Benchmarks

Enable centralized, tamper-resistant logging of API and control-plane activity (audit trails), then feed it to monitoring, alerting, and a SIEM. Attackers often disable logging first to evade detection, so log integrity is itself a control — protect logs from deletion or tampering. Inadequate logging is OWASP CNAS-10.

CIS Benchmarks, from the Center for Internet Security, are consensus-built hardened configuration baselines for clouds, operating systems, and platforms. CSPM tools commonly measure accounts against these benchmarks and report drift, giving a measurable definition of "hardened."
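What a CSPM tool does when it "measures accounts against benchmarks and reports drift" is, at its core, a set of pass/fail checks run over an inventory snapshot, with the difference between two scans reported as drift. The following is an added example, not code from the page or from any CSPM product or CIS publication: the inventory is constructed, and the checks are modelled loosely on the kinds of items cloud benchmarks contain (public access blocks, encryption at rest, access logging, administrative ports open to the internet, audit-trail settings) without claiming to reproduce any numbered benchmark recommendation.

```python
import copy

# Constructed inventory snapshot in the shape a CSPM collector might return
# after enumerating one account; none of these resources are real.
INVENTORY = {
    "buckets": [
        {"name": "public-assets", "public_access_block": True,
         "encryption": "aws:kms", "logging": True},
        {"name": "customer-exports", "public_access_block": False,
         "encryption": None, "logging": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                         {"port": 3389, "cidr": "10.0.0.0/8"}]},
    ],
    "audit_trail": {"enabled": True, "multi_region": False,
                    "log_file_validation": False},
}

# Assumed: SSH and RDP are the administrative ports the check cares about.
ADMIN_PORTS = {22, 3389}


# Each check yields (rule, resource, passed). Rule names are assumptions made
# for this example, not official benchmark identifiers.
def check_buckets(inv):
    for b in inv["buckets"]:
        yield ("bucket-public-access-block", b["name"], b["public_access_block"])
        yield ("bucket-encryption-at-rest", b["name"], b["encryption"] is not None)
        yield ("bucket-access-logging", b["name"], b["logging"])


def check_security_groups(inv):
    for sg in inv["security_groups"]:
        open_admin = any(r["port"] in ADMIN_PORTS and r["cidr"] == "0.0.0.0/0"
                         for r in sg["ingress"])
        yield ("sg-no-admin-ports-from-internet", sg["id"], not open_admin)


def check_audit_trail(inv):
    t = inv["audit_trail"]
    yield ("trail-enabled", "account", t["enabled"])
    yield ("trail-multi-region", "account", t["multi_region"])
    yield ("trail-log-file-validation", "account", t["log_file_validation"])


def evaluate(inv):
    """Run every check; return the set of (rule, resource) pairs that fail."""
    results = [*check_buckets(inv), *check_security_groups(inv),
               *check_audit_trail(inv)]
    return {(rule, res) for rule, res, passed in results if not passed}


def drift(previous_failures, current_failures):
    """Failures new since the last scan are drift; vanished ones were fixed."""
    return {"new": sorted(current_failures - previous_failures),
            "fixed": sorted(previous_failures - current_failures)}


def with_bucket_hardened(inv, name):
    """Return a copy of the inventory with one bucket brought to baseline."""
    fixed = copy.deepcopy(inv)
    for b in fixed["buckets"]:
        if b["name"] == name:
            b.update(public_access_block=True, encryption="aws:kms", logging=True)
    return fixed


if __name__ == "__main__":
    first = evaluate(INVENTORY)
    for rule, res in sorted(first):
        print(f"FAIL {rule} {res}")
    second = evaluate(with_bucket_hardened(INVENTORY, "customer-exports"))
    print("drift since last scan:", drift(first, second))
```

The first scan fails six checks (three on the unprotected bucket, the bastion group's SSH from anywhere, and two trail settings); after the bucket is hardened, the drift report shows three fixed findings and nothing new. A real CSPM does the same over live API inventory and adds auto-remediation, but the pass/fail-then-diff structure is the whole idea.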

Zero Trust

Zero Trust assumes no implicit trust based on network location — "never trust, always verify." Every request is authenticated, authorized, and continuously validated using identity, device posture, and context, and access is granted at least privilege. Zero Trust directly counters the lateral movement that follows account hijacking or container escape: even an attacker inside the network cannot move freely because each new request is re-verified against policy. It replaces the legacy castle-and-moat perimeter, which trusted anything already inside.

Tying It Together

The defensible cloud combines these layers: CSPM keeps configuration hardened to CIS Benchmarks, CASB governs SaaS usage and shadow IT, least-privilege IAM with MFA and short-lived credentials limits identity blast radius, encryption with customer-managed keys protects data, CWPP secures workloads, centralized tamper-resistant logging provides detection, and Zero Trust removes implicit trust. On the exam, when a scenario names configuration drift think CSPM, shadow SaaS think CASB, leaked credentials think least-privilege/MFA, and lateral movement think Zero Trust.

Two more controls round out the toolkit. Network segmentation using virtual private clouds, subnets, and security groups limits how far an attacker can reach, and a Web Application Firewall (WAF) plus the provider's DDoS protection guards the application edge. Finally, compliance frameworks — the CSA Cloud Controls Matrix (CCM) and STAR registry, ISO 27017/27018, SOC 2, and FedRAMP — give auditable control sets that map provider and customer duties, reinforcing the shared responsibility model.

CEH scenarios that mention "continuous compliance against a recognized cloud control set" point to CSPM measuring against these frameworks and CIS Benchmarks.

Test Your Knowledge

Security leadership wants continuous detection of storage buckets, IAM policies, and security groups that drift away from a hardened CIS Benchmark baseline. Which capability best fits this requirement?

Test Your Knowledge (Multi-Select)

Which of the following are core Zero Trust principles? (Select all that apply.)


Trust any request originating from the internal corporate network
Authenticate and authorize every request regardless of network location
Continuously re-evaluate access using identity, device, and context
Grant least-privilege, scoped access rather than broad standing access
Test Your Knowledge

An organization discovers employees are using dozens of unsanctioned SaaS applications to store company data. Which control is purpose-built to discover and govern this shadow IT?
