Runtime and cloud security

What you will be able to do

1. Apply the cloud shared responsibility model to identify which security controls a customer must implement for IaaS, PaaS, and SaaS deployments.
2. Use CIS Benchmarks Level 1 to harden a cloud compute instance.
3. Describe how container image scanning and Kubernetes RBAC reduce the attack surface of a containerised workload.
4. Explain how Falco uses eBPF to detect runtime threats without kernel module installation.

19.1 The shared responsibility model

Cloud providers secure the cloud itself: physical data centres, network fabric, hypervisors, and managed services. Customers are responsible for everything they run inside the cloud , operating systems, application code, identity and access management, data classification, and configuration of every service they consume. The boundary shifts depending on the service model in use.

The distinction is not theoretical. The Capital One breach illustrates it precisely. AWS managed the underlying infrastructure without fault. The customer-owned WAF, IAM role, and S3 permissions were all misconfigured, and those were entirely within Capital One’s side of the boundary.

19.2 Cloud Security Posture Management (CSPM)

CSPM tools continuously scan a cloud environment and compare its configuration against security benchmarks. The most widely used benchmarks are the CIS (Center for Internet Security) Benchmarks. Level 1 contains scored, practical hardening steps that apply to most organisations without significantly affecting functionality. Level 2 is more restrictive and may introduce operational trade-offs.

Common misconfiguration findings include S3 buckets set to public access by default, EC2 security groups permitting inbound SSH from any IP address (0.0.0.0/0 on port 22), and root account usage without multi-factor authentication. These three findings appear in the majority of CSPM audits and represent the most frequently exploited cloud attack vectors. CSPM tooling examples include AWS Security Hub, Microsoft Defender for Cloud, and Google Security Command Center.

19.3 Container image security

A container image is an ordered set of filesystem layers. Each layer may introduce vulnerabilities: the base OS image may include packages with known CVEs, installed language dependencies may be outdated, application code may embed secrets, and prior build steps may leave sensitive files in intermediate layers. Attackers target all four surfaces.

Trivy (by Aqua Security) is a widely adopted open-source scanner that checks OS packages and language dependencies against the CVE database. The practical baseline for container image security is: use minimal base images (distroless or Alpine), never configure the container to run as root, pin image digests rather than mutable tags, and run a CVE scanner in CI before every push to the registry.

19.4 Kubernetes RBAC and Network Policies

Kubernetes Role-Based Access Control (RBAC) uses three objects: a Role (which defines permitted API verbs and resources), a RoleBinding (which attaches the Role to a subject), and a Subject (a User, Group, or ServiceAccount). The principle of least privilege applies directly: each ServiceAccount should be bound to a Role that allows only the specific API verbs the workload requires. Wildcard permissions (verbs: [“*”]) on any ServiceAccount are a high-severity misconfiguration.

Kubernetes Network Policies work on a default-deny model: create a policy that denies all ingress and egress, then add explicit allow rules for only the required traffic paths. For example, a payment-service pod should allow egress only to the database-service on port 5432. Without a Network Policy, all pods in a namespace can communicate freely with each other and with the internet.

19.5 Runtime threat detection with Falco

Falco, a CNCF graduated project originally developed by Sysdig, provides runtime security for containerised workloads. It intercepts Linux system calls using eBPF (extended Berkeley Packet Filter) probes. eBPF runs verified bytecode in a kernel sandbox, providing deep system call visibility without the stability risk of a traditional loadable kernel module.

Falco rules describe permitted behaviour. When a system call violates a rule, Falco generates an alert. Common rule examples include: a process spawned inside a container that was not in the expected process list, a write to /etc/passwd from within a container, or a network connection to an unexpected external IP address. Alert output can be sent to stdout, a SIEM, or a Slack channel via the Falco output plugin framework.