Cloud security used to be a network conversation. Increasingly, it is an identity conversation. The threats that hurt most modern cloud environments do not involve clever exploitation of software flaws. They involve abuse of identity systems, often through legitimate-looking sign-ins that satisfy every protective control on paper. Understanding the patterns helps shape both detection and response in environments where network boundaries no longer carry the weight they once did.
Token Theft Has Replaced Password Theft
MFA pushed simple password theft into the past, but adversary-in-the-middle phishing kits now steal session tokens directly. From the cloud platform’s perspective, the resulting session looks exactly like the legitimate user signing in successfully. The attacker holds a valid token and uses it to do whatever the user could do. Detecting this requires noticing the unusual properties of the new session, since none of the authentication events themselves will look wrong.
Service Principals and Managed Identities
Beyond user accounts, cloud environments rely heavily on non-interactive identities: service principals in Azure, IAM roles in AWS, service accounts in Google Cloud. These identities often hold significant privileges, rarely change credentials, and operate without the human-facing controls that protect users. Azure penetration testing reviews these identities specifically because they tend to be over-permissioned and under-monitored. The findings frequently surprise teams who assumed only user accounts needed scrutiny.
Cross-Tenant and Cross-Account Trust
Trust relationships between tenants, accounts, and organisations multiply the attack surface in ways that are easy to miss. A guest account in your Azure tenant brings the trust model of a different organisation. A cross-account role in AWS extends your permissions into someone else’s account, and theirs into yours. AWS penetration testing that examines these relationships maps them systematically, often surfacing trusts that nobody currently remembers granting.
Expert Commentary
Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
Comments: The cloud identity findings I report most often involve service accounts that have accumulated permissions over years. Each individual permission was justified at the time. Combined, they produce a service principal that effectively has god-mode in the tenant. Reviewing these accounts annually is one of the highest-value security activities available.

Consent Phishing Has Quietly Grown
An attacker no longer needs to steal credentials if they can persuade a user to grant their malicious application broad permissions. Consent phishing presents a legitimate-looking OAuth prompt, the user clicks through without reading carefully, and the attacker now has direct API access to their data. The application registration sits in the user’s tenant alongside legitimate apps. Restricting which users can grant consent and reviewing app registrations regularly mitigates the risk substantially.
Privilege Escalation Through Identity
Cloud privilege escalation often runs through identity rather than software flaws. A user with permission to assume a more privileged role, attach policies, or modify a service principal can quickly turn limited access into broad access. Tools such as PowerZure, Pacu, and BloodHound’s Azure flavours all illustrate the patterns clearly. Defenders can use the same tools to find the same paths first, which changes the conversation considerably with developers and platform owners.
Detection Aimed at the Right Targets
Cloud identity detection should focus on impossible travel, anomalous role assumption, unusual app consents, sudden changes to conditional access policies, and mass downloads following authentication from unfamiliar locations. None of these signals is perfect on its own, but together they tell a coherent story when something is wrong. Wire them into your SIEM, tune them to bring the false positive rate down, and act quickly when they fire.
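As an added illustration of the first signal above (not code from the article or from Aardwolf Security), the following Python flags "impossible travel" between consecutive sign-ins of the same user. It assumes a simplified, constructed sign-in record (user, timestamp, geolocated latitude/longitude) rather than any specific provider's log schema, and a maximum plausible speed of 900 km/h, which is an assumed threshold a team would tune to its own environment.

```python
# Added example: flag "impossible travel" between successive sign-ins of the
# same user. The event shape is a constructed, simplified stand-in for a cloud
# sign-in log, not a real provider schema.
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: roughly airliner cruising speed


@dataclass
class SignIn:
    user: str
    time: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier, later, km, kmh) for each pair of consecutive
    sign-ins by one user that would require travelling faster than max_kmh."""
    alerts = []
    last_seen = {}                      # user -> most recent sign-in processed
    for e in sorted(events, key=lambda ev: ev.time):
        prev = last_seen.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.time - prev.time).total_seconds() / 3600
            if km > 0:
                # Same timestamp, different place: implied speed is infinite.
                kmh = km / hours if hours > 0 else float("inf")
                if kmh > max_kmh:
                    alerts.append((e.user, prev, e, km, kmh))
        last_seen[e.user] = e
    return alerts


# Constructed sample: alice signs in from London, then 40 minutes later from
# Lagos; bob signs in from London, then from Paris eight hours later.
SAMPLE = [
    SignIn("alice", datetime(2024, 5, 1, 9, 0), 51.5074, -0.1278),
    SignIn("alice", datetime(2024, 5, 1, 9, 40), 6.5244, 3.3792),
    SignIn("bob", datetime(2024, 5, 1, 9, 0), 51.5074, -0.1278),
    SignIn("bob", datetime(2024, 5, 1, 17, 0), 48.8566, 2.3522),
]
```

Only alice's second sign-in is flagged (about 5,000 km in 40 minutes); bob's London-to-Paris trip at roughly 43 km/h passes, and lowering the threshold is how a team trades sensitivity against false positives.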
Building a Resilient Identity Posture
Audit privileged identities regularly, restrict consent grants, implement just-in-time access for elevated roles, enforce phish-resistant authentication for administrators, and monitor the patterns above continuously. The investment is modest by comparison with the cost of an incident, and the resulting posture genuinely raises the bar for any attacker who comes calling.