THREAT MODEL

[Diagram: an AWS VPC with a Public Subnet and a Private Subnet. A DevOps User opens an SSH Session (Port 22) to a Bastion Host in the Public Subnet (data flow 1); an AppDev User reaches the public Web Server over HTTPS (Port 443) (data flow 2); the Web Server talks to a Database Server in the Private Subnet. A Hacker is drawn as an external Entity on the same Port 22 and Port 443 ingress paths. Legend: User, Entity, Cloud Resources (Compute, Storage, Network, Accounts, Virtual Machine), Application Layer, Traffic Layer, Process, Initiate Data Flow.]
THREAT PROFILE

| Threat # | Name  | Description                         | Risk                                                                                                                        | Mitigation / Security Control                                                                                                      | Customer Acceptance |
|----------|-------|-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| 1        | SSH   | Bastion Host is open to port 22     | (1) Spoofing (2) Repudiation (3) Denial of Service                                                                          | (1) Protect PEM Key (2) No Sharing of Keys (3) Restrict Availability                                                                |                     |
| 2        | HTTPS | Public Web Server port 443 / HTTPS  | (1) Spoofing (2) Tampering (3) Repudiation (4) Information Disclosure (5) Denial of Service (6) Elevation of Privilege        | (1) Authentication (2) Integrity (3) Non-Repudiation (4) Confidentiality (5) Availability (6) Authorization                          |                     |
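The table's two ingress points can be checked mechanically. The following is an added example, not part of the poster: it audits constructed security-group inbound rules (shaped like AWS EC2 IpPermissions, with made-up group names, CIDRs and group ids) against the model, allowing port 22 only from an assumed DevOps admin range and port 443 from anywhere, and flagging everything else that is world-open.

```python
"""Audit constructed security-group ingress rules against the poster's threat model.

Added example, not the poster's own material. Rule dicts mirror the shape of AWS
EC2 'IpPermissions' but every value here is constructed; IPv4 only.
Policy derived from the table: port 22 (threat #1) only from the admin range,
port 443 (threat #2) may be public, nothing else may be open to the world.
"""
import ipaddress

ADMIN_CIDR = ipaddress.ip_network("203.0.113.0/24")  # assumed DevOps egress range (TEST-NET-3)
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


def check_ingress(group_name, rules):
    """Return a list of finding strings for one security group's inbound rules."""
    findings = []
    for rule in rules:
        # IpProtocol "-1" (all traffic) rules carry no ports: treat as the full range.
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        for cidr in rule.get("IpRanges", []):  # group-to-group rules have no IpRanges
            net = ipaddress.ip_network(cidr)
            if lo <= 22 <= hi and not net.subnet_of(ADMIN_CIDR):
                findings.append(f"{group_name}: SSH (22) reachable from {cidr}; restrict to {ADMIN_CIDR}")
            # (22, 22) is already covered by the SSH check above; (443, 443) is the intended public ingress.
            if net == ANYWHERE and (lo, hi) not in {(443, 443), (22, 22)}:
                findings.append(f"{group_name}: ports {lo}-{hi} open to the world; expose only 443")
    return findings


def audit(groups):
    """Map each group name to its findings; an empty list means the group matches the model."""
    return {name: check_ingress(name, rules) for name, rules in groups.items()}


# Constructed sample modelled on the diagram: bastion and web server in the public
# subnet, database in the private subnet reachable only from the web server's group.
SAMPLE_GROUPS = {
    "bastion-sg": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ["0.0.0.0/0"]},  # threat #1 unmitigated
    ],
    "web-sg": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ["0.0.0.0/0"]},
    ],
    "db-sg": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ],
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_GROUPS).items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```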
Security Points
Understand the ingress and egress of cloud environments
Common cloud model breakdown for Infrastructure as a Service
Learn how to create your own Threat Models

Think Cloud Security

RESOURCES
Threat Modeling: https://www.owasp.org/index.php/Application_Threat_Modeling