CSA CCM AIS-06

Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AIS-06 Automated Secure Application Deployment mitigates T1556.009 Conditional Access Policies
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. By modifying conditional access policies, such as adding additional trusted IP ranges, removing Multi-Factor Authentication requirements, or allowing additional Unused/Unsupported Cloud Regions, adversaries may be able to ensure persistent access to accounts and circumvent defensive measures. Secure deployment templates can limit a user's ability to modify conditional access policies to only those required, which may limit this technique.
AIS-06 Automated Secure Application Deployment mitigates T1072 Software Deployment Tools
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may gain access to and use configuration management and software deployment applications to execute commands and move laterally through the network. Security requirements for secure application deployment, such as granting access to application deployment systems only to authorized users and administrators, or ensuring the application deployment system can be configured to deploy only signed binaries, can mitigate the adversary's abuse of this technique to execute commands and move laterally through the network.
AIS-06 Automated Secure Application Deployment mitigates T1648 Serverless Execution
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. For example, in Microsoft 365 environments, an adversary may create a Power Automate workflow that forwards all emails a user receives or creates anonymous sharing links whenever a user is granted access to a document in SharePoint. Secure deployment templates and IaC scripts can restrict unusual serverless function modifications, such as adding roles to a function that allow unauthorized access or execution.
AIS-06 Automated Secure Application Deployment mitigates T1666 Modify Cloud Resource Hierarchy
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. Secure deployment templates should restrict the ability to openly make changes to resource groups, such as creating new resource groups, which may mitigate the abuse of this technique.
AIS-06 Automated Secure Application Deployment mitigates T1610 Deploy Container
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may deploy a container into a cloud environment to facilitate execution or evade defenses. The control outlines scanning images before deployment and blocking those that are not in compliance with security policies, which can mitigate this technique.
AIS-06 Automated Secure Application Deployment mitigates T1546 Event Triggered Execution
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events. Secure deployment templates and tools that limit the modification of cloud resources that may be abused for persistence, such as functions and workflows monitoring cloud events, could mitigate this technique.
AIS-06 Automated Secure Application Deployment mitigates T1671 Cloud Application Integration
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends. Secure deployment templates may mitigate the ability of an adversary to deploy malicious additions and changes to applications in the SaaS environment.
AIS-06 Automated Secure Application Deployment mitigates T1525 Implant Internal Image
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Secure deployment templates and checking the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software may aid in mitigating this technique.
AIS-06 Automated Secure Application Deployment mitigates T1535 Unused/Unsupported Cloud Regions
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Deployment templates and IaC scripts enforce the regions in which a deployment can occur and mitigate the ability of a compromised deployment to occur in an unused/unsupported region.
AIS-06 Automated Secure Application Deployment mitigates T1496 Resource Hijacking
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may abuse compute resources within a victim's cloud environment by modifying any tenant-wide policies that limit the sizes of deployed virtual machines. Deployment templates and automated rollback can enforce resource quotas, network segmentation, and least-privilege IAM roles, reducing the ability of a compromised deployment to be repurposed for crypto-mining or other illicit compute use.
AIS-06 Automated Secure Application Deployment mitigates T1578.005 Modify Cloud Compute Configurations
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling T1535: Unused/Unsupported Cloud Regions. Enforcing approved deployment regions and vetting deployed applications and resources under this control may reduce the chance that malicious cloud applications can be deployed.
AIS-06 Automated Secure Application Deployment mitigates T1578 Modify Cloud Compute Infrastructure
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may also modify settings that affect where cloud resources can be deployed, such as enabling T1535: Unused/Unsupported Cloud Regions. Enforcing approved deployment regions and vetting deployed applications and resources under this control may reduce the chance that malicious cloud applications can be deployed.
AIS-06 Automated Secure Application Deployment mitigates T1068 Exploitation for Privilege Escalation
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. The automated patch‑management system could ensure OS, runtime, and application vulnerabilities are remediated quickly, removing the exploitable footholds attackers use to elevate privileges after a compromised deployment.
AIS-06 Automated Secure Application Deployment mitigates T1195.001 Compromise Software Dependencies and Development Tools
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Standardized deployment templates, a curated list of approved automation/deployment tools, and vetting of IaC libraries reduce the chance that malicious third‑party code or compromised build tools enter the pipeline.
AIS-06 Automated Secure Application Deployment mitigates T1190 Exploit Public-Facing Application
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may attempt to exploit a weakness in a cloud-hosted application through software bugs or even deployment misconfigurations. Protecting cloud-hosted applications through standardized security configurations and deployment templates can mitigate the impact of this technique.