2212
All about cloud security Contacts: @AMark0f @dvyakimov About DevSecOps: @sec_devops
🔶 Configuring Model Context Protocol (MCP) with Amazon Q CLI
This post will walk you through everything you need to know to get Amazon Q CLI up and running to use MCP.
https://blog.beachgeek.co.uk/getting-started-mcp-amazon-q-cli/
#aws
🔶 The Cloud Hunting Games
A new CTF by Wiz.
https://www.cloudhuntinggames.com/
#aws
🔴 Tag Your Way In: New Privilege Escalation Technique in GCP
This post introduces a novel privilege escalation technique in Google Cloud Platform (GCP) that exploits IAM Conditions in combination with tagBindings.
https://www.mitiga.io/blog/tag-your-way-in-new-privilege-escalation-technique-in-gcp
#gcp
🔶 Shadow Roles: AWS Defaults Can Open the Door to Service Takeover
Post walking through multiple real-world scenarios, including how a malicious Hugging Face model can escalate privileges, how limited Glue access can impact other services, and how a single default role can ultimately lead to full control of an AWS account.
https://www.aquasec.com/blog/shadow-roles-aws-defaults-lead-to-service-takeover/
#aws
🔶 How to help prevent hotlinking using referer checking, AWS WAF, and Amazon CloudFront
How to help prevent hotlinking by using header inspection in AWS WAF, while still taking advantage of the improved user experience from a CDN such as CloudFront.
https://aws.amazon.com/ru/blogs/security/how-to-prevent-hotlinking-by-using-aws-waf-amazon-cloudfront-and-referer-checking/
(Use VPN to open from Russia)
#aws
👩💻 Understanding the threat landscape for Kubernetes and containerized assets
Microsoft released and updated the threat matrix for Kubernetes, an active knowledge base for security threats that target Kubernetes clusters, to systematically map the attack surface of Kubernetes.
https://www.microsoft.com/en-us/security/blog/2025/04/23/understanding-the-threat-landscape-for-kubernetes-and-containerized-assets/
#azure
🔶 Secure Cross-Account Access is Tricky. Four Common Dangerous Misconceptions
Post diving into cross-account trust policies, explaining four major misconceptions repeatedly seen in organizations, which often lead to the creation of cross-account trust paths from less secure accounts to more sensitive accounts.
https://www.token.security/blog/secure-cross-account-access-is-tricky-four-common-dangerous-misconceptions
#aws
🔴 Introducing stronger default Org Policies for our customers
Google Cloud is releasing an updated and stronger set of security defaults that can be implemented with Organizational Policies.
https://cloud.google.com/blog/products/identity-security/introducing-stronger-default-org-policies-for-our-customers/
#gcp
🔴 How to set compliance controls for your Google Cloud Organization
Assured Workloads can help you ensure comprehensive data protection and regulatory compliance with folders that support your compliance requirements.
https://cloud.google.com/blog/products/identity-security/how-to-set-compliance-controls-for-your-google-cloud-organization/
#gcp
🔶 Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaign
How the tracking of AWS Simple Notification Service (SNS) enumeration activity across multiple customer environments led to the takedown of a phishing site that was impersonating the French government.
https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-aws-activity-to-phishing/
#aws
🔴 Use customer-managed encryption keys
How to use a Cloud Key Management Service (Cloud KMS) encryption key with Dataflow.
https://cloud.google.com/dataflow/docs/guides/customer-managed-encryption-keys
#gcp
🔴 Introducing Security Command Center Enterprise
Security Command Center Enterprise is the first multicloud risk management solution that fuses AI-powered SecOps with cloud security.
https://cloud.google.com/blog/products/identity-security/introducing-security-command-center-enterprise
#gcp
🔶 Introducing the AWS WAF traffic overview dashboard
Post introducing the new dashboards and delve into a few use cases to help you gain better visibility into the overall security of your applications using AWS WAF and make informed decisions based on insights from the dashboards.
https://aws.amazon.com/ru/blogs/security/introducing-the-aws-waf-traffic-overview-dashboard/
#aws
🔶 The AWS S3 Denial of Wallet amplification attack
If you publicly host large data files on AWS S3 and pay for AWS transfer costs, you may be vulnerable to a «Denial of Wallet» amplification attack.
https://blog.limbus-medtec.com/the-aws-s3-denial-of-wallet-amplification-attack-bc5a97cc041d
(Use VPN to open from Russia)
#aws
👩💻 Meet Silver SAML: Golden SAML in the Cloud
Semperis researchers have discovered Silver SAML: a new application of Golden SAML that can be exploited in Entra ID and without AD FS.
https://www.semperis.com/blog/meet-silver-saml/
#azure
🔶 S3 bucket name squatting
Post sharing findings on four AWS services - Amazon Athena, AWS Elastic Beanstalk, AWS CodePipeline, AWS Config - and the implications of bucket name squatting.
