1. Introduction to CSPM
Cloud Security Posture Management (CSPM) is the set of tools and practices that continuously monitor for, and remediate, misconfigurations and compliance violations in the cloud. Gartner estimates that through 2025, 99% of cloud security failures will be the customer's fault.
- The most common cloud misconfigurations
- Security best practices for AWS, Azure, GCP
- IaC security scanning
- Compliance monitoring
- Multi-cloud security strategy
- Automated remediation
2. Common Cloud Misconfigurations
| Misconfiguration | Impact | Detection |
|---|---|---|
| Public S3 bucket | Data exposure | CloudTrail, GuardDuty |
| Over-permissive IAM | Privilege escalation | IAM Access Analyzer |
| Security group 0.0.0.0/0 | Open to internet | VPC Flow Logs |
| Unencrypted storage | Data at rest exposure | Config Rules |
| No MFA on root | Account takeover | Security Hub |
| Public RDS | Database exposure | Config Rules |
| Logging disabled | No audit trail | CloudTrail |
3. AWS Security Posture
```bash
# =============================================
# AWS Cloud Security Hardening
# =============================================
# 1. Enable Security Hub with the default standards (CIS, AWS Foundational)
aws securityhub enable-security-hub --enable-default-standards

# 2. Enable the Config recorder (ACCOUNT_ID is a placeholder for your account)
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleArn=arn:aws:iam::ACCOUNT_ID:role/awsconfig

# 3. S3 public access block (all four settings on)
aws s3api put-public-access-block \
  --bucket my-bucket \
  --public-access-block-configuration \
  "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

# 4. Enable GuardDuty
aws guardduty create-detector --enable

# 5. Check inline user policies that allow actions on Resource "*"
#    (the Python is single-quoted so the shell leaves its double quotes alone)
aws iam get-account-authorization-details | python3 -c '
import json, sys

data = json.load(sys.stdin)
for user in data.get("UserDetailList", []):
    for policy in user.get("UserPolicyList", []):
        for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
            res = stmt.get("Resource", [])
            res = [res] if isinstance(res, str) else res   # string or list
            if stmt.get("Effect") == "Allow" and "*" in res:
                print("WARNING:", user["UserName"], "has Resource * in", policy["PolicyName"])
'
```
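The "Security group 0.0.0.0/0" and "Public S3 bucket" rows of the table in section 2 are what a CSPM tool checks continuously, and the AWS CLI calls above are how the raw data is obtained. The following added example (written for this page, not part of the original material) implements those two checks over JSON in the shape of `aws ec2 describe-security-groups` and `aws s3api get-public-access-block` output. The sample documents are constructed; the list of sensitive ports and the severity rule are this example's own choices.

```python
"""Posture checks over the JSON returned by two AWS CLI calls.
The sample documents are constructed for this example and are not real
account data."""
import json
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")

# Constructed sample in the shape of `aws s3api get-public-access-block` output.
SAMPLE_PUBLIC_ACCESS_BLOCK = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports that should never be reachable from the whole internet (example's choice).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
REQUIRED_PAB = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _port_range(perm: Dict):
    # IpProtocol "-1" means every protocol and every port.
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_open_ingress(sg_doc: Dict) -> List[Dict]:
    """One finding per ingress rule open to 0.0.0.0/0 or ::/0.
    HIGH when a sensitive port (or every port) is exposed, LOW otherwise."""
    findings = []
    for sg in sg_doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = sorted(c for c in cidrs if c in ANYWHERE)
            if not open_cidrs:
                continue
            lo, hi = _port_range(perm)
            all_ports = perm.get("IpProtocol") == "-1"
            exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
            findings.append({
                "group": sg["GroupId"],
                "ports": "all" if all_ports else f"{lo}-{hi}",
                "cidrs": open_cidrs,
                "services": exposed,
                "severity": "HIGH" if (all_ports or exposed) else "LOW",
            })
    return findings


def public_access_block_gaps(pab_doc: Dict) -> List[str]:
    """Settings still disabled in a get-public-access-block response;
    an empty list means all four protections are on."""
    cfg = pab_doc.get("PublicAccessBlockConfiguration", {})
    return [key for key in REQUIRED_PAB if not cfg.get(key, False)]


if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_SECURITY_GROUPS):
        print(f"[{f['severity']}] {f['group']} ports {f['ports']} "
              f"open to {f['cidrs']} {f['services']}")
    print("public access block gaps:",
          public_access_block_gaps(SAMPLE_PUBLIC_ACCESS_BLOCK))
```

On the constructed input the checker flags 443 on the web tier as LOW (expected for a web tier, but still worth seeing), SSH and PostgreSQL as HIGH, the all-protocols rule as HIGH, and reports that the bucket still has `BlockPublicPolicy` and `RestrictPublicBuckets` off. Note the IPv6 case: a rule that looks private in `IpRanges` can still be open through `Ipv6Ranges`.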
4. Azure Security
```bash
# =============================================
# Azure Security Configuration
# =============================================
# 1. Enable Defender for Cloud auto-provisioning of the monitoring agent
az security auto-provisioning-setting update --name default --auto-provision On

# 2. NSG audit: inbound Allow rules whose source is any address
az network nsg list \
  --query "[].securityRules[?access=='Allow' && direction=='Inbound' && sourceAddressPrefix=='*']"

# 3. Assign a built-in Azure Policy (--policy takes the policy definition name or ID)
az policy assignment create \
  --policy "Audit VMs that do not use managed disks"
```
5. GCP Security
```bash
# =============================================
# GCP Security Posture Management
# =============================================
# 1. Security Command Center is activated per organization (Console);
#    list the finding sources that are enabled for the org
gcloud scc sources list --organization=ORG_ID

# 2. Audit logging: export Cloud Audit Logs to a bucket
#    (the sink destination is a positional argument)
gcloud logging sinks create audit-sink \
  storage.googleapis.com/audit-bucket \
  --log-filter='logName:cloudaudit.googleapis.com'

# 3. Check public GCS buckets
gsutil iam get gs://my-bucket | grep allUsers

# 4. Firewall audit: rules reachable from anywhere on port 22
gcloud compute firewall-rules list \
  --filter="sourceRanges:0.0.0.0/0 AND allowed.ports:22"
```
6. Infrastructure as Code Security
Scanning IaC templates before deployment prevents misconfigurations from reaching production.
```bash
# =============================================
# IaC Security Scanning
# =============================================
# 1. Checkov: Terraform/CloudFormation
checkov -d ./terraform/

# 2. tfsec
tfsec ./terraform/

# 3. Terrascan
terrascan scan -d ./terraform/ -i terraform

# 4. cfn-lint
cfn-lint template.yaml

# 5. Semgrep IaC rules
semgrep --config=p/terraform ./terraform/
```
7. Compliance & Governance
| Framework | Focus | Cloud Mapping |
|---|---|---|
| CIS Benchmarks | Hardening guidelines | CIS AWS/Azure/GCP Foundations |
| SOC 2 | Trust service criteria | Security, Availability, Confidentiality |
| ISO 27001 | ISMS | A.12 Operations Security |
| PCI DSS | Payment card data | Req 1-12 mapped to cloud controls |
8. CSPM Tools & Automation
```bash
# =============================================
# CSPM Tools: Open Source
# =============================================
# 1. Prowler: AWS security
pip install prowler
prowler aws --list-compliance            # show the framework names available
prowler aws --compliance cis_2.0_aws     # run the CIS AWS Foundations checks

# 2. ScoutSuite: multi-cloud
pip install scoutsuite
scout aws

# 3. Steampipe: query cloud state with SQL
steampipe plugin install aws
steampipe query "SELECT name FROM aws_s3_bucket WHERE bucket_policy_is_public"
```
Cloud Identity & Access Management
IAM is the most important security control in the cloud. Misconfigured IAM is the #1 cause of cloud breaches. The principle of least privilege must be applied strictly.
IAM Policy Analysis
```bash
# =============================================
# Cloud IAM Security Audit
# =============================================
# AWS: Find users, groups and roles with AdministratorAccess attached
aws iam list-entities-for-policy \
  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# AWS: Find unused IAM credentials (report generation is asynchronous;
# re-run get-credential-report until it returns the CSV)
aws iam generate-credential-report
aws iam get-credential-report \
  --query 'Content' --output text | base64 -d

# AWS: Find roles whose trust policy allows any AWS principal
aws iam list-roles \
  --query 'Roles[?contains(AssumeRolePolicyDocument.Statement[].Principal.AWS, `*`)]'

# Azure: Find Owners on subscriptions
az role assignment list --role "Owner" \
  --query "[].{Principal:principalName, Scope:scope}"

# GCP: Find service accounts and their user-managed keys
gcloud iam service-accounts list \
  --format="table(email,displayName)"
gcloud iam service-accounts keys list \
  --iam-account=SA_EMAIL

# Terraform (JSON syntax): check aws_iam_policy resources for Action "*"
cat > check_iam.py <<'EOF'
import glob
import json

# Terraform JSON lays resources out as resource -> type -> name -> config
for path in glob.glob("**/*.tf.json", recursive=True):
    with open(path) as fh:
        data = json.load(fh)
    policies = data.get("resource", {}).get("aws_iam_policy", {})
    for name, cfg in policies.items():
        doc = cfg.get("policy")
        if isinstance(doc, str):          # policy is usually an encoded JSON string
            doc = json.loads(doc)
        if not doc:
            continue
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            if isinstance(actions, str):  # Action may be a string or a list
                actions = [actions]
            if "*" in actions:
                print(f"WARNING: {path}: aws_iam_policy.{name} allows Action: *")
EOF
python3 check_iam.py
```
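The script above only catches the literal `"*"`. Service wildcards (`s3:*`), prefix wildcards (`iam:Pass*`), `NotAction` combined with `Allow`, and `Resource: "*"` all widen a policy too, and a least-privilege review has to weigh them together. The added example below (this page's own material does not include it) grades each Allow statement by wildcard breadth and answers the question "could this policy ever allow action X?" with IAM's explicit-deny-wins rule. The policy document is constructed; the severity tiers are this example's choice, and resource ARNs and conditions are deliberately ignored.

```python
"""Grade IAM policy statements for wildcard breadth and answer "does this
policy allow action X?". The sample policy is constructed for this example."""
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample policy with one statement of every grade plus a Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::app-data/*"},
        {"Sid": "S3Admin", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "PassAny", "Effect": "Allow", "Action": ["iam:Pass*"],
         "Resource": "arn:aws:iam::123456789012:role/app-*"},
        {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "NoBucketDelete", "Effect": "Deny",
         "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def _as_list(value) -> List[str]:
    # IAM accepts a single string or a list for Action, NotAction and Resource.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def grade_statement(stmt: Dict) -> str:
    """Severity of one Allow statement based only on wildcard breadth.
    Deny statements are not graded and return "n/a"."""
    if stmt.get("Effect") != "Allow":
        return "n/a"
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    any_resource = "*" in resources
    # Allow + NotAction grants everything except the listed actions.
    full_admin = "*" in actions or "NotAction" in stmt
    service_wild = any(a.endswith(":*") for a in actions)
    partial_wild = any("*" in a and a != "*" and not a.endswith(":*") for a in actions)
    if full_admin and any_resource:
        return "CRITICAL"
    if full_admin or (service_wild and any_resource):
        return "HIGH"
    if service_wild or partial_wild or any_resource:
        return "MEDIUM"
    return "LOW"


def grade_policy(policy: Dict) -> List[Tuple[str, str]]:
    """(Sid, severity) for every Allow statement in the document."""
    return [(s.get("Sid", "?"), grade_statement(s))
            for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]


def _matches(patterns: List[str], action: str) -> bool:
    # IAM action matching is case-insensitive and uses * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statement_covers(stmt: Dict, action: str) -> bool:
    if "NotAction" in stmt:
        return not _matches(_as_list(stmt["NotAction"]), action)
    return _matches(_as_list(stmt.get("Action")), action)


def policy_allows(policy: Dict, action: str) -> bool:
    """Explicit Deny beats Allow, as in the IAM evaluation logic.
    Resource ARNs and Conditions are ignored, so this answers
    "could this policy ever allow the action?"."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not statement_covers(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    for sid, sev in grade_policy(SAMPLE_POLICY):
        print(f"{sev:8} {sid}")
    for act in ("s3:DeleteBucket", "iam:PassRole", "ec2:RunInstances"):
        print(act, "->", policy_allows(SAMPLE_POLICY, act))
```

The same grading can be applied to the `PolicyDocument` objects in `aws iam get-account-authorization-details` output or to the decoded `policy` strings the Terraform script reads, so one scoring function serves both the live account and the IaC pre-deployment check.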
Cloud Logging & Monitoring
Logging is the foundation of detection and forensics in the cloud. Make sure all control plane and data plane activity is logged.
```bash
# =============================================
# Cloud Logging Best Practices
# =============================================
# AWS CloudTrail: log all API calls in every region, with integrity validation
aws cloudtrail create-trail \
  --name org-trail \
  --s3-bucket-name audit-logs-bucket \
  --is-multi-region-trail \
  --enable-log-file-validation
aws cloudtrail start-logging --name org-trail

# AWS VPC Flow Logs: network traffic metadata
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-12345 \
  --traffic-type ALL \
  --log-destination-type s3 \
  --log-destination arn:aws:s3:::flow-logs-bucket

# Azure Monitor: export the subscription Activity Log
# (Administrative/Security/Alert are Activity Log categories, so the setting
# is created at subscription scope; LOCATION is a placeholder)
az monitor diagnostic-settings subscription create \
  --name audit \
  --location LOCATION \
  --storage-account auditstorage \
  --logs '[
    {"category":"Administrative","enabled":true},
    {"category":"Security","enabled":true},
    {"category":"Alert","enabled":true}
  ]'

# GCP Audit Logs: export to a bucket (the destination is positional)
gcloud logging sinks create audit-sink \
  storage.googleapis.com/audit-bucket \
  --log-filter='logName:cloudaudit.googleapis.com'
```
Cloud Incident Response
Cloud incident response differs from on-premises response because everything is API-driven and resources are ephemeral. Speed is critical: an attacker can spin up resources in seconds.
```bash
# =============================================
# Cloud Incident Response: Quick Actions
# =============================================
# COMPROMISED EC2 INSTANCE
# 1. Snapshot the volume (preserve evidence)
aws ec2 create-snapshot --volume-id vol-xxx \
  --description "IR evidence - $(date)"

# 2. Isolate the instance (move it to a security group with no rules)
aws ec2 modify-instance-attribute \
  --instance-id i-xxx \
  --groups sg-isolation

# 3. Capture instance metadata
aws ec2 describe-instances --instance-ids i-xxx

# COMPROMISED IAM CREDENTIALS
# 1. Immediately disable the access key
aws iam update-access-key \
  --user-name compromised-user \
  --access-key-id AKIAxxx \
  --status Inactive

# 2. Revoke all existing sessions: deny everything issued before now.
#    The timestamp has to be the current UTC time, not a fixed date.
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
cat > revoke-sessions.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"DateLessThan": {"aws:TokenIssueTime": "${NOW}"}}
  }]
}
EOF
aws iam put-user-policy \
  --user-name compromised-user \
  --policy-name RevokeAllSessions \
  --policy-document file://revoke-sessions.json

# 3. Check CloudTrail for what the credentials did
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=compromised-user \
  --max-results 100
```
Cloud Data Classification
Data classification is the first step in protecting data in the cloud. Without knowing which data is sensitive, it is impossible to apply the right controls.
| Classification | Description | Controls |
|---|---|---|
| Public | Data that may be accessed publicly | Basic access controls |
| Internal | Employees only | Authentication required, logging |
| Confidential | Business-sensitive data | Encryption, DLP, strict access |
| Restricted | The most sensitive data (PII, financial) | All controls + audit + MFA + PAM |
Cloud Cost Security
A cloud cost anomaly can be an indicator of attack. Crypto mining or resource abuse produces an unusual spike in spend.
```bash
# =============================================
# Cloud Cost Anomaly Detection
# =============================================
# AWS: pull daily cost to look for spikes
aws ce get-cost-and-usage \
  --time-period Start=2024-01-01,End=2024-01-15 \
  --granularity DAILY \
  --metrics "UnblendedCost"

# AWS: billing alarm (EstimatedCharges is published in us-east-1 only,
# roughly every six hours, with a Currency dimension)
aws cloudwatch put-metric-alarm \
  --alarm-name "HighBilling" \
  --metric-name EstimatedCharges \
  --namespace AWS/Billing \
  --dimensions Name=Currency,Value=USD \
  --threshold 1000 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 1 \
  --period 21600 \
  --statistic Maximum \
  --region us-east-1

# Crypto mining indicators:
# - Unusual GPU instance launches
# - High CPU utilization on small instances
# - New instances in unexpected regions
# (EC2 filter values take * wildcards, not regular expressions)
aws ec2 describe-instances \
  --filters "Name=instance-type,Values=g4dn*,p3*" \
  --query "Reservations[].Instances[].[InstanceId,LaunchTime,Tags[?Key=='Name'].Value]"

# Azure: month-to-date cost (SUBSCRIPTION_ID is a placeholder)
az costmanagement query \
  --type ActualCost \
  --scope /subscriptions/SUBSCRIPTION_ID \
  --timeframe MonthToDate \
  --dataset-aggregation '{"totalCost":{"name":"Cost","function":"Sum"}}'
```
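A fixed billing threshold, as in the CloudWatch alarm above, only fires once spend is already high; a spike relative to the account's own baseline is a much earlier signal. The added example below (not part of the original page) parses a `get-cost-and-usage` response and flags days whose cost exceeds the median of the preceding week by both a factor and an absolute amount. The response object is constructed and the numbers invented; the window, ratio and minimum increase are tunable choices of this example.

```python
"""Detect spend spikes in a Cost Explorer daily series. The response below is
constructed in the shape returned by `aws ce get-cost-and-usage
--granularity DAILY --metrics UnblendedCost`; the amounts are invented."""
from statistics import median
from typing import Dict, List, Tuple


def _day(start: str, amount: float) -> Dict:
    # One ResultsByTime entry; the API returns Amount as a string.
    return {"TimePeriod": {"Start": start, "End": start},
            "Total": {"UnblendedCost": {"Amount": f"{amount:.2f}", "Unit": "USD"}}}


# Constructed sample: a week of steady spend, then a two-day spike.
SAMPLE_COST_RESPONSE = {"ResultsByTime": [
    _day("2024-01-01", 402.5), _day("2024-01-02", 418.0), _day("2024-01-03", 395.7),
    _day("2024-01-04", 430.1), _day("2024-01-05", 410.9), _day("2024-01-06", 399.3),
    _day("2024-01-07", 421.6), _day("2024-01-08", 412.4), _day("2024-01-09", 425.0),
    _day("2024-01-10", 987.3),    # GPU fleet appears
    _day("2024-01-11", 1460.8),
    _day("2024-01-12", 408.0),    # instances terminated
]}


def parse_cost_explorer(doc: Dict) -> List[Tuple[str, float]]:
    """(date, cost) pairs in the order the API returned them."""
    return [(r["TimePeriod"]["Start"], float(r["Total"]["UnblendedCost"]["Amount"]))
            for r in doc.get("ResultsByTime", [])]


def detect_cost_anomalies(series: List[Tuple[str, float]], window: int = 7,
                          ratio: float = 1.5, min_increase: float = 100.0) -> List[Dict]:
    """Flag a day whose cost exceeds the median of the previous `window` days
    by both a factor (`ratio`) and an absolute amount (`min_increase`).
    The absolute floor keeps tiny accounts from alerting on noise; the median
    baseline is not dragged upward by yesterday's spike, so a multi-day mining
    run is flagged on every day it lasts, not just the first."""
    anomalies = []
    for i in range(window, len(series)):
        date, cost = series[i]
        baseline = median([c for _, c in series[i - window:i]])
        if cost > baseline * ratio and cost - baseline > min_increase:
            anomalies.append({"date": date, "cost": cost,
                              "baseline": round(baseline, 2),
                              "factor": round(cost / baseline, 1)})
    return anomalies


if __name__ == "__main__":
    for a in detect_cost_anomalies(parse_cost_explorer(SAMPLE_COST_RESPONSE)):
        print(f"{a['date']}: ${a['cost']:.2f} is {a['factor']}x the "
              f"7-day baseline of ${a['baseline']:.2f}")
```

The same function works per service if the Cost Explorer call is grouped with `--group-by Type=DIMENSION,Key=SERVICE` and one series is built per group, which is how a GPU-heavy EC2 spike is separated from a legitimate increase in, say, data transfer.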
Multi-Cloud Security Strategy
Many organizations use multiple cloud providers. The security strategy must be consistent across all of them.
- Unified Policy: use policy as code (Terraform + OPA) for consistency
- Centralized Logging: aggregate logs from every cloud into one SIEM
- Identity Federation: SSO connected to every cloud provider
- CSPM Tool: use a multi-cloud CSPM for unified visibility
- Consistent Tagging: tag every resource for cost allocation and security
Cloud Security Architecture Patterns
A good cloud security architecture uses defense in depth, with multiple layers of controls at every level.
```text
┌─────────────────────────────────────────────────────┐
│                CLOUD DEFENSE-IN-DEPTH               │
│                                                     │
│  Layer 1: PERIMETER                                 │
│  ├── WAF (Web Application Firewall)                 │
│  ├── DDoS Protection (AWS Shield/Azure DDoS)        │
│  └── CDN with edge security (CloudFront/Akamai)     │
│                                                     │
│  Layer 2: NETWORK                                   │
│  ├── VPC/VNet segmentation                          │
│  ├── Security Groups / NSGs                         │
│  ├── NACLs / Firewall Rules                         │
│  └── VPN / Private Link                             │
│                                                     │
│  Layer 3: IDENTITY                                  │
│  ├── IAM policies (least privilege)                 │
│  ├── MFA everywhere                                 │
│  ├── Service accounts governance                    │
│  └── Federation & SSO                               │
│                                                     │
│  Layer 4: APPLICATION                               │
│  ├── Input validation                               │
│  ├── Secrets management (Vault)                     │
│  ├── Container security (image scanning)            │
│  └── API security (auth, rate limiting)             │
│                                                     │
│  Layer 5: DATA                                      │
│  ├── Encryption at rest (KMS managed)               │
│  ├── Encryption in transit (TLS 1.3)                │
│  ├── DLP (Data Loss Prevention)                     │
│  └── Backup & disaster recovery                     │
│                                                     │
│  Layer 6: MONITORING                                │
│  ├── CloudTrail/Activity Logs                       │
│  ├── Security Hub/Sentinel                          │
│  ├── GuardDuty/Defender                             │
│  └── SIEM integration                               │
└─────────────────────────────────────────────────────┘
```
Tagging Strategy for Security
| Tag Key | Purpose | Example Values |
|---|---|---|
| Environment | Identify the environment | prod, staging, dev |
| Owner | Responsible team | team-finance, team-hr |
| DataClassification | Data sensitivity | public, internal, confidential, restricted |
| CostCenter | Billing allocation | CC-1001, CC-2002 |
| Compliance | Regulatory requirement | pci, hipaa, gdpr, none |
Enforce tagging with AWS Config Rules, Azure Policy, or GCP Organization Policy. Resources without a complete set of tags must be flagged and remediated within 7 days.
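The enforcement rule above is easy to state and easy to get wrong in practice: a tag that is present but carries a value outside the agreed vocabulary (`production` instead of `prod`) is just as useless for automation as a missing one. The added example below (written for this page, not taken from it or from any cloud provider's rule library) evaluates resources in the shape of `aws resourcegroupstaggingapi get-resources` output against the table's keys and values, and attaches the 7-day remediation deadline to each finding. The resource list is constructed; the `team-` prefix rule for `Owner` and the `CC-NNNN` pattern for `CostCenter` are assumptions generalized from the example values in the table.

```python
"""Tag-compliance check against the tagging table. The resource list is
constructed in the shape of `aws resourcegroupstaggingapi get-resources`
output; the Owner prefix and CostCenter pattern are this example's assumptions."""
import re
from datetime import date, timedelta
from typing import Callable, Dict, List

# Required keys and the rule each value must satisfy.
TAG_POLICY: Dict[str, Callable[[str], bool]] = {
    "Environment": lambda v: v in {"prod", "staging", "dev"},
    "Owner": lambda v: v.startswith("team-"),                # assumed convention
    "DataClassification": lambda v: v in {"public", "internal",
                                          "confidential", "restricted"},
    "CostCenter": lambda v: re.fullmatch(r"CC-\d{4}", v) is not None,  # assumed pattern
    "Compliance": lambda v: v in {"pci", "hipaa", "gdpr", "none"},
}
REMEDIATION_SLA = timedelta(days=7)

# Constructed sample: one compliant resource, one with missing tags,
# one with tags present but values outside the vocabulary.
SAMPLE_RESOURCES = {"ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:s3:::payments-archive", "Tags": [
        {"Key": "Environment", "Value": "prod"},
        {"Key": "Owner", "Value": "team-finance"},
        {"Key": "DataClassification", "Value": "restricted"},
        {"Key": "CostCenter", "Value": "CC-1001"},
        {"Key": "Compliance", "Value": "pci"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc", "Tags": [
        {"Key": "Environment", "Value": "dev"},
        {"Key": "DataClassification", "Value": "internal"},
        {"Key": "CostCenter", "Value": "CC-2002"}]},
    {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:db:hr-db", "Tags": [
        {"Key": "Environment", "Value": "production"},
        {"Key": "Owner", "Value": "team-hr"},
        {"Key": "DataClassification", "Value": "confidential"},
        {"Key": "CostCenter", "Value": "finance"},
        {"Key": "Compliance", "Value": "gdpr"}]},
]}


def evaluate_tags(tags: List[Dict]) -> List[str]:
    """Violations for one resource: missing keys and out-of-vocabulary values."""
    present = {t["Key"]: t["Value"] for t in tags}
    violations = []
    for key, is_valid in TAG_POLICY.items():
        if key not in present:
            violations.append(f"missing:{key}")
        elif not is_valid(present[key]):
            violations.append(f"invalid:{key}={present[key]}")
    return violations


def noncompliant_resources(doc: Dict, found_on: date) -> List[Dict]:
    """Every resource with at least one violation, with its remediation deadline."""
    out = []
    for item in doc.get("ResourceTagMappingList", []):
        violations = evaluate_tags(item.get("Tags", []))
        if violations:
            out.append({"arn": item["ResourceARN"], "violations": violations,
                        "remediate_by": (found_on + REMEDIATION_SLA).isoformat()})
    return out


if __name__ == "__main__":
    for r in noncompliant_resources(SAMPLE_RESOURCES, date.today()):
        print(r["arn"])
        for v in r["violations"]:
            print("   ", v)
        print("    remediate by", r["remediate_by"])
```

Running this daily against the tagging API and feeding the output into a ticketing queue gives the 7-day clock a concrete start date; the same value rules can be expressed as an AWS Config `required-tags` evaluation or an Azure Policy `Audit` effect once the vocabulary is stable.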
Cloud security is a shared responsibility (the shared responsibility model). The cloud provider secures the infrastructure, but you are responsible for configuration, data, and access. Never assume the cloud provider has secured everything for you.
Run CSPM tooling automatically and continuously. Manual checking is not enough for a dynamic cloud environment. Automated remediation should be prioritized for critical misconfigurations such as public storage and overly permissive IAM.
9. Comprehension Quiz
1. What is CSPM?
2. What is the main cause of cloud security failures?
3. Which tool scans Terraform for security issues?
4. What does AWS GuardDuty do?
5. Why is a public S3 bucket dangerous?
Summary
- Misconfiguration: 99% of cloud failures are customer error
- IaC Scanning: Checkov/tfsec prevent misconfigurations before deployment
- Multi-Cloud: Prowler for AWS, ScoutSuite for multi-cloud
- Compliance: CIS Benchmarks as the hardening baseline
- Automation: automated remediation reduces human error