Vulnerability Analysis of Default Service Configurations in Cloud Computing Providers

  • Caroline de Oliveira Braga CEFET/RJ
  • Dalbert Matos Mascarenhas CEFET/RJ
  • Igor M. Moraes UFF

Abstract


This work presents a comparative analysis of security vulnerabilities originating from default settings in major cloud providers (AWS, Azure, and GCP). The accelerated adoption of cloud services has introduced complex challenges regarding the Shared Responsibility Model. To address this, an automated audit framework was developed using Infrastructure as Code (Terraform) and orchestration via CI/CD in GitHub Actions with parallelized matrix execution. This automated setup audited 15 distinct infrastructure scenarios against 165 security controls using the Checkov static analysis tool. The experimental results revealed a global failure rate of 60.6% in newly created resources, confirming the systemic insecurity of default configurations. The study demonstrates that cloud security requires a transition from manual checks to automated Guardrails in DevSecOps pipelines.

References

Amazon Web Services (2024). Aws shared responsibility model. [link]. Acesso em: 7 out. 2025.

AMAZON WEB SERVICES (2024). Aws well-architected framework: Security pillar. [link]. Acesso em: 01 abr. 2026.

Braga, C. (2025). Repositório do Framework: Análise de Configurações Padrão em Nuvem. [link]. Acesso em: 28 mar. 2026.

Center for Internet Security (2025). Cis benchmarks. Acesso em: 7 out. 2025.

CloudZero (2025). 90+ estatísticas de computação em nuvem: um instantâneo do mercado de 2025. [link]. Acesso em: 27 out. 2025.

Gartner (2025). Forecast: Public cloud services, worldwide, 2023-2027, 4q24 update. Technical report, Gartner Research.

GOOGLE CLOUD (2025). Google cloud architecture framework: Security, privacy, and compliance. [link]. Acesso em: 01 abr. 2026.

Guptha, A. S., Murali, H., and T., S. (2021). A comparative analysis of security services in major cloud service providers. In 2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS), pages 1533–1538. IEEE.

IBM Security (2025). Cost of a data breach report 2025. Technical report, Ponemon Institute. Acesso em: 28 set. 2025.

Iosif, A.-C., Gasiba, T. E., Zhao, T., Lechner, U., and Pinto-Albuquerque, M. (2022). A large-scale study on the security vulnerabilities of cloud deployments. In Ubiquitous Security: First International Conference, UbiSec 2021, pages 37–52. Springer.

Khanam, S. and Ahmad, M. (2020). Cloud security hardening using cis benchmarks: A case study. In 2020 International Conference on Computing and Information Technology. IEEE.

Kumara, I., Pietrantuono, R., and Russo, S. (2021). Security of infrastructure as code: A systematic literature review. IEEE Access, 9:109641–109667.

Mell, P. and Grance, T. (2011). The nist definition of cloud computing. Technical Report SP 800-145, National Institute of Standards and Technology, Gaithersburg, MD.

MICROSOFT AZURE (2024). Azure security benchmark v3: Network security. [link]. Acesso em: 01 abr. 2026.

MITRE Corporation (2024). Capec-93: Log injection-tampering-forging. [link]. Acesso em: 22 nov. 2025.

Myrbakken, H. and Colomo-Palacios, R. (2017). Devsecops: A multivocal literature review. In Software Process Improvement and Capability Determination (SPICE 2017), pages 17–29. Springer.

NIST National Vulnerability Database (2018). Cve-2018-1002105: Kubernetes privilege escalation. [link]. Acesso em: 22 nov. 2025.

OWASP Foundation (2023). Owasp cloud native security top 10. [link]. Acesso em: 8 out. 2025.

Palo Alto Networks (2025). Unit 42 cloud threat report, 2h 2025. [link]. Acesso em: 28 set. 2025.

Pereira, M. and Santos, N. (2022). Evaluation of static application security testing tools for infrastructure as code. In 2022 IEEE International Conference on Cyber Security and Resilience (CSR), pages 167–174. IEEE.

Rahman, A. and Rahman, M. R. (2019). Security smells in ansible and chef scripts: A qualitative study and a dataset. In 2019 IEEE/ACM 16th International Conference on Mining Software Repositories (MSR), pages 430–441. IEEE.

Rose, S., Souppaya, M., Fagan, M., and Frankel, K. (2020). Zero trust architecture. Technical Report SP 800-207, National Institute of Standards and Technology, Gaithersburg, MD.

Shostack, A. (2014). Threat Modeling: Designing for Security. Wiley, Indianapolis, IN.

Verdet, A., Hamdaqa, M., Da Silva, L., and Khomh, F. (2023). Exploring security practices in infrastructure as code: An empirical study. IEEE Transactions on Software Engineering, 49(10):4620–4645.
Published
2026-05-25
BRAGA, Caroline de Oliveira; MASCARENHAS, Dalbert Matos; MORAES, Igor M.. Vulnerability Analysis of Default Service Configurations in Cloud Computing Providers. In: BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 44. , 2026, Praia do Forte/BA. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2026 . p. 169-182. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2026.19964.

Most read articles by the same author(s)

1 2 > >>