Análise de Vulnerabilidades em Configurações Padrão de Serviços em Provedores de Computação em Nuvem
Resumo
Este trabalho apresenta uma análise comparativa das vulnerabilidades de segurança originadas por configurações padrão (default settings) nos principais provedores de nuvem (AWS, Azure e GCP). A adoção acelerada de serviços em nuvem introduziu desafios complexos no Modelo de Responsabilidade Compartilhada. Para investigar este cenário, desenvolveu-se um framework de auditoria automatizada utilizando Infraestrutura como Código (Terraform) e orquestração via CI/CD no GitHub Actions com estratégia de execução matricial paralela. Esta automação submeteu 15 cenários de infraestrutura distintos à auditoria de 165 controles de segurança via análise estática (Checkov). Os resultados revelaram uma taxa global de falha de 60,6% nos recursos recém-criados. O trabalho aponta que a segurança em nuvem exige a transição para Guardrails automatizados integrados às esteiras de desenvolvimento.Referências
Amazon Web Services (2024). Aws shared responsibility model. [link]. Acesso em: 7 out. 2025.
AMAZON WEB SERVICES (2024). Aws well-architected framework: Security pillar. [link]. Acesso em: 01 abr. 2026.
Braga, C. (2025). Repositório do Framework: Análise de Configurações Padrão em Nuvem. [link]. Acesso em: 28 mar. 2026.
Center for Internet Security (2025). Cis benchmarks. Acesso em: 7 out. 2025.
CloudZero (2025). 90+ estatísticas de computação em nuvem: um instantâneo do mercado de 2025. [link]. Acesso em: 27 out. 2025.
Gartner (2025). Forecast: Public cloud services, worldwide, 2023-2027, 4q24 update. Technical report, Gartner Research.
GOOGLE CLOUD (2025). Google cloud architecture framework: Security, privacy, and compliance. [link]. Acesso em: 01 abr. 2026.
Guptha, A. S., Murali, H., and T., S. (2021). A comparative analysis of security services in major cloud service providers. In 2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS), pages 1533–1538. IEEE.
IBM Security (2025). Cost of a data breach report 2025. Technical report, Ponemon Institute. Acesso em: 28 set. 2025.
Iosif, A.-C., Gasiba, T. E., Zhao, T., Lechner, U., and Pinto-Albuquerque, M. (2022). A large-scale study on the security vulnerabilities of cloud deployments. In Ubiquitous Security: First International Conference, UbiSec 2021, pages 37–52. Springer.
Khanam, S. and Ahmad, M. (2020). Cloud security hardening using cis benchmarks: A case study. In 2020 International Conference on Computing and Information Technology. IEEE.
Kumara, I., Pietrantuono, R., and Russo, S. (2021). Security of infrastructure as code: A systematic literature review. IEEE Access, 9:109641–109667.
Mell, P. and Grance, T. (2011). The nist definition of cloud computing. Technical Report SP 800-145, National Institute of Standards and Technology, Gaithersburg, MD.
MICROSOFT AZURE (2024). Azure security benchmark v3: Network security. [link]. Acesso em: 01 abr. 2026.
MITRE Corporation (2024). Capec-93: Log injection-tampering-forging. [link]. Acesso em: 22 nov. 2025.
Myrbakken, H. and Colomo-Palacios, R. (2017). Devsecops: A multivocal literature review. In Software Process Improvement and Capability Determination (SPICE 2017), pages 17–29. Springer.
NIST National Vulnerability Database (2018). Cve-2018-1002105: Kubernetes privilege escalation. [link]. Acesso em: 22 nov. 2025.
OWASP Foundation (2023). Owasp cloud native security top 10. [link]. Acesso em: 8 out. 2025.
Palo Alto Networks (2025). Unit 42 cloud threat report, 2h 2025. [link]. Acesso em: 28 set. 2025.
Pereira, M. and Santos, N. (2022). Evaluation of static application security testing tools for infrastructure as code. In 2022 IEEE International Conference on Cyber Security and Resilience (CSR), pages 167–174. IEEE.
Rahman, A. and Rahman, M. R. (2019). Security smells in ansible and chef scripts: A qualitative study and a dataset. In 2019 IEEE/ACM 16th International Conference on Mining Software Repositories (MSR), pages 430–441. IEEE.
Rose, S., Souppaya, M., Fagan, M., and Frankel, K. (2020). Zero trust architecture. Technical Report SP 800-207, National Institute of Standards and Technology, Gaithersburg, MD.
Shostack, A. (2014). Threat Modeling: Designing for Security. Wiley, Indianapolis, IN.
