open source

Identify and remediate common cloud risks with the Datadog Cloud Security Atlas

March 30, 2023

We are pleased to announce the release of the Datadog Cloud Security Atlas, a searchable database of real-world attacks, vulnerabilities, and misconfigurations designed to help you understand and remediate risk in cloud environments.

Real-world cloud attacks

The Cloud Security Atlas features a wide range of real-world cloud attacks. For each attack, we provide a log sample (e.g., CloudTrail in AWS) and a threat detection or prevention methodology. This information enables you to gain a deeper understanding of the attack, how it works, and how to detect and prevent it in your own cloud environment.

For example, let's take a closer look at the "Stealing an EBS snapshot by creating a snapshot and sharing it" attack. In this scenario, an attacker gains access to an AWS account and creates a snapshot of an EBS volume containing sensitive data. They then share the snapshot with their own account, allowing them to access the data without the knowledge of the original account owner.

The first thing you'll see in the Cloud Security Atlas entry is some metadata about the attack, such as the platform (e.g., AWS) and service (e.g., EC2) it targets. Next, you'll see some information about the CloudTrail events generated when the attack is performed:

Then, you'll also see the Stratus Red Team command you can use to simulate the attack in your own environment as part of testing your detection tooling:

Finally, you'll find the mapping to any existing Datadog out-of-the-box detection rule, to ensure it's also actionable for customers.

Common vulnerabilities and misconfiguration in cloud environments

In addition to cloud attacks, Cloud Security Atlas also covers vulnerabilities and misconfigurations that are commonly found in cloud environments. For each vulnerability, the database provides an actionable way to identify and remediate vulnerable resources using the AWS CLI. This information can help you identify misconfigurations and take corrective measures to enhance your cloud security posture.

Let's see an example with "Security group exposes risky ports to the internet". After some information about the business and technical impact, you'll find a precise AWS CLI command you can use to identify relevant misconfigured security groups:

Finally, we provide remediation advice, along with the necessary AWS CLI commands to remediate the issue:

An opinionated stance on prioritization

Prioritizing cloud security investments can be a daunting task. Cloud Security Atlas is more than a neutral repository of security information—it gives you an opinionated stance on which attacks and vulnerabilities are the most critical to identify and address, to help you make better prioritization decisions for remediation.

First, the attacks featured in the database are proven, real-world exploits that represent a single step toward breaching an environment. They have all been observed in the wild, used by offensive actors, and most of the time publicly documented. Similarly, the vulnerabilities documented in Cloud Security Atlas are all actively exploitable by an attacker, and most of them have been exploited in publicly documented cloud data breaches. Finally, both attacks and vulnerabilities come with a risk scoring made of two dimensions: exploitability and impact.

With this level of context and insight, Cloud Security Atlas helps practitioners focus on remediating the most critical vulnerabilities.

All the content in Cloud Security Atlas is easily searchable, allowing you to quickly find information on specific attacks or vulnerabilities. You can enter the key terms you’re looking for information about, filter the results by the impacted service (CloudTrail, EC2, etc.), and specify whether you want to see attacks, vulnerabilities, or both. This user-friendly interface makes it easy for you to navigate the extensive database and find the information you need without hassle.

Persona-tailored content

Every entry in Cloud Security Atlas features a persona-based description, allowing you to understand the impact of the attack or vulnerability from both a business and technical security perspective. This approach ensures that you can effectively communicate the importance of addressing these issues to stakeholders at all levels of your organization.

What’s next?

Cloud Security Atlas currently focuses on AWS. As a next step, we'll add Azure and GCP content. We're also investigating adding maturity levels, which would allow you to tailor your view of the entry for a specific vulnerability or attack based on your organization’s current security maturity, so the content is aligned with your expectations. Finally, we'll be open sourcing the data behind Cloud Security Atlas, made up of schematized YAML files, to make it accessible and reusable by the community.

We also want to hear from you! In particular, we'd love to hear your feedback on Cloud Security Atlas—what do you like about it, and how would you improve it? Shoot us a message at and say hi!

Frequently Asked Questions

How does it compare to CloudVulnDB?

CloudVulnDB is a database that catalogues vulnerabilities identified and resolved within cloud provider services. This platform is primarily dedicated to the cloud provider's end of the shared responsibility model. In contrast, the Cloud Security Atlas is focused on actionable practices for practitioners concerning the customer's end of the shared responsibility model.

Did you find this article helpful?