90 min · Asset Discovery · Attack Path Analysis · Continuous Monitoring · Reporting & Remediation
Prerequisite: S00–S08
The harness's first job is not to assess risk. It is to know what is deployed. You cannot defend an asset you have not inventoried.
Cloud posture tools fail at inventory first, then at assessment. The discovery layer is the load-bearing foundation.
Cloud infrastructure is not a static deployment — it is a continuously changing graph. A snapshot at midnight is stale by morning.
Terraform apply, console click, autoscaling, Lambda deploy, IAM update — each changes posture. The inventory must be continuously reconciled, not periodically snapshotted.
| Provider | Service |
|---|---|
| AWS | Security Hub + AWS Config |
| Azure | Resource Graph + Defender for Cloud |
| GCP | Security Command Center |
Defender for Cloud now supports AI security posture natively: discovers AI workloads, builds an AI BOM, tracks reachable AI endpoints, maps attack paths across all three clouds.
The harness adds: cross-provider normalization, AI-specific asset tagging, structured output for graph reasoning.
The endpoint_publicly_reachable tag distinguishes an internal tool from a public attack surface — tagged at inventory time, not assessment time.
A finding is a single point of weakness. An attack path is the chain that turns a single weakness into a breach.
Public S3 bucket = a finding. Public S3 bucket → over-privileged role → Lambda → regulated database = an attack path.
Three edge types dominate: IAM escalation (privilege ladder), public exposure chains (outside → crown jewel), lateral movement (cross-account pivots).
A finding list says "47 misconfigurations." An attack-path list says "3 of those 47 combine into a breach path."
Fixing a single node on a critical path breaks the path. Fixing 10 nodes not on any path changes nothing about actual risk. Path analysis turns 47 findings into 3 priorities.
Posture at a single point in time is a snapshot. The cloud is not a snapshot. Drift is the core operational challenge.
Scheduled monitor: assess nightly. Misconfiguration introduced 9 AM, exploited 2 PM = missed.
Event-driven: subscribe to CloudTrail / Activity Log. Security-relevant change → re-assess in seconds.
Efficient: 50,000-resource estate, 10,000 changes/day = 10,000 single-resource assessments, not 50,000-resource scans.
| Category | Events |
|---|---|
| IAM changes | AttachRolePolicy, PutRolePolicy, AssumeRole |
| Public exposure | PutBucketAcl, PutBucketPolicy, AuthorizeSecurityGroupIngress |
| AI workloads | CreateEndpoint, CreateAgent, model deploy |
Benchmark enforcement: CIS AWS Foundations, CIS Azure, CIS GCP, NIST CSF, PCI DSS — mapped to harness-checked policies. Findings scored by exploitability × impact × reachability.
One finding store, three audience views: engineer (per-finding detail), CISO (risk + top paths), auditor (control → evidence map).
Same data, different projections. No drift between what the engineer fixes and what the CISO reports.
Production always requires human approval. The harness may generate the fix, attach it to the ticket, and stage it — but it does not apply without approval.
Non-production may auto-apply per policy. Automated remediation that breaks production is worse than the misconfiguration it was fixing.
The cloud posture harness is operational: continuous discovery, graph-based attack paths, event-driven monitoring, approval-gated remediation.
S10 flips to the offensive side: cloud red team harnesses — API-first architecture, IAM privilege escalation path-finding, and evidence schemas mapped to SOC 2 / ISO 27001 / PCI DSS.