STRIDE on Break Lib Site https://break.mlibia.xyz/tags/stride/ Recent content in STRIDE on Break Lib Site Hugo -- gohugo.io en Lib Copyright Sun, 22 Feb 2026 00:00:00 +0000 Cloud Threat Model https://break.mlibia.xyz/p/cloud-threat-model/ Sun, 22 Feb 2026 00:00:00 +0000 https://break.mlibia.xyz/p/cloud-threat-model/ <h1 id="cloud-threat-model">Cloud Threat Model </h1><p>I attended a cybersecurity event πŸ‘‰<a class="link" href="https://containersecurityvillage.kubernetesvillage.com/" target="_blank" rel="noopener" >container security village</a>. I learn this topic <em>Threat Modelling in Cloud</em> so i want to apply this theory. Some memories :)</p> <img src="https://mochila.laotra.red/apps/files_sharing/publicpreview/d3KdGz7xrWxMwLG?file=/&fileId=5387198&x=1280&y=720&a=true&etag=ecabc18eed4285ca147c5304826da772" alt="Joined Images" style="width:100%; max-width:800px;"> <p>My experiment a static website in an AWS S3 bucket, served via a Content Delivery Network (CDN), with an AWS Lambda backend API. I want to apply threat modeling: shifting security left by finding flaws in the design phase rather than in production. </p> <p><img src="https://break.mlibia.xyz/p/cloud-threat-model/demo.png" width="610" height="517" srcset="https://break.mlibia.xyz/p/cloud-threat-model/demo_hu17647159605992948754.png 480w, https://break.mlibia.xyz/p/cloud-threat-model/demo_hu4591506862170095555.png 1024w" loading="lazy" alt="demo" class="gallery-image" data-flex-grow="117" data-flex-basis="283px" ></p> <h2 id="diagram-showing-components-data-flows-">Diagram showing Components (Data Flows) ✴️ </h2><ul> <li>Where does secure private data start?</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Browser / app.py </span></span><span class="line"><span class="cl"> AWS WAF </span></span><span class="line"><span class="cl"> β”‚ </span></span><span class="line"><span class="cl"> β–Ό </span></span><span class="line"><span class="cl">β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” </span></span><span class="line"><span class="cl">β”‚ API Gateway │──────▢ β”‚ Lambda (Python) β”‚ </span></span><span class="line"><span class="cl">β”‚ (HTTP API) β”‚ β”‚ handler.py β”‚ </span></span><span class="line"><span class="cl">β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ </span></span><span class="line"><span class="cl"> β”‚ s3:ListBucket </span></span><span class="line"><span class="cl"> β–Ό </span></span><span class="line"><span class="cl"> β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” </span></span><span class="line"><span class="cl"> β”‚ S3 Bucket β”‚ (private) </span></span><span class="line"><span class="cl"> β”‚ gallery images β”‚ </span></span><span class="line"><span class="cl"> β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ </span></span><span class="line"><span class="cl"> β–² </span></span><span class="line"><span class="cl"> OAC (sigv4) </span></span><span class="line"><span class="cl"> β”‚ </span></span><span class="line"><span class="cl">Browser ──────────────────▢ CloudFront CDN </span></span><span class="line"><span class="cl"> (image delivery) </span></span></code></pre></td></tr></table> </div> </div><h2 id="phase-2-identify-threats-using-stride-">Phase 2: Identify Threats (Using STRIDE) 🧐 </h2><table> <thead> <tr> <th>Component</th> <th>STRIDE Category</th> <th>Threat Description</th> </tr> </thead> <tbody> <tr> <td><strong>S3 Bucket</strong></td> <td>Information Disclosure</td> <td>Misconfigured permissions allow unauthorized public read access.</td> </tr> <tr> <td><strong>CDN (CloudFront)</strong></td> <td>Spoofing / Tampering</td> <td>Attackers bypass the CDN to target the S3 origin directly.</td> </tr> <tr> <td><strong>API Gateway / Lambda</strong></td> <td>Elevation of Privilege</td> <td>Lack of authentication allows unauthorized code execution.</td> </tr> </tbody> </table> <p><em>STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to identify threats at each component.</em></p> <h2 id="mitigation-plan-cloud-configuration-fixes">Mitigation Plan: Cloud configuration fixes. </h2><ul> <li><strong>S3:</strong> Block direct public access and apply CloudFront restriction.</li> <li><strong>Lambda:</strong> Use IAM roles for S3 and Cloudfront access.</li> <li><strong>API Gateway:</strong> Enable a firewall to block IPs that exceed request limits.</li> <li><strong>CloudFront:</strong> Apply Amazon CloudFront Origin Access Control (OAC).</li> </ul> <p>πŸ‘‰<em>My code</em>:πŸ”— <a class="link" href="https://github.com/libialany/DevOpsProject/tree/feat/stride" target="_blank" rel="noopener" >Results</a></p> <h2 id="recommended-tools">Recommended Tools </h2><ul> <li><strong>OWASP Threat Dragon</strong> (Free, open-source tool)</li> </ul> <h2 id="offtopic">Offtopic </h2><p><em>Love your dogs by giving them a quality life. Don’t forget to neuter!</em></p>