Cloud Security
Detect risky admin changes and data exposure across cloud and SaaS environments.
Zaun's Cloud Security module monitors your cloud infrastructure for risky configuration changes, data exposure, and suspicious administrative activity.
What Zaun Monitors
Configuration Drift
- Security group modifications that open unexpected ports
- IAM policy changes that expand access
- Storage bucket policy changes (public access, cross-account sharing)
- Encryption settings modifications
- Logging and monitoring configuration changes
Data Exposure
- Public S3 buckets or GCS buckets with sensitive data
- Overly permissive sharing in Google Drive, SharePoint, etc.
- Unencrypted data stores containing sensitive information
- Cross-account data access patterns
Administrative Activity
- Root account usage
- Unusual API call patterns
- Service account key creation and usage
- Cross-region resource deployment
Specific Use Cases
S3 Bucket Made Public
A developer modifies an AWS S3 bucket policy to allow public read access during a deployment and forgets to revert it. The bucket contains customer data exports. Zaun detects the CloudTrail PutBucketPolicy event, evaluates the new policy for public access grants, and raises a critical finding within minutes.
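A minimal version of the policy evaluation this use case describes, added here as an example rather than Zaun's own code; the policy document is constructed to resemble the deploy-time change above.

```python
"""Evaluate an S3 bucket policy for public access grants."""
import json

# Constructed sample policy: a deploy-time change that was never reverted.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::company-data-exports/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::company-data-exports/*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal):
    """True for the two spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_grants(policy_json):
    """Return the Allow statements whose Principal is anonymous.
    A Condition block can narrow a wildcard principal (for example to a
    source VPC), so such statements are flagged for review rather than
    treated as an unconditional public grant."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        findings.append({"sid": stmt.get("Sid"),
                         "actions": _as_list(stmt.get("Action", [])),
                         "conditional": "Condition" in stmt})
    return findings

def severity(findings):
    """Critical when any public grant is unconditional, else none."""
    return "critical" if any(not f["conditional"] for f in findings) else "none"
```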
IAM Privilege Escalation in AWS
A compromised IAM user creates a new IAM policy with iam:* and s3:* permissions, then attaches it to their own account. Zaun detects the privilege escalation chain by monitoring AWS CloudTrail for CreatePolicy, AttachUserPolicy, and CreateAccessKey events in rapid succession.
GCP Service Account Key Exported
A developer generates a JSON key for a Google Cloud service account that holds roles/owner and stores it in a local development environment. Zaun detects the google.iam.admin.v1.CreateServiceAccountKey event in GCP Audit Logs and alerts on key creation for highly privileged service accounts.
Azure Resource Group Created in Unusual Region
An attacker with compromised Azure admin credentials deploys cryptomining VMs in an unusual region like Brazil South. Zaun monitors Azure Activity Log for resource deployments in regions outside the organization's approved list and flags the anomaly.
Google Workspace External Sharing
An employee shares a Google Drive folder containing HR documents with an external Gmail address. Zaun detects the sharing event via the Google Workspace Admin Reports API, evaluates the sensitivity of the files in the folder using Google Workspace DLP labels, and raises an alert.
Microsoft 365 Mailbox Forwarding Rule
An attacker creates an inbox forwarding rule in Exchange Online to BCC all incoming email to an external address. Zaun detects the New-InboxRule event in the Microsoft 365 Unified Audit Log and flags rules that forward to external domains.
CloudTrail Logging Disabled
An attacker disables AWS CloudTrail logging in a specific region to cover their tracks. Zaun detects StopLogging or DeleteTrail events and raises a critical alert, since these actions typically indicate active compromise.
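The CloudTrail correlation behind the IAM privilege escalation and logging-disabled use cases above, written as an added example (not Zaun's detection code). The records are constructed and reduced to the fields the rules need, and the 10-minute window standing in for "rapid succession" is an assumed tuning value.

```python
"""Correlate CloudTrail records into escalation-chain and logging-disabled findings."""
from datetime import datetime, timedelta

# Constructed sample records, reduced to the fields the rules need.
EVENTS = [
    {"eventTime": "2024-12-15T09:01:00Z", "eventName": "CreatePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-user"}},
    {"eventTime": "2024-12-15T09:03:30Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-user"}},
    {"eventTime": "2024-12-15T09:04:10Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-user"}},
    {"eventTime": "2024-12-15T09:20:00Z", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-user"}},
    {"eventTime": "2024-12-15T11:00:00Z", "eventName": "CreatePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]

ESCALATION_CHAIN = ("CreatePolicy", "AttachUserPolicy", "CreateAccessKey")
CRITICAL_SINGLE = {"StopLogging", "DeleteTrail"}
WINDOW = timedelta(minutes=10)  # assumed tuning value for "rapid succession"

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def correlate(events):
    """One finding per logging-disabling event, one per escalation chain
    completed by a single identity inside WINDOW.  Events may arrive out
    of order, so they are sorted by eventTime first."""
    findings, per_actor = [], {}
    for ev in sorted(events, key=_ts):
        actor, name = ev["userIdentity"]["arn"], ev["eventName"]
        if name in CRITICAL_SINGLE:
            findings.append({"rule": "cloudtrail_logging_disabled",
                             "severity": "critical", "actor": actor, "event": name})
        progress = per_actor.get(actor)  # [chain start time, next step index]
        if name == ESCALATION_CHAIN[0]:
            progress = [_ts(ev), 1]          # (re)start the chain for this actor
        elif progress and name == ESCALATION_CHAIN[progress[1]]:
            within = _ts(ev) - progress[0] <= WINDOW
            progress = [progress[0], progress[1] + 1] if within else None
        if progress and progress[1] == len(ESCALATION_CHAIN):
            findings.append({"rule": "iam_privilege_escalation_chain",
                             "severity": "critical", "actor": actor,
                             "event": " -> ".join(ESCALATION_CHAIN)})
            progress = None
        per_actor[actor] = progress
    return findings
```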
Terraform State File Exposed
A Terraform state file stored in an S3 bucket or GCS bucket becomes publicly accessible, exposing infrastructure secrets and credentials. Zaun detects the bucket policy change and correlates it with known state file naming patterns.
Supported Cloud Platforms
| Platform | Config Monitoring | Data Exposure | Admin Activity |
|---|---|---|---|
| AWS | Yes | Yes | Yes |
| Google Cloud (GCP) | Yes | Yes | Yes |
| Microsoft Azure | Yes | Yes | Yes |
| Google Workspace | Yes | Yes | Yes |
| Microsoft 365 | Yes | Yes | Partial |
Integrations
| Integration | Signal Type | What It Provides |
|---|---|---|
| AWS CloudTrail | API events | All AWS API calls, management and data events |
| AWS Config | Configuration | Resource configuration history, compliance rules |
| AWS GuardDuty | Threat detection | Malicious activity findings, anomalous API calls |
| AWS Security Hub | Aggregated findings | Consolidated security findings from AWS services |
| GCP Audit Logs | API events | Admin activity, data access, system events |
| GCP Security Command Center | Threat detection | Vulnerabilities, misconfigurations, threats |
| Azure Activity Log | API events | Resource operations, administrative actions |
| Azure Sentinel | SIEM events | Correlated security alerts, incidents |
| Microsoft 365 Unified Audit Log | SaaS events | Exchange, SharePoint, Teams, OneDrive activity |
| Google Workspace Admin Reports | SaaS events | Drive sharing, login, admin changes |
| Datadog Cloud SIEM | Aggregated logs | Cloud infrastructure monitoring signals |
| Wiz | Cloud posture | Misconfigurations, vulnerabilities, attack paths |
Configuration
```yaml
# Example: Cloud security monitoring policy
cloud:
  aws:
    accounts:
      - id: "123456789012"
        regions: ["us-east-1", "us-west-2"]
        monitoring:
          - cloudtrail_events
          - config_changes
          - s3_bucket_policies
          - iam_changes
  alerting:
    critical:
      - root_account_usage
      - public_bucket_creation
      - security_group_open_to_world
    high:
      - iam_policy_expansion
      - encryption_disabled
      - logging_disabled
```
Sample Finding
```json
{
  "finding_id": "CLD-2024-042",
  "detection": "s3_bucket_public_access",
  "severity": "critical",
  "timestamp": "2024-12-15T09:15:00Z",
  "details": {
    "bucket": "company-data-exports",
    "account": "123456789012",
    "region": "us-east-1",
    "change": "bucket_policy_modified",
    "risk": "public_read_access_enabled",
    "changed_by": "arn:aws:iam::123456789012:user/deploy-bot"
  },
  "runbook": "CLD-RB-042"
}
```
Next Steps
- Managed EDR - Endpoint detection and response
- Integrations - Connect your cloud accounts