I think the issue being exploited here is the auto-scaling nature. Compromising a web-app through something like SQL-injection then allows you to execute your own code on the server instance. You don't need to gain access to the actual back-end of the cloud system, just get the code running on the server-space that's been provisioned and then, as the compute requirements increase, the cloud provider will automatically spin up new server instances to cope with the load.
It seems to be that it's not a case of compromising the entire system, just getting your code running somewhere (even within a VM or container sitting atop the AWS/Azure/whatever instance) and the programmatic elasticity will do the rest for you. You'd think that any company running something with auto-scaling will have configured alerts to let them know when the loads are spiking and by how much, in that same way that on-prem servers will have thresholds set up for things like CPU load, disk space, latency, etc.
Biting the hand that feeds IT
