Cloud computing services provide scalable and cost-effective solutions for data storage, processing, and collaboration. As their popularity grows, so do concerns about security vulnerabilities that lead to data breaches and to sophisticated attacks such as ransomware. To address these, we first propose a generic framework that expresses the relations between cloud objects such as users, datastores, and security roles, in order to model the access control policies of a cloud system; access control misconfigurations are often the primary driver of cloud attacks. Second, we develop a PDDL model for detecting security vulnerabilities that can, for example, enable widespread attacks such as ransomware or the exfiltration of sensitive data. A planner then generates attack sequences that expose such vulnerabilities in the cloud configuration. Finally, we evaluate our approach on 14 real Amazon AWS cloud configurations from different commercial organizations. Our system identifies a broad range of security vulnerabilities that state-of-the-art industry tools cannot detect.
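The abstract describes modelling cloud objects and their relations as facts, encoding attacker capabilities as planning actions, and letting a planner search for attack sequences. The following is an added example and not the paper's framework or its PDDL model: a small STRIPS-style forward planner written in Python over a constructed, fictitious AWS-like configuration. The principal, role and bucket names, the attacker's initial foothold (leaked CI credentials), and the `iam:UpdateAssumeRolePolicy` misconfiguration are all assumptions chosen for illustration. The predicates and action schemas mirror what a PDDL `:init` and `:action` block would contain, and the same search is run against a hardened copy of the configuration to show the finding disappear.

```python
"""Toy attack planner over a cloud access-control model (added example, not the paper's code)."""
from collections import deque
from itertools import product

ATTACKER = "attacker"

# Constructed sample configuration, in the spirit of a PDDL :init block.
# Every name below is fictitious; the foothold and the misconfiguration are assumptions.
INITIAL_FACTS = frozenset({
    ("controls", ATTACKER, "ci-bot"),                                        # assumed foothold: leaked CI credentials
    ("can_assume", "ci-bot", "DataAnalyst"),                                 # role trust policy
    ("allows", "DataAnalyst", "s3:GetObject", "customer-pii"),
    ("allows", "DataAnalyst", "iam:UpdateAssumeRolePolicy", "BackupAdmin"),  # assumed misconfiguration
    ("allows", "BackupAdmin", "s3:PutObject", "backups"),
    ("allows", "BackupAdmin", "s3:DeleteObject", "backups"),
    ("sensitive", "customer-pii"),
    ("critical", "backups"),
})

# Hardened copy: the trust-policy edit permission is removed.
HARDENED_FACTS = INITIAL_FACTS - {("allows", "DataAnalyst", "iam:UpdateAssumeRolePolicy", "BackupAdmin")}

# Action schemas: (name, parameters, preconditions, add-effects), like PDDL :action blocks.
# Terms starting with "?" are variables bound during grounding.
ACTIONS = [
    ("assume-role", ("?p", "?r"),
     [("controls", ATTACKER, "?p"), ("can_assume", "?p", "?r")],
     [("controls", ATTACKER, "?r")]),
    ("update-trust-policy", ("?p", "?r"),
     [("controls", ATTACKER, "?p"), ("allows", "?p", "iam:UpdateAssumeRolePolicy", "?r")],
     [("can_assume", "?p", "?r")]),
    ("exfiltrate", ("?p", "?b"),
     [("controls", ATTACKER, "?p"), ("allows", "?p", "s3:GetObject", "?b"), ("sensitive", "?b")],
     [("exfiltrated", "?b")]),
    ("ransom", ("?p", "?b"),
     [("controls", ATTACKER, "?p"), ("allows", "?p", "s3:PutObject", "?b"),
      ("allows", "?p", "s3:DeleteObject", "?b"), ("critical", "?b")],
     [("encrypted", "?b")]),
]

# Goal conditions the planner tries to reach (attack outcomes to detect).
GOALS = {
    "exfiltration": {("exfiltrated", "customer-pii")},
    "ransomware": {("encrypted", "backups")},
}


def substitute(template, binding):
    """Replace variables in a fact template with their bound constants."""
    return tuple(binding.get(term, term) for term in template)


def constants(facts):
    """All object names mentioned in the facts (predicate names excluded)."""
    return sorted({term for fact in facts for term in fact[1:]})


def applicable(state, objects):
    """Yield (ground action, successor state) for every action whose preconditions hold."""
    for name, params, pre, add in ACTIONS:
        for values in product(objects, repeat=len(params)):
            binding = dict(zip(params, values))
            if all(substitute(p, binding) in state for p in pre):
                effects = {substitute(a, binding) for a in add}
                if not effects <= state:            # skip actions that change nothing
                    yield (name,) + values, state | effects


def plan(init, goal):
    """Breadth-first search for the shortest action sequence that satisfies goal, or None."""
    objects = constants(init)
    frontier = deque([(init, ())])
    seen = {init}
    while frontier:
        state, steps = frontier.popleft()
        if goal <= state:
            return list(steps)
        for action, nxt in applicable(state, objects):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, steps + (action,)))
    return None


def check(facts):
    """Run every goal against a configuration; a non-None plan is a finding."""
    return {name: plan(facts, goal) for name, goal in GOALS.items()}


if __name__ == "__main__":
    for label, facts in (("initial", INITIAL_FACTS), ("hardened", HARDENED_FACTS)):
        print(f"== {label} configuration ==")
        for goal, steps in check(facts).items():
            print(f"  {goal}: {'no path found' if steps is None else ' -> '.join(map(str, steps))}")
```

Each returned plan is a concrete attack path (which principal assumes which role, which permission is abused at each step), which is what makes a planner-based check more actionable than a per-policy lint: the finding disappears only when no sequence of permitted actions reaches the goal, as the hardened configuration shows for the ransomware goal while the exfiltration path remains.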