⚡ What Security+ Tests on Cloud Security
Security+ SY0-701 expanded cloud security significantly from SY0-601. The key concepts: shared responsibility model (who owns what in IaaS/PaaS/SaaS), CASB (cloud access security broker — visibility and control over SaaS usage), CSPM (cloud security posture management — detecting misconfigurations), serverless and container security, and the top cloud misconfigurations that lead to breaches. Scenarios ask you to select the right tool or identify the vulnerability in a described cloud architecture.

The Shared Responsibility Model — Who Owns What

The shared responsibility model defines the boundary between what the cloud provider secures and what the customer must secure. This boundary shifts depending on the service model. The most common exam scenario: a company stores sensitive data in an S3 bucket that is publicly accessible. Who is responsible for the misconfiguration? The customer — configuring access controls is always the customer's responsibility.

Security Responsibility IaaS PaaS SaaS
Physical infrastructure, datacentreProviderProviderProvider
Hypervisor / virtualisation layerProviderProviderProvider
Operating system (patching, hardening)CustomerProviderProvider
Runtime / middlewareCustomerProviderProvider
Application code and configurationCustomerCustomerProvider
Data classification and protectionCustomerCustomerCustomer
Identity and access managementCustomerCustomerShared
Network controls (security groups, firewall)CustomerSharedProvider
Endpoint security (devices accessing cloud)CustomerCustomerCustomer
🎯 The Shared Responsibility Exam Trap

Data is always the customer's responsibility — regardless of service model. Even in SaaS, you are responsible for what data you put in the application, who has access to it, and how it's classified. The provider secures the platform; you secure your data on it.

IaaS = most customer responsibility. You own the OS up. The provider owns the physical layer and hypervisor. On A+ and Security+, IaaS scenarios where a VM is compromised due to an unpatched OS — that's the customer's fault, not the provider's.

Cloud Security Tools — What They Do and When to Use Them

CASB
Cloud Access Security Broker
Sits between users and cloud services to provide visibility, compliance, and threat protection for SaaS usage. Detects shadow IT (employees using unapproved cloud apps), enforces DLP policies on cloud-stored data, and monitors for anomalous behaviour. Can operate as a forward proxy (inline) or reverse proxy, or via API integration with SaaS platforms.

Exam trigger: A company wants to see what cloud services employees are using without approval → CASB.
CSPM
Cloud Security Posture Management
Continuously monitors cloud infrastructure configurations against security best practices and compliance frameworks. Identifies misconfigurations — S3 buckets with public read access, overly permissive IAM roles, security groups with 0.0.0.0/0 inbound rules, unencrypted storage volumes, disabled MFA on root accounts.

Exam trigger: A company wants to find security misconfigurations across their AWS/Azure environment → CSPM.
CWPP
Cloud Workload Protection Platform
Secures workloads running in the cloud — VMs, containers, and serverless functions. Provides runtime protection, vulnerability scanning, and behavioural monitoring for cloud-hosted compute resources. Where CSPM focuses on configuration, CWPP focuses on what's running on the infrastructure.

Exam trigger: A company needs to protect containers and VMs running in their cloud environment at runtime → CWPP.
SASE
Secure Access Service Edge
Combines network security (firewall, CASB, SWG, ZTNA) with WAN capabilities into a cloud-delivered service. Designed for distributed workforces — instead of routing traffic back to a corporate datacenter, users connect securely to a cloud-based security stack that enforces policies.

Exam trigger: A company with remote workers wants to replace their VPN and perimeter firewall with a cloud-native security model → SASE.

Top Cloud Misconfigurations — The Most Common Attack Vectors

Cloud breaches are disproportionately caused by misconfigurations rather than sophisticated attacks. Security+ scenarios frequently describe a cloud environment and ask you to identify the security flaw. These are the most commonly tested misconfigurations.

MisconfigurationRiskCorrect Control
Publicly accessible cloud storage (S3 bucket, Azure blob with public read) Data exposure — anyone can read the bucket contents without authentication Block public access at the account level. Use bucket policies and ACLs to restrict to specific principals only.
Overly permissive IAM roles (wildcard * permissions) Privilege escalation — a compromised service can access any resource Principle of least privilege — grant only the specific permissions required. Audit IAM roles regularly with tools like AWS Access Analyzer.
Security group / firewall rule 0.0.0.0/0 on management ports (SSH/RDP) Brute force, credential stuffing, exploitation of unpatched services from any internet source Restrict SSH/RDP to specific IP ranges or VPN. Use a bastion host or jump server for management access.
Root account / global admin used for daily operations Compromise of root gives unrestricted access to everything — no recovery path Disable root access keys. Enable MFA on root. Use IAM users/roles with minimum permissions for all routine tasks.
Unencrypted storage volumes and databases Data exposure if volume snapshots are shared or storage media is repurposed Enable encryption at rest using cloud KMS (Key Management Service). Enforce encryption on all new volumes via policy.
Disabled logging and monitoring (CloudTrail, Azure Monitor off) No audit trail — attackers can operate undetected and incidents cannot be investigated Enable logging for all services. Forward logs to a SIEM. Set alerts for privileged actions, failed auth, and resource creation.
Secrets and credentials in source code or environment variables Credential theft from code repositories — GitHub scans routinely find AWS keys Use cloud secrets managers (AWS Secrets Manager, Azure Key Vault). Never commit credentials to version control.

Serverless Security

Serverless functions (AWS Lambda, Azure Functions, Google Cloud Functions) run code without managing servers. The cloud provider handles the OS and runtime — but you still own the function's code, its permissions, and the data it processes. The attack surface shifts from infrastructure to function configuration and code vulnerabilities.

