🔶 How to help prevent hotlinking using referer checking, AWS WAF, and Amazon CloudFront
How to help prevent hotlinking by using header inspection in AWS WAF, while still taking advantage of the improved user experience from a CDN such as CloudFront.
https://aws.amazon.com/ru/blogs/security/how-to-prevent-hotlinking-by-using-aws-waf-amazon-cloudfront-and-referer-checking/
(Use VPN to open from Russia)
#aws
How to help prevent hotlinking by using header inspection in AWS WAF, while still taking advantage of the improved user experience from a CDN such as CloudFront.
https://aws.amazon.com/ru/blogs/security/how-to-prevent-hotlinking-by-using-aws-waf-amazon-cloudfront-and-referer-checking/
(Use VPN to open from Russia)
#aws
❤1👍1🔥1
🔶 AWS Built a Security Tool. It Introduced a Security Risk
The «Account Assessment for AWS Organizations» tool, designed to audit resource-based policies for risky cross-account access, ironically introduced cross-account privilege escalation risks due to flawed deployment instructions.
https://www.token.security/blog/aws-built-a-security-tool-it-introduced-a-security-risk
#aws
The «Account Assessment for AWS Organizations» tool, designed to audit resource-based policies for risky cross-account access, ironically introduced cross-account privilege escalation risks due to flawed deployment instructions.
https://www.token.security/blog/aws-built-a-security-tool-it-introduced-a-security-risk
#aws
❤1👍1🔥1
🔶 Shadow Roles: AWS Defaults Can Open the Door to Service Takeover
Post walking through multiple real-world scenarios, including how a malicious Hugging Face model can escalate privileges, how limited Glue access can impact other services, and how a single default role can ultimately lead to full control of an AWS account.
https://www.aquasec.com/blog/shadow-roles-aws-defaults-lead-to-service-takeover/
#aws
Post walking through multiple real-world scenarios, including how a malicious Hugging Face model can escalate privileges, how limited Glue access can impact other services, and how a single default role can ultimately lead to full control of an AWS account.
https://www.aquasec.com/blog/shadow-roles-aws-defaults-lead-to-service-takeover/
#aws
👍2❤1🔥1
🔶 Preventing Cross-Service Confused Deputy Attacks in AWS ELB Logging
Post highlighting the inconsistency in AWS services regarding S3 bucket permissions and encryption methods.
https://tomclancy.me/2025/04/24/preventing-cross-service-confused-deputy-attacks-in-aws-elb-logging.html
#aws
Post highlighting the inconsistency in AWS services regarding S3 bucket permissions and encryption methods.
https://tomclancy.me/2025/04/24/preventing-cross-service-confused-deputy-attacks-in-aws-elb-logging.html
#aws
❤1👍1🔥1
🔴 Tag Your Way In: New Privilege Escalation Technique in GCP
This post introduces a novel privilege escalation technique in Google Cloud Platform (GCP) that exploits IAM Conditions in combination with tagBindings.
https://www.mitiga.io/blog/tag-your-way-in-new-privilege-escalation-technique-in-gcp
#gcp
This post introduces a novel privilege escalation technique in Google Cloud Platform (GCP) that exploits IAM Conditions in combination with tagBindings.
https://www.mitiga.io/blog/tag-your-way-in-new-privilege-escalation-technique-in-gcp
#gcp
❤1👍1🔥1
Blog dissecting the limitations of Microsoft's activity logs, walking through real-world simulations using the msInvader tool, and highlighting what gets seen and what silently slips through the cracks.
https://www.abstract.security/blog/the-invisible-enemy-unmasking-microsoft-365s-logging-blind-spots
#azure
Please open Telegram to view this post
VIEW IN TELEGRAM
❤1👍1🔥1
🔶 S3 bucket name squatting
Post sharing findings on four AWS services - Amazon Athena, AWS Elastic Beanstalk, AWS CodePipeline, AWS Config - and the implications of bucket name squatting.
https://www.reply.com/spike-reply/en/blog/s3-bucket-name-squatting
#aws
Post sharing findings on four AWS services - Amazon Athena, AWS Elastic Beanstalk, AWS CodePipeline, AWS Config - and the implications of bucket name squatting.
https://www.reply.com/spike-reply/en/blog/s3-bucket-name-squatting
#aws
❤1👍1🔥1
🔶 Configuring Model Context Protocol (MCP) with Amazon Q CLI
This post will walk you through everything you need to know to get Amazon Q CLI up and running to use MCP.
https://blog.beachgeek.co.uk/getting-started-mcp-amazon-q-cli/
#aws
This post will walk you through everything you need to know to get Amazon Q CLI up and running to use MCP.
https://blog.beachgeek.co.uk/getting-started-mcp-amazon-q-cli/
#aws
❤1👍1🔥1
🔴 What's new in IAM, Access Risk, and Cloud Governance
At Google Cloud Next, Google announced multiple new capabilities in their IAM, Access Risk, and Cloud Governance portfolio, including: IAM, Access Risk products including VPC Service Controls, Context-Aware Access and Identity Threat Detection and Response, Cloud Governance with Organization Policy Service, and Resource Management.
https://cloud.google.com/blog/products/identity-security/whats-new-in-iam-access-risk-and-cloud-governance/
#gcp
At Google Cloud Next, Google announced multiple new capabilities in their IAM, Access Risk, and Cloud Governance portfolio, including: IAM, Access Risk products including VPC Service Controls, Context-Aware Access and Identity Threat Detection and Response, Cloud Governance with Organization Policy Service, and Resource Management.
https://cloud.google.com/blog/products/identity-security/whats-new-in-iam-access-risk-and-cloud-governance/
#gcp
❤1👍1🔥1
🔶 Use an Amazon Bedrock powered chatbot with Amazon Security Lake to help investigate incidents
How to deploy a security chatbot with a GUI and a serverless backend powered by an Amazon Bedrock agent that incorporates existing playbooks to investigate or respond to a security event.
https://aws.amazon.com/ru/blogs/security/use-an-amazon-bedrock-powered-chatbot-with-amazon-security-lake-to-help-investigate-incidents/
(Use VPN to open from Russia)
#aws
How to deploy a security chatbot with a GUI and a serverless backend powered by an Amazon Bedrock agent that incorporates existing playbooks to investigate or respond to a security event.
https://aws.amazon.com/ru/blogs/security/use-an-amazon-bedrock-powered-chatbot-with-amazon-security-lake-to-help-investigate-incidents/
(Use VPN to open from Russia)
#aws
❤1👍1🔥1
🔶 Tales from the cloud trenches: The Attacker doth persist too much
A cloud attack targeting Amazon SES and persistence via AWS Lambda, AWS IAM Identity Center and AWS IAM.
https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-the-attacker-doth-persist-too-much/
#aws
A cloud attack targeting Amazon SES and persistence via AWS Lambda, AWS IAM Identity Center and AWS IAM.
https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-the-attacker-doth-persist-too-much/
#aws
👍2❤1🔥1
An Azure utility for mounting Azure Storage that comes preinstalled on Azure HPC/AI images allowed an unprivileged user on a Linux machine with this utility installed to escalate their privileges to root.
https://www.varonis.com/blog/aznfs-root-privilege-escalation-on-azure
(Use VPN to open from Russia)
#azure
Please open Telegram to view this post
VIEW IN TELEGRAM
❤1👍1🔥1
🔶 AI lifecycle risk management: ISO/IEC 42001:2023 for AI governance
Post explaining how ISO/IEC 42001 enables effective AI governance, review the risk management requirements, and explore how you can use threat modeling as a practical technique to meet those expectations.
https://aws.amazon.com/ru/blogs/security/ai-lifecycle-risk-management-iso-iec-420012023-for-ai-governance/
(Use VPN to open from Russia)
#aws
Post explaining how ISO/IEC 42001 enables effective AI governance, review the risk management requirements, and explore how you can use threat modeling as a practical technique to meet those expectations.
