3.4.3.3. Common Cloud Security Threats
Understanding common threats helps you design effective detection and prevention controls.
Top threats for the DOP-C02 exam:
| Threat | Detection Service | Prevention |
|---|---|---|
| Credential compromise | GuardDuty (UnauthorizedAccess:IAMUser) | MFA, role-based access, short-lived credentials |
| Data exfiltration | GuardDuty + Macie + VPC Flow Logs | VPC endpoints, S3 bucket policies, NACLs |
| Privilege escalation | CloudTrail + Access Analyzer | Permissions boundaries, SCPs |
| Crypto mining | GuardDuty (CryptoCurrency:EC2) | IMDSv2, security groups, monitoring |
| Supply chain attack | Inspector + ECR scanning | Image signing, CodeArtifact policies |
| DDoS | Shield + WAF | CloudFront, rate limiting, auto scaling |
| Misconfiguration | Config + Security Hub | SCPs, Service Catalog, cfn-guard |
Instance metadata service (IMDS) attacks: attackers exploit SSRF vulnerabilities to steal instance role credentials via the metadata endpoint (169.254.169.254).
IMDSv2 mitigation:
```bash
# Require IMDSv2 (token-based) — blocks SSRF attacks
aws ec2 modify-instance-metadata-options \
  --instance-id i-1234567890abcdef0 \
  --http-tokens required \
  --http-put-response-hop-limit 1
```
IMDSv2 requires a PUT request (carrying the `X-aws-ec2-metadata-token-ttl-seconds` header) to obtain a session token, and that token must then be sent in the `X-aws-ec2-metadata-token` header on every metadata GET. A typical SSRF primitive only lets the attacker control the URL of a GET, not the HTTP method or headers, so it cannot complete the two-step exchange. The hop limit of 1 additionally stops the token response from being forwarded beyond the instance itself (for example into a container network hop).
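An added example (not part of the course notes) that turns the IMDSv2 requirement into a fleet check: it walks the `Reservations` structure returned by boto3's `ec2.describe_instances()`, flags instances where IMDSv1 is still accepted or the hop limit exceeds 1, and emits the matching remediation command. The sample reservations are constructed so the check runs offline; the live boto3 path is used only when the library and credentials are available.

```python
"""Audit EC2 instances for IMDSv2 enforcement (added example, not course code)."""

# Constructed sample in the shape of describe_instances()["Reservations"].
# Instance IDs are made up.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1",   # IMDSv1 still allowed
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2",   # v2 enforced, but hop limit too high
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ccccccccccccccc3",   # compliant
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ddddddddddddddd4",   # endpoint disabled entirely
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]},
]


def find_imds_weaknesses(reservations, max_hop_limit=1):
    """Return {instance_id: [reasons]} for instances whose IMDS settings
    still leave an SSRF-to-credentials path open."""
    findings = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # endpoint off: nothing for an SSRF to reach
            reasons = []
            tokens = opts.get("HttpTokens", "unset")
            if tokens != "required":
                reasons.append(
                    "HttpTokens=%s: a plain IMDSv1 GET without a token still works" % tokens)
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > max_hop_limit:
                reasons.append(
                    "HttpPutResponseHopLimit=%d exceeds %d: the token response may be "
                    "forwarded past the instance (e.g. into a container network)"
                    % (hops, max_hop_limit))
            if reasons:
                findings[inst["InstanceId"]] = reasons
    return findings


def remediation_commands(findings):
    """One modify-instance-metadata-options call per non-compliant instance."""
    return [
        "aws ec2 modify-instance-metadata-options --instance-id %s "
        "--http-tokens required --http-put-response-hop-limit 1" % iid
        for iid in sorted(findings)
    ]


if __name__ == "__main__":
    try:
        import boto3  # optional: audit the live account when credentials exist
        paginator = boto3.client("ec2").get_paginator("describe_instances")
        reservations = [r for page in paginator.paginate() for r in page["Reservations"]]
    except Exception:  # no boto3 or no credentials: fall back to the sample data
        reservations = SAMPLE_RESERVATIONS
    weak = find_imds_weaknesses(reservations)
    for iid, reasons in weak.items():
        print(iid)
        for reason in reasons:
            print("  -", reason)
    print("\n".join(remediation_commands(weak)))
```

Some container hosts legitimately run with a hop limit of 2 so that tasks can reach IMDS; treat that finding as a review item rather than an automatic fix, and prefer enforcing `HttpTokens=required` in the launch template so new instances never start in the weak state.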
Exam Trap: GuardDuty finding UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS means instance role credentials are being used from outside AWS (not from the instance). This is a strong indicator of credential theft. The correct response is: rotate the role credentials (by revoking active sessions), investigate the instance for compromise, and enable IMDSv2 if not already required.
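The response sequence from the exam trap above, as an added example (not course material): a triage helper that reads a GuardDuty finding in the shape delivered by EventBridge, confirms it is the InstanceCredentialExfiltration.OutsideAWS type, builds the AWSRevokeOlderSessions inline policy that denies every session issued before the cutoff (the same mechanism the console's "Revoke active sessions" button uses, keyed on the `aws:TokenIssueTime` condition), and lays out the investigate and IMDSv2 steps. The finding JSON, IDs and IP are constructed; the field layout used here is the subset of the GuardDuty schema this helper reads, and the IAM role name is passed in separately because the finding carries the role session name rather than the role.

```python
"""Triage helper for GuardDuty instance-credential exfiltration (added example)."""
import json
from datetime import datetime, timezone

EXFIL_FINDING = "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS"

# Constructed sample of an EventBridge GuardDuty finding "detail", reduced to
# the fields read below. Access key, instance ID and IP are made up.
SAMPLE_FINDING = {
    "type": EXFIL_FINDING,
    "severity": 8,
    "resource": {
        "resourceType": "AccessKey",
        "accessKeyDetails": {"accessKeyId": "ASIAEXAMPLEKEY000001",
                             "userType": "AssumedRole",
                             "userName": "i-1234567890abcdef0"},
        "instanceDetails": {"instanceId": "i-1234567890abcdef0"},
    },
    "service": {"action": {"awsApiCallAction": {
        "api": "ListBuckets",
        "remoteIpDetails": {"ipAddressV4": "203.0.113.45"}}}},
}

# Fixed "now" so the example is reproducible; a real handler would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def is_credential_exfiltration(finding):
    return finding.get("type") == EXFIL_FINDING


def extract_context(finding):
    """Pull the instance, the stolen key and where it was used from."""
    res = finding.get("resource", {})
    action = finding.get("service", {}).get("action", {}).get("awsApiCallAction", {})
    return {
        "instance_id": res.get("instanceDetails", {}).get("instanceId"),
        "access_key_id": res.get("accessKeyDetails", {}).get("accessKeyId"),
        "api": action.get("api"),
        "remote_ip": action.get("remoteIpDetails", {}).get("ipAddressV4"),
    }


def revoke_sessions_policy(issued_before):
    """Inline policy denying all actions to any session of the role that was
    issued before the cutoff; sessions started afterwards are unaffected."""
    stamp = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def remediation_plan(finding, role_name, now):
    """Ordered CLI steps: revoke, investigate, harden. Empty for other finding types."""
    if not is_credential_exfiltration(finding):
        return []
    ctx = extract_context(finding)
    policy = json.dumps(revoke_sessions_policy(now))
    return [
        "# 1. Invalidate the stolen credentials: deny every session issued before now",
        "aws iam put-role-policy --role-name %s --policy-name AWSRevokeOlderSessions "
        "--policy-document '%s'" % (role_name, policy),
        "# 2. Investigate: what the stolen key did, and the state of the instance it came from",
        "aws cloudtrail lookup-events --lookup-attributes "
        "AttributeKey=AccessKeyId,AttributeValue=%s" % ctx["access_key_id"],
        "aws ec2 describe-instances --instance-ids %s" % ctx["instance_id"],
        "# 3. Close the SSRF path: require IMDSv2 on the instance",
        "aws ec2 modify-instance-metadata-options --instance-id %s "
        "--http-tokens required --http-put-response-hop-limit 1" % ctx["instance_id"],
    ]


if __name__ == "__main__":
    print("finding from %s via %s" % (extract_context(SAMPLE_FINDING)["remote_ip"],
                                      extract_context(SAMPLE_FINDING)["api"]))
    print("\n".join(remediation_plan(SAMPLE_FINDING, "WebServerRole", SAMPLE_NOW)))
```

Note that the deny policy also hits the instance's own legitimate session until it picks up fresh credentials from IMDS (or the instance profile is detached and reattached), so expect a brief workload disruption; that is the intended trade-off when the credentials are confirmed stolen.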
