Cloud Control Plane Attack
Qu'est-ce que Cloud Control Plane Attack ?
Cloud Control Plane AttackAn attack that targets the management API of a cloud provider (AWS, Azure, GCP) — IAM, billing, deployment APIs — rather than workloads, achieving tenant-wide impact through stolen tokens, federation abuse, or partner-channel compromises.
A cloud control-plane attack is one that targets the provider's management surface (sts:AssumeRole, AWS Organizations, Entra ID Graph, GCP Resource Manager, billing APIs, Identity Center, hub-and-spoke deployment tools) instead of the workloads running inside a tenant. Because every workload's permissions, every resource's existence, and the billing relationship itself live in the control plane, a control-plane compromise is unrecoverable from inside the tenant — the attacker can disable logging, exfiltrate keys, create persistent backdoor IAM users, modify Conditional Access, or move resources to other accounts. Documented techniques include long-lived access-key theft from developer laptops, Single-Sign-On compromise (the 2020 SolarWinds chain into Microsoft 365, the 2023 Storm-0558 Azure key forge), reseller-channel abuse (the 2024 Midnight Blizzard test-tenant pivot), federation/IdP trust manipulation (Golden SAML), and abuse of CI/CD identities with cloud admin trust (OIDC-to-cloud-role). Defenses focus on root-account isolation, FIDO2 phishing-resistant MFA on every break-glass identity, hardware-bound CI/CD trust, restrictive Conditional Access, immutable CloudTrail/Azure-Monitor to a separate tenant, and continuous control-plane anomaly detection.
● Exemples
- 01
Storm-0558 forged Azure AD signing tokens and read Exchange Online mailboxes across U.S. federal tenants in 2023 — a textbook control-plane compromise.
- 02
An attacker with a stolen long-lived AWS access key creates a new IAM user, attaches AdministratorAccess, and uses it from a different region to remain below GuardDuty thresholds.
● Questions fréquentes
Qu'est-ce que Cloud Control Plane Attack ?
An attack that targets the management API of a cloud provider (AWS, Azure, GCP) — IAM, billing, deployment APIs — rather than workloads, achieving tenant-wide impact through stolen tokens, federation abuse, or partner-channel compromises. Cette notion relève de la catégorie Sécurité du cloud en cybersécurité.
Que signifie Cloud Control Plane Attack ?
An attack that targets the management API of a cloud provider (AWS, Azure, GCP) — IAM, billing, deployment APIs — rather than workloads, achieving tenant-wide impact through stolen tokens, federation abuse, or partner-channel compromises.
Comment fonctionne Cloud Control Plane Attack ?
A cloud control-plane attack is one that targets the provider's management surface (sts:AssumeRole, AWS Organizations, Entra ID Graph, GCP Resource Manager, billing APIs, Identity Center, hub-and-spoke deployment tools) instead of the workloads running inside a tenant. Because every workload's permissions, every resource's existence, and the billing relationship itself live in the control plane, a control-plane compromise is unrecoverable from inside the tenant — the attacker can disable logging, exfiltrate keys, create persistent backdoor IAM users, modify Conditional Access, or move resources to other accounts. Documented techniques include long-lived access-key theft from developer laptops, Single-Sign-On compromise (the 2020 SolarWinds chain into Microsoft 365, the 2023 Storm-0558 Azure key forge), reseller-channel abuse (the 2024 Midnight Blizzard test-tenant pivot), federation/IdP trust manipulation (Golden SAML), and abuse of CI/CD identities with cloud admin trust (OIDC-to-cloud-role). Defenses focus on root-account isolation, FIDO2 phishing-resistant MFA on every break-glass identity, hardware-bound CI/CD trust, restrictive Conditional Access, immutable CloudTrail/Azure-Monitor to a separate tenant, and continuous control-plane anomaly detection.
Comment se défendre contre Cloud Control Plane Attack ?
Les défenses contre Cloud Control Plane Attack combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de Cloud Control Plane Attack ?
Noms alternatifs courants : Cloud management-plane attack, Tenant takeover.
● Termes liés
- cloud-security№ 212
Vol de tokens cloud
Vol de tokens OAuth, SAML ou de signature aupres d'un service d'identite cloud et rejeu pour usurper utilisateurs ou services sans avoir besoin de mots de passe.
- cloud-security№ 562
Escalade de privileges IAM
Detournement de permissions IAM existantes dans le cloud pour obtenir des privileges superieurs, souvent par edition de policy, prise de role ou auto-attribution de droits admin.
- identity-access№ 496
Golden SAML
An identity-attack technique that steals a federation IdP's token-signing private key (typically from AD FS) and forges arbitrary SAML responses, granting persistent, MFA-bypassing access to any federated service.
- attacks№ 1234
Attaque de la chaîne d'approvisionnement
Attaque qui compromet un fournisseur de logiciel, de matériel ou de services de confiance afin d'atteindre ses clients en aval.
- cloud-security№ 1142
Modèle de responsabilité partagée
Cadre de sécurité cloud qui répartit les tâches de sécurité entre le fournisseur (sécurité du cloud) et le client (sécurité dans le cloud).
- cloud-security№ 209
Mauvaise configuration cloud
Faille de sécurité due à des réglages incorrects ou non sécurisés des services cloud : stockage exposé, politiques IAM faibles, ports d'administration ouverts, etc.