☁️ Cloud Security Posture Management — Deep Dive: CSPM, K8s Admission Control, AWS IAM, dan Cloud-Native WAF

Panduan komprehensif keamanan cloud-native mulai dari Cloud Security Posture Management (CSPM), Kubernetes admission control (OPA/Gatekeeper, Kyverno), AWS IAM policies & identity federation, cloud-native WAF (AWS WAF, Cloud Armor, Cloudflare WAF), hingga CIEM (Cloud Infrastructure Entitlement Management). Mencakup attack vectors spesifik cloud (S3 bucket misconfiguration, IAM privilege escalation, K8s RBAC abuse) serta tooling deteksi (CloudSploit, Prowler, Checkov, Kubescape).

Hubungan ke Vault

Nota ini terkait dengan cloud-infrastructure untuk gambaran arsitektur cloud secara umum, container-kubernetes-security-deepdive untuk fondasi keamanan container yang diperluas ke admission control dan cloud security posture, cicd-shiftleft-shiftright dan cicd-guide untuk DevSecOps pipeline placement, iam-identity-access-management untuk identitas dan akses, api-security-deep-dive dan waf-reverse-proxy-deepdive untuk WAF di perimeter cloud, serta zero-trust-security untuk prinsip zero trust di cloud.


Daftar Isi


Foundation

Mengapa Cloud Security Berbeda dari On-Premise?

Keamanan cloud tidak bisa disamakan dengan on-premise karena beberapa perbedaan fundamental:

AspekOn-PremiseCloud (IaaS/PaaS)
PerimeterJaringan fisik (firewall, DMZ)Identity dan API — “the perimeter is the IAM policy”
Kontrol aksesVLAN + firewall rulesIAM role + policy + resource-based policy
Model tanggung jawabSepenuhnya milik organisasiShared Responsibility Model (AWS: security OF the cloud vs security IN the cloud)
Skalabilitas konfigurasiManual atau script terbatasInfrastructure as Code (IaC) — Terraform, Pulumi, CloudFormation
VisibilityLog server + network flowCloudTrail, AWS Config, VPC Flow Logs, GuardDuty
EksposurTerbatas pada IP publik yang diketahuiAPI endpoints, managed services, serverless functions — bisa ter-expose tanpa sengaja via IAM misconfiguration

Shared Responsibility Model (AWS sebagai contoh)

┌──────────────────────────────────────────────┐
│                  CUSTOMER                      │
│  Data classification & encryption             │
│  Platform, applications, IAM, OS patching     │
│  Network traffic protection, firewall config  │
├──────────────────────────────────────────────┤
│                  AWS                           │
│  Compute, storage, database, networking       │
│  Global infrastructure (AZ, regions, edge)    │
│  Physical security, hardware lifecycle        │
└──────────────────────────────────────────────┘

Kesalahan umum: Customer menganggap di PaaS (misal RDS dengan IAM auth) semua secure — tapi tetap harus mengatur security group, parameter group encryption, backup encryption, dan audit logging.

Cloud Security Posture Management (CSPM)

CSPM adalah kategori tool yang secara otomatis mengidentifikasi misconfiguration, compliance violation, dan risiko keamanan di lingkungan cloud (multi-cloud).

DimensiTools Open SourceTools Komersial
AWSProwler, ScoutSuite, CloudSploitAWS Security Hub, Wiz, Orca, Lacework
AzureProwler (Azure support), Azure PolicyMicrosoft Defender for Cloud
GCPProwler (GCP support), ForsetiGoogle Security Command Center
Multi-Cloud / IaCCheckov, Terrascan, tfsec, KICSBridgecrew, Prisma Cloud, Snyk IaC

Misconfiguration Paling Umum (Berdasarkan CSA & CrowdStrike 2024 Report)

  1. S3 Bucket public-read atau public-write — data breach paling umum di cloud (bucket name unik + misconfigured ACL/bucket policy).
  2. IAM policy overly permissive"Effect": "Allow" dengan "Action": "*" dan "Resource": "*".
  3. Security Group ingress 0.0.0.0/0 — port SSH (22), RDP (3389), MySQL (3306) terbuka ke internet.
  4. Unrestricted outbound traffic — egress 0.0.0.0/0 tanpa filter untuk data exfiltration.
  5. KMS key with cross-account access — bisa jadi data leaking ke account yang tidak diaudit.
  6. Public EBS/AMI snapshot — snapshot snapshot bisa berisi data sensitif.
  7. Unused / orphaned resources — Elastic IP, EBS volume unattached → cost + security risk.
  8. Credentials in source code / CI variables — IAM keys hardcoded.

