2068
All about cloud security Contacts: @AMark0f @dvyakimov About DevSecOps: @sec_devops
🔶 Billing View now supports cost management data from multiple organizations
AWS announced the general availability of new capabilities within AWS Billing and Cost Management that enable customers to manage their AWS spend across multiple organizations through a single AWS account.
https://aws.amazon.com/ru/about-aws/whats-new/2025/09/billing-view-cost-management-multiple-organizations/
(Use VPN to open from Russia)
#aws
🔶 Build secure network architectures for generative AI applications using AWS services
Post which reviews the secure network design principles that provide a robust foundation for deploying generative AI applications on AWS while maintaining strong security controls.
https://aws.amazon.com/ru/blogs/security/build-secure-network-architectures-for-generative-ai-applications-using-aws-services/
(Use VPN to open from Russia)
#aws
🔴 Strengthen GCE and GKE security with new dashboards powered by Security Command Center
The GCE Security Risk Overview page now shows top security findings, vulnerability findings over time, and common vulnerabilities and exploits (CVEs) on your virtual machines.
https://cloud.google.com/blog/products/identity-security/new-gce-and-gke-dashboards-strengthen-security-posture/
#gcp
🔶 Introducing the AWS Infrastructure Canarytoken
This post introduces AWS Infrastructure Canarytoken, a new free tool that helps deploy decoy AWS resources (DynamoDB, S3, SSM Parameters, etc.) to detect attackers exploring compromised AWS accounts.
https://blog.thinkst.com/2025/09/introducing-the-aws-infrastructure-canarytoken.html
#aws
🔶 Automate OIDC client secret rotation with Application Load Balancer
Elastic Load Balancing simplifies authentication by offloading it to OpenID Connect (OIDC) compatible identity providers (IdPs). This lets builders focus on application logic while using robust identity management.
https://aws.amazon.com/ru/blogs/security/automate-oidc-client-secret-rotation-with-application-load-balancer/
(Use VPN to open from Russia)
#aws
🔶🔷🔴 Comparing CSP-Managed Machine Identities
This paper compares the threat models of machine identities managed by the CloudService Providers (CSP-managed) across the three major cloud service providers, with a focus on the risks associated with impersonation and usage.
https://cdn.prod.website-files.com/64e50cbe2b6f932c04238c14/68c18f3c1a686fcdf26e81ac_V_WP_Comparing-CSP-Managed-Machine-Identities_090925_FNL%20(1).pdf
#aws #azure #gcp
👩💻 One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
This article details a critical vulnerability discovered in Entra ID that allowed full tenant compromise through undocumented Actor tokens and a flaw in Azure AD Graph API's tenant validation. Microsoft patched it under CVE-2025-55241.
https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
#azure
🔶 Overview of security services available in AWS Dedicated Local Zones
Dedicated Local Zones provide a robust solution for running regulated workloads for all industries, to meet strict data residency and digital sovereignty, integrating services like AWS Nitro System, AWS KMS External Key Store, ACM, AWS Shield, Amazon GuardDuty, Amazon Inspector, and AWS CloudTrail.
https://aws.amazon.com/ru/blogs/security/overview-of-security-services-available-in-aws-dedicated-local-zones/
(Use VPN to open from Russia)
#aws
👩💻 Copilot Broke Your Audit Log, