Digital Forensics: Cloud Security and Cloud Forensics Applied Scenarios

Applied-scenario drill on cloud security architecture and cloud forensics for the FACT digital forensics paper. Questions are pitched at the medium band, where a candidate must connect two cloud concepts (Shared Responsibility plus an IaaS-PaaS-SaaS breach, IAM policy JSON plus a privilege-escalation chain, CloudTrail event types plus an investigation path) rather than recall a single definition. Sub-topics cover the AWS Shared Responsibility Model across EC2, RDS, and WorkDocs; IAM policy reading for Principal, Action, Resource, and Condition; the iam:PassRole plus iam:CreatePolicyVersion escalation pattern; envelope encryption with AWS KMS; SSE-S3 vs SSE-KMS vs SSE-C selection; mTLS at the Application Load Balancer; CloudTrail data events vs management events for S3 object-level breaches; AssumeRole chain reading for cross-account attacks; EBS snapshot preservation under legal hold; VPC Flow Log field interpretation; Lambda forensics via CloudWatch Logs and X-Ray; EKS pod IAM via IRSA; CSPM vs CWPP vs CNAPP selection; CLOUD Act vs MLAT routing; DPDP Act 2023 cross-border rules; SAML 2.0 and OIDC token verification; KMS key rotation; BYOK vs HYOK custody; CloudTrail integrity validation; Azure Activity Log vs Diagnostic Settings; GCP Admin Activity vs Data Access logs; NIST SP 800-207 zero trust; NIST SP 800-86 forensic phases; NIST IR 8006 ephemeral-resource challenges; and CSA Cloud Controls Matrix v4 domains.

Designed for FACT aspirants, NFSU MSc cyber forensics candidates, and cloud incident responders who want a fast self-check against the AWS, Azure, and Google Cloud security stacks together. Citations are grounded in AWS, Microsoft, and Google official documentation, NIST SP 800-86, NIST SP 800-207, NIST IR 8006, OASIS SAML 2.0, OpenID Connect Core 1.0, the CLOUD Act 2018, and the Digital Personal Data Protection Act 2023.

Topics covered:

• Shared Responsibility scenarios across IaaS, PaaS, and SaaS breaches
• IAM policy reading and privilege-escalation chains in AWS
• Envelope encryption, key rotation, BYOK, and HYOK custody models
• CloudTrail management vs data events and integrity validation
• Cloud-platform investigation in AWS, Azure, and GCP audit logs
• Lambda, EKS, and container forensic surfaces and limits
• CSPM vs CWPP vs CNAPP and CCM v4 control mapping
• Zero trust, MLAT and CLOUD Act routing, and DPDP Act 2023 transfers

A medium-band paper that rewards joined-up thinking over single-fact recall. Allow 30 minutes.