Cloud Metadata Detection
Protection Module: CloudMetadata
Detects if the application is running in a cloud environment (AWS, Azure, GCP, etc.).
Available for:
- Server Applications
- Desktop Applications
- Cloud Services
How It Works
Cloud Metadata Detection identifies cloud environments by querying cloud provider metadata services and analyzing system characteristics.
Detection Methods:
- Metadata Service Queries - Checks cloud provider metadata endpoints
- DMI/BIOS Analysis - Examines system manufacturer information
- Environment Variables - Detects cloud-specific variables
- DNS Resolution - Validates cloud DNS patterns
- MAC Address Prefixes - Identifies cloud provider network interfaces
Detected Cloud Providers:
- Amazon Web Services (AWS/EC2)
- Microsoft Azure
- Google Cloud Platform (GCP)
- Oracle Cloud Infrastructure (OCI)
- Alibaba Cloud
- IBM Cloud
- DigitalOcean
- Linode
- Vultr
Configuration
```json
{
  "protections": {
    "CloudMetadata": {
      "enabled": true,
      "action": "log"
    }
  }
}
```

Code-Based Configuration
```csharp
await Payload.ConfigureAsync(config =>
{
    config.AddProtection(ProtectionModuleType.CloudMetadata, ActionType.Log);
});
```

Single Execution
This protection runs once at application startup rather than periodically, since the cloud environment does not change while the application is running.
Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Log | Record cloud environment | Analytics, telemetry |
| Custom | Execute cloud-specific logic | Configuration, features |
| None | Detect only | Passive monitoring |
When to Use
Recommended for:
- License Differentiation - Different pricing for cloud vs on-premise
- Configuration Optimization - Cloud-specific settings
- Feature Enablement - Enable cloud integrations
- Analytics - Track deployment environments
- Security Monitoring - Detect unexpected cloud deployments
- Compliance - Track data residency
Code Examples
Cloud Environment Analytics
```csharp
config.RegisterCustomAction("cloud-analytics", async (threat) =>
{
    // Metadata keys are populated by the CloudMetadata module (see Detection Metadata below)
    var cloudProvider = threat.Metadata["cloudProvider"]?.ToString();
    var region = threat.Metadata["region"]?.ToString();
    var instanceType = threat.Metadata["instanceType"]?.ToString();

    await TelemetryClient.TrackEventAsync("CloudEnvironmentDetected", new
    {
        Provider = cloudProvider,
        Region = region,
        InstanceType = instanceType,
        Timestamp = DateTime.UtcNow
    });

    await LogInfoAsync($"Running on {cloudProvider} in {region}");
});
```

Cloud-Specific Configuration
```csharp
config.RegisterCustomAction("cloud-config-optimization", async (threat) =>
{
    var cloudProvider = threat.Metadata["cloudProvider"]?.ToString();
    var isCloud = !string.IsNullOrEmpty(cloudProvider);

    if (isCloud)
    {
        // Turn on the integrations that exist for the detected provider only
        switch (cloudProvider)
        {
            case "AWS":
                AppConfig.UseAwsParameterStore = true;
                AppConfig.UseAwsSecretsManager = true;
                AppConfig.EnableXRayTracing = true;
                await LogInfoAsync("Enabled AWS integrations");
                break;

            case "Azure":
                AppConfig.UseAzureKeyVault = true;
                AppConfig.UseAzureAppInsights = true;
                AppConfig.UseManagedIdentity = true;
                await LogInfoAsync("Enabled Azure integrations");
                break;

            case "GCP":
                AppConfig.UseGcpSecretManager = true;
                AppConfig.UseCloudTrace = true;
                AppConfig.UseWorkloadIdentity = true;
                await LogInfoAsync("Enabled GCP integrations");
                break;
        }
    }
});
```

License-Based Cloud Detection
```csharp
config.RegisterCustomAction("cloud-license-check", async (threat) =>
{
    var cloudProvider = threat.Metadata["cloudProvider"]?.ToString();
    var isCloud = !string.IsNullOrEmpty(cloudProvider);

    if (isCloud)
    {
        var license = await GetLicenseAsync();

        if (!license.AllowsCloudDeployment)
        {
            await ShowMessageAsync(
                "License Restriction",
                "Your license does not permit cloud deployments. " +
                $"Detected: {cloudProvider}. " +
                "Please upgrade to a Cloud license."
            );
            Environment.Exit(-1);
        }

        // Track cloud usage for billing
        await BillingService.RecordCloudUsageAsync(cloudProvider, license.Key);
    }
});
```

Regional Compliance
```csharp
// Requires: using System.Linq; (for Contains on arrays)
config.RegisterCustomAction("compliance-check", async (threat) =>
{
    var cloudProvider = threat.Metadata["cloudProvider"]?.ToString();
    var region = threat.Metadata["region"]?.ToString();

    // Region names are provider-specific (AWS "us-east-1", Azure "eastus",
    // GCP "us-central1"), so keep a separate allow-list per provider. The
    // Azure and GCP entries below are the sample values from Detection Metadata.
    var allowedRegions = new Dictionary<string, string[]>
    {
        ["AWS"] = new[] { "us-east-1", "eu-west-1", "eu-central-1" },
        ["Azure"] = new[] { "eastus" },
        ["GCP"] = new[] { "us-central1" }
    };

    if (cloudProvider != null && allowedRegions.TryGetValue(cloudProvider, out var allowed))
    {
        // A missing region is treated as non-compliant rather than silently passing
        if (region == null || !allowed.Contains(region))
        {
            await LogSecurityEventAsync("compliance_violation", new
            {
                Provider = cloudProvider,
                Region = region,
                Reason = "Deployment in non-compliant region"
            });

            await ShowMessageAsync(
                "Compliance Violation",
                $"Application deployed in non-compliant region: {region}. " +
                $"Allowed regions: {string.Join(", ", allowed)}"
            );
        }
    }
});
```

Detection Metadata
AWS EC2
```json
{
  "cloudProvider": "AWS",
  "region": "us-east-1",
  "availabilityZone": "us-east-1a",
  "instanceId": "i-0123456789abcdef0",
  "instanceType": "t3.medium",
  "imageId": "ami-0abcdef1234567890",
  "accountId": "123456789012"
}
```

Azure Virtual Machine
```json
{
  "cloudProvider": "Azure",
  "region": "eastus",
  "resourceGroup": "myapp-rg",
  "subscriptionId": "12345678-1234-1234-1234-123456789012",
  "vmId": "abcd1234-5678-90ab-cdef-1234567890ab",
  "vmSize": "Standard_D2s_v3",
  "osType": "Linux"
}
```

Google Cloud Platform
```json
{
  "cloudProvider": "GCP",
  "region": "us-central1",
  "zone": "us-central1-a",
  "projectId": "my-project-123456",
  "instanceId": "1234567890123456789",
  "machineType": "n1-standard-2",
  "preemptible": false
}
```

Cloud Provider Detection Details
AWS Detection Methods
- Metadata Service - http://169.254.169.254/latest/meta-data/
- DMI Product Name - Contains "Amazon EC2"
- Hypervisor UUID - Starts with "ec2" or "EC2"
- MAC Address - AWS-specific prefixes

Azure Detection Methods
- Metadata Service - http://169.254.169.254/metadata/instance
- DMI System Manufacturer - "Microsoft Corporation"
- DMI Product Name - "Virtual Machine"
- Azure Agent - Presence of waagent

GCP Detection Methods
- Metadata Service - http://metadata.google.internal/
- DMI Product Name - "Google Compute Engine"
- DMI BIOS Vendor - "Google"
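The DMI rules listed above, written out as a small classifier. This is an added example and not the CloudMetadata module's own code; `read_dmi` assumes the Linux sysfs layout under `/sys/class/dmi/id` (`product_name`, `sys_vendor`, `bios_vendor`, `product_uuid`), and the confidence values are constructed. The Azure strings are the generic Hyper-V ones, so they also show up on on-premises Hyper-V guests; the classifier returns that match with lower confidence so a caller knows to confirm it with the metadata endpoint or the waagent check.

```python
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed sysfs location of the DMI fields on Linux (not from the original page)
DMI_ROOT = "/sys/class/dmi/id"


@dataclass
class DmiInfo:
    product_name: str = ""   # DMI Product Name
    sys_vendor: str = ""     # DMI System Manufacturer
    bios_vendor: str = ""    # DMI BIOS Vendor
    product_uuid: str = ""   # hypervisor/system UUID


def read_dmi(root: str = DMI_ROOT) -> DmiInfo:
    """Read the DMI fields; unreadable files (non-Linux, containers, no access) read as ''."""
    def field(name: str) -> str:
        try:
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as f:
                return f.read().strip()
        except OSError:
            return ""
    return DmiInfo(field("product_name"), field("sys_vendor"),
                   field("bios_vendor"), field("product_uuid"))


def classify_dmi(dmi: DmiInfo) -> Tuple[Optional[str], float]:
    """Map DMI strings to (provider, confidence) using the rules from this page.

    AWS and GCP strings are vendor-specific, so they are reported with full
    confidence. Azure's strings are the ones every Hyper-V guest reports, so
    that match is only a hint (constructed confidence 0.6) until confirmed.
    """
    if "Amazon EC2" in dmi.product_name or dmi.product_uuid.lower().startswith("ec2"):
        return "AWS", 1.0
    if dmi.product_name == "Google Compute Engine" or dmi.bios_vendor == "Google":
        return "GCP", 1.0
    if dmi.sys_vendor == "Microsoft Corporation" and dmi.product_name == "Virtual Machine":
        return "Azure", 0.6
    return None, 0.0


if __name__ == "__main__":
    print(classify_dmi(read_dmi()))
```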
Platform Compatibility
| Cloud Provider | Support | Detection Methods |
|---|---|---|
| AWS | ✔ | Metadata API, DMI, MAC |
| Azure | ✔ | Metadata API, DMI, agent |
| GCP | ✔ | Metadata API, DMI |
| Oracle Cloud | ✔ | Metadata API, DMI |
| Alibaba Cloud | ✔ | Metadata API |
| IBM Cloud | ✔ | Metadata API |
| DigitalOcean | ✔ | Metadata API, DMI |
Performance Impact
- Detection Time: <100ms (single query at startup)
- CPU Usage: Negligible
- Memory: <50 KB
- Network: Single HTTP request to metadata service (timeout: 2s)
Best Practices
- Use for Telemetry and Configuration
```csharp
// Track cloud deployments for analytics
action: ActionType.Log
```

- Enable Cloud-Native Features

```csharp
if (cloudProvider == "AWS")
{
    EnableAwsIntegrations();
}
```

- License Tier by Environment

```csharp
// Different pricing for cloud vs on-premise
if (isCloud && !license.IsCloudTier)
{
    await ShowUpgradePromptAsync();
}
```

- Regional Compliance

```csharp
// Ensure deployments in allowed regions
ValidateRegionCompliance(region);
```

Threat Detection Details
```json
{
  "threatId": "CLD-2025-12-28-9012",
  "description": "Cloud environment detected",
  "moduleType": "CloudMetadata",
  "detectedAt": "2025-12-28T22:00:00Z",
  "confidence": 1.0,
  "metadata": {
    "cloudProvider": "AWS",
    "region": "us-east-1",
    "availabilityZone": "us-east-1a",
    "instanceId": "i-0abcdef1234567890",
    "instanceType": "t3.large",
    "imageId": "ami-0123456789abcdef0",
    "accountId": "123456789012",
    "vpcId": "vpc-0abc123def456",
    "subnetId": "subnet-0xyz789abc"
  }
}
```

Security Considerations
Metadata Service Security
Cloud metadata services expose account-scoped identifiers (account or subscription IDs, VPC and subnet IDs, image IDs) that are useful to anyone mapping your environment. Keep the detection metadata out of API responses, and send outbound telemetry only the fields it needs.
```csharp
// Don't expose cloud metadata in API responses
app.MapGet("/health", () => new { status = "healthy" }); // Good
app.MapGet("/info", (CloudMetadata meta) => meta);        // BAD - leaks cloud info
```

The same applies to outbound telemetry: the Cloud Environment Analytics example above sends only provider, region and instance type. The following added example (not the module's own code) reduces the detection metadata from the Threat Detection Details block to an allow-listed set of coarse fields and replaces the instance identifier with a keyed hash, so instances can still be correlated across events without the raw ID leaving the host. The field names are the ones shown on this page; the telemetry key is a constructed value.

```python
import hashlib
import hmac
from typing import Any, Dict

# Coarse fields that describe the environment without identifying the account
SAFE_FIELDS = {"cloudProvider", "region", "availabilityZone", "zone",
               "instanceType", "vmSize", "machineType", "osType", "preemptible"}
# Per-instance identifiers: kept only as a keyed pseudonym
INSTANCE_ID_FIELDS = {"instanceId", "vmId"}
# Everything else (accountId, subscriptionId, projectId, resourceGroup,
# vpcId, subnetId, imageId, and any key not listed) is dropped: allow-list, not deny-list.


def pseudonymise(value: str, key: bytes) -> str:
    """HMAC-SHA256 of the id under an app-held key; stable per key, not reversible."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def sanitise_for_telemetry(metadata: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return the subset of detection metadata that may leave the host."""
    out: Dict[str, Any] = {}
    for name, value in metadata.items():
        if name in SAFE_FIELDS:
            out[name] = value
        elif name in INSTANCE_ID_FIELDS and value is not None:
            out["instanceRef"] = pseudonymise(str(value), key)
    return out


# Constructed sample: the metadata block from Threat Detection Details above
SAMPLE_METADATA = {
    "cloudProvider": "AWS", "region": "us-east-1", "availabilityZone": "us-east-1a",
    "instanceId": "i-0abcdef1234567890", "instanceType": "t3.large",
    "imageId": "ami-0123456789abcdef0", "accountId": "123456789012",
    "vpcId": "vpc-0abc123def456", "subnetId": "subnet-0xyz789abc",
}
TELEMETRY_KEY = b"constructed-example-key-not-a-real-secret"

if __name__ == "__main__":
    print(sanitise_for_telemetry(SAMPLE_METADATA, TELEMETRY_KEY))
```
<test>
out = sanitise_for_telemetry(SAMPLE_METADATA, TELEMETRY_KEY)
assert set(out) == {"cloudProvider", "region", "availabilityZone", "instanceType", "instanceRef"}
assert out["region"] == "us-east-1" and out["instanceType"] == "t3.large"
assert "accountId" not in out and "vpcId" not in out and "subnetId" not in out and "imageId" not in out
assert "instanceId" not in out
assert len(out["instanceRef"]) == 16 and out["instanceRef"] != "i-0abcdef1234567890"
assert out["instanceRef"] == sanitise_for_telemetry(SAMPLE_METADATA, TELEMETRY_KEY)["instanceRef"]
assert out["instanceRef"] != sanitise_for_telemetry(SAMPLE_METADATA, b"another-constructed-key")["instanceRef"]
assert sanitise_for_telemetry({"cloudProvider": "Azure", "vmId": "abcd1234-5678-90ab-cdef-1234567890ab", "subscriptionId": "x"}, TELEMETRY_KEY).keys() == {"cloudProvider", "instanceRef"}
assert sanitise_for_telemetry({}, TELEMETRY_KEY) == {}
</test>

Related Protections
- Custom Actions - Cloud-specific logic
- Actions - Configure responses