CLOUDBURST: Cloud-Layer Observations Using Beacons for Unified Real-time Surveillance and Threat Attribution

Modern cloud-native environments present a fundamentally different exfiltration threat surface than traditional file-based scenarios. Attackers targeting AWS, GCP, Azure, and OCI steal S3 presigned URLs, container images, Kubernetes secrets, Terraform state modules, and IAM role tokens -- artefacts that existing honeytoken and beacon frameworks do not address. We present \textbf{CLOUDBURST}, the first formal taxonomy and measurement framework for cloud-native passive beacons, comprising six vector classes across four major cloud providers. We introduce the \textit{Cloud Attribution Score} (CAS), a four-component metric that explicitly models ephemeral infrastructure penalty ($E_p$), IAM coverage depth ($I_c$), and multi-cloud correlation bonus ($M_b$) -- dimensions absent from all prior attribution quality metrics. Experiments across $21$ deployed beacons, $205$ simulated callbacks, and three attacker sophistication levels yield four principal findings. First, IAM Canary Roles achieve the highest CAS (mean $0.450$) and Detection Resistance (DR $= 0.873$), making them the most deployable vector. Second, S3 Presigned URLs achieve the highest detection resistance (DR $= 0.890$), surviving all three cloud-native scanner models (AWS Macie, Checkov/tfsec, Prisma Cloud/Wiz). Third, ephemeral infrastructure churn degrades CAS from $\approx 0.79$ at deployment to $\approx 0.18$--$0.22$ at $48$ hours for all vectors ($p < 0.001$), establishing the first quantitative model of attribution decay in containerised environments. Fourth, Serverless Function Triggers exhibit the worst detection resistance (DR $= 0.611$) due to their explicit outbound HTTP callback pattern, motivating covert callback channel design as future work. No significant CAS difference is observed across cloud providers ($H = 1.99$, $p = 0.57$), confirming that CLOUDBURST is provider-agnostic in its effectiveness.