4. Cloud Threat Models

By Cyber Analyst • 22 Apr 2025

As organizations migrate to cloud architectures, the way we understand and categorize threats undergoes a fundamental shift. Traditional security models were built around fixed perimeters, physical systems, and predictable trust boundaries. Cloud computing, however, dissolves these boundaries and replaces them with dynamic, API-driven, distributed environments. Workloads scale automatically, users authenticate from anywhere, services communicate over virtual networks, and applications continuously integrate third-party services.

 

In this landscape, threat modeling becomes a critical discipline, not a luxury or an optional step. Threat modeling in cloud environments focuses on understanding adversarial capabilities, attack surfaces, misconfiguration risks, and trust assumptions across identity systems, virtual networks, APIs, containers, and cloud-native services. Drawing from the systematic exploitation frameworks outlined in The Web Application Hacker’s Handbook and the security design principles emphasized in Schneier’s Applied Cryptography, cloud threat models must incorporate modern realities: automation, ephemeral infrastructure, identity-centric trust, and interconnected digital ecosystems.

 

This chapter provides a deep exploration of cloud threat modeling from an enterprise cybersecurity perspective. Students will learn the mental frameworks used by professionals to anticipate, map, and mitigate risks within AWS, Azure, Google Cloud, and hybrid infrastructures.

 

Fundamentals of Cloud Threat Modeling

Cloud threat modeling is the structured process of identifying potential threats, vulnerabilities, and attack paths that affect cloud environments.

 

It involves:

  1. Identifying assets and their value
  2. Mapping attack surfaces
  3. Understanding trust boundaries
  4. Recognizing platform-specific and shared-responsibility risks
  5. Evaluating attacker motivations and capabilities
  6. Implementing controls aligned with best practices and compliance standards

 

Unlike on-premises models, cloud threats must account for:

  • Cloud provider infrastructure
  • Customer-managed configurations
  • Identity systems
  • Network policies
  • Multi-tenant risks
  • API-driven automation
  • Integration with external systems

 

Cloud threat models must also be iterative. Cloud environments change rapidly; therefore, threat modeling is a continuous discipline, not a one-time event.

 

The Cloud Shared Responsibility Model as a Threat Modeling Foundation

Every cloud threat model begins with understanding the Shared Responsibility Model (SRM).

Although each cloud provider expresses it differently, the SRM defines:

  • What the cloud provider secures (physical infrastructure, hardware, global network, base services)
  • What the customer must secure (identity, data, configurations, access, workloads)

 

Threats must be evaluated relative to this division of responsibilities.

Many breaches result from misunderstandings of SRM boundaries, for example:

  • Public S3 buckets exposing sensitive data
  • Misconfigured IAM policies
  • Overly permissive security groups
  • Unprotected API keys in code repositories
  • Insecure container registries

 

The SRM does not reduce risk, it simply partitions it.

Understanding the SRM allows security teams to target their defensive controls where they matter most.

 

 

Cloud Threat Categories

Threats in cloud systems can be categorized based on their impact vectors. Below are the major categories that form the core of professional cloud threat models.

 

Identity-Based Threats: The Primary Attack Vector

Modern cloud systems are identity-driven.

This reflects the principles found in NIST SP 800-63, which emphasizes identity assurance, strong credentialing, and secure authentication workflows.

 

Identity-based threats include:

  • Credential Theft & Misuse

Attackers obtain API keys, passwords, OAuth tokens, or access keys.

This remains one of the top causes of cloud breaches.

  • Privilege Escalation

Overly broad IAM permissions give attackers the ability to modify security groups, spawn instances, or access data.

  • Faulty Federation Configurations

Misconfigured SSO, SAML assertions, or OpenID Connect flows can be exploited.

  • Abusing Forgotten or Orphaned Credentials

Service accounts with excessive permissions remain active without proper rotation.

 

Identity threats are particularly dangerous because identity equals trust in the cloud.

 

Network-Based Threats

Though cloud networks are virtualized, they remain vulnerable to the same fundamental risks described in NIST SP 800-153: exposure, weak isolation, and insecure communications.

 

Key threats include:

  • Exposure of resources to the public internet
  • Lateral movement within flat VPC/VNet networks
  • Exploitation of overly permissive security groups or firewall rules
  • DNS hijacking or poisoning
  • Attacks through misconfigured load balancers or reverse proxies
  • Insecure Wi-Fi connections to cloud consoles or administrative endpoints

 

Cloud networks must assume that no network path is inherently secure, a principle central to Zero Trust.

 

Data Exposure & Exfiltration Threats

Cloud storage misconfigurations are among the most well-documented breach causes.

Threats include:

  • Public cloud storage buckets
  • Overly permissive database firewall rules
  • Snapshot exposures
  • Data exfiltration through outbound rules or NAT gateways
  • Disabling encryption in transit or at rest

 

Cryptographic failures, such as weak keys, improper deployment, or ignoring certificate validation, reflect the risks outlined in Applied Cryptography.

 

Application & API Threats in Cloud Environments

Cloud systems heavily rely on APIs, making them central targets.

 

Drawing from methodologies in The Web Application Hacker’s Handbook, common threats include:

  • Injection vulnerabilities in serverless functions
  • API key leakage
  • Misconfigured API gateways
  • Server-side request forgery (SSRF)
  • Cross-tenant data exposure due to misconfiguration
  • Insecure mobile application integrations (MASTG principles)

 

APIs become a universal attack surface for cloud-native architectures.

 

Supply Chain & Dependency Threats

Cloud systems depend on:

  • Third-party libraries
  • External APIs
  • CI/CD pipelines
  • Container registries
  • Cloud provider managed services

 

Threats include:

  • Malicious libraries
  • Compromised images in container registries
  • Dependency confusion attacks
  • Poisoned CI/CD pipelines
  • Compromised build systems

 

These risks expand horizontally across the entire system.

 

Insecure Configuration & Hygiene Threats

Often the biggest threat in cloud environments is human error.

Examples:

  • Public-facing databases
  • Unrestricted security groups
  • Using default service roles
  • Disabling encryption for convenience
  • Hardcoded secrets
  • Disabled logging or monitoring

 

These threats stem from poor governance and lack of security automation.

 

Abuse of Cloud-native Capabilities

The cloud offers powerful features that can be used maliciously if compromised:

  • Auto-scaling for crypto-mining
  • Cloud messaging for malware propagation
  • Function-as-a-Service for unauthorized compute
  • Metadata service abuse (e.g., SSRF → credential theft)

 

Many attacks exploit legitimate features used incorrectly.

 

 

Cloud Threat Actors

Threat models also require defining adversaries.

 

Cloud-specific threat actors include:

  • External Attackers

Cybercriminals, ransomware groups, botnets, and exploit developers.

 

  • Malicious Insiders

Employees, contractors, or compromised privileged accounts.

 

  • Cloud Supply Chain Attackers

Targeting dependencies, packages, and integrated services.

 

  • Nation-State Actors

Highly resourced adversaries exploiting cloud infrastructure, often at scale.

 

  • Automated Scanners & Bots

Constantly scanning for:

  • Public storage buckets
  • Exposed admin panels
  • Vulnerable containers
  • Open ports

 

Threat models must assume constant exposure.

 

Cloud Threat Modeling Frameworks

Various structured methodologies assist in building cloud threat models.

 

STRIDE (Microsoft)

Focused on:

  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege

STRIDE helps evaluate system-specific threats.

 

DREAD

Useful for scoring threats:

  • Damage potential
  • Reproducibility
  • Exploitability
  • Affected users
  • Discoverability

 

LINDDUN

Privacy-oriented threat modeling, relevant for compliance-heavy cloud workloads.

 

Cloud Provider Native Threat Models

Each cloud provider offers native models:

  • AWS Threat Model Framework
  • Azure Threat Modeling Tool
  • Google Cloud Hierarchical Threat Model
    These incorporate platform-specific APIs, services, and attack paths.

 

Cloud Threat Modeling Across AWS, Azure, and GCP

AWS Threat Considerations

  • Misconfigured IAM roles (overly broad * permissions)
  • S3 bucket public exposure
  • Attack paths through EC2 metadata service
  • Lambda function privilege escalation
  • Excessive trust policies in cross-account access

 

AWS is identity-heavy, making IAM misconfigurations highly impactful.

 

Azure Threat Considerations

  • Overprivileged Azure AD applications
  • Misconfigured NSGs or service tags
  • Public exposure of Azure SQL or Storage
  • Weak conditional access policies
  • Subscription-wide privilege escalation paths

 

Azure’s strong integration with AD means identity and federation are dominant risks.

 

GCP Threat Considerations

  • Using default service accounts with wide permissions
  • Exposed Cloud Run & Cloud Functions endpoints
  • Lack of VPC Service Controls
  • IAM misconfigurations in organization policies
  • Publicly accessible GCS buckets

 

GCP’s global VPC architecture introduces unique propagation risks.

 

Mitigations Through Security Architecture

Threat models must directly inform architecture decisions.

 

Common mitigation themes include:

  • Zero Trust Identity Controls
    • MFA
    • Conditional access
    • Role-based access controls
    • Short-lived credentials
    • Identity federation hardening
  • Network Segmentation & Micro-Segmentation
    • Restrictive security groups
    • Private endpoints
    • No public IPs by default
    • VPC Service Controls (GCP)
  • Encryption & Cryptographic Hygiene

From Schneier’s principles:

  • Strong TLS configurations
  • Key rotation
  • HSM-backed key storage
  • Eliminating legacy protocols
  • Secure Coding & API Controls
    • Input validation
    • SSRF protections
    • API gateways with authentication
    • Rate limiting
    • Logging and audit trails
  • Secure Mobile Interactions

From MASTG:

  • Secure API tokens in mobile apps
  • Certificate pinning
  • Avoiding hardcoded secrets
  • Continuous Monitoring & Governance Automation
    • CSPM tools
    • SIEM integration
    • Flow log analysis
    • Security scanners
    • Real-time compliance engines

 

Threat modeling must influence both design and operational security.

 

Cloud threat models are essential guides that help organizations anticipate attacks, understand their architecture’s weaknesses, and strategically apply defenses.

They unify cryptographic thinking, identity assurance, network segmentation, application security, and operational governance into a coherent security strategy.

 

Students entering cybersecurity must learn to think in terms of:

  • System components
  • Trust boundaries
  • Attack surfaces
  • Misconfigurations
  • Adversarial behaviors
  • Mitigation techniques

 

Professional-level cloud security is impossible without mastering cloud threat modeling, because in a world defined by dynamic, software-defined infrastructure, understanding threats is the prerequisite to controlling them.

 

 

 

Category: CS08 - Cloud Fundamentals for Cybersecurity

Tags: threat Models cloud