Starting a 60-day cloud security series. Day 1 covers the fundamental shifts that make cloud security different from traditional infrastructure security.
The Shared Responsibility Gap
The number one source of cloud security incidents is the gap between what teams think the provider handles and what the provider actually handles.
Quick test -- run this against your AWS account:
# Find EC2 instances not using IMDSv2
aws ec2 describe-instances \
--query 'Reservations[].Instances[?MetadataOptions.HttpTokens!=`required`].[InstanceId,Tags[?Key==`Name`].Value|[0]]' \
--output table
Every instance in that output still answers IMDSv1 requests, so any SSRF in an application running on it can read the instance role's temporary credentials straight from the metadata endpoint. The fix:
# Enforce IMDSv2 on a specific instance
aws ec2 modify-instance-metadata-options \
--instance-id i-0abc123def456 \
--http-tokens required \
--http-endpoint enabled
This is the kind of one-command fix that prevents Capital One-style breaches. IMDSv2 requires a PUT request (with a TTL header) to obtain a session token before any metadata query is answered, and that token must then be sent as a request header; since most SSRF primitives can only issue plain GETs and cannot set custom headers, this blocks most SSRF attack chains.
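The audit above is a one-liner; for a fleet you usually want the raw `describe-instances` JSON checked and the remediation commands generated for you. The script below is an added example, not part of the original post: it parses a constructed sample of that JSON, flags instances that still accept IMDSv1, and also reports the hop limit (a value above 1 lets the token-bearing request cross one more hop, which matters when containers share the host).

```python
import json

# Constructed sample of `aws ec2 describe-instances --output json` (not real data):
# one instance still on IMDSv1 with a widened hop limit, one already enforcing IMDSv2.
SAMPLE_RESPONSE = json.dumps({
    "Reservations": [{
        "Instances": [
            {"InstanceId": "i-0aaa111bbb222ccc3",
             "Tags": [{"Key": "Name", "Value": "web-legacy"}],
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0ddd444eee555fff6",
             "Tags": [],
             "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 1}},
        ]
    }]
})


def name_of(instance):
    """Return the Name tag value, or '-' when the instance has none."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "-")
    return "-"


def audit_imds(describe_output):
    """Return one finding per instance whose metadata service still accepts
    IMDSv1 (HttpTokens != required), each carrying the fix command from the post.
    Instances with the metadata endpoint disabled are skipped: nothing to steal."""
    findings = []
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled" or opts.get("HttpTokens") == "required":
                continue
            iid = inst["InstanceId"]
            findings.append({
                "InstanceId": iid,
                "Name": name_of(inst),
                "HopLimit": opts.get("HttpPutResponseHopLimit", 1),
                "Fix": ("aws ec2 modify-instance-metadata-options "
                        f"--instance-id {iid} --http-tokens required --http-endpoint enabled"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_imds(SAMPLE_RESPONSE):
        print(f"{f['InstanceId']} ({f['Name']}) hop-limit={f['HopLimit']}\n  {f['Fix']}")
```

Feed it the real output of `aws ec2 describe-instances --output json` (one region at a time) and review the printed commands before running them.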
Identity Over Network
Cloud does not have a network perimeter you can defend. IAM policies are your perimeter. A misconfigured policy is the cloud equivalent of leaving your firewall wide open.
Tomorrow: AWS account security setup from scratch. Follow the series for 60 days of practical cloud security.