1. Misconfigured Storage Buckets (S3 buckets can expose sensitive data to the public)
1.1. AWS CLI, S3Scanner, Bucket Finder will find publicly accessible S3 buckets -> sensitive data or improper permissions
2. Exposed management interfaces like AWS Management Console or Azure Portal with no or weak MFA
3. Weak IAM Policies -> Overly permissive IAM roles and policies can allow unauthorized access or privilege escalation
3.1. Found by analyzing IAM policies to identify roles with excessive permissions
3.1.1. Pacu (AWS exploitation framework) can help simulate attacks and identify privilege escalation paths
4. Supply Chain Attacks -> where third-party services or integrations could be attacked
4.1. SolarWinds hack
5. Cross-Account Roles and Trust Relationships -> cross-account roles can allow unauthorized access to another account’s resources.
6. Exploiting Serverless Functions -> vulnerable to injection attacks, improper access controls, or excessive permissions.
6.1. Analyze the code for vulnerabilities, perform injection attacks, or test function permissions using tools like AWS Lambda Security Scanner
6.1.1. Lambda
6.1.1.1. Executes function by function
6.1.1.2. Exposed to the internet via API Gateway
7. Exposed Services
7.1. Injections
7.1.1. RCE
7.1.2. Use the SSRF (Server-Side Request Forgery) vulnerability to access the metadata API. For example, in AWS, this would be the http://169.254.169.254/latest/meta-data/ endpoint.
7.1.2.1. Metadata API -> Cloud instances often have a metadata API that, if not properly secured, can be exploited to gain sensitive information (e.g., IAM role credentials).
7.1.2.1.1. GCP http://metadata.google.internal/
7.1.2.1.2. Azure curl -i -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
7.1.2.1.3. AWS http://169.254.169.254/
7.1.3. cmd injection
7.2. Insecure API Points -> APIs are often exposed publicly and can be vulnerable to attacks like SQL injection, XSS, or API key leakage
7.3. Use Shodan to discover exposed services -> attempt to log in with weak or default passwords
8. Password Attacks
8.1. Password Spraying
8.2. Brute Force
8.3. Credential Stuffing
9. Container Security Issues -> Containers might be misconfigured and allow for privilege escalation or container breakout
9.1. Use tools like Kube-hunter for Kubernetes clusters or Docker Bench for Security to identify vulnerabilities in container configurations.
10. Insecure Cloud Configuration -> many default configurations are exploitable
10.1. Scoutsuite, CloudMapper, Prowler
10.2. CloudFox
10.2.1. Situational awareness, loot folder
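
Added example (not part of the original notes): a minimal static check for item 3.1 (analyzing IAM policies for excessive permissions) and item 5 (cross-account trust relationships). The two sample policies, the `RISKY_ACTIONS` subset and the function names are constructed for illustration.

```python
import json

# Actions that commonly enable privilege escalation when allowed on Resource "*".
# Illustrative subset chosen for this example, not an exhaustive list.
RISKY_ACTIONS = {"iam:passrole", "iam:createpolicyversion", "iam:attachrolepolicy",
                 "iam:putrolepolicy", "iam:createaccesskey", "sts:assumerole"}

# Constructed sample documents, not taken from any real account.
IDENTITY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReadLogs", "Effect": "Allow", "Action": "logs:GetLogEvents",
   "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:app:*"},
  {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "Deploy", "Effect": "Allow", "Action": ["iam:PassRole", "s3:*"], "Resource": "*"}]}""")
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AnyAccount", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}""")

def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource/Principal."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return sorted (sid, finding) tuples for Allow statements that are too broad."""
    findings = set()
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        any_resource = "*" in _as_list(stmt.get("Resource"))
        for action in (a.lower() for a in _as_list(stmt.get("Action"))):
            if action == "*":
                findings.add((sid, "wildcard action"))
            elif action.endswith(":*") and any_resource:
                findings.add((sid, f"service-wide {action} on all resources"))
            elif action in RISKY_ACTIONS and any_resource:
                findings.add((sid, f"{action} on all resources"))
        # Trust/resource policies: any AWS principal may use the role unless a
        # Condition (for example an external ID or org ID) narrows it.
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws) and not stmt.get("Condition"):
            findings.add((sid, "wildcard principal without Condition"))
    return sorted(findings)

if __name__ == "__main__":
    for name, doc in (("identity", IDENTITY_POLICY), ("trust", TRUST_POLICY)):
        for sid, finding in audit_policy(doc):
            print(f"{name}: {sid}: {finding}")
```
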