Compatibility

Multi-Cloud Support

Single tool coverage across AWS, Azure, GCP, Oracle Cloud, and Alibaba Cloud. Scan both IaC and source code with platform-specific resource mappings.

Amazon Web Services

Comprehensive coverage for EC2, S3, RDS, Lambda, IAM, and 100+ AWS services with provider-specific threat detection.

Microsoft Azure

Full support for Virtual Machines, Storage Accounts, SQL Database, App Service, and Azure Active Directory resources.

Google Cloud Platform

Complete analysis for Compute Engine, Cloud Storage, BigQuery, Cloud Functions, and GCP IAM configurations.

Oracle & Alibaba Cloud

Extended coverage for Oracle Cloud Infrastructure and Alibaba Cloud, ensuring consistent security across all platforms.

One Tool, All Clouds

Modern infrastructure spans multiple cloud providers. ThreatMitigator provides consistent, comprehensive security analysis across all major platforms—analyzing both Infrastructure as Code and application source code—without requiring different tools or switching contexts.

Whether you’re scanning Terraform configurations, application code using cloud SDKs, or both, ThreatMitigator detects threats across your entire cloud stack.

Supported Cloud Platforms

Amazon Web Services (AWS)

Extensive resource coverage:

  • Compute: EC2, Lambda, ECS, EKS, Batch
  • Storage: S3, EBS, EFS, FSx
  • Database: RDS, DynamoDB, DocumentDB, ElastiCache
  • Networking: VPC, Security Groups, ALB, NLB, CloudFront
  • Identity: IAM, Cognito, Secrets Manager
  • Security: KMS, CloudTrail, GuardDuty, Security Hub
  • Management: CloudWatch, Systems Manager

Example AWS Threats:

# Missing encryption on S3 bucket
id: T-AWS-S3-001
category: InformationDisclosure
resource: aws_s3_bucket
severity: high

# Overly permissive security group
id: T-AWS-EC2-002
category: InformationDisclosure
resource: aws_security_group
severity: critical

Microsoft Azure

Comprehensive platform support:

  • Compute: Virtual Machines, App Service, Container Instances, AKS
  • Storage: Blob Storage, File Storage, Disk Storage
  • Database: SQL Database, Cosmos DB, MySQL, PostgreSQL
  • Networking: Virtual Network, Application Gateway, Front Door
  • Identity: Active Directory, Key Vault, Managed Identity
  • Security: Security Center, Sentinel, Monitor
  • Management: Policy, Resource Manager

Example Azure Threats:

# Public storage account
id: T-AZURE-STORAGE-001
category: InformationDisclosure
resource: azurerm_storage_account
severity: high

# Missing network security group
id: T-AZURE-NETWORK-001
category: ElevationOfPrivilege
resource: azurerm_network_interface
severity: medium

Google Cloud Platform (GCP)

Complete GCP coverage:

  • Compute: Compute Engine, Cloud Functions, GKE, App Engine
  • Storage: Cloud Storage, Persistent Disks, Filestore
  • Database: Cloud SQL, Firestore, Bigtable, Spanner
  • Networking: VPC, Cloud Load Balancing, Cloud CDN
  • Identity: IAM, Identity Platform, Secret Manager
  • Security: Security Command Center, Cloud Armor
  • Management: Logging, Monitoring, Resource Manager

Example GCP Threats:

# Public GCS bucket
id: T-GCP-STORAGE-001
category: InformationDisclosure
resource: google_storage_bucket
severity: high

# Overly broad IAM binding
id: T-GCP-IAM-001
category: ElevationOfPrivilege
resource: google_project_iam_binding
severity: critical

Oracle Cloud Infrastructure (OCI)

OCI resource support:

  • Compute instances and boot volumes
  • Object Storage buckets
  • Autonomous Database
  • Virtual Cloud Networks
  • IAM policies and groups
  • Logging and monitoring

Alibaba Cloud

Alibaba Cloud coverage:

  • ECS instances
  • OSS buckets
  • RDS databases
  • VPC and security groups
  • RAM policies
  • ActionTrail logging

Platform-Specific Intelligence

Each cloud platform has unique security considerations. ThreatMitigator’s rules understand platform-specific nuances:

AWS-Specific

  • S3 bucket ACLs vs bucket policies
  • IAM policy evaluation logic
  • VPC endpoint security
  • Cross-region replication risks

Azure-Specific

  • Azure AD authentication patterns
  • Network security group vs application security group
  • Storage account firewall rules
  • Managed identity permissions

GCP-Specific

  • Uniform vs fine-grained bucket access
  • IAM vs legacy bucket ACLs
  • VPC service controls
  • Organization policy constraints

Consistent Methodology

Despite platform differences, ThreatMitigator applies the same STRIDE framework across all clouds:

# Scan IaC for all platforms
threatmitigator scan ./terraform/aws --format yaml
threatmitigator scan ./terraform/azure --format yaml
threatmitigator scan ./terraform/gcp --format yaml

# Scan source code for cloud SDK usage
threatmitigator scan ./src --code-only --format yaml

Results include:

  • Consistent severity ratings across platforms
  • Standardized threat categories
  • Comparable security posture metrics
  • Unified reporting format

Cloud SDK Detection in Source Code

ThreatMitigator’s Connectivity Scanner automatically detects cloud service usage in your application code:

AWS SDK Detection (Python, JavaScript, Java, Go, etc.):

import boto3

# Detected: S3 client connection
s3 = boto3.client('s3', region_name='us-east-1')
s3.upload_file('local.txt', 'my-bucket', 'remote.txt')

# Detected: DynamoDB connection
dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table('users')

Azure SDK Detection:

using Azure.Storage.Blobs;

// Detected: Azure Blob Storage connection
var blobClient = new BlobServiceClient(connectionString);
var container = blobClient.GetBlobContainerClient("uploads");

GCP SDK Detection:

const {Storage} = require('@google-cloud/storage');

// Detected: Google Cloud Storage connection
const storage = new Storage({projectId: 'my-project'});
const bucket = storage.bucket('my-bucket');

This comprehensive detection ensures threats are identified whether they’re defined in IaC or created dynamically in application code.
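The following is an added example of the connectivity-scanning idea described in this section; it is not ThreatMitigator's Connectivity Scanner and makes no claim about how that scanner works. It uses line-level regular expressions for boto3 (Python), the Azure .NET SDK and the @google-cloud Node packages, and it only reports an Azure or GCP client class when the same file also imports the matching SDK, so a local class that happens to be called Storage is not reported as Google Cloud Storage. The sample files are constructed (the first three reproduce the snippets above, the fourth is a deliberate non-match), and the class-to-service tables are this example's own.

```python
"""Find cloud SDK client construction in application source, per provider.
Added example, not ThreatMitigator's Connectivity Scanner."""
import re
import textwrap
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    file: str
    line: int
    provider: str
    service: str
    evidence: str


# boto3 names the service in the client/resource call itself.
_BOTO3 = re.compile(r"boto3\.(?:client|resource)\(\s*['\"](?P<svc>[\w-]+)['\"]")
# Azure and GCP clients are identified by class name; the tables below are
# this example's own (hypothetical) mapping from class to service.
_AZURE = re.compile(r"\bnew\s+(?P<cls>BlobServiceClient|QueueServiceClient|SecretClient|CosmosClient)\s*\(")
_GCP = re.compile(r"\bnew\s+(?P<cls>Storage|BigQuery|PubSub|Firestore)\s*\(")
AZURE_SERVICES = {"BlobServiceClient": "Blob Storage", "QueueServiceClient": "Queue Storage",
                  "SecretClient": "Key Vault", "CosmosClient": "Cosmos DB"}
GCP_SERVICES = {"Storage": "Cloud Storage", "BigQuery": "BigQuery",
                "PubSub": "Pub/Sub", "Firestore": "Firestore"}


def scan_source(path, text):
    """Return one Detection per SDK client created in the file, in line order."""
    lines = text.splitlines()
    # Require the SDK import before trusting a bare class name.
    imports_azure = any("using Azure." in l or "@azure/" in l or "from azure." in l for l in lines)
    imports_gcp = any("@google-cloud/" in l or "from google.cloud" in l for l in lines)
    found = []
    for number, line in enumerate(lines, start=1):
        code = line.strip()
        if code.startswith(("#", "//")):
            continue  # comment-only line
        if m := _BOTO3.search(code):
            found.append(Detection(path, number, "AWS", m.group("svc"), code))
        if imports_azure and (m := _AZURE.search(code)):
            found.append(Detection(path, number, "Azure", AZURE_SERVICES[m.group("cls")], code))
        if imports_gcp and (m := _GCP.search(code)):
            found.append(Detection(path, number, "GCP", GCP_SERVICES[m.group("cls")], code))
    return found


# Constructed sample files: the three snippets from the page plus a local
# class named Storage that must not be reported.
SAMPLE_FILES = {
    "app/upload.py": textwrap.dedent("""\
        import boto3

        # Detected: S3 client connection
        s3 = boto3.client('s3', region_name='us-east-1')
        s3.upload_file('local.txt', 'my-bucket', 'remote.txt')

        # Detected: DynamoDB connection
        dynamodb = boto3.resource('dynamodb')
        table = dynamodb.Table('users')
        """),
    "app/BlobUpload.cs": textwrap.dedent("""\
        using Azure.Storage.Blobs;

        // Detected: Azure Blob Storage connection
        var blobClient = new BlobServiceClient(connectionString);
        var container = blobClient.GetBlobContainerClient("uploads");
        """),
    "app/gcs.js": textwrap.dedent("""\
        const {Storage} = require('@google-cloud/storage');

        // Detected: Google Cloud Storage connection
        const storage = new Storage({projectId: 'my-project'});
        const bucket = storage.bucket('my-bucket');
        """),
    "app/local_store.js": textwrap.dedent("""\
        const Storage = require('./storage');

        // Local class, not a cloud SDK: must not be reported
        const store = new Storage({root: '/tmp/cache'});
        """),
}


def scan_all(files=None):
    """Scan every (path, text) pair and return the combined detections."""
    files = SAMPLE_FILES if files is None else files
    results = []
    for path, text in files.items():
        results.extend(scan_source(path, text))
    return results


if __name__ == "__main__":
    for d in scan_all():
        print(f"{d.file}:{d.line} {d.provider} {d.service}: {d.evidence}")
```

The import check is the part worth copying: a class name alone is weak evidence, and a real scanner would additionally resolve imports per language (for example with Python's ast module) rather than matching lines.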

Multi-Cloud Workflows

Hybrid Cloud Analysis

Analyze infrastructure spanning multiple clouds in a single scan:

threatmitigator scan ./infrastructure --format json
# Scans AWS, Azure, and GCP configs in one pass

Platform Comparison

Compare security posture across cloud providers:

threatmitigator scan ./aws --output aws-threats.yaml
threatmitigator scan ./azure --output azure-threats.yaml
threatmitigator diff aws-threats.yaml azure-threats.yaml
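What "comparable security posture metrics" and a cross-platform diff amount to, as an added example that is not the output of `threatmitigator diff` and not ThreatMitigator's own code: both reports are normalized to the shared STRIDE category and severity vocabulary, so counts and a weighted score can be compared even though the underlying resource types differ. The two finding lists are constructed in the shape of the page's example threat entries (as yaml.safe_load would return them for aws-threats.yaml and azure-threats.yaml), and the severity weights are an assumed scoring, not the tool's.

```python
"""Summarize and compare per-provider threat reports on the shared STRIDE scale.
Added example; the weights are assumed, the finding lists are constructed."""
from collections import Counter

STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "InformationDisclosure", "DenialOfService", "ElevationOfPrivilege")
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}  # assumed weights

# Constructed findings shaped like the page's example entries.
AWS_THREATS = [
    {"id": "T-AWS-S3-001", "category": "InformationDisclosure",
     "resource": "aws_s3_bucket", "severity": "high"},
    {"id": "T-AWS-S3-001", "category": "InformationDisclosure",
     "resource": "aws_s3_bucket", "severity": "high"},
    {"id": "T-AWS-EC2-002", "category": "InformationDisclosure",
     "resource": "aws_security_group", "severity": "critical"},
]
AZURE_THREATS = [
    {"id": "T-AZURE-STORAGE-001", "category": "InformationDisclosure",
     "resource": "azurerm_storage_account", "severity": "high"},
    {"id": "T-AZURE-NETWORK-001", "category": "ElevationOfPrivilege",
     "resource": "azurerm_network_interface", "severity": "medium"},
]


def validate(findings):
    """Reject findings outside the shared vocabulary so reports stay comparable."""
    for f in findings:
        if f["category"] not in STRIDE:
            raise ValueError(f'{f["id"]}: unknown STRIDE category {f["category"]!r}')
        if f["severity"] not in SEVERITY_WEIGHT:
            raise ValueError(f'{f["id"]}: unknown severity {f["severity"]!r}')


def posture(findings):
    """Counts per STRIDE category and per severity, plus a weighted risk score."""
    validate(findings)
    by_category = Counter(f["category"] for f in findings)
    by_severity = Counter(f["severity"] for f in findings)
    return {
        "categories": {c: by_category.get(c, 0) for c in STRIDE},
        "severities": {s: by_severity.get(s, 0) for s in SEVERITY_WEIGHT},
        "score": sum(SEVERITY_WEIGHT[f["severity"]] for f in findings),
        "total": len(findings),
    }


def compare(left, right):
    """Right-minus-left deltas per category, per severity and for the score."""
    a, b = posture(left), posture(right)
    return {
        "categories": {c: b["categories"][c] - a["categories"][c] for c in STRIDE},
        "severities": {s: b["severities"][s] - a["severities"][s] for s in SEVERITY_WEIGHT},
        "score": b["score"] - a["score"],
    }


if __name__ == "__main__":
    for name, report in (("aws", AWS_THREATS), ("azure", AZURE_THREATS)):
        p = posture(report)
        print(f"{name}: {p['total']} findings, score {p['score']}, "
              + ", ".join(f"{c}={n}" for c, n in p["categories"].items() if n))
    print("azure minus aws:", compare(AWS_THREATS, AZURE_THREATS))
```

The same compare() applies unchanged to two scans of one platform taken before and after a change, which is the more common use of a diff in a pipeline.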

Unified Reporting

Generate consolidated security reports across all platforms:

threatmitigator scan ./multi-cloud \
  --format sarif \
  --output consolidated-threats.sarif

Custom Multi-Cloud Rules

Extend detection with organization-specific rules that work across platforms:

id: CUSTOM-ENCRYPTION-001
stride_category: InformationDisclosure
severity: high
description: All storage must use customer-managed encryption keys

cloud_mappings:
  AWS:
    - resource_type: aws_s3_bucket
      checks:
        - condition: "kms_key_id is empty"
  Azure:
    - resource_type: azurerm_storage_account
      checks:
        - condition: "customer_managed_key not configured"
  GCP:
    - resource_type: google_storage_bucket
      checks:
        - condition: "encryption.default_kms_key_name is empty"
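How a rule with per-cloud mappings like the one above can be applied to parsed IaC, as an added example that is not ThreatMitigator's rule engine: it assumes the cloud_mappings shape shown above, reads the two condition forms that appear there ("<attr> is empty" and "<attr> not configured") as "attribute absent or blank", and matches resources by Terraform type so the same rule yields findings for S3, Storage Accounts and GCS buckets. The rule is embedded as the dict yaml.safe_load would return for the YAML above; the resources are constructed samples in the shape of parsed Terraform blocks, with placeholder key identifiers.

```python
"""Apply a cross-cloud rule such as CUSTOM-ENCRYPTION-001 to parsed IaC resources.
Added example, not ThreatMitigator's engine; condition grammar is assumed."""
import re

# The rule from the page, as the dict yaml.safe_load would return for it.
CUSTOM_ENCRYPTION_001 = {
    "id": "CUSTOM-ENCRYPTION-001",
    "stride_category": "InformationDisclosure",
    "severity": "high",
    "description": "All storage must use customer-managed encryption keys",
    "cloud_mappings": {
        "AWS": [{"resource_type": "aws_s3_bucket",
                 "checks": [{"condition": "kms_key_id is empty"}]}],
        "Azure": [{"resource_type": "azurerm_storage_account",
                   "checks": [{"condition": "customer_managed_key not configured"}]}],
        "GCP": [{"resource_type": "google_storage_bucket",
                 "checks": [{"condition": "encryption.default_kms_key_name is empty"}]}],
    },
}

# Constructed sample resources; key identifiers are placeholders, not real ids.
SAMPLE_RESOURCES = [
    {"type": "aws_s3_bucket", "name": "logs",
     "attributes": {"kms_key_id": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}},
    {"type": "aws_s3_bucket", "name": "uploads", "attributes": {}},
    {"type": "azurerm_storage_account", "name": "stassets",
     "attributes": {"customer_managed_key": {"key_vault_key_id": "PLACEHOLDER"}}},
    {"type": "google_storage_bucket", "name": "backups",
     "attributes": {"encryption": {"default_kms_key_name": ""}}},
    {"type": "google_compute_instance", "name": "web", "attributes": {}},  # no mapping
]

# Only the two condition forms used on the page are supported (assumed grammar).
_CONDITION = re.compile(r"^(?P<path>[\w.]+)\s+(?:is empty|not configured)$")


def lookup(attrs, dotted_path):
    """Walk a dotted path through nested dicts; None when any step is missing."""
    current = attrs
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def check_fails(condition, attrs):
    """True when the condition describes the resource, i.e. the attribute is absent or blank."""
    match = _CONDITION.match(condition)
    if match is None:
        raise ValueError(f"unsupported condition syntax: {condition!r}")
    value = lookup(attrs, match.group("path"))
    return value is None or value == "" or value == {} or value == []


def evaluate(rule, resources):
    """Return one finding per resource that fails a check of its provider mapping."""
    mapping_by_type = {}
    for provider, mappings in rule["cloud_mappings"].items():
        for mapping in mappings:
            mapping_by_type[mapping["resource_type"]] = (provider, mapping["checks"])

    findings = []
    for res in resources:
        if res["type"] not in mapping_by_type:
            continue  # the rule says nothing about this resource type
        provider, checks = mapping_by_type[res["type"]]
        failed = [c["condition"] for c in checks
                  if check_fails(c["condition"], res.get("attributes", {}))]
        if failed:
            findings.append({
                "rule": rule["id"],
                "stride_category": rule["stride_category"],
                "severity": rule["severity"],
                "provider": provider,
                "resource": f'{res["type"]}.{res["name"]}',
                "failed_conditions": failed,
            })
    return findings


if __name__ == "__main__":
    for finding in evaluate(CUSTOM_ENCRYPTION_001, SAMPLE_RESOURCES):
        print(f'{finding["severity"]:<8} {finding["provider"]:<6} {finding["resource"]}: '
              + "; ".join(finding["failed_conditions"]))
```

Unsupported condition text raises rather than silently passing, which is the safer failure mode for a rule that is meant to block unencrypted storage: a typo in a condition should break the scan, not disable the check.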

Performance Across Platforms

ThreatMitigator maintains consistent performance regardless of cloud provider:

  • AWS scan (1000 resources): ~100ms
  • Azure scan (1000 resources): ~100ms
  • GCP scan (1000 resources): ~100ms
  • Multi-cloud scan (3000 resources): ~330ms

With ThreatMitigator, you get comprehensive security analysis across your entire multi-cloud infrastructure with a single, fast, and reliable tool.

See it in action

Unified threat detection across all major cloud platforms with a single tool and consistent methodology.


Ready to Secure Your Infrastructure?

Join teams already using ThreatMitigator to identify security threats in their Terraform code.