https://www.reply.com/spike-reply/en/blog/s3-bucket-name-squatting
#aws
👩💻 The Invisible Enemy: Unmasking Microsoft 365's Logging Blind Spots
Blog dissecting the limitations of Microsoft's activity logs, walking through real-world simulations using the msInvader tool, and highlighting what gets seen and what silently slips through the cracks.
https://www.abstract.security/blog/the-invisible-enemy-unmasking-microsoft-365s-logging-blind-spots
#azure
🔶 Preventing Cross-Service Confused Deputy Attacks in AWS ELB Logging
Post highlighting the inconsistency in AWS services regarding S3 bucket permissions and encryption methods.
https://tomclancy.me/2025/04/24/preventing-cross-service-confused-deputy-attacks-in-aws-elb-logging.html
#aws
🔶 AWS Built a Security Tool. It Introduced a Security Risk
The «Account Assessment for AWS Organizations» tool, designed to audit resource-based policies for risky cross-account access, ironically introduced cross-account privilege escalation risks due to flawed deployment instructions.
https://www.token.security/blog/aws-built-a-security-tool-it-introduced-a-security-risk
#aws
🔴 MCP Toolbox for Databases: Simplify AI Agent Access to Enterprise Data
Learn how MCP Toolbox for Databases can help you deliver secure and standardized ways to have your agents communicate with one another and access enterprise data.
https://cloud.google.com/blog/products/ai-machine-learning/mcp-toolbox-for-databases-now-supports-model-context-protocol/
#gcp
🔶🔷🔴 Threat Modelling Cloud Service Providers in 2025
With the US Government acting in an erratic and hostile manner towards its traditional allies, it makes sense for companies not typically subject to US Jurisdiction to reconsider their threat models when using the big three cloud providers. All of them are US-based companies, and all three conduct a substantial amount of business with the US Government.
https://www.chrisfarris.com/post/threat-model-2025/
#aws #azure #gcp
🔶 DynamoDB now supports resource-based policies. But is that a good idea?
While it simplifies cross-account access to DynamoDB tables, eliminating the need to assume IAM roles. It still begs the question: Is cross-account data access even a good idea?
https://theburningmonk.com/2024/03/dynamodb-now-supports-resource-based-policies-but-is-that-a-good-idea/
#aws
👩💻 Microsoft Copilot for Security: General Availability details
Microsoft announced the general availability of Microsoft Copilot for Security (Copilot) on April 1st.
https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/microsoft-copilot-for-security-general-availability-details/ba-p/4079970
#azure
👩💻 Azure Deployment Scripts: Assuming User-Assigned Managed Identities
Attackers may get access to a role that allows assigning a Managed Identity to a resource. Depending on the permissions of the Managed Identity, this can be used for privilege escalation.
https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-user-assigned-managed-identities-via-deployment-scripts/
#azure
🔶👩💻 CloudGrappler
CloudGrappler is a purpose-built tool designed for effortless querying of high-fidelity and single-event detections related to well-known threat actors in popular cloud environments such as AWS and Azure. You can also refer to the companion blog post.
https://github.com/Permiso-io-tools/CloudGrappler
#aws #azure
🔶 How we sped up AWS CloudFormation deployments with optimistic stabilization
Post discussing the new optimistic stabilization strategy to shorten stack deployment times and improve visibility into resource provisioning.
https://aws.amazon.com/ru/blogs/devops/how-we-sped-up-aws-cloudformation-deployments-with-optimistic-stabilization/
#aws
🔶 The Missing Guide to AWS API Gateway Access Logs
Learn the what, why, and how of API Gateway access logs.
https://www.alexdebrie.com/posts/api-gateway-access-logs/
#aws
Яндекс делает закрытую вечеринку от команды информационной безопасности Yet Another Security Night
27 марта в 18:00
Только офлайн в Москве и в Питере
Мы приглашаем к себе в гости в офис на Льва Толстого в Москве и атмосферную локацию на набережной в Питере, где:
▫️Эксперты Яндекса расскажут про:
- Яндекс in-house: один день из жизни инженера СИБ, Спартак Свасян
- Уязвимости бизнес-логики, которые могут стоить вам миллионы, Азиз Алимов
▫️Бизнес игра - погружение во внутренние процессы команды в комфортном режиме
▫️Много нетворкинга и знакомств с нашими экспертами
▫️Афтерпати с DJ-сетом, крафтовыми напитками и настольным футболом
Получите приглашение - регистрация открыта!
Реклама. ООО "Яндекс", ИНН 7736207543
#advertising
👩💻 The mystery of the EnrichedOffice365AuditLogs solved
With Global Secure Access enabled access to the Microsoft 365 services such as SharePoint/OneDrive will be recorded in the EnrichedOffice365AuditLogs.
https://www.invictus-ir.com/news/the-mystery-of-the-enrichedoffice365auditlogs-solved
#azure
🔴 From Lighthouse to Loran - Navigating GCP Security Auditing Tools
Set sail on a secure journey through Google Cloud Platform with built-in and open-source auditing tools.
https://alexmorgan.uk/blog/from-lighthouse-to-loran---navigating-gcp-security-auditing-tools/
#gcp