Serverless Security — Key Exam Points

Each function should have its own IAM role with minimum permissions. Giving all functions the same broad role means a vulnerable function can access resources it never needs.

Injection attacks still apply. If a serverless function passes user input to a database query without sanitising it, it's vulnerable to SQL injection the same as any other application.

Third-party dependencies are a supply chain risk. Serverless functions rely on libraries — a compromised library (like the Log4j vulnerability) affects every function that includes it.

Cold starts can mask attacks. Functions that are infrequently called may not have logging configured consistently — ensure every invocation is logged.

Container Security

Containers (Docker, Kubernetes) package applications and their dependencies into isolated units. Security+ SY0-701 tests containers primarily in the context of image security, container escape, and Kubernetes misconfigurations.

Container Security — Key Exam Points

Image vulnerabilities — containers are built from images. A vulnerable base image propagates the vulnerability to every container built from it. Scan images before deployment using tools like Trivy or Snyk.

Container escape — a vulnerability that allows malicious code in a container to break out and access the host OS or other containers. Running containers as root dramatically increases escape risk. Best practice: run containers as non-root users.

Kubernetes RBAC — Kubernetes has its own role-based access control system separate from cloud IAM. Misconfigured Kubernetes RBAC is a common attack vector — the default service account often has more permissions than needed.

Immutable infrastructure — containers should be treated as disposable and immutable. Never patch a running container; rebuild the image with the fix and redeploy. This prevents configuration drift and ensures a known-good state.

Cloud Security Architecture — Key Concepts

Infrastructure as Code (IaC) Security

IaC tools (Terraform, CloudFormation) define infrastructure in configuration files. Misconfigurations in IaC templates deploy insecure infrastructure at scale. Scanning IaC templates before deployment (using tools like Checkov or tfsec) catches misconfigurations before they reach production — this is "shift left" security applied to infrastructure.

Cloud-Native Firewall and Security Groups

Cloud providers offer virtual firewalls as security groups (AWS) or network security groups (Azure). Unlike traditional firewalls, these are stateful and attached to individual resources rather than network segments. Each resource should have its own security group with minimum required rules — the principle of least privilege applied to network access.

Secrets Management

Cloud Key Management Services (KMS) store and manage cryptographic keys and secrets. Applications retrieve secrets at runtime via API rather than storing them in config files or environment variables. Rotation policies ensure secrets are automatically cycled. On the exam: AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault are the tools associated with secrets management in cloud environments.

🎯 Three Exam Shortcuts for Cloud Security Questions

"Shadow IT" → CASB. Any scenario describing employees using unapproved cloud apps, or a company wanting visibility into what SaaS services are in use, points to a CASB solution.

"Misconfiguration detected" → CSPM. Continuous monitoring and detection of cloud configuration drift or policy violations is the CSPM use case. If the scenario involves a tool finding security gaps across cloud accounts automatically, that's CSPM.

Data breaches from public S3 buckets → customer's responsibility. Provider secures the platform; customer secures configuration and data. Exposed cloud storage is always the customer's misconfiguration, regardless of how the question is framed.

Exam Scenarios

A security analyst discovers that employees are uploading sensitive company documents to personal Dropbox accounts. The company wants to prevent this without blocking all cloud storage access. What technology should they implement? CASB — a Cloud Access Security Broker can enforce DLP policies on cloud uploads, blocking sensitive data from leaving via unapproved services while allowing access to sanctioned platforms.
A company's AWS environment is scanned and the report shows an S3 bucket with public read access containing employee records, IAM users without MFA, and security groups allowing SSH from 0.0.0.0/0. What type of tool generated this report? CSPM (Cloud Security Posture Management) — it continuously scans cloud configurations against security baselines and compliance standards, identifying exactly these types of misconfigurations.
An organisation uses AWS and wants to ensure all newly deployed EC2 instances have encrypted storage volumes and that no root access keys exist. The company cannot manually review 500 accounts. What is the most efficient approach? CSPM with automated remediation — or AWS Config with automated compliance rules and Lambda remediation functions. CSPM tools can enforce policies at scale across all accounts and auto-remediate violations like unencrypted volumes.
A developer's laptop is compromised, and the attacker finds AWS access keys hardcoded in a Python script committed to GitHub. What should the company do immediately, and how should this be prevented long-term? Immediate: revoke the compromised access keys, audit CloudTrail for any actions taken with those keys, and assess what resources were accessed. Prevention: use AWS Secrets Manager or IAM roles instead of static credentials, implement pre-commit hooks that scan for credentials, and enable GitHub's secret scanning feature.
A company migrates from on-premises to IaaS. After migration, a VM is compromised because the OS has not been patched in six months. Who is responsible? The customer. In IaaS, the cloud provider secures the physical infrastructure and hypervisor. The customer is responsible for OS patching, hardening, and configuration. The provider did not fail — the customer failed to maintain their OS.
A containerised application is running in production. A security scan finds that the container image is based on an OS version with a critical vulnerability. What is the correct remediation approach? Rebuild the container image using a patched base image and redeploy — do not patch the running container. Containers should be treated as immutable. Patching a running container creates configuration drift and the patch won't persist if the container restarts.

Studying for Security+ SY0-701?

Cloud security is 18% of Domain 3. See the full Security+ study guide for all 5 domains.

Security+ Study Guide →

Related Articles

Cloud Concepts (IaaS/PaaS/SaaS) Zero Trust Architecture Network Segmentation Identity & Access Management Encryption Types Incident Response Playbooks Security+ Complete Study Guide Security+ Cheat Sheet