Verdet, A., Hamdaqa, M., Da Silva, L., and Khomh, F. (2023). Exploring security practices in infrastructure as code: An empirical study. IEEE Transactions on Software Engineering, 49(10):4620–4645.
AMAZON WEB SERVICES (2024). Aws well-architected framework: Security pillar. [link]. Acesso em: 01 abr. 2026.
Braga, C. (2025). Repositório do Framework: Análise de Configurações Padrão em Nuvem. [link]. Acesso em: 28 mar. 2026.
Center for Internet Security (2025). Cis benchmarks. Acesso em: 7 out. 2025.
CloudZero (2025). 90+ estatísticas de computação em nuvem: um instantâneo do mercado de 2025. [link]. Acesso em: 27 out. 2025.
Gartner (2025). Forecast: Public cloud services, worldwide, 2023-2027, 4q24 update. Technical report, Gartner Research.
GOOGLE CLOUD (2025). Google cloud architecture framework: Security, privacy, and compliance. [link]. Acesso em: 01 abr. 2026.
Guptha, A. S., Murali, H., and T., S. (2021). A comparative analysis of security services in major cloud service providers. In 2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS), pages 1533–1538. IEEE.
IBM Security (2025). Cost of a data breach report 2025. Technical report, Ponemon Institute. Acesso em: 28 set. 2025.
Iosif, A.-C., Gasiba, T. E., Zhao, T., Lechner, U., and Pinto-Albuquerque, M. (2022). A large-scale study on the security vulnerabilities of cloud deployments. In Ubiquitous Security: First International Conference, UbiSec 2021, pages 37–52. Springer.
Khanam, S. and Ahmad, M. (2020). Cloud security hardening using cis benchmarks: A case study. In 2020 International Conference on Computing and Information Technology. IEEE.
Kumara, I., Pietrantuono, R., and Russo, S. (2021). Security of infrastructure as code: A systematic literature review. IEEE Access, 9:109641–109667.
Mell, P. and Grance, T. (2011). The nist definition of cloud computing. Technical Report SP 800-145, National Institute of Standards and Technology, Gaithersburg, MD.
MICROSOFT AZURE (2024). Azure security benchmark v3: Network security. [link]. Acesso em: 01 abr. 2026.
MITRE Corporation (2024). Capec-93: Log injection-tampering-forging. [link]. Acesso em: 22 nov. 2025.
Myrbakken, H. and Colomo-Palacios, R. (2017). Devsecops: A multivocal literature review. In Software Process Improvement and Capability Determination (SPICE 2017), pages 17–29. Springer.
NIST National Vulnerability Database (2018). Cve-2018-1002105: Kubernetes privilege escalation. [link]. Acesso em: 22 nov. 2025.
OWASP Foundation (2023). Owasp cloud native security top 10. [link]. Acesso em: 8 out. 2025.
Palo Alto Networks (2025). Unit 42 cloud threat report, 2h 2025. [link]. Acesso em: 28 set. 2025.
Pereira, M. and Santos, N. (2022). Evaluation of static application security testing tools for infrastructure as code. In 2022 IEEE International Conference on Cyber Security and Resilience (CSR), pages 167–174. IEEE.
Rahman, A. and Rahman, M. R. (2019). Security smells in ansible and chef scripts: A qualitative study and a dataset. In 2019 IEEE/ACM 16th International Conference on Mining Software Repositories (MSR), pages 430–441. IEEE.
Rose, S., Souppaya, M., Fagan, M., and Frankel, K. (2020). Zero trust architecture. Technical Report SP 800-207, National Institute of Standards and Technology, Gaithersburg, MD.
Shostack, A. (2014). Threat Modeling: Designing for Security. Wiley, Indianapolis, IN.
Verdet, A., Hamdaqa, M., Da Silva, L., and Khomh, F. (2023). Exploring security practices in infrastructure as code: An empirical study. IEEE Transactions on Software Engineering, 49(10):4620–4645.
Publicado
25/05/2026
Como Citar
BRAGA, Caroline de Oliveira; MASCARENHAS, Dalbert Matos; MORAES, Igor M..
Análise de Vulnerabilidades em Configurações Padrão de Serviços em Provedores de Computação em Nuvem. In: SIMPÓSIO BRASILEIRO DE REDES DE COMPUTADORES E SISTEMAS DISTRIBUÍDOS (SBRC), 44. , 2026, Praia do Forte/BA.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2026
.
p. 169-182.
ISSN 2177-9384.
DOI: https://doi.org/10.5753/sbrc.2026.19964.
