Chapter 32: Cloud Security for Web Applications
IMDS and Credential Theft
Every major cloud exposes an instance metadata service (IMDS) on a link-local address that the workload reaches without any authentication. A web application with an SSRF flaw becomes a proxy to that address, and the role credentials the service hands back let the attacker act as the instance:
AWS EC2 Metadata: http://169.254.169.254 (role credentials under /latest/meta-data/iam/security-credentials/; with IMDSv2 every request must carry a session token obtained by a PUT to /latest/api/token, which a GET-only SSRF cannot perform)
GCP Metadata: http://metadata.google.internal (resolves to 169.254.169.254; requests must carry the header Metadata-Flavor: Google; service-account tokens under /computeMetadata/v1/instance/service-accounts/default/token)
Azure Metadata: http://169.254.169.254 (requests must carry the header Metadata: true and an api-version query parameter; managed-identity tokens under /metadata/identity/oauth2/token)
Because GCP and Azure require a custom header and AWS IMDSv2 requires a PUT plus a header, only an SSRF that controls the HTTP method and headers reaches them; an IMDSv1 endpoint answers a bare GET.
See SSRF (Chapter 15) for details.
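The following is an added example, not code from the original chapter, showing why the IMDSv2 token handshake defeats the classic GET-only SSRF. The `FakeImds` class is a constructed in-memory stand-in for the EC2 metadata service (its `http_tokens` setting mirrors the instance's HttpTokens option: optional allows IMDSv1, required enforces IMDSv2); the two client functions work unchanged against the real endpoint when given `urllib_send` instead of `FakeImds.send`. All credential values and the role name are constructed placeholders.

```python
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"


class FakeImds:
    """Constructed stand-in for the metadata service (not AWS code).
    http_tokens='optional' behaves like IMDSv1-enabled, 'required' like IMDSv2-only."""

    def __init__(self, http_tokens="optional", role="web-app-role"):
        self.http_tokens = http_tokens
        self.role = role
        self.tokens = set()
        # constructed sample credentials, not real keys
        self.creds = {"AccessKeyId": "ASIAEXAMPLE",
                      "SecretAccessKey": "constructed-secret",
                      "Token": "constructed-session-token"}

    def send(self, method, path, headers):
        """Returns (status, body) for one request, like the real service would."""
        headers = {k.lower(): v for k, v in headers.items()}
        if method == "PUT" and path == TOKEN_PATH:
            if TTL_HDR.lower() not in headers:      # TTL header is mandatory
                return 400, ""
            token = f"tok-{len(self.tokens) + 1}"
            self.tokens.add(token)
            return 200, token
        if method == "GET":
            token = headers.get(TOKEN_HDR.lower())
            if self.http_tokens == "required" and token not in self.tokens:
                return 401, ""                      # IMDSv1-style GET refused
            if path == CREDS_PATH:
                return 200, self.role
            if path == CREDS_PATH + self.role:
                return 200, json.dumps(self.creds)
        return 404, ""


def urllib_send(method, path, headers):
    """Sender for use on a real instance; same (status, body) contract as FakeImds.send."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def ssrf_style_get(send):
    """What a typical SSRF gives an attacker: plain GETs, no custom headers.
    Returns the credential dict, or None when the service refuses."""
    status, role = send("GET", CREDS_PATH, {})
    if status != 200:
        return None
    status, body = send("GET", CREDS_PATH + role.strip(), {})
    return json.loads(body) if status == 200 else None


def fetch_role_credentials(send, ttl=300):
    """IMDSv2 client: PUT for a session token, then GET with the token attached."""
    status, token = send("PUT", TOKEN_PATH, {TTL_HDR: str(ttl)})
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    hdr = {TOKEN_HDR: token}
    status, role = send("GET", CREDS_PATH, hdr)
    if status != 200:
        raise RuntimeError(f"role listing failed: HTTP {status}")
    status, body = send("GET", CREDS_PATH + role.strip(), hdr)
    if status != 200:
        raise RuntimeError(f"credential fetch failed: HTTP {status}")
    return json.loads(body)


if __name__ == "__main__":
    v1, v2 = FakeImds("optional"), FakeImds("required")
    print("IMDSv1 instance, SSRF GET   ->", ssrf_style_get(v1.send) is not None)
    print("IMDSv2 instance, SSRF GET   ->", ssrf_style_get(v2.send) is not None)
    print("IMDSv2 instance, token flow ->", fetch_role_credentials(v2.send)["AccessKeyId"])
```

Enforcing this on a real instance is one CLI call: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required, optionally with --http-put-response-hop-limit 1 so that the PUT response cannot travel past the instance's own network stack to a container or forwarded request.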
IAM Misconfigurations
The most common finding is a role attached to an EC2 instance or Lambda function with a wildcard policy; combined with the IMDS theft above, a single SSRF then becomes full account compromise.
// Overly permissive IAM role (Action "*" on Resource "*" is an administrator policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
// Principle of least privilege: only the two S3 actions the application needs, on one bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-specific-bucket/*"
    }
  ]
}
S3 Bucket Exposure
# Detecting exposed S3 buckets
# A public bucket lets anyone list and download its objects
# Check the bucket's own permissions (get-bucket-policy fails with NoSuchBucketPolicy when no policy is attached)
aws s3api get-bucket-acl --bucket my-bucket
aws s3api get-bucket-policy --bucket my-bucket
aws s3api get-public-access-block --bucket my-bucket
# Reconnaissance: guess bucket names from the usual convention
# Naming convention: company-name-env-purpose
https://company-backups.s3.amazonaws.com/
https://company-prod-assets.s3.amazonaws.com/
# A listable bucket answers with an XML ListBucketResult, a private one with AccessDenied
# The same check from the CLI without any credentials:
aws s3 ls s3://company-backups --no-sign-request
# Block public access (all four settings)
aws s3api put-public-access-block \
    --bucket my-bucket \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
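An added example, not from the original chapter, that serves both the IAM section and the S3 section above: an offline linter for the two misconfigurations they describe. It normalises a policy document (Statement may be one object or a list; Action, Resource and Principal may be a string or a list) and flags Allow statements with a bare "*" Action or Resource, Allow with NotAction (which grants everything not listed), and bucket-policy statements that grant to an anonymous Principal with no Condition. The four policy documents at the bottom are constructed samples; the account id 123456789012 is a placeholder.

```python
import json


def _as_list(value):
    """Policy fields may be a single string/dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Accept a JSON string or a parsed dict; Statement may be one object or a list."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return _as_list(policy.get("Statement"))


def _is_anonymous(principal):
    """'*' and {'AWS': '*'} both mean everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_wildcard_grants(policy):
    """IAM identity policy: list of (statement index, reason) for risky Allow statements."""
    findings = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") != "Allow":
            continue
        wild_action = any(a in ("*", "*:*") for a in _as_list(st.get("Action")))
        wild_resource = any(r == "*" for r in _as_list(st.get("Resource")))
        if wild_action and wild_resource:
            findings.append((i, "full-admin: Action * on Resource *"))
        elif wild_action:
            findings.append((i, "wildcard Action"))
        elif wild_resource:
            findings.append((i, "wildcard Resource"))
        if "NotAction" in st:  # Allow + NotAction permits every action not listed
            findings.append((i, "Allow with NotAction grants every unlisted action"))
    return findings


def find_public_statements(bucket_policy):
    """S3 bucket policy: list of (statement index, sorted actions) granted to
    an anonymous Principal by an Allow statement that carries no Condition."""
    findings = []
    for i, st in enumerate(_statements(bucket_policy)):
        if (st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal"))
                and not st.get("Condition")):
            findings.append((i, sorted(_as_list(st.get("Action")))))
    return findings


# Constructed sample documents (not real account policies)
OVERLY_PERMISSIVE = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
LEAST_PRIVILEGE = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow",
                                  "Action": ["s3:GetObject", "s3:PutObject"],
                                  "Resource": "arn:aws:s3:::my-specific-bucket/*"}]}
PUBLIC_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::company-backups", "arn:aws:s3:::company-backups/*"]}]})
RESTRICTED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},  # placeholder account
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::company-backups/*"}]}


if __name__ == "__main__":
    print("OVERLY_PERMISSIVE       ", find_wildcard_grants(OVERLY_PERMISSIVE))
    print("LEAST_PRIVILEGE         ", find_wildcard_grants(LEAST_PRIVILEGE))
    print("PUBLIC_BUCKET_POLICY    ", find_public_statements(PUBLIC_BUCKET_POLICY))
    print("RESTRICTED_BUCKET_POLICY", find_public_statements(RESTRICTED_BUCKET_POLICY))
```

Two caveats when reading its output: the Condition check is binary, so a statement whose only Condition is aws:SecureTransport is still public and is not flagged; and the linter looks at the policy alone, not at the bucket's or account's Block Public Access settings, which with RestrictPublicBuckets enabled stop anonymous callers even when such a policy is attached.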
Cloud Security Checklist
□ IMDSv2 required on all EC2 instances (HttpTokens=required)
□ IAM roles follow the principle of least privilege (no Action "*" / Resource "*")
□ S3 buckets: public access blocked (except buckets deliberately serving a static website)
□ CloudTrail enabled in all regions (multi-region trail) with log file validation
□ GuardDuty enabled
□ Security Hub enabled
□ Security groups: no 0.0.0.0/0 ingress except on the ports the service must expose
□ RDS: not publicly accessible
□ Secrets in Secrets Manager (or SSM Parameter Store), never hardcoded
□ MFA on the root account and on every IAM user
□ Access keys rotated on a schedule; prefer IAM roles over long-lived keys
□ CloudWatch alarms on suspicious activity (root login, IAM policy changes, CloudTrail disabled)