Cloud Posture Harnesses

Module S09 · Course 2A

90 min · Asset Discovery · Attack Path Analysis · Continuous Monitoring · Reporting & Remediation

Prerequisite: S00–S08

S09.1 — AI Workload Discovery & Asset Inventory

The harness's first job is not to assess risk. It is to know what is deployed. You cannot defend an asset you have not inventoried.

Cloud posture tools fail at inventory first, then at assessment. The discovery layer is the load-bearing foundation.

The drift problem

Cloud infrastructure is not a static deployment — it is a continuously changing graph. A snapshot at midnight is stale by morning.

Terraform apply, console click, autoscaling, Lambda deploy, IAM update — each changes posture. The inventory must be continuously reconciled, not periodically snapshotted.

Native discovery + harness normalization

ProviderService
AWSSecurity Hub + AWS Config
AzureResource Graph + Defender for Cloud
GCPSecurity Command Center

Defender for Cloud now supports AI security posture natively: discovers AI workloads, builds an AI BOM, tracks reachable AI endpoints, maps attack paths across all three clouds.

The harness adds: cross-provider normalization, AI-specific asset tagging, structured output for graph reasoning.

AI-specific assets to inventory

Model endpoints
SageMaker, Vertex, Azure ML
publicly reachable?
AI agent deployments
Bedrock, OpenAI, custom
what tools can it call?
Vector databases
Pinecone, pgvector
sensitive embeddings?
Training data stores
S3, Azure blobs
the crown jewels

The endpoint_publicly_reachable tag distinguishes an internal tool from a public attack surface — tagged at inventory time, not assessment time.

S09.2 — Attack Path Analysis

A finding is a single point of weakness. An attack path is the chain that turns a single weakness into a breach.

Public S3 bucket = a finding. Public S3 bucket → over-privileged role → Lambda → regulated database = an attack path.

The cloud attack surface is a graph

Nodes = assets
resources, identities,
data stores
Edges = access
can-assume, can-invoke,
can-read, can-write
Paths = traversals
entry point →
high-value target

Three edge types dominate: IAM escalation (privilege ladder), public exposure chains (outside → crown jewel), lateral movement (cross-account pivots).

Why paths, not findings

A finding list says "47 misconfigurations." An attack-path list says "3 of those 47 combine into a breach path."

Fixing a single node on a critical path breaks the path. Fixing 10 nodes not on any path changes nothing about actual risk. Path analysis turns 47 findings into 3 priorities.

S09.3 — Continuous Posture Monitoring

Posture at a single point in time is a snapshot. The cloud is not a snapshot. Drift is the core operational challenge.

Event-driven, not scheduled

Scheduled monitor: assess nightly. Misconfiguration introduced 9 AM, exploited 2 PM = missed.

Event-driven: subscribe to CloudTrail / Activity Log. Security-relevant change → re-assess in seconds.

Efficient: 50,000-resource estate, 10,000 changes/day = 10,000 single-resource assessments, not 50,000-resource scans.

Security-relevant events

CategoryEvents
IAM changesAttachRolePolicy, PutRolePolicy, AssumeRole
Public exposurePutBucketAcl, PutBucketPolicy, AuthorizeSecurityGroupIngress
AI workloadsCreateEndpoint, CreateAgent, model deploy

Benchmark enforcement: CIS AWS Foundations, CIS Azure, CIS GCP, NIST CSF, PCI DSS — mapped to harness-checked policies. Findings scored by exploitability × impact × reachability.

S09.4 — Reporting & Remediation

One finding store, three audience views: engineer (per-finding detail), CISO (risk + top paths), auditor (control → evidence map).

Same data, different projections. No drift between what the engineer fixes and what the CISO reports.

The approval gate

Production always requires human approval. The harness may generate the fix, attach it to the ticket, and stage it — but it does not apply without approval.

Non-production may auto-apply per policy. Automated remediation that breaks production is worse than the misconfiguration it was fixing.

What you take into S10

The cloud posture harness is operational: continuous discovery, graph-based attack paths, event-driven monitoring, approval-gated remediation.

S10 flips to the offensive side: cloud red team harnesses — API-first architecture, IAM privilege escalation path-finding, and evidence schemas mapped to SOC 2 / ISO 27001 / PCI DSS.