9.2 Cloud Threats & Attack Surfaces

Key Takeaways

  • Cloud misconfiguration — especially world-readable storage buckets and over-permissive IAM — is the leading cause of cloud data exposure and is CNAS-1 in the OWASP Cloud-Native Top 10
  • Insecure or unauthenticated APIs let attackers enumerate and manipulate cloud resources directly through the control plane
  • Account hijacking through phishing or keys leaked in public code gives an attacker the victim's full cloud entitlements
  • Container escape, vulnerable images, and exposed Kubernetes APIs can let one workload reach the host or other tenants
  • Side-channel and cross-tenant risks are inherent to multitenancy and are mitigated by provider isolation, not customer code
Last updated: June 2026

The Cloud Attack Surface

CEH cloud questions describe a scenario and ask you to name the threat or the control. You do not need exploit commands; you need to recognize patterns — a public bucket, a leaked access key, an exposed API, a container that can reach the host. The control plane (the APIs and identities that manage resources) is the cloud's crown jewel: compromise it and an attacker manages your entire estate.

Misconfiguration — the Top Cloud Risk

The most common cause of real-world cloud breaches is misconfiguration, where the customer leaves a resource more open than intended. This is CNAS-1 in OWASP's list ("Insecure cloud, container or orchestration configuration"):

  • Publicly readable storage buckets exposing sensitive files because access-control settings were left at, or loosened to, public.
  • Over-permissive identity policies that grant wildcard (*) or administrator rights to a workload that needs little.
  • Open management ports, default credentials, or unencrypted resources on cloud-hosted services.

The root cause is human and policy error; the fix is configuration hardening plus automated posture scanning (covered in 9.3).

Insecure APIs and the Control Plane

Every cloud service is driven by an Application Programming Interface (API). Insecure APIs — missing authentication, weak authorization, no rate limiting, secrets passed in URLs — let an attacker enumerate or modify cloud resources directly. Because APIs are the cloud control plane, an API weakness is high-impact: it can expose the management layer, not just one application.

Account / Credential Hijacking

Account hijacking occurs when an attacker obtains valid cloud credentials through phishing, credential stuffing, or — very commonly — access keys committed to public source code repositories. The attacker then inherits exactly the victim's entitlements. Long-lived static keys are especially dangerous; this is why least privilege, multi-factor authentication (MFA), and short-lived credentials are central cloud defenses.
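The leak path described above, as an added example that is not part of the original page: a scanner that walks a file for committed AWS credentials and distinguishes long-lived key IDs (prefix AKIA) from temporary STS key IDs (prefix ASIA), which expire on their own and so have a smaller blast radius. The file content is constructed; the key values in it are the placeholder credentials AWS uses in its own documentation, not live keys. The entropy threshold of 4.0 bits per character is an assumption chosen for this example.

```python
"""Find AWS credentials committed to source. Added example; the scanned
file content is constructed and the key values are AWS documentation placeholders."""
import math
import re

# Access key IDs are 20 characters: AKIA (long-term user key) or ASIA (temporary STS key).
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 characters from a base64-like alphabet; require
# a non-alphabet character on both sides so longer blobs are not sliced.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")

CONSTRUCTED_FILE = """\
# settings.py (constructed sample, committed by mistake)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_KEY_ID = "ASIAIOSFODNN7EXAMPLE"
LOGO_B64 = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
"""


def shannon_entropy(s):
    """Bits per character. Random secrets score high; repetitive filler scores low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_for_aws_keys(text, min_entropy=4.0):
    """Return (line number, severity, kind, value) tuples for each hit.

    AKIA keys are HIGH: they never expire unless someone rotates them.
    ASIA keys are MEDIUM: they are still a live credential until expiry.
    40-character tokens count as a secret only if they look random.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID_RE.finditer(line):
            if m.group(1) == "AKIA":
                findings.append((lineno, "HIGH", "long-lived access key id", m.group(0)))
            else:
                findings.append((lineno, "MEDIUM", "temporary (STS) access key id", m.group(0)))
        for m in SECRET_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= min_entropy:
                # Report a prefix only; the scanner's own output must not re-leak the secret.
                findings.append((lineno, "HIGH", "possible secret access key", candidate[:4] + "..."))
    return findings


if __name__ == "__main__":
    for lineno, severity, kind, value in scan_for_aws_keys(CONSTRUCTED_FILE):
        print(f"line {lineno} [{severity}] {kind}: {value}")
```

When a scan like this fires on a public repository, the right response is to revoke the key first and investigate second: once a key has been pushed it must be treated as compromised, because automated harvesters watch public commits and typically use leaked keys within minutes. Rewriting history does not unpublish it.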

Data Breach and Data Loss

A data breach is unauthorized disclosure; data loss is irreversible destruction (for example, deletion with no backups). Both are amplified in cloud because data is concentrated and reachable over the network. Encryption at rest and in transit limits breach impact; versioning and backups limit loss. Note the distinction — exams sometimes contrast disclosure (breach) with destruction (loss).

Denial of Service and Resource Abuse

Cloud also faces Denial of Service (DoS/DDoS) aimed at exhausting a tenant's capacity, and Economic Denial of Sustainability (EDoS) — driving up a victim's metered bill through traffic or by hijacking resources. Cryptojacking is a common abuse where an attacker who gains access spins up compute to mine cryptocurrency at the victim's expense. Inadequate compute quota limits (OWASP CNAS-9) make these abuses worse, so resource quotas, billing alerts, and provider DDoS protection are the controls.

Supply-Chain and CI/CD Risks

Cloud-native pipelines pull third-party packages and base images, so software supply-chain compromise (CNAS-4 and CNAS-7) is a major vector: a poisoned dependency or build step can ship a backdoor straight into production. Insecure secrets storage (CNAS-5) — API keys baked into images or environment variables — frequently fuels the credential hijacking described above.

Container and Kubernetes Risks

Risk: Container escape
  Description: A process breaks out of container isolation to the host kernel
  Defensive concept: Drop Linux capabilities, no privileged containers, kernel/seccomp hardening

Risk: Vulnerable/untrusted images
  Description: Image contains known CVEs or an embedded backdoor
  Defensive concept: Image scanning, signed images, trusted registries only

Risk: Exposed Kubernetes API / dashboard
  Description: Unauthenticated cluster control endpoint reachable
  Defensive concept: Authentication, RBAC, network policy, no anonymous access

Risk: Over-permissive pods
  Description: Pods run as root or mount sensitive host paths
  Defensive concept: Pod Security Standards, least-privilege service accounts

Risk: Insecure secrets storage
  Description: API keys/passwords baked into images or environment variables
  Defensive concept: Dedicated secrets manager, never in code (CNAS-5)

Container escape is the headline container threat: because containers share the host kernel, a privileged or misconfigured container (one that can mount host paths or retains capabilities such as CAP_SYS_ADMIN) can often reach the host without any exploit, and even an unprivileged container can do so given a kernel flaw. From the host, an attacker can reach other tenants' workloads on the same node.
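As an added example (not from the original page), a check that applies the over-permissive-pod rows of the table above to a Kubernetes Pod manifest: host namespaces, hostPath volumes, privileged containers, root, retained capabilities, missing seccomp profile, auto-mounted service-account tokens, and unpinned images. Both manifests are constructed for this example and are shown in their parsed (dict) form rather than as YAML; the image name and registry are placeholders. The rules follow the Pod Security Standards "restricted" profile plus the table's image-trust row.

```python
"""Audit a Kubernetes Pod spec for the over-permissive settings in the
table above. Added example; both manifests are constructed."""

# Constructed: a "debug" pod that can take over its node.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "busybox:latest",
            "securityContext": {"privileged": True, "runAsUser": 0},
            "volumeMounts": [{"name": "root", "mountPath": "/host"}],
        }],
    },
}

# Constructed: the same workload written to the restricted profile (placeholder registry).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app", "image": "registry.example.com/app:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
        }],
    },
}


def audit_pod(pod):
    """Return a list of finding strings; an empty list means the spec passes."""
    findings = []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})

    # Sharing a host namespace exposes host processes, sockets or IPC to the pod.
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod shares host {ns[4:]} namespace")
    # A hostPath volume is the classic escape route: mount / and edit the host.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath volume {vol['name']} -> {vol['hostPath']['path']}")
    # The auto-mounted token turns a compromised pod into an API client.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service-account token auto-mounted")

    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        # Container-level settings override pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if sc.get("runAsUser") == 0 or not non_root:
            findings.append(f"{name}: may run as root")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile")
        # A floating or missing tag means the image can change under you.
        image = c.get("image", "")
        tag = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in tag or tag.endswith(":latest")):
            findings.append(f"{name}: image {image} not pinned")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", audit_pod(pod) or "passes")
```

In a cluster the same rules are enforced by the built-in Pod Security Admission controller (label a namespace with pod-security.kubernetes.io/enforce=restricted) or by a policy engine, so that a manifest like WEAK_POD is rejected at admission rather than found later. Pinning by digest (@sha256:...) is stronger than the version tag shown, since a tag can be re-pushed.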

Side-Channel and Cross-Tenant Concepts

Because multitenancy shares physical hardware, side-channel concerns exist where one tenant might infer information from shared caches, timing, or co-residency (CPU-level issues such as the Spectre/Meltdown class are the classic example). On the CEH these appear conceptually: the takeaway is that side-channel and cross-tenant isolation is primarily the provider's responsibility, mitigated through hardware isolation, core scheduling, microcode and kernel patches, and hardened hypervisors, not customer application code. The customer's lever, where the risk warrants it, is to buy isolation (dedicated hosts or single-tenant instances) rather than to try to patch around it.

The OWASP Cloud-Native Application Security Top 10

The OWASP Cloud-Native Application Security (CNAS) Top 10 catalogs the leading cloud-native risks. Know the list at a recognition level:

  1. CNAS-1 Insecure cloud, container, or orchestration configuration
  2. CNAS-2 Injection flaws (app layer, cloud events, cloud services)
  3. CNAS-3 Improper authentication and authorization
  4. CNAS-4 CI/CD pipeline and software supply-chain flaws
  5. CNAS-5 Insecure secrets storage
  6. CNAS-6 Over-permissive or insecure network policies
  7. CNAS-7 Using components with known vulnerabilities
  8. CNAS-8 Improper assets management
  9. CNAS-9 Inadequate compute resource quota limits
  10. CNAS-10 Ineffective logging and monitoring

Misconfiguration (CNAS-1) topping the list reinforces the single most important cloud-security fact: most cloud breaches stem not from exotic exploits but from resources left open by their owners.

Test Your Knowledge

A security review finds an object-storage bucket whose access policy allows anonymous read of all files, exposing customer records. Which cloud threat category is this, and who is responsible under the shared responsibility model?

Test Your Knowledge

An attacker finds long-lived cloud access keys committed to a public code repository and uses them to enumerate and exfiltrate data. Which control would most directly limit the blast radius of these credentials?

Test Your Knowledge

Which item tops the OWASP Cloud-Native Application Security Top 10 as CNAS-1?