https://aws.amazon.com/ru/blogs/security/ai-lifecycle-risk-management-iso-iec-420012023-for-ai-governance/
(Use VPN to open from Russia)
#aws
❤2👍1🔥1
🔶 Implementing safety guardrails for applications using Amazon SageMaker
Post explaining guardrail implementation strategies.
https://aws.amazon.com/ru/blogs/security/implementing-safety-guardrails-for-applications-using-amazon-sagemaker/
(Use VPN to open from Russia)
#aws
Post explaining guardrail implementation strategies.
https://aws.amazon.com/ru/blogs/security/implementing-safety-guardrails-for-applications-using-amazon-sagemaker/
(Use VPN to open from Russia)
#aws
❤1👍1🔥1
🔶 TrailAlerts
TrailAlerts is a AWS-native, serverless cloud-detection tool that lets you define simple rules as code and get rich alerts about events in AWS.
https://github.com/adanalvarez/TrailAlerts
#aws
TrailAlerts is a AWS-native, serverless cloud-detection tool that lets you define simple rules as code and get rich alerts about events in AWS.
https://github.com/adanalvarez/TrailAlerts
#aws
❤1👍1🔥1
🔶 Root in prod: The most important security analysis you will never do on your AWS accounts
This article outlines steps for identifying AWS accounts, determining which ones are truly production, and analyzing access levels, including finding users and roles with AdministratorAccess.
https://www.plerion.com/blog/root-in-prod
#aws
This article outlines steps for identifying AWS accounts, determining which ones are truly production, and analyzing access levels, including finding users and roles with AdministratorAccess.
https://www.plerion.com/blog/root-in-prod
#aws
❤1👍1🔥1
🔶 PowerUserAccess vs. AdministratorAccess from an attacker's perspective
The article highlights the dangers of using the AWS managed policy PowerUserAccess in complex environments by sharing an attacker's perspective on the matter.
https://www.offensai.com/blog/poweruseraccess-vs-administratoraccess-from-an-attacker-perspective
(Use VPN to open from Russia)
#aws
The article highlights the dangers of using the AWS managed policy PowerUserAccess in complex environments by sharing an attacker's perspective on the matter.
https://www.offensai.com/blog/poweruseraccess-vs-administratoraccess-from-an-attacker-perspective
(Use VPN to open from Russia)
#aws
❤1👍1🔥1
🔴 Hunting for Bucket Traversals in Google's Client Libraries
A bucket traversal vulnerability arises when an application mishandles user input while interacting with cloud storage, allowing unauthorized access to storage objects.
https://jdomeracki.github.io/2025/05/04/hunting_for_bucket_traversals/
#gcp
A bucket traversal vulnerability arises when an application mishandles user input while interacting with cloud storage, allowing unauthorized access to storage objects.
https://jdomeracki.github.io/2025/05/04/hunting_for_bucket_traversals/
#gcp
❤1👍1🔥1
Microsoft introduced Microsoft Entra Agent ID, which extends identity management and access capabilities to AI agents.
https://www.microsoft.com/en-us/security/blog/2025/05/19/microsoft-extends-zero-trust-to-secure-the-agentic-workforce/
#azure
Please open Telegram to view this post
VIEW IN TELEGRAM
❤1👍1🔥1
🔴 Removing GitHub PATs and Private Keys From Google Cloud: Extending Token Server to Google Cloud
This article introduces the technologies, challenges, and solutions behind extending Token Server and migrating workloads on Google Cloud to use short-lived credentials.
https://engineering.mercari.com/en/blog/entry/20241203-token-server-google-cloud/
#gcp
This article introduces the technologies, challenges, and solutions behind extending Token Server and migrating workloads on Google Cloud to use short-lived credentials.
https://engineering.mercari.com/en/blog/entry/20241203-token-server-google-cloud/
#gcp
❤1👍1🔥1