MITRE ATT&CK for cloud is the cloud-specific matrix within the MITRE ATT&CK framework that documents how adversaries target cloud infrastructure, including AWS, Google Cloud, Azure, Microsoft 365, and Google Workspace, across the full attack lifecycle from initial access through exfiltration.
Does MITRE ATT&CK have a cloud-specific matrix?
Yes, and it’s one of the most practically useful resources for cloud security practitioners. If you’re not yet familiar with the MITRE ATT&CK framework generally, the existing CyberSpeak guide to MITRE ATT&CK provides the foundational context before diving into the cloud-specific matrix here.
The cloud security context for ATT&CK is straightforward: cloud environments have a distinct attack surface—IAM roles, API endpoints, cloud storage, managed services—and attackers have developed techniques specifically for that surface. The general ATT&CK Enterprise matrix covers some of these, but the cloud matrix provides cloud-native specificity: techniques targeting IaaS providers (AWS, Google Cloud, Azure), SaaS platforms (Microsoft 365, Google Workspace), and container platforms.
The cloud matrix is organized around the same tactic structure as the Enterprise matrix (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact) but with cloud-specific techniques under each tactic.
What are the most important MITRE ATT&CK cloud techniques to detect?
Not all ATT&CK techniques are equally likely to appear in real cloud incidents. These are the high-priority techniques for which security teams should build detection coverage first:
T1078—Valid Accounts: The single most commonly abused technique in cloud attacks. Attackers use compromised credentials obtained through phishing, credential stuffing, or API key exposure to authenticate as legitimate users. Detection relies on behavioral analytics that identify anomalous authentication patterns, not signature matching.
T1136—Create Account: Attackers who establish persistence in cloud environments often create new IAM users or service accounts to maintain access even if the original compromised credential is revoked. Detecting new account creation, especially outside normal provisioning workflows, is a high-value detection.
T1537—Transfer Data to Cloud Account: Exfiltration technique where an attacker copies data from a victim’s cloud storage to an attacker-controlled cloud account. Detecting unusual cross-account or cross-organization data transfers is critical for identifying data theft in progress.
T1530—Data from Cloud Storage Object: Direct access to cloud storage (S3 buckets, GCS buckets, Azure Blob storage) for data exfiltration. Unusually high GetObject request volumes or access from unexpected principals are key detection signals.
T1580—Cloud Infrastructure Discovery: Reconnaissance technique where attackers enumerate cloud resources (listing EC2 instances, IAM roles, S3 buckets) to understand the environment and identify targets. Unusual Describe/List API calls, especially in rapid succession, indicate discovery activity.
T1098—Account Manipulation: Modifying existing accounts or their permissions to maintain access or escalate privileges. IAM policy changes, group membership additions, and MFA device registration changes are key signals.
What is MITRE ATT&CK for AWS?
MITRE ATT&CK for AWS documents the specific techniques attackers use against Amazon Web Services infrastructure. AWS-specific techniques mapped to the cloud matrix include:
Initial Access: Exploiting exposed APIs, using compromised IAM credentials from credential stuffing or phishing (T1078), or abusing public-facing services.
Persistence: Creating new IAM users (T1136), adding IAM policies to existing accounts, registering malicious Lambda functions, or modifying EC2 user data scripts.
Privilege Escalation: Assuming high-privilege IAM roles (T1548), exploiting misconfigured trust policies, or using EC2 instance profiles to obtain temporary credentials with elevated permissions.
Defense Evasion: Disabling or modifying CloudTrail logging (T1562), deleting CloudTrail trails, or using AWS services that don’t generate standard audit events.
Credential Access: Querying the EC2 instance metadata service (IMDS) to retrieve the instance's IAM role credentials (the token-less IMDSv1 path stays available by default unless instances are configured to require IMDSv2), dumping credentials from Lambda environment variables, or reading secrets from Secrets Manager.
Exfiltration: Copying S3 data to attacker-controlled accounts (T1537), creating EBS snapshots or AMIs and sharing them with external accounts, or exfiltrating through DNS.
These AWS-specific techniques should be mapped against your current detection coverage, and gaps in high-priority technique categories should drive detection engineering priorities.
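As an added example of how the technique list and the AWS mappings above translate into detection logic (example code, not from the article, MITRE or AWS), the Python below classifies constructed CloudTrail-style records into the technique IDs discussed, treating T1580 discovery as a burst of Describe/List calls from one principal. The event-name-to-technique table, the sample records, the account ID and principal names, and the burst threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
# Illustrative CloudTrail eventName -> ATT&CK technique table (an assumption for this example,
# not an official MITRE or AWS mapping); the IDs are the ones discussed in the article.
EVENT_TECHNIQUE = {
    "CreateUser": "T1136",               # Create Account
    "CreateAccessKey": "T1098",          # Account Manipulation: additional cloud credentials
    "AttachUserPolicy": "T1098",         # Account Manipulation: additional permissions
    "StopLogging": "T1562",              # Impair Defenses: disable CloudTrail logging
    "DeleteTrail": "T1562",              # Impair Defenses: delete the trail
    "ModifySnapshotAttribute": "T1537",  # Transfer Data to Cloud Account: share a snapshot
}
# T1580 Cloud Infrastructure Discovery is a volume signal: many Describe*/List* calls in a short window.
DISCOVERY_THRESHOLD, DISCOVERY_WINDOW_SECONDS = 5, 60  # calls, seconds (assumed tuning values)

def _ev(time, name, user):  # constructed CloudTrail-style record carrying only the fields used below
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"}}

SAMPLE_EVENTS = [  # constructed sample data, not real log records
    _ev("2024-05-01T10:00:00Z", "CreateUser", "alice"),
    _ev("2024-05-01T10:00:07Z", "AttachUserPolicy", "alice"),
    _ev("2024-05-01T10:01:00Z", "StopLogging", "alice"),
    _ev("2024-05-01T10:02:00Z", "DescribeInstances", "bob"),
    _ev("2024-05-01T10:02:03Z", "ListBuckets", "bob"),
    _ev("2024-05-01T10:02:05Z", "ListRoles", "bob"),
    _ev("2024-05-01T10:02:08Z", "DescribeSecurityGroups", "bob"),
    _ev("2024-05-01T10:02:10Z", "ListUsers", "bob"),            # 5th call in 10s: threshold reached
    _ev("2024-05-01T10:02:15Z", "DescribeVolumes", "bob"),      # still in the burst: no duplicate alert
    _ev("2024-05-01T10:05:00Z", "DescribeInstances", "carol"),  # two calls 25 minutes apart:
    _ev("2024-05-01T10:30:00Z", "ListBuckets", "carol"),        # normal admin pace, no alert
]

def classify_events(events):
    """Return (technique_id, principal_arn, detail) findings in event-time order."""
    findings, recent = [], defaultdict(list)  # recent: arn -> Describe/List timestamps inside the window
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, arn = ev["eventName"], ev["userIdentity"]["arn"]
        if name in EVENT_TECHNIQUE:
            findings.append((EVENT_TECHNIQUE[name], arn, name))
        elif name.startswith(("Describe", "List")):
            t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            window = [x for x in recent[arn] if (t - x).total_seconds() <= DISCOVERY_WINDOW_SECONDS]
            window.append(t)
            recent[arn] = window
            if len(window) == DISCOVERY_THRESHOLD:  # fire once, as the burst crosses the threshold
                findings.append(("T1580", arn, f"{len(window)} Describe/List calls within {DISCOVERY_WINDOW_SECONDS}s"))
    return findings
```

In production the per-event table would be replaced by the detection rules already in your SIEM; the point is that each finding carries a technique ID, which is what the coverage mapping in the next section consumes.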
How does MITRE ATT&CK coverage work in cloud security?
ATT&CK coverage measurement answers the question: “Of the techniques documented in the cloud matrix, which ones do we have detection capability for?” Coverage is typically visualized using ATT&CK Navigator—a tool that allows teams to color-code techniques by detection status (covered, partially covered, no coverage) and export the resulting heatmap.
Coverage measurement is valuable for three reasons:
Prioritizing detection engineering. Not all coverage gaps are equally important. ATT&CK coverage analysis combined with threat intelligence about which techniques are most actively used against your industry helps prioritize where to build new detections first.
Communicating security posture to leadership. A coverage heatmap is a visually accessible way to show what percentage of documented cloud attack techniques your program can detect, and where the gaps are.
Evaluating MDR providers. Asking a potential MDR provider to demonstrate their ATT&CK cloud matrix coverage is one of the most concrete ways to assess detection quality. It moves the conversation from marketing claims to specific, verifiable capability.
How do you use MITRE ATT&CK to improve cloud security?
A practical workflow for using the ATT&CK cloud matrix to improve detection coverage:
- Map your current cloud detections to ATT&CK techniques. For each detection rule or alert you have in production, identify which technique(s) it covers.
- Visualize gaps using ATT&CK Navigator. Color-coded heatmaps make coverage gaps immediately visible across the full technique set.
- Cross-reference gaps against threat intelligence. Which uncovered techniques are most actively used against organizations in your industry or with your cloud profile?
- Prioritize detection engineering based on risk-weighted gaps. Post-exploitation techniques (lateral movement, credential access, exfiltration) are typically higher priority than initial access techniques that may be covered by other preventive controls.
- Test coverage validity. Having a detection mapped to a technique doesn’t guarantee it fires reliably. Periodic adversary simulation exercises—even simple tabletop walkthroughs of key technique scenarios—validate that detections work as expected.
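As an added example (not the article's, MITRE's or any vendor's code) tying the coverage-measurement section to steps 1 to 4 of this workflow: it maps a constructed detection inventory onto the article's priority techniques, ranks the gaps by a constructed threat-intelligence weight, and emits an ATT&CK Navigator layer that can be loaded to produce the heatmap. The rule names, statuses, weights and the `versions` values in the layer are assumptions; check the version strings against your Navigator release.

```python
import json
# Constructed detection inventory: rule name -> (ATT&CK techniques it maps to, detection status).
# Rule names and statuses are assumptions; the status tiers are the article's covered/partial/none.
DETECTIONS = {
    "console-login-from-unusual-geo":   (["T1078"], "partial"),
    "iam-create-user-outside-pipeline": (["T1136"], "covered"),
    "cloudtrail-stop-delete-update":    (["T1562"], "covered"),
    "iam-policy-attach-or-mfa-change":  (["T1098"], "partial"),
}
# Techniques the article singles out, each with a constructed threat-intel weight (1 low, 3 high).
PRIORITY_TECHNIQUES = {"T1078": 3, "T1136": 2, "T1537": 3, "T1530": 3,
                       "T1580": 2, "T1098": 2, "T1562": 2, "T1548": 2}
SCORE = {"none": 0, "partial": 1, "covered": 2}
COLOR = {"none": "#ff6666", "partial": "#ffe766", "covered": "#8ec843"}

def coverage_by_technique(detections, techniques):
    """Step 1: best detection status per technique; techniques no rule maps to stay 'none'."""
    status = {t: "none" for t in techniques}
    for techs, st in detections.values():
        for t in techs:
            if t in status and SCORE[st] > SCORE[status[t]]:
                status[t] = st
    return status

def coverage_percent(status):
    return 100.0 * sum(s == "covered" for s in status.values()) / len(status)

def prioritized_gaps(status, weights):
    """Steps 3-4: non-covered techniques, highest threat-intel weight first, least coverage first."""
    gaps = [(t, s) for t, s in status.items() if s != "covered"]
    return sorted(gaps, key=lambda ts: (-weights[ts[0]], SCORE[ts[1]]))

def navigator_layer(status, name="Cloud detection coverage"):
    """Step 2: an ATT&CK Navigator layer; the `versions` values are assumptions, match your install."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",  # cloud matrix techniques belong to the Enterprise domain
        "description": f"{coverage_percent(status):.0f}% of priority techniques fully covered",
        "techniques": [{"techniqueID": t, "score": SCORE[s], "color": COLOR[s],
                        "comment": s, "enabled": True} for t, s in sorted(status.items())],
        "legendItems": [{"label": s, "color": c} for s, c in COLOR.items()],
    }

if __name__ == "__main__":
    status = coverage_by_technique(DETECTIONS, PRIORITY_TECHNIQUES)
    for t, s in prioritized_gaps(status, PRIORITY_TECHNIQUES):
        print(f"gap: {t} ({s})")
    print(json.dumps(navigator_layer(status), indent=2))
```

Step 5 is deliberately not modelled: a technique showing green in the layer only means a rule is mapped to it, and whether that rule fires is established by the simulation exercises the text describes.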
Frequently asked questions
Does MITRE ATT&CK have a cloud-specific matrix?
Yes. MITRE ATT&CK includes a cloud matrix that documents adversary tactics and techniques specifically targeting cloud infrastructure, covering AWS, Google Cloud, Azure, Microsoft 365, and Google Workspace. It’s organized around the same tactic structure as the Enterprise matrix but with cloud-native techniques under each tactic. The cloud matrix is actively maintained and updated as new cloud-specific techniques are documented, making it a living reference rather than a static list.
What are the most important MITRE ATT&CK cloud techniques to detect?
High-priority cloud techniques include T1078 (Valid Accounts—credential abuse, the most common cloud initial access technique), T1136 (Create Account—persistence through new IAM user creation), T1537 (Transfer Data to Cloud Account—exfiltration to attacker-controlled storage), T1530 (Data from Cloud Storage Object—direct data theft from cloud storage), and T1580 (Cloud Infrastructure Discovery—reconnaissance enumeration of cloud resources). These should be treated as the baseline detection coverage requirement for any cloud security program. Gaps here represent significant risk given how frequently these techniques appear in real cloud incidents.
How does MITRE ATT&CK coverage work in cloud security?
MITRE ATT&CK coverage measures how many documented cloud attack techniques your detection capabilities can identify. Organizations use the ATT&CK Navigator to visualize coverage gaps and prioritize detection engineering. Coverage analysis is most valuable when combined with threat intelligence. Knowing which techniques are actively used against organizations in your industry helps prioritize where to close gaps first rather than treating all uncovered techniques equally.
What is MITRE ATT&CK for AWS?
MITRE ATT&CK for AWS documents adversary techniques targeting Amazon Web Services, including IAM abuse (using compromised credentials to assume roles and access resources), EC2 exploitation, S3 data theft (T1530, T1537), CloudTrail log deletion (defense evasion), and credential extraction from EC2 instance metadata service. AWS-specific technique knowledge is essential for building detection content that goes beyond generic cloud rules to catch techniques specific to how attackers operate in AWS environments.
How do I use MITRE ATT&CK to improve cloud security?
Map your current cloud detections to ATT&CK techniques, visualize gaps using ATT&CK Navigator, cross-reference gaps against threat intelligence to identify highest-risk uncovered techniques, and prioritize detection engineering accordingly. Use periodic adversary simulation exercises to validate that mapped detections actually fire as expected. Coverage on paper doesn’t always translate to reliable detection in production.
