How to apply the STRIDE threat model to cloud workloads, and how the MITRE ATT&CK for Cloud matrix maps attacker techniques to cloud-native detection opportunities.
Sign in to mark this article as read and track your progress.
Traditional penetration testing finds what is already broken. Threat modelling finds what could break before it does. In cloud environments — where new services are provisioned in minutes and architecture changes weekly — threat modelling is the only scalable approach to staying ahead of attackers.
STRIDE was developed at Microsoft and classifies threats into six categories that cover every attacker goal:
| Threat | Attacker Goal | Cloud Example | Property Violated |
|---|---|---|---|
| Spoofing | Impersonate another identity | Stealing JWT tokens to call APIs as another user | Authentication |
| Tampering | Modify data without authorisation | Writing to an S3 bucket to plant malicious files | Integrity |
| Repudiation | Deny performing an action | Disabling CloudTrail before exfiltration | Non-repudiation |
| Information Disclosure | Access data without authorisation | Publicly accessible S3 bucket with sensitive data | Confidentiality |
| Denial of Service | Prevent legitimate access | EDoS attack consuming auto-scaled compute | Availability |
| Elevation of Privilege | Gain higher access than granted | IAM privilege escalation via iam:PassRole | Authorisation |
Consider a simple web application on AWS: EC2 → ALB → Lambda → RDS → S3.
Spoofing threats:
Tampering threats:
Repudiation threats:
Information Disclosure threats:
Denial of Service threats:
Elevation of Privilege threats:
iam:PassRole with * resource — can pass any role to any serviceMITRE ATT&CK for Cloud extends the ATT&CK framework with cloud-specific tactics and techniques across AWS, Azure, GCP, Microsoft 365, and SaaS platforms.
| Tactic | Key Cloud Technique | Detection Opportunity |
|---|---|---|
| Initial Access | Valid Accounts (T1078) — compromised IAM credentials | Anomalous GetCallerIdentity calls; unfamiliar source IP |
| Execution | Serverless Execution (T1648) — malicious Lambda functions | Lambda invocation from new principals |
| Persistence | Account Manipulation (T1098) — adding new IAM users | CloudTrail: CreateUser, CreateAccessKey |
| Privilege Escalation | Valid Accounts — assuming admin roles | AssumeRole calls to sensitive roles |
| Defence Evasion | Impair Defences (T1562) — disabling GuardDuty, CloudTrail | Config rule violations; CloudTrail StopLogging event |
| Credential Access | Unsecured Credentials (T1552) — EC2 IMDS abuse | Access to 169.254.169.254 in VPC Flow Logs |
| Discovery | Cloud Service Discovery (T1526) — enumerating S3, EC2 | High-volume List* and Describe* API calls |
| Exfiltration | Transfer Data to Cloud Account (T1537) — S3 replication to attacker bucket | PutBucketReplication on sensitive buckets |
STRIDE gives you the what — which security property is being attacked. MITRE ATT&CK for Cloud gives you the how — which specific techniques attackers use and where to detect them. Together they form a complete threat modelling and detection engineering toolkit for cloud environments.