The Problem

In many organisations, threat modelling is performed early in the project lifecycle, documented for compliance or assurance, and rarely revisited once systems go live. This creates a gap: you may understand the risks, but you have no way of knowing when those risks are being exploited in real time.

The Shift: From Design to Detection

To make threat modelling operationally useful, it needs to answer one question: how would we detect this in real time? This is where STRIDE becomes far more powerful. Instead of just identifying threats, we map each one directly to observable behaviours and detection use cases.

STRIDE Threat Hunting in Cloud Landing Zones
From threat model to live detection: each STRIDE category mapped to observable cloud behaviour, its detection source, the SIEM rule or alert, and a hunt query.

Spoofing (identity abuse)
Observable behaviour: unusual sign-in location; unexpected role assumption; new credential creation
Detection source: Entra sign-in logs; CloudTrail AssumeRole; UEBA risk score
SIEM rule / alert: impossible travel alert; cross-account role spike; MFA fatigue detection
Hunt query: sign-ins from a new ASN or country in the last 24h

Tampering (control change)
Observable behaviour: SCP or policy modified; security group rule added; S3 ACL or bucket policy edited
Detection source: AWS Config rules; CloudTrail write events; Azure Policy compliance
SIEM rule / alert: unauthorised config change; 0.0.0.0/0 rule created; IaC drift alert
Hunt query: config changes outside the approved change window

Information Disclosure (data exposure)
Observable behaviour: large S3 data download; public bucket created; API returning PII fields
Detection source: Macie, CASB, DLP; S3 access logs; WAF response inspection
SIEM rule / alert: S3 public access alert; high-volume GET spike; PII classification alert
Hunt query: bulk S3 GetObject by an identity not seen before

Elevation of Privilege (privilege escalation)
Observable behaviour: role policy attached; admin action by non-admin; PIM activation outside hours
Detection source: IAM Access Analyzer; Defender for Identity; PIM audit log
SIEM rule / alert: privilege escalation alert; high-risk IAM event; out-of-hours PIM alert
Hunt query: AttachRolePolicy by a user without the IAM admin role

Denial of Service (availability attack)
Observable behaviour: API request flood; Lambda concurrency limit hit; resource quota exhaustion
Detection source: WAF rate rules; CloudWatch alarms; AWS Shield metrics
SIEM rule / alert: 429 rate limit spike; throttle threshold breach; Shield DDoS detection
Hunt query: source IPs with more than 1000 requests per minute to a single endpoint

The shift: threat modelling at design generates the detection requirement; BAS validates that it fires at runtime.
Design → write rule → deploy → simulate with BAS → confirm alert fires → repeat on every architecture change
BreachForge maps all 10 scenarios to this detection chain · saleemyousaf.co.uk/breachforge

STRIDE Mapped to Cloud Detection

Spoofing

Becomes suspicious sign-ins, unusual identity provider behaviour, and unexpected role assumptions. Detection sources: Azure AD and Entra ID logs, AWS CloudTrail AssumeRole events, and identity protection alerts.

Tampering

Becomes policy drift, security control changes, and network rule modifications. Detection sources: Azure Policy, AWS Config, activity logs, and infrastructure drift detection.

Information Disclosure

Becomes unusual data access, bulk downloads, and public exposure of storage. Detection sources: S3 and Blob access logs, Defender for Cloud and Macie, and data exfiltration patterns.

Elevation of Privilege

Becomes risky role assignments, permission changes, and elevated actions following role changes. Detection sources: IAM logs, Privileged Identity Management, CloudTrail, and Azure Activity Logs.

Denial of Service

Becomes traffic spikes, resource exhaustion, and API abuse patterns. Detection sources: WAF logs, metrics and monitoring alerts, and load balancer telemetry.

Repudiation

Becomes unattributed privileged actions and missing or incomplete audit trails. Detection sources: centralised logging via SIEM and identity and session tracking.
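Three of the hunt queries from the table above (AttachRolePolicy by a non-admin, a 0.0.0.0/0 ingress rule, and bulk GetObject by an unseen identity), implemented as an added example over constructed CloudTrail records rather than the article's own tooling. The admin and known-reader allow-lists, the account ID and the bucket name are assumptions, and each finding carries the STRIDE category that generated the detection requirement.

```python
"""Three hunt queries from the STRIDE table, run over constructed CloudTrail
records (sample data, not real logs); findings are tagged with their STRIDE category."""
from collections import Counter

# Constructed sample CloudTrail records, trimmed to the fields the checks use.
EVENTS = [
    {"eventName": "AttachRolePolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"roleName": "AppRole",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci"},
     "requestParameters": {"ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
] + [  # twelve GetObject calls by an identity that has never read this bucket
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-bob"},
     "requestParameters": {"bucketName": "finance-exports", "key": f"report-{i}.csv"}}
    for i in range(12)
]

def hunt(events, iam_admins, known_s3_readers, bulk_threshold=10):
    """Return (stride, eventName, principal) findings for the three hunt queries."""
    findings, gets = [], Counter()
    for ev in events:
        name, who = ev["eventName"], ev["userIdentity"]["arn"]
        params = ev.get("requestParameters") or {}
        # Elevation of privilege: AttachRolePolicy by a principal without the IAM admin role
        if name == "AttachRolePolicy" and who not in iam_admins:
            findings.append(("Elevation of Privilege", name, who))
        # Tampering: security group ingress rule opened to 0.0.0.0/0
        if name == "AuthorizeSecurityGroupIngress":
            perms = params.get("ipPermissions", {}).get("items", [])
            if any(r.get("cidrIp") == "0.0.0.0/0"
                   for p in perms for r in p.get("ipRanges", {}).get("items", [])):
                findings.append(("Tampering", name, who))
        # Information disclosure: count GetObject calls per identity not in the baseline
        if name == "GetObject" and who not in known_s3_readers:
            gets[who] += 1
    for who, n in gets.items():
        if n >= bulk_threshold:  # bulk download by a previously unseen identity
            findings.append(("Information Disclosure", "GetObject", who))
    return findings

if __name__ == "__main__":
    admins = {"arn:aws:iam::111122223333:user/iam-admin"}
    readers = {"arn:aws:iam::111122223333:role/ReportReader"}
    for stride, event, who in hunt(EVENTS, admins, readers):
        print(f"{stride:<24} {event:<30} {who}")
```

In a real pipeline the allow-lists would come from the landing zone's identity baseline, and each finding would map back to the STRIDE row that generated the rule so the BAS run can confirm it fires.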

Why This Matters for Cloud Landing Zones

A landing zone is not just about networks, identity, and resource structure. It is the foundation for visibility and detection. If detection is not designed into the landing zone, logs may be incomplete, signals may be missed, and incidents may go undetected.

Architecture matters. But architecture without visibility is blind. The real value comes from connecting design to threats, threats to detection, and detection to response.