Kubernetes Admission Control

API server Kubernetes memiliki tiga fase untuk intercept request sebelum objek di-persist:

kubectl create pod → kubectl → Authentication → Authorization → ADMISSION CONTROL → etcd
                                                                     │
                                                ┌────────────────────┘
                                                ▼
                                     MutatingWebhook → ValidatingWebhook
TipeFasePerubahan ObjekContoh
Mutating admissionSebelum validasiBisa ubah/mutate objekInject sidecar, add labels, default security context
Validating admissionSetelah mutasiRead-onlyVerifikasi required labels, deny privileged containers
Built-inBawaan kube-apiserverVariatifAlwaysPullImages, NamespaceExist, PodSecurity, ResourceQuota

Policy Engines untuk Admission Control

EngineBahasaMutatingValidatingPopularitas
OPA GatekeeperRego declarative✅ (via mutation)Sangat luas, CNCF graduated, library policy library (G8S)
KyvernoYAML-native (no new language)Paling mudah dipelajari, growing rapidly, CNCF incubating
KubewardenWebAssembly (Rust, Go, JS)Performa tinggi, zero-trust supply chain, multi-language policies
jsPolicyJavaScriptFamiliar untuk JS developers

Technical Deep-Dive

AWS IAM — Deep Dive Privilege Escalation Vectors

IAM Policy Structure

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::corp-data/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "10.0.0.0/8" }
      }
    }
  ]
}

Komponen: Effect (Allow/Deny) → Action (service:operation) → Resource (ARN spesifik/wildcard) → Condition (opsional: IP, VPC endpoint, MFA, time, user agent).

IAM Privilege Escalation — 21 Methods (by Rhino Security Labs)

Metode populer yang sering dieksploitasi ketika attacker mendapatkan IAM credentials dengan iam:PassRole atau iam:CreatePolicyVersion:

#MetodeIzin Dibutuhkan
1CreateNewPolicyVersioniam:CreatePolicyVersion — bisa set policy version baru dengan full admin
2SetExistingDefaultPolicyVersioniam:SetDefaultPolicyVersion — rollback ke versi policy lama yang lebih permisif
3PassRoleToEC2iam:PassRole + ec2:RunInstances — launch EC2 dengan role admin → SSH → curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE
4PassRoleToLambdaiam:PassRole + lambda:CreateFunction + lambda:InvokeFunction — buat Lambda dengan admin role
5PassRoleToCloudFormationiam:PassRole + cloudformation:CreateStack — deploy stack yang execute custom resource dengan admin role
6UpdateAssumeRolePolicyiam:UpdateAssumeRolePolicyDocument — buka trust policy ke akun attacker
7CreateAccessKeyiam:CreateAccessKey — buat access key untuk user lain (misalnya admin)
8CreateLoginProfileiam:CreateLoginProfile — set password untuk user lain
9AttachUserPolicyiam:AttachUserPolicy — attach admin policy ke user attacker
10PutUserPolicyiam:PutUserPolicy — inline policy dengan akses penuh ke attacker

Mitigasi:

  • Gunakan Permissions Boundary — set batas maksimum izin yang bisa diberikan ke user/role.
  • Implementasi SCP (Service Control Policy) di AWS Organizations — berlaku untuk ALL accounts di OU, override IAM permissions.
  • Monitor CloudTrail untuk event PassRole, CreatePolicyVersion, UpdateAssumeRolePolicy dari non-admin.

Kubernetes Admission Control — Praktis dengan Kyverno

Install Kyverno

helm repo add kyverno https://kyverno.github.io/kyverno/
helm upgrade --install kyverno kyverno/kyverno \
  --namespace kyverno --create-namespace \
  --version v3.3.0 \
  --set admissionController.replicas=2

Policy 1: Prevent Privileged Containers (Validate)

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
spec:
  validationFailureAction: Enforce
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Privileged containers are not allowed. Please remove 'securityContext.privileged: true'"
        pattern:
          spec:
            containers:
              - securityContext:
                  privileged: "false"

Policy 2: Enforce Image Registry (Mutate + Validate)

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: validate-registry
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Image must be from trusted registry (harbor.corp.internal or docker.corp.internal)"
        foreach:
          - list: "request.object.spec.initContainers[]"
            pattern:
              image: "harbor.corp.internal/*"
          - list: "request.object.spec.containers[]"
            pattern:
              image: "harbor.corp.internal/*"

Policy 3: Auto-Inject Sidecar (Mutate — Proxy Injection)

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-sidecar
  annotations:
    policies.kyverno.io/title: Inject Sidecar Proxy
    policies.kyverno.io/subject: Pod
spec:
  rules:
    - name: inject-envoy
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - "app-*"
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - name: envoy-sidecar
                image: envoyproxy/envoy:v1.30-latest
                ports:
                  - containerPort: 9901
                volumeMounts:
                  - name: envoy-config
                    mountPath: /etc/envoy

Cloud-Native WAF — AWS WAF vs Cloud Armor vs Cloudflare

FiturAWS WAFGoogle Cloud ArmorCloudflare WAF
DeploymentCloudFront, ALB, API Gateway, AppSyncCloud Load Balancing, Cloud CDN, Media CDNAny HTTP/HTTPS via reverse proxy
Rule engineJSON-based rule groups + Managed rulesYAML-based security policiesWAF rule builder + Managed rulesets
Rate limitingRate-based rules (5-minute window)Rate limiting per IPRate limiting rules + Advanced DDoS
Bot controlAWS WAF Bot Control (managed)Google Cloud Armor Bot ManagementBot Fight Mode + Super Bot Fight
IP reputationAWS Managed Rules (anonymous IP, etc.)Managed rules from threat intelligenceProject Honey Pot, own intelligence
Custom responseBlock / Count + custom response codeDeny / Redirect / Rate LimitChallenge / JS Challenge / Block
OWASP Top 10AWS Managed Rules (core rule set)OWASP CRS preconfiguredOWASP CRS + Cloudflare Managed Rules
Pricing0.60/1M requests$5-15/policy per monthFree tier available, Pro/Business/Enterprise

AWS WAF — Core Rule Set (OWASP CRS Equivalent)

{
  "Name": "AWSManagedRulesCommonRuleSet",
  "Priority": 0,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesCommonRuleSet",
      "ExcludedRules": []
    }
  },
  "OverrideAction": { "Count": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWSCommonRules"
  }
}

Cloud Infrastructure Entitlement Management (CIEM)

CIEM adalah kategori keamanan yang fokus pada manajemen entitlement dan izin di lingkungan cloud multi-account.

Masalah yang Dipecahkan CIEMTool
Over-privileged roles — identity yang punya izin jauh melebihi kebutuhanErmetic (Tenable), Entitle (Bionic), CloudKnox (Alkira)
Unused permissions — izin yang tidak pernah digunakan dalam 90+ hariAWS IAM Access Analyzer, Azure AD Entitlement Management
Cross-account access — trust relationships yang terlalu longgarAWS IAM Access Analyzer (cross-account access), CloudSploit
Human vs machine identity — membedakan yang perlu MFAAWS IAM last-used, AWS CloudTrail Insights
Just-in-Time access — izin sementara dengan approval workflowAWS IAM Identity Center (SSO), Teleport, Apono

Advanced

Kubernetes Admission Control — Gatekeeper (OPA) Policy Library

Koleksi policy umum menggunakan Rego/Gatekeeper:

ConstraintTemplate: Block NodePort Service

# constrainttemplate.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: blocknodeport
spec:
  crd:
    spec:
      names:
        kind: BlockNodeport
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sblocknodeport
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.operation == "CREATE"
          input.review.object.spec.type == "NodePort"
          msg := "Service type NodePort is not allowed"
        }
---
# constraint.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: BlockNodeport
metadata:
  name: block-nodeport-all
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]

Zero-Trust Networking for Cloud (BeyondCorp, Tailscale, SPIFFE/SPIRE)

SPIFFE/SPIRE — Identity Federation untuk Workload

SPIFFE (Secure Production Identity Framework for Everyone) menyediakan identitas kriptografis untuk setiap workload (container, VM, bare-metal):

Workload → SPIRE Agent → SPIRE Server → Certificate Authority
              │
              ▼
    SVID (X.509 / JWT)

Implementasi:

# spire-server deployment
server:
  ca_subject:
    country: ID
    organization: Corp Security
  federation:
    - bundle_endpoint:
        address: 0.0.0.0
        port: 8443
# Agent registrasi — memberikan identitas ke workload
spire-server entry create \
  -spiffeID spiffe://corp.internal/nginx \
  -parentID spiffe://corp.internal/k8s-node \
  -selector k8s:pod-label:app:nginx
 
# Workload API — mendapatkan SVID
spire-agent api fetch /tmp/svid.pem

Cloud Attack Path Analysis

Attack Path: Rantai eksploitasi yang menghubungkan kompromi satu resource ke resource kritis di cloud.

Contoh attack path dengan Stratus Red Team:

Step 1: Attacker compromise GitHub personal access token → access AWS CodeBuild
Step 2: CodeBuild has iam:PassRole to a build role
Step 3: Build role has s3:GetObject on secret bucket
Step 4: Secret bucket contains database credentials
Step 5: Database (RDS) is publicly accessible with 0.0.0.0/0 ingress
Tool Attack Path AnalysisCloud
Stratus Red Team (Datadog)AWS — simulate attack techniques
CloudSploitAWS, Azure, GCP
ProwlerAWS, Azure, GCP
Wiz Cloud SecurityMulti-cloud + Kubernetes
Orca SecurityMulti-cloud (agentless)

Hardening Checklist — Cloud Security

☐ Enable CloudTrail / AWS Config / GuardDuty di ALL regions
☐ S3 Block Public Access — enabled di account level (AKIA...)
☐ IAM: enable last-used permissions analysis tiap 90 hari
☐ IAM: hapus access key > 90 hari tidak dipakai
☐ IAM: enforce MFA untuk ALL human users
☐ SCP: deny non-approved regions
☐ SCP: deny root user actions (kecuali emergency)
☐ EC2: restrict security group ingress — deny 0.0.0.0/0 for non-web services
☐ EBS: enable encryption by default (AES-256 KMS)
☐ RDS: enable encryption + automated backup
☐ K8s: enable OPA Gatekeeper / Kyverno di ALL clusters
☐ K8s: restrict NodePort services
☐ K8s: enforce readOnlyRootFilesystem + drop all capabilities
☐ VPC: enable Flow Logs for every VPC
☐ VPC: restrict default security group (no ingress rule)
☐ Secrets: use Secrets Manager / Parameter Store / Vault — never plaintext in code
☐ ECR: enforce image scanning + tag immutability
☐ Lambda: restrict VPC access + minimum IAM role
☐ CloudFront: enforce HTTPS + WAF
☐ Backup: automated backup plan dengan retention 30+ hari

Sigma Detection Rules for Cloud Attacks

S3 Bucket Public Access Change

title: S3 Block Public Access Disabled
id: d9f2e44a-9c08-4b7a-8e1f-6d5c3b2a1e7f
status: experimental
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: s3.amazonaws.com
    eventName:
      - PutBucketAcl
      - PutBucketPolicy
      - PutBucketPublicAccessBlock
  condition: selection
level: high

IAM Privilege Escalation via PassRole

title: IAM PassRole to EC2 by Non-Admin
id: 7c9e5f1a-3d8c-4b6e-9f2a-1d5e7c8b0a3f
status: experimental
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: ec2.amazonaws.com
    eventName: RunInstances
  filter:
    requestParameters|contains: IamInstanceProfile
  condition: selection and filter
level: medium

Case Studies

Studi KasusKonteksTemuan KunciMitigasi Diimplementasi
Capital One Breach (2019)PaaS WAF misconfiguration (WAF not blocking SSRF) → attacker access metadata service from EC2 → IAM role credential1. WAF tidak memblokir SSRF. 2. IAM role terlalu permisif (read all S3). 3. Metadata service endpoint 169.254.169.254 dapat diakses dari aplikasi. 4. 100M+ records terekspos.1. WAF blocking SSRF. 2. IMDSv2 (session-oriented metadata). 3. S3 bucket policy ketat per aplikasi. 4. Network segmentation EC2 + S3 via VPC Endpoint.
Accenture Leak via S3 (2022)S3 bucket salah konfigurasi — public-read ACL1. Bucket untuk penyimpanan data partner expose: API keys, credentials, secrets. 2. 6 TB data ter-expose selama 4 bulan.1. S3 Block Public Access enable all account level. 2. Automated CSPM scanning + AWS Config rule. 3. Incident response untuk exposed credentials.
Tesla Kubernetes Compromise (2018)K8s cluster tidak di-authenticate → attacker access dashboard → get kubeconfig1. K8s dashboard tidak dilindungi (exposed via LoadBalancer tanpa auth). 2. Cluster tidak menggunakan RBAC — satu pod bisa akses semua secret. 3. Mining cryptocurrency langsung di pod yang tidak dibatasi resources.1. K8s dashboard HA (disable default). 2. Enable RBAC + OIDC integration. 3. Resource quota + limit range. 4. NetworkPolicy default deny.
EggShell AWS Attack (2023)Attacker gunakan IAM credential dari compromised GitHub → privilege escalation1. GitHub Action token dgn iam:PassRole + ec2:RunInstances. 2. Launch EC2 dengan admin role → ekstrak credential dari metadata. 3. Persistence via IAM user baru + access key.1. OIDC-based GitHub Actions (no static keys). 2. SCP untuk membatasi PassRole. 3. IAM Access Analyzer izin yang tidak digunakan. 4. AWS Config + Security Hub auto-remediation.
Simulated Red Team: Cloud Pentest (2024)Lateral movement dari account dev ke account production via role chaining1. Dev account punya sts:AssumeRole ke role yang bisa iam:PassRole ke role produksi. 2. Backdoor via Lambda function dengan production role. 3. Unattended EBS snapshot bisa di-mount di account attacker.1. SCP batasi cross-account assume role dari non-prod. 2. Hapus unused snapshots/image. 3. Monitoring CloudTrail cross-account events.

Koneksi ke Vault


Referensi

  1. AWS. Shared Responsibility Model. https://aws.amazon.com/compliance/shared-responsibility-model/
  2. NIST. SP 800-207: Zero Trust Architecture. https://csrc.nist.gov/publications/detail/sp/800-207/final
  3. CNCF. Cloud Native Security Whitepaper. https://github.com/cncf/tag-security/blob/main/security-whitepaper/CNCF_cloud_native_security_whitepaper.pdf
  4. OPA Gatekeeper. Gatekeeper Policy Library. https://github.com/open-policy-agent/gatekeeper-library
  5. Kyverno. Kyverno Policies. https://github.com/kyverno/policies
  6. CIS. CIS Kubernetes Benchmark v1.9. https://www.cisecurity.org/benchmark/kubernetes/
  7. Rhino Security Labs. AWS IAM Privilege Escalation Methods. https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
  8. AWS. IAM Best Practices. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  9. AWS. Security Best Practices for EKS. https://docs.aws.amazon.com/eks/latest/best-practices/security.html
  10. Prowler. Open Source AWS/Azure/GCP Security. https://github.com/prowler-cloud/prowler
  11. Checkov. IaC Security Scanning. https://github.com/bridgecrewio/checkov
  12. CloudSploit / Aqua Security. CloudSploit. https://github.com/aquasecurity/cloudsploit
  13. SPIFFE/SPIRE. SPIFFE Standard. https://spiffe.io/
  14. CrowdStrike. Global Threat Report 2024: Cloud Security. https://www.crowdstrike.com/global-threat-report/
  15. Wiz. Cloud Security Report 2024. https://www.wiz.io/ebooks/state-of-cloud-security-2024
  16. AWS. AWS Well-Architected Framework – Security Pillar. https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html
  17. Google Cloud. Security Best Practices for GKE. https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview
  18. Microsoft. Azure Security Benchmark v3. https://learn.microsoft.com/en-us/security/benchmark/azure/
  19. Stratus Red Team (Datadog). Attack Technique Simulation. https://stratus-red-team.cloud/
  20. MITRE ATT&CK Cloud Matrix. Cloud-Based Techniques. https://attack.mitre.org/matrices/enterprise/cloud/

Bottom Line

Keamanan cloud bukanlah tentang satu produk atau satu lapisan — ini tentang posture berkelanjutan (CSPM), pencegahan di admission (OPA/Kyverno), kontrol identitas granular (IAM/SCP), dan deteksi anomaly (CloudTrail + GuardDuty). Karena perimeter cloud adalah IAM policy, semua misconfiguration bisa menjadi bencana dalam hitungan jam. Kombinasi antara IaC scanning (pre-deploy), CSPM monitoring (post-deploy), dan admission control (di waktu deploy) adalah fondasi pertahanan yang tidak bisa ditawar. Implementasi SCP untuk membatasi privilege escalation — khususnya iam:PassRole dan cross-account trust — adalah langkah dengan ROI keamanan tertinggi.