EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securitySTRIDEMITRE-ATT&CKthreat-modelling

Threat Modelling with STRIDE & MITRE ATT&CK for Cloud

How to apply the STRIDE threat model to cloud workloads, and how the MITRE ATT&CK for Cloud matrix maps attacker techniques to cloud-native detection opportunities.

Ashish Revar3 July 202613 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

MITRE ATT&CK for Cloud Matrix

The complete MITRE ATT&CK for Cloud matrix covering AWS, Azure, GCP, Microsoft 365, and SaaS platforms.

wiki
MITRE ATT&CK for Cloud Matrix

The complete MITRE ATT&CK for Cloud matrix covering AWS, Azure, GCP, Microsoft 365, and SaaS platforms.

wiki
Microsoft STRIDE Threat Model Overview

Microsoft documentation on the STRIDE model and the Threat Modeling Tool for cloud architectures.

blog
Microsoft STRIDE Threat Model Overview

Microsoft documentation on the STRIDE model and the Threat Modeling Tool for cloud architectures.

blog
OWASP Threat Modeling Cheat Sheet

OWASP practical guidance on threat modeling including STRIDE application to web applications.

wiki
OWASP Threat Modeling Cheat Sheet

OWASP practical guidance on threat modeling including STRIDE application to web applications.

wiki
CloudGoat — Vulnerable AWS Lab for ATT&CK Techniques

Rhino Security Labs intentionally vulnerable AWS environment for practising cloud attack techniques.

tool
CloudGoat — Vulnerable AWS Lab for ATT&CK Techniques

Rhino Security Labs intentionally vulnerable AWS environment for practising cloud attack techniques.

tool
More articlesTest your knowledge

Why Threat Modelling Matters in Cloud

Traditional penetration testing finds what is already broken. Threat modelling finds what could break before it does. In cloud environments — where new services are provisioned in minutes and architecture changes weekly — threat modelling is the only scalable approach to staying ahead of attackers.

STRIDE: A Structured Threat Classification

STRIDE was developed at Microsoft and classifies threats into six categories that cover every attacker goal:

ThreatAttacker GoalCloud ExampleProperty Violated
SpoofingImpersonate another identityStealing JWT tokens to call APIs as another userAuthentication
TamperingModify data without authorisationWriting to an S3 bucket to plant malicious filesIntegrity
RepudiationDeny performing an actionDisabling CloudTrail before exfiltrationNon-repudiation
Information DisclosureAccess data without authorisationPublicly accessible S3 bucket with sensitive dataConfidentiality
Denial of ServicePrevent legitimate accessEDoS attack consuming auto-scaled computeAvailability
Elevation of PrivilegeGain higher access than grantedIAM privilege escalation via iam:PassRoleAuthorisation

Applying STRIDE to a Cloud Workload

Consider a simple web application on AWS: EC2 → ALB → Lambda → RDS → S3.

Spoofing threats:

  • Fake SSL certificate for the ALB hostname
  • JWT token theft via XSS on the web front-end
  • Mitigation: ACM certificates with auto-renewal; HTTPOnly cookies; MFA

Tampering threats:

  • SQL injection via Lambda function to modify RDS data
  • Attacker with write access to S3 replacing application assets
  • Mitigation: Parameterised queries; S3 versioning and object lock

Repudiation threats:

  • Attacker disables CloudTrail logging before data exfiltration
  • Mitigation: CloudTrail log file integrity validation; S3 Object Lock on log bucket

Information Disclosure threats:

  • S3 bucket accidentally set to public
  • Lambda environment variables exposing API keys in CloudWatch logs
  • Mitigation: S3 Block Public Access; Secrets Manager instead of env vars

Denial of Service threats:

  • ALB flooded with requests exceeding Lambda concurrency limits
  • Mitigation: AWS WAF rate limiting; Lambda reserved concurrency; Shield Advanced

Elevation of Privilege threats:

  • Lambda execution role has iam:PassRole with * resource — can pass any role to any service
  • EC2 instance with overprivileged role attached
  • Mitigation: Least-privilege IAM; regular access reviews; IAM Access Analyzer

MITRE ATT&CK for Cloud

MITRE ATT&CK for Cloud extends the ATT&CK framework with cloud-specific tactics and techniques across AWS, Azure, GCP, Microsoft 365, and SaaS platforms.

TacticKey Cloud TechniqueDetection Opportunity
Initial AccessValid Accounts (T1078) — compromised IAM credentialsAnomalous GetCallerIdentity calls; unfamiliar source IP
ExecutionServerless Execution (T1648) — malicious Lambda functionsLambda invocation from new principals
PersistenceAccount Manipulation (T1098) — adding new IAM usersCloudTrail: CreateUser, CreateAccessKey
Privilege EscalationValid Accounts — assuming admin rolesAssumeRole calls to sensitive roles
Defence EvasionImpair Defences (T1562) — disabling GuardDuty, CloudTrailConfig rule violations; CloudTrail StopLogging event
Credential AccessUnsecured Credentials (T1552) — EC2 IMDS abuseAccess to 169.254.169.254 in VPC Flow Logs
DiscoveryCloud Service Discovery (T1526) — enumerating S3, EC2High-volume List* and Describe* API calls
ExfiltrationTransfer Data to Cloud Account (T1537) — S3 replication to attacker bucketPutBucketReplication on sensitive buckets

Key Takeaway

STRIDE gives you the what — which security property is being attacked. MITRE ATT&CK for Cloud gives you the how — which specific techniques attackers use and where to detect them. Together they form a complete threat modelling and detection engineering toolkit for cloud environments.