BeginnerCloud Security

Require MFA for all cloud console access — delete root API keys immediately

AWS root account credentials with no MFA are a single compromised email away from complete account loss. The AWS root account should never be used for day-to-day operations, should have a hardware MFA token attached, and its access keys should be deleted entirely. All IAM users with console access require MFA. Enforce this with an IAM policy that denies all actions unless MFA is present. The Snowflake credential theft campaign in 2024 targeted cloud platform accounts where MFA was not enforced — attackers used credentials obtained from infostealer malware to log in to cloud consoles directly.

Tags

MFAAWS rootcloud consoleIAM policyinfostealer

More in Cloud Security

All guides
intermediatefeatured

Apply least-privilege IAM policies — no wildcard permissions in production

AWS IAM wildcard policies (Action: "*", Resource: "*") are the cloud equivalent of giving every employee a master key to every door. The Capital One breach was enabled by an SSRF vulnerability that allowed the attacker to query the EC2 metadata endpoint and retrieve IAM role credentials — credentials that had far broader permissions than the application needed. The GoDaddy breach used a provisioning system credential to access data across 1.2 million customer accounts. Audit every IAM role for over-broad permissions. Use AWS IAM Access Analyzer or equivalent tools to identify unused permissions. Restrict each role to exactly the S3 buckets, EC2 instances, and services it requires for its specific function.

See: Capital One BreachCloud Security
beginner

Block public access on S3 buckets at the account level, not just the bucket level

Misconfigured S3 buckets containing sensitive data have been a consistent cloud security failure for a decade. The fix exists: AWS S3 Block Public Access can be enforced at the account level, preventing any bucket in the account from ever being made public regardless of bucket-level settings. Enable Block Public Access at the organisation level in AWS Organizations SCPs. For buckets that legitimately need public access (static website hosting), require explicit approval and documentation. Audit all existing buckets for public access using AWS Config rules. Capital One's breach involved a misconfigured WAF role that could list and access S3 buckets — public access controls would not have stopped it, but defence in depth would have.

See: Capital One BreachCloud Security
intermediate

Use short-lived credentials via OIDC for CI/CD pipelines instead of long-lived secrets

Long-lived AWS access keys, GitHub personal access tokens, and API secrets stored in CI/CD environment variables are stolen regularly. The Codecov bash uploader attack harvested environment variables from thousands of build pipelines. The GitHub/Heroku OAuth token theft gave attackers access to private repositories. OpenID Connect (OIDC) enables CI/CD systems to request short-lived, scoped credentials from AWS, GCP, and Azure for each specific pipeline run — with no static secret stored anywhere. A stolen OIDC token is valid for minutes, not months. GitHub Actions, CircleCI, and most major CI platforms support OIDC-based credential exchange.

See: Codecov Bash UploaderCloud Security