Module 1 · The Shared Responsibility Illusion
April 22, 2026
Cloud providers secure infrastructure; customers secure configuration. Every breach happens on the customer side.
Wildcard permissions, iam:PassRole privesc, cross-account trust, Pacu, PMapper. IAM is the hardest part of cloud security.
169.254.169.254, Capital One, IMDSv1 vs v2, container metadata, K8s service accounts. SSRF → cloud takeover.
Overly broad Principal, confused deputy, External ID, Azure Lighthouse. MSSP compromise cascades.
Pod → node → cluster, service account tokens, RBAC paths, exposed kubelet/etcd. kube-hunter, peirates.
Lambda role credential theft, event source injection, dep vulns, supply chain. Serverless shifts attack surface.
Codecov, CircleCI, SolarWinds patterns in cloud. OIDC federation, least-priv deploy roles, pinned artifacts.
Public S3, open GCS, anonymous Azure Blob. Continues in 2026 despite a decade of awareness.
CloudTrail, Activity Log, Audit Log. Identity-first detection. GuardDuty/Defender/SCC. Maturity model.
Per-cloud skill, divergent defaults, N × CSPM. Multi-cloud without investment = weaker overall security.