2 MARKS
1. What is VM hopping?
VM hopping is a type of virtualization-based attack where an attacker exploits
vulnerabilities in a hypervisor to move from one virtual machine (VM) to another within
the same physical host.
2. Define IAM.
IAM (Identity and Access Management) is a security framework that defines and manages
user identities and access permissions to cloud resources, ensuring only authorized users
can access specific services.
3. Name any two cloud security threats.
Data breaches
Denial of Service (DoS) attacks
4. What is hyperjacking?
Hyperjacking is a malicious attack where a hacker gains control over the hypervisor,
allowing them to control or monitor all VMs running on that host undetected.
5. Mention any two data protection techniques.
Encryption (data at rest/in transit)
Backup and Disaster Recovery
6. What is the role of encryption in cloud security?
Encryption ensures data confidentiality and integrity by converting sensitive information
into a secure format, protecting it from unauthorized access both at rest and in transit.
7. Define DRM.
Digital Rights Management (DRM) is a set of technologies used to control and restrict the
use, modification, and distribution of digital content to protect intellectual property.
8. What is multi-factor authentication?
Multi-factor authentication (MFA) is a security mechanism that requires two or more
verification factors (like password + OTP or biometric) to access a system, reducing
unauthorized access risks.
9. Mention one use of cloud logging.
Cloud logging helps in security auditing and incident response by tracking user activities,
API calls, and system events in real time.
10. What is a secure API?
A secure API is an Application Programming Interface that is protected against threats
using authentication, encryption, throttling, and other security mechanisms to prevent
unauthorized access and abuse.
5 MARKS
1. Explain IAM and its role in cloud security.
Identity and Access Management (IAM) is a framework that enables the definition,
enforcement, and monitoring of who can access what in cloud environments.
Key Roles of IAM:
Authentication: Verifies user identity (via passwords, MFA).
Authorization: Controls access using roles, policies, and permissions (e.g., AWS
IAM policies).
Least Privilege: Ensures users only get the access needed for their tasks.
Role-Based Access Control (RBAC): Assigns permissions based on job roles.
Auditability: Logs access actions for security auditing and compliance.
In the cloud, IAM services such as AWS IAM, Azure Active Directory, and GCP IAM are central
to securing workloads by managing users, services, and API access.
2. List and explain common cloud security threats.
1. Data Breaches: Unauthorized access to sensitive information due to weak access
control or misconfigurations.
2. Insecure APIs: Improperly secured interfaces can allow hackers to manipulate or
access data.
3. Denial of Service (DoS): Attackers flood cloud servers to make services unavailable.
4. Account Hijacking: Attackers gain control of cloud accounts via phishing or
credential leaks.
5. Insider Threats: Malicious or careless insiders misuse their access, causing data
leaks or system damage.
Prevention methods: MFA, access logs, API throttling, and network firewalls.
3. Describe encryption and its use in cloud data protection.
Encryption is the process of converting data into unreadable code using algorithms and keys,
ensuring confidentiality and integrity.
Types in the cloud:
At Rest: Data stored in databases or disks is encrypted (e.g., using AES-256).
In Transit: Data moving between clients and servers is encrypted via TLS/SSL.
End-to-End Encryption: Ensures only sender and recipient can access plaintext data.
Use Cases:
Protect user data (e.g., in S3, Azure Blob).
Meet compliance requirements like GDPR, HIPAA.
Prevent data leaks even if physical storage is compromised.
4. What is DRM and how is it applied in cloud?
Digital Rights Management (DRM) is a technology that controls access to digital
media/content to prevent unauthorized distribution or use.
Applications in Cloud:
Access Control: Limits who can view, copy, or print content (e.g., in eBooks,
videos).
License Management: Applies time-based or subscription-based access via cloud
platforms.
Tracking: Monitors usage and revokes access if terms are violated.
Cloud Integration: Cloud-based DRM services (e.g., Adobe DRM, Microsoft RMS)
manage digital assets centrally and scale globally.
DRM ensures intellectual property protection in digital content hosted on cloud platforms.
5. Discuss the importance of monitoring in cloud environments.
Monitoring involves tracking cloud resources, activities, and services to ensure
performance, security, and compliance.
Importance:
Threat Detection: Real-time alerts on suspicious behavior (e.g., IAM misuse, port
scanning).
Performance Monitoring: Ensures uptime and response times using tools like
CloudWatch or Azure Monitor.
Auditing & Compliance: Log management supports standards like ISO 27001, SOC
2, and HIPAA.
Incident Response: Enables rapid identification and resolution of issues.
Cost Optimization: Detect unused or overprovisioned resources.
Monitoring is essential for proactive security and operational efficiency in cloud platforms.
10 MARKS
## 1 Major cloud security threats & mitigation techniques

| Threat | How it Happens | Real-World Example | Mitigation |
|---|---|---|---|
| Misconfigured Storage | Public buckets/disks left open | 2024 Microsoft AI data leak (38 TB in open SAS URL) | “Least-privilege” bucket policies, CSPM scanners, encryption by default |
| Account Hijacking / Phishing | Stolen credentials, OAuth token theft | 2023 Uber breach via contractor’s MFA fatigue | MFA, hardware security keys (FIDO2), session-lifetime limits |
| Insecure APIs | Poor auth, missing rate limits | 2024 XZ Utils supply-chain attack inserted backdoor via CI pipeline | Signed requests (SigV4), API gateways, WAF + throttling |
| Denial of Service (DoS / DDoS) | Botnets flood endpoints | Mirai variants, UDP amplification | Autoscaling, Anycast CDN, AWS Shield/Azure DDoS Protection |
| Insider & Supply-Chain Risk | Rogue admin, compromised CI/CD | 2025 CloudBuild runner exploit | Zero-trust, code-signing, “two-person rule” for prod changes |
| Side-Channel / Spectre-like | Cache timing between tenants | “Hertzbleed” → key leakage | CPU microcode patches, core pinning, confidential VMs/TEE |
Key takeaway: Pair preventive controls (MFA, encryption) with detective & responsive
controls (SIEM, SOAR playbooks) for defense-in-depth.
## 2 How IAM works in cloud platforms (with examples)
1. Identity Objects
Users, groups, service accounts (GCP) or managed identities (Azure) represent
principals.
2. Authentication
– Native login, SAML/OIDC federation, or device certificates.
Example: Company Azure AD issues SSO tokens to AWS via IAM Identity Center.
3. Authorization via Policies
JSON documents (AWS IAM), Role-Based Access Control (Azure RBAC), or IAM
roles (GCP) grant Allow/Deny on resources + actions.
Example (a single policy statement):
```json
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::corp-reports/*"
}
```
4. Temporary Credentials / Role Assumption
– STS tokens (AWS), OAuth2 access tokens (GCP), or Azure AD access tokens
minimise long-lived keys.
Use case: Lambda assumes an IAM role for 15 minutes to read secrets.
5. Fine-Grained Controls & Conditions
– Time-based, IP-based, MFA-present enforcement.
– AWS “session tags”, Azure “conditional access”, GCP “IAM Conditions”.
6. Audit & Access Analyzer
– CloudTrail, Azure AD sign-in logs, Cloud Audit Logs flag wide privileges.
Best Practice: Enforce least privilege, rotate keys automatically, mandate MFA, and review
IAM policy diffs in CI/CD pipelines.
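The policy, condition and least-privilege points above, worked through as an added example (not code from the notes or from any cloud provider): a deliberately simplified model of how statements are evaluated. It assumes a constructed policy using the AWS-style condition keys `aws:MultiFactorAuthPresent` and `aws:SourceIp`; the real AWS evaluator has many more operators and rules than this model.

```python
import fnmatch
import ipaddress

# Constructed policy: least-privilege Allow guarded by MFA, plus a Deny for non-corporate IPs.
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::corp-reports/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    """Evaluate the operator subset used here: Bool, IpAddress, NotIpAddress."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif op in ("IpAddress", "NotIpAddress"):
                inside = have is not None and any(
                    ipaddress.ip_address(have) in ipaddress.ip_network(n)
                    for n in _as_list(want))
                if inside != (op == "IpAddress"):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {op}")
    return True

def evaluate(policy, action, resource, ctx):
    """'Allow' or 'Deny': no match is an implicit Deny; a matching Deny beats any Allow."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Calling `evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::corp-reports/q1.pdf", {...})` with MFA present from a 10.x address returns `Allow`; dropping MFA, changing the action, or calling from outside the range all fall back to `Deny`.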
## 3 A security framework for cloud infrastructure
Use the NIST Cybersecurity Framework (CSF) mapped to cloud layers:
1. Identify
Asset Inventory (AWS Config, Azure Resource Graph)
Data Classification tagging (Public, Confidential, Regulated)
2. Protect
Network Controls—VPC segmentation, security groups, WAF
Encryption—KMS/HSM, envelope encryption, Kubernetes secrets sealed
Identity—IAM, SSO, MFA, privileged access management (PAM)
Workload Hardening—CIS images, OS patch baselines
3. Detect
Logging & Monitoring—CloudWatch, Azure Monitor, Chronicle SIEM
Threat Intelligence—GuardDuty, Microsoft Defender for Cloud
Behavior Analytics—UEBA to flag impossible travel, crypto-mining spikes
4. Respond
SOAR Runbooks—automatic isolation of compromised IAM key
Incident Management—PagerDuty alerts, JIRA tickets, forensics snapshots
Table-Top Exercises—simulate ransomware in S3
5. Recover
Backups & Cross-Region Replication—RPO/RTO targets
Immutable Infrastructure—redeploy from IaC & golden AMIs
Post-Mortems—root cause, action items, lessons learned
Governance overlay: map CSF to ISO 27001 controls, PCI-DSS segments, and org-wide
risk registry.
## 4 Role of encryption, secure APIs & DRM in cloud security
| Control | What it Protects | How it Works | Cloud Example |
|---|---|---|---|
| Encryption | Data confidentiality & integrity | AES-256 for data-at-rest, TLS 1.3 for data-in-transit, envelope encryption with KMS | S3 server-side SSE-KMS; GCP CMEK; Azure Disk Encryption |
| Secure APIs | Service-to-service interactions | Authn (JWT/OAuth2), Authz (IAM scopes), input validation, rate limits, TLS mutual auth | API Gateway + Lambda authorizer; Azure APIM with OAuth2; Apigee on GCP |
| Digital Rights Management (DRM) | Intellectual property & licensed content | Encrypt media, deliver keys on user auth, apply playback rules (device count, offline expiry) | Netflix uses AWS KMS + Widevine; Azure DRM (PlayReady) for streaming |
Integration tip:
Encrypt first, authenticate every API call, and apply DRM for content lifecycles—together
these cover data in motion, at rest, and in use.
## 5 Compliance & auditing in cloud computing (detailed note)
1. Drivers & Regimes
GDPR (EU), HIPAA (US health), PCI-DSS (payments), ISO 27001, FedRAMP.
2. Shared Responsibility Model
– CSP secures physical & virtual infrastructure.
– Customer configures workloads, IAM, data classification.
3. Compliance Tools
– AWS Artifact / Azure Compliance Manager / GCP Assured Workloads provide audit reports.
– Config Rules, Policy-as-Code (OPA, Azure Policy) enforce standards continuously.
4. Audit Trail Creation
– CloudTrail, Activity Logs, Bucket Access Logs—immutable, timestamped.
– Centralised in SIEM with write-once S3 Glacier vault / Azure Archive.
5. Workflow
Plan – Map controls to cloud services.
Implement – IaC templates embed guardrails.
Assess – Automated scanners & manual penetration testing.
Report – Generate SOC 2, ISO 27001 evidence packages.
Improve – Remediate drift, apply control updates.
6. Continuous Compliance
– Real-time posture management (CSPM), automated ticketing on violation.
– Kubernetes admission controllers deny non-encrypted pods.
7. Challenges
– Multi-region data residency.
– Rapid service evolution vs. static compliance checklists.
– Shadow IT & unsanctioned SaaS.
8. Best Practices
– Adopt “Compliance-as-Code” in CI/CD.
– Encrypt & tokenize regulated data.
– Keep auditors’ evidence centrally archived & hashed for integrity.
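The “Compliance-as-Code” and hashed-evidence practices above, together with the misconfigured-storage and MFA controls from section 1, as an added example (not code from the notes or any CSPM product): a minimal posture check over a constructed, vendor-neutral inventory, with a SHA-256 digest of the findings for the evidence archive. The 90-day key-rotation limit and the control names are assumptions.

```python
import hashlib
import json
from datetime import date

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy for long-lived access keys

# Constructed, vendor-neutral inventory (not a real API response).
INVENTORY = {
    "buckets": [
        {"name": "corp-reports", "public": False, "default_encryption": "aws:kms"},
        {"name": "marketing-assets", "public": True, "default_encryption": None},
    ],
    "users": [
        {"name": "alice", "mfa_enabled": True, "key_created": "2025-01-10"},
        {"name": "ci-bot", "mfa_enabled": False, "key_created": "2024-06-01"},
    ],
}

def check_buckets(buckets):
    """Misconfigured-storage controls: no public exposure, encryption by default."""
    findings = []
    for b in buckets:
        if b["public"]:
            findings.append(("HIGH", b["name"], "storage.no-public-access"))
        if not b["default_encryption"]:
            findings.append(("MEDIUM", b["name"], "storage.default-encryption"))
    return findings

def check_users(users, today):
    """Identity controls: MFA mandated, access keys rotated within the limit."""
    findings = []
    for u in users:
        if not u["mfa_enabled"]:
            findings.append(("HIGH", u["name"], "iam.mfa-required"))
        age_days = (today - date.fromisoformat(u["key_created"])).days
        if age_days > MAX_KEY_AGE_DAYS:
            findings.append(("MEDIUM", u["name"], "iam.key-rotation"))
    return findings

def assess(inventory, today_iso):
    """All (severity, resource, control) findings, sorted for a stable evidence package."""
    today = date.fromisoformat(today_iso)
    findings = check_buckets(inventory["buckets"]) + check_users(inventory["users"], today)
    return sorted(findings, key=lambda f: (f[1], f[2]))

def evidence_digest(findings):
    """SHA-256 over canonical JSON; archive it beside the report to detect later tampering."""
    canonical = json.dumps(findings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()
```

An empty list from `assess` means the inventory passes; in a CI/CD gate the digest is what gets stored alongside the report so the evidence cannot be quietly edited afterwards.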