Capital One Case Study

The document is a case study report on the Capital One AWS Cloud Data Breach that occurred in July 2019, exposing sensitive data of over 100 million customers. It analyzes the risks associated with cloud computing environments, highlighting vulnerabilities in configuration management and identity access controls, and emphasizes the importance of proactive auditing and compliance. The report outlines various risk control measures and concludes that effective risk management can significantly reduce residual risks in cloud security.


CAPITAL ONE AWS CLOUD DATA BREACH (2019)

21CSC308T – SECURITY RISK MANAGEMENT PRINCIPLES

Submitted by

SAI PRASHANTH
[RA2311030010220]

DEPARTMENT OF NETWORKING AND COMMUNICATIONS

FACULTY OF ENGINEERING AND TECHNOLOGY

SRM INSTITUTE OF SCIENCE AND TECHNOLOGY


KATTANKULATHUR – 603 203
NOV 2025
SRM INSTITUTE OF SCIENCE AND TECHNOLOGY, KATTANKULATHUR – 603 203
BONAFIDE CERTIFICATE

This is to certify that the Case Study Report titled “Capital One AWS Cloud Data Breach
(2019)” is a Bonafide record of work carried out by the following student as part of the
course 21CSC308T - Security Risk Management Principles, during the academic year
2025–2026.

This report has been submitted in partial fulfillment of the requirements for the successful
completion of the course and has not been submitted elsewhere for any academic or non-
academic purpose.

The work is found to be satisfactory and is hereby accepted.

Submitted by:

Register Number Name of Student


RA2311030010220 SAI PRASHANTH

Date of Submission:

Faculty Signature                                  HoD/NWC
Mrs. R. Abirami                                    Dr. M. Lakshmi
Assistant Professor                                Professor & Head
Dept of Networking and Communications              Dept of Networking and Communications
RISK IDENTIFICATION AND CONTROL REPORT

1. CASE/SCENARIO TITLE
Case Study on the Capital One AWS Cloud Data Breach (2019)

2. INTRODUCTION
Capital One is one of the largest banks in the United States and among the largest credit card issuers worldwide. In July 2019 Capital One disclosed one of the most significant cloud data breaches in financial history: an intrusion carried out in March 2019 had exposed sensitive data of over 100 million customers held in the bank's AWS environment.
The scope of this report is information security risk identification and control in a cloud computing environment (AWS), analysing the threats, vulnerabilities, and mitigation strategies related to the incident. The case demonstrates how weaknesses in configuration management, identity and access controls, and continuous monitoring can lead to severe financial and reputational consequences even in an organization with a mature security program.
This case study also aims to bridge theoretical risk management principles with a real-world incident. It applies frameworks such as ISO 27005, NIST SP 800-30, and the AWS Shared Responsibility Model, and emphasizes proactive auditing, automated controls, and regular compliance reviews as the means of strengthening cloud security posture and resilience against evolving cyber threats.

3. ASSET IDENTIFICATION

Asset ID | Asset Description                            | Owner/Department                 | Importance
------------------------------------------------------------------------------------------------------
A1       | AWS S3 buckets storing customer data         | Cloud Operations / IT Security   | High
A2       | Web Application Firewall (WAF) configuration | Network Security Team            | High
A3       | IAM roles and policies                       | Cloud Infrastructure Team        | High
A4       | Customer financial and personal data         | Data Governance Department       | Critical
A5       | CloudTrail and audit logs                    | Security Operations Center (SOC) | Medium

4. RISK IDENTIFICATION
4.1 THREAT IDENTIFICATION

Threat ID | Threat Description                         | Source/Reference       | Potential Impact                         | Likelihood
--------------------------------------------------------------------------------------------------------------------------
T1        | Unauthorized access through SSRF exploit   | NIST SP 800-30         | High data exposure and data theft        | High
T2        | Insider misuse of privileged credentials   | ISO 27005              | Financial loss and data manipulation     | Medium
T3        | Lack of continuous monitoring and alerting | ENISA Threat Landscape | Delayed detection of breach              | High
T4        | Misconfiguration of cloud services         | NIST SP 800-53         | Exposure of customer data                | High
T5        | Weak IAM policy and overprivileged access  | ISO 27001              | Escalation of access and data compromise | High

4.2 VULNERABILITY IDENTIFICATION

Vulnerability ID | Vulnerability Description                                     | Asset Linked | Source Document                | Severity
-----------------------------------------------------------------------------------------------------------------------------------
V1               | Misconfigured WAF allowing SSRF                               | A2           | AWS Security Bulletin          | High
V2               | Over-privileged IAM roles without least-privilege enforcement | A3           | ISO 27005 Risk Guidelines      | High
V3               | Incomplete encryption of stored data                          | A1           | Capital One Breach Report 2019 | Medium
V4               | Lack of real-time anomaly detection                           | A5           | NIST SP 800-137                | High
V5               | Poor network segmentation between systems                     | A1, A2       | AWS Security Whitepaper        | Medium

4.3 THREAT–VULNERABILITY PAIRING

Pair ID | Threat                | Vulnerability                 | Asset Affected | Possible Consequence
-------------------------------------------------------------------------------------------------------------
P1      | T1 – SSRF exploit     | V1 – Misconfigured WAF        | A2             | Unauthorized access to internal resources
P2      | T4 – Misconfiguration | V2 – Overprivileged IAM       | A3             | Full access to S3 buckets and data theft
P3      | T3 – No monitoring    | V4 – Lack of real-time alerts | A5             | Breach undetected for an extended time
P4      | T5 – Weak IAM         | V2 – Role misuse              | A1             | Unauthorized download of sensitive data
P5      | T2 – Insider misuse   | V5 – Network gap              | A4             | Internal data leakage or manipulation

5. RISK ANALYSIS
5.1 RISK RATING MATRIX

Risk Score = Likelihood (1–5) × Impact (1–5).

Risk ID | Threat–Vulnerability Pair           | Likelihood (1–5) | Impact (1–5) | Risk Score | Risk Level
--------------------------------------------------------------------------------------------------------
R1      | P1 – SSRF + Misconfigured WAF       | 5                | 5            | 25         | High
R2      | P2 – Misconfiguration + IAM Access  | 5                | 5            | 25         | High
R3      | P3 – No Monitoring + Lack of Alerts | 4                | 4            | 16         | High
R4      | P4 – Weak IAM + Role Misuse         | 4                | 5            | 20         | High
R5      | P5 – Insider Threat + Network Gap   | 3                | 4            | 12         | Medium

6. RISK CONTROL / MITIGATION MEASURES
6.1 CONTROL OPTIONS
Effective risk control strategies are crucial to minimizing the likelihood and
impact of cloud security incidents. For the Capital One breach, this report
identifies a combination of preventive, detective, and corrective controls that
strengthen the organization's cloud security posture.

Preventive Controls
These controls aim to stop incidents before they occur by addressing
vulnerabilities and improving configurations.
• Enforce IAM Least Privilege Principle – provide users and roles only the
permissions necessary for their function.
• Implement Multi-Factor Authentication (MFA) for all administrative and
cloud accounts.
• Harden WAF and reverse-proxy configurations against SSRF. In this incident
the SSRF reached the EC2 instance metadata service (169.254.169.254) and
returned the temporary credentials of the instance's IAM role; requiring
IMDSv2 (session-token based access with a response hop limit of 1) stops a
forwarded HTTP request from retrieving those credentials.
• Ensure default encryption (SSE-KMS) for all stored data in S3 buckets, and
restrict kms:Decrypt in the key policy to the principals that must read the
data. Encryption at rest alone does not protect against a caller holding valid
role credentials: Capital One's own statement notes that the unauthorized
access also enabled decryption, and that only tokenized fields (Social
Security and account numbers) stayed protected.
• Conduct automated configuration compliance checks using AWS Config
Rules or Cloud Custodian.
• Establish secure software deployment pipelines with DevSecOps
integration to identify misconfigurations early.
• Implement segregation of duties (SoD) between development,
operations, and audit teams to prevent internal misuse.
• Use strong key management practices through AWS Key Management
Service (KMS).
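The least-privilege bullet above is the control that would have contained this incident even with the SSRF in place: the attacker's S3 calls succeeded only because the WAF host's instance role was allowed to reach every bucket. The following Python is an added example, not code from the original report or from Capital One or AWS. The evaluator is a deliberately minimal model of IAM's Effect/Action/Resource matching (no Condition keys), and the role name, bucket names and both policies are constructed for illustration.

```python
"""Least privilege for the WAF's instance role, shown as a policy check.

Hypothetical, minimal evaluator for the IAM policy language: it handles
Effect/Action/Resource with IAM's '*' and '?' wildcards and the rule that an
explicit Deny wins over any Allow (Condition keys are not modelled). The role,
bucket names and the 'overprivileged' policy below are constructed for
illustration; they are not Capital One's real configuration.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM matches action names case-insensitively.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """True if the policy permits `action` on `resource`.

    Default deny; an explicit Deny on a matching statement overrides any Allow.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt["Action"], action)
                and _resource_matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed: the shape of an over-broad policy on an instance role. Any call
# made with this role's temporary credentials, including one made by an
# attacker who fetched them through SSRF, can enumerate and read every bucket.
OVERPRIVILEGED_WAF_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed: the same role scoped to what a WAF host actually needs, i.e.
# read its rule set from one bucket and write its logs to another, plus an
# explicit Deny so a broader Allow attached later still cannot reach customer data.
LEAST_PRIVILEGE_WAF_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-waf-config/*"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-waf-logs/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-customer-data",
                      "arn:aws:s3:::example-customer-data/*"]},
    ],
}

# The sequence an attacker holding the role's credentials issues:
# enumerate buckets, list one, then download objects from it.
ATTACKER_CALLS = [
    ("s3:ListAllMyBuckets", "*"),
    ("s3:ListBucket", "arn:aws:s3:::example-customer-data"),
    ("s3:GetObject", "arn:aws:s3:::example-customer-data/applications/2019/part-0001.csv"),
]

# What the WAF host legitimately does.
LEGITIMATE_CALLS = [
    ("s3:GetObject", "arn:aws:s3:::example-waf-config/rules/modsecurity.conf"),
    ("s3:PutObject", "arn:aws:s3:::example-waf-logs/2019/07/access.log"),
]


def permitted(policy, calls):
    """The subset of (action, resource) pairs the policy lets through."""
    return [call for call in calls if is_allowed(policy, *call)]


if __name__ == "__main__":
    for name, policy in [("overprivileged", OVERPRIVILEGED_WAF_ROLE),
                         ("least-privilege", LEAST_PRIVILEGE_WAF_ROLE)]:
        print(f"{name}: attacker calls allowed = {len(permitted(policy, ATTACKER_CALLS))}, "
              f"legitimate calls allowed = {len(permitted(policy, LEGITIMATE_CALLS))}")
```

Run as a script it reports how many attacker and legitimate calls each policy permits: the broad policy allows all of both, the narrow one allows the two legitimate calls and none of the attacker's. For real reviews use IAM Access Analyzer's policy checks or the IAM SimulatePrincipalPolicy API rather than a hand-written evaluator; the model here only makes visible that least privilege on the instance role breaks every step of the exfiltration sequence without affecting the WAF's own work.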

Detective Controls
Detective controls help identify security incidents as they occur or shortly
after.
• Enable Amazon GuardDuty for threat detection and anomaly monitoring; its
InstanceCredentialExfiltration findings cover the pattern in this case, EC2
instance-role credentials being used from outside the instance they were
issued to.
• Configure AWS CloudTrail and CloudWatch for logging and continuous
activity tracking. Object-level S3 calls such as GetObject are CloudTrail
data events and must be enabled explicitly; with management events alone, a
bulk download leaves only the preceding ListBuckets call in the trail.
• Set up SIEM (Security Information and Event Management) tools for
centralized log correlation and alerting.
• Perform regular vulnerability assessments and penetration testing to
uncover weaknesses.
• Implement automated alerts for unauthorized access attempts or data
exfiltration patterns.
• Conduct periodic configuration audits and compliance scans aligned
with ISO 27001.
• Enable user behavior analytics (UBA) to detect unusual access or
privilege escalation attempts.
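As an added example, not part of the original report or of any Capital One or AWS tooling, the following Python encodes two of the detective signals listed above as logic that runs over CloudTrail records: instance-role credentials used from an address outside the fleet's known egress ranges (the pattern behind GuardDuty's InstanceCredentialExfiltration finding) and a session that enumerates buckets and then reads from several of them. The events, account ID, role, instance ID, IP addresses and bucket names are constructed for the example.

```python
"""Detection logic for the two signals this breach left in CloudTrail.

Hypothetical example: a small detector over constructed CloudTrail-shaped
records. It raises (1) an EC2 instance-role session used from an IP address
outside the fleet's known egress ranges, and (2) a session that enumerates
buckets and then touches several of them. Account ID, role name, instance ID,
IP addresses and bucket names are invented for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed: the public ranges the WAF fleet is expected to call AWS from
# (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed role session whose session name is the instance ID: the shape
# CloudTrail records for credentials issued through an instance profile.
ROLE_SESSION = ("arn:aws:sts::123456789012:assumed-role/"
                "example-waf-role/i-0123456789abcdef0")


def _event(time, name, source_ip, bucket=None):
    """Build one record in the subset of CloudTrail's schema the detector reads."""
    return {
        "eventTime": time,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": source_ip,
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION},
        "requestParameters": {"bucketName": bucket} if bucket else None,
    }


# Constructed sample: the WAF host behaves normally, then the same role's
# credentials appear from an unknown address, enumerate buckets and read three.
SAMPLE_EVENTS = [
    _event("2019-03-22T10:00:00Z", "GetObject", "203.0.113.10", "example-waf-config"),
    _event("2019-03-22T11:02:00Z", "ListBuckets", "198.51.100.77"),
    _event("2019-03-22T11:02:30Z", "ListObjects", "198.51.100.77", "example-customer-data"),
    _event("2019-03-22T11:03:00Z", "GetObject", "198.51.100.77", "example-customer-data"),
    _event("2019-03-22T11:05:00Z", "GetObject", "198.51.100.77", "example-credit-apps"),
    _event("2019-03-22T11:07:00Z", "GetObject", "198.51.100.77", "example-kyc-docs"),
]


def is_instance_role_session(event):
    """True when the caller is an assumed role whose session name is an EC2
    instance ID, i.e. credentials that were issued to an instance profile."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")


def outside_known_egress(source_ip):
    """True when the source is a routable address not in KNOWN_EGRESS."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # CloudTrail records a DNS name for calls AWS services make on the
        # account's behalf; those are not credential exfiltration.
        return False
    return not any(addr in net for net in KNOWN_EGRESS)


def detect(events, bucket_threshold=3):
    """Return findings as (finding_type, session_arn, detail) tuples."""
    findings = []
    exfil_seen = set()          # one finding per (session, source IP)
    enumerated = set()          # sessions that called ListBuckets
    buckets_touched = defaultdict(set)
    for ev in events:
        session = ev["userIdentity"].get("arn", "")
        ip = ev.get("sourceIPAddress", "")
        if (is_instance_role_session(ev) and outside_known_egress(ip)
                and (session, ip) not in exfil_seen):
            exfil_seen.add((session, ip))
            findings.append(("InstanceCredentialExfiltration", session, ip))
        if ev["eventSource"] == "s3.amazonaws.com":
            if ev["eventName"] == "ListBuckets":
                enumerated.add(session)
            params = ev.get("requestParameters") or {}
            if params.get("bucketName"):
                buckets_touched[session].add(params["bucketName"])
    for session, buckets in buckets_touched.items():
        if session in enumerated and len(buckets) >= bucket_threshold:
            findings.append(("BulkBucketAccessAfterEnumeration", session, sorted(buckets)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Both rules depend on what the trail actually contains: ListBuckets is a management event and is always logged, but ListObjects and GetObject are S3 data events that only appear if data-event logging is switched on for the buckets in question. Without it the second rule never fires, which is the operational reason the CloudTrail bullet above matters as much as the GuardDuty one.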

Corrective Controls
Corrective controls are designed to minimize impact and restore systems after
an incident has occurred.
• Immediately revoke compromised credentials. Temporary credentials from an
assumed role cannot be deleted individually; attach a deny policy to the role
conditioned on aws:TokenIssueTime (the "Revoke active sessions" action in
the IAM console) so every session issued before that time stops working, and
rotate any long-lived access keys.
• Conduct forensic investigation to analyze attack vectors and data
exposure.
• Reconfigure affected systems (e.g., S3 buckets, WAF) to default secure
states.
• Apply Zero-Trust Architecture (ZTA) principles for all future
deployments.
• Create incident response playbooks specific to cloud misconfigurations
and IAM breaches.
• Implement backup and disaster recovery plans for critical data and
applications.
• Strengthen post-incident audit reviews to validate control effectiveness
and compliance.

6.2 RISK CONTROL TABLE

Risk ID | Proposed Control                                  | Control Type | Responsible Team     | Expected Effectiveness
---------------------------------------------------------------------------------------------------------------------
R1      | Patch WAF and restrict SSRF requests              | Preventive   | Network Security     | High
R2      | Enforce IAM least privilege and MFA               | Preventive   | Cloud Infrastructure | High
R3      | Enable continuous monitoring with GuardDuty       | Detective    | SOC Team             | High
R4      | Automate IAM audits with AWS Config               | Detective    | Security Operations  | High
R5      | Segment internal networks and limit admin access  | Corrective   | IT Infrastructure    | Medium

7. RESIDUAL RISK EVALUATION

Risk ID | Initial Risk Level | Control Implemented              | Residual Risk Level | Acceptable?
----------------------------------------------------------------------------------------------------
R1      | High               | WAF patching and SSRF prevention | Low                 | Yes
R2      | High               | IAM policy restriction and MFA   | Low                 | Yes
R3      | High               | GuardDuty and real-time alerts   | Medium              | Yes
R4      | High               | Automated audits and IAM review  | Medium              | Yes
R5      | Medium             | Network segmentation             | Low                 | Yes

8. CONCLUSION
The Capital One AWS data breach highlights how cloud
misconfiguration and weak IAM controls can create critical
vulnerabilities.
Through effective risk identification, analysis, and mitigation, the
organization implemented strong preventive and detective controls.
Key controls such as IAM restriction, continuous monitoring, and
Zero-Trust adoption significantly reduced residual risk.
Regular audits under frameworks like ISO 27005 and NIST SP 800-30
remain essential to ensure continuous improvement in cloud
security.

9. REFERENCES
• Capital One Official Breach Report, 2019.
• U.S. Department of Justice, United States v. Paige A. Thompson,
2022.
• ISO/IEC 27001:2022 – Information Security Management
Systems.
• ISO/IEC 27005:2018 – Information Security Risk Management.
• NIST SP 800-30 – Risk Management Guide for Information
Technology Systems.
• AWS Security Best Practices Whitepaper, Amazon Web Services.
• ENISA Threat Landscape 2022.
