Cloud Laterale Beweging Stoppen
Guardrails Voor Elke Deploy
In de cloud is consistentie cruciaal: policy in code, minimale rechten en zicht op drift.
Voor Cloud Laterale Beweging Stoppen is segmentatie de hefboom: expliciete paden, deny-by-default en gecontroleerd beheer.
Zo houd je snelheid in de cloud, zonder dat veiligheid afhankelijk wordt van handmatig geluk.
Directe maatregelen (15 minuten)
Waarom dit telt
De kern van Cloud Laterale Beweging Stoppen is risicoreductie in de praktijk. Technische context ondersteunt de maatregelkeuze, maar implementatie en borging staan centraal.
Verdedigingsmaatregelen
Zero Trust Architectuur
Principe Implementatie
+-------------------------------+------------------------------------------+
| Verify explicitly | MFA op alle accounts, conditional access |
| Least privilege access | JIT access, time-bound role assignments |
| Assume breach | Micro-segmentatie, monitoring |
| Verify every transaction | API-level authorization, not just authn |
| Limit blast radius | Account isolation, service boundaries |
+-------------------------------+------------------------------------------+# AWS: Implementeer permission boundaries
aws iam put-role-permissions-boundary \
--role-name DeveloperRole \
--permissions-boundary arn:aws:iam::111111111111:policy/DeveloperBoundary
# Azure: Implementeer Conditional Access
az rest --method POST \
--url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
--body '{
"displayName": "Require MFA for role assumption",
"state": "enabled",
"conditions": {
"applications": {"includeApplications": ["All"]},
"users": {"includeRoles": ["ROLE_ID"]}
},
"grantControls": {
"operator": "OR",
"builtInControls": ["mfa"]
}
}'Network Segmentation
# AWS: Restrictieve security groups voor peered VPCs
aws ec2 create-security-group \
--group-name restricted-peering \
--description "Alleen noodzakelijk verkeer via peering" \
--vpc-id vpc-abc123
aws ec2 authorize-security-group-ingress \
--group-id sg-xyz789 \
--protocol tcp \
--port 443 \
--cidr 10.1.0.0/24 # Alleen specifieke subnet, niet hele VPC
# Azure: NSG op subnet level
az network nsg rule create \
--nsg-name restricted-nsg \
--resource-group prod-rg \
--name deny-lateral \
--priority 100 \
--direction Inbound \
--access Deny \
--source-address-prefixes "10.0.0.0/8" \
--destination-port-ranges "*"Cross-Account Audit
# AWS: Organization-wide CloudTrail
aws cloudtrail create-trail \
--name org-trail \
--s3-bucket-name org-audit-logs \
--is-organization-trail \
--is-multi-region-trail \
--enable-log-file-validation
# Monitor AssumeRole events
aws logs filter-log-events \
--log-group-name CloudTrail/org-trail \
--filter-pattern '{ $.eventName = "AssumeRole" && $.requestParameters.roleArn = "*cross-account*" }'
# Azure: Activity Log forwarding naar central SIEM
az monitor diagnostic-settings create \
--name "central-audit" \
--resource "/subscriptions/SUB_ID" \
--logs '[{"category": "Administrative", "enabled": true}]' \
--workspace "/subscriptions/SUB_ID/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/central-siem"Referentietabel
| Techniek | MITRE ATT&CK | AWS | Azure | GCP |
|---|---|---|---|---|
| Cross-account role assumption | T1550.001 - Application Access Token | sts:AssumeRole chains |
Lighthouse delegations | Service account impersonation |
| Hybrid AD pivot | T1078.004 - Cloud Accounts | N/A | Azure AD Connect, ADFS | Google Cloud Directory Sync |
| SAML token forgery | T1606.002 - SAML Tokens | SAML federation abuse | Golden SAML via ADFS | SAML IdP compromise |
| OIDC federation abuse | T1550.001 - Application Access Token | Web Identity Federation | Workload Identity | Workload Identity Federation |
| SSRF to IMDS | T1552.005 - Cloud Instance Metadata | IMDSv1/v2 (169.254.169.254) | IMDS (169.254.169.254) | Metadata (metadata.google.internal) |
| Service-to-service pivot | T1021.007 - Cloud Services | Lambda→DynamoDB→S3 | Function→Key Vault→SQL | Function→Firestore→GCS |
| VPC peering exploitation | T1599 - Network Boundary Bridging | VPC Peering, Transit Gateway | VNet Peering, vWAN | VPC Network Peering |
| Managed identity abuse | T1550.001 - Application Access Token | EC2 instance profiles | Managed Identity (system/user) | Service account tokens |
| Multi-cloud credential reuse | T1078.004 - Cloud Accounts | Credentials in Secrets Manager | Credentials in Key Vault | Credentials in Secret Manager |
| Intune command push | T1072 - Software Deployment Tools | N/A (use SSM) | Intune scripts/config | N/A |
| PrivateLink abuse | T1599.001 - Network Address Translation | VPC Endpoints | Private Endpoints | Private Service Connect |
| VPN configuration theft | T1120 - Peripheral Device Discovery | Site-to-Site VPN configs | VPN Gateway shared keys | Cloud VPN tunnels |
| Container metadata | T1552.005 - Cloud Instance Metadata | ECS task metadata, EKS IRSA | AKS pod identity | GKE workload identity |
| Service mesh pivot | T1021.007 - Cloud Services | App Mesh exploitation | N/A | Anthos Service Mesh |
| Federation trust abuse | T1484.002 - Trust Modification | IAM OIDC providers | External identity providers | Workload Identity pools |
In de cloud beweeg je niet van machine naar machine. Je beweegt van vertrouwen naar vertrouwen. En vertrouwen, zo blijkt, is bijna altijd misconfigured.
Verder lezen in de kennisbank
Deze artikelen in het portaal geven je meer achtergrond en praktische context:
- De cloud — andermans computer, jouw verantwoordelijkheid
- Containers en Docker — wat het is en waarom je het moet beveiligen
- Encryptie — de kunst van het onleesbaar maken
- Least Privilege — geef mensen alleen wat ze nodig hebben
Je hebt een account nodig om de kennisbank te openen. Inloggen of registreren.
Gerelateerde securitymaatregelen
Deze artikelen bieden aanvullende context en verdieping: