Cloud Offensive Security

Domain overview

Cloud offensive work is identity-heavy, API-heavy and automation-heavy. The aim is to map who can assume what, which service can mint trust, and where control-plane decisions become durable access.

How to approach this surface

• Identity-first thinking: enumerate roles, service accounts, app registrations, federation points and token issuance paths before obsessing over individual compute instances.
• Control-plane abuse: cloud management APIs often matter more than a single VM because they can create, snapshot, attach, redeploy or exfiltrate at scale.
• Automation drift: CI/CD, IaC and GitOps pipelines frequently hold the quietest but most scalable route to privilege expansion.
• Container and Kubernetes pressure: namespace assumptions, secret mounting, admission gaps, node trust and exposed dashboards often become the bridge from workload to cluster influence.
• SaaS adjacency: a cloud estate is rarely isolated; identity, mail, file-sharing and ticketing systems often inherit trust from the same provider backbone.

Related certification and framework context

• OffSec SEC-588 / Cloud SecurityCloud-native attack paths, automation abuse and defensive context.
• OffSec PEN-200 / OSCP+Useful when cloud edges still terminate into classic internal attack paths.
• MITRE ATT&CK Cloud MatrixCloud-specific adversary techniques, identities and service abuse paths.

Selected public references

• AWS IAM DocumentationPolicies, principals, role assumption and trust policy behaviour.
• Microsoft Learn · Entra IDIdentity provider and cloud control guidance across Microsoft estates.
• Google Cloud IAMBindings, service accounts and permission inheritance.
• Kubernetes DocumentationControl-plane objects, RBAC, admission and workload operations.
• OWASP Kubernetes Top TenCommon cloud-native and container orchestration failure patterns.

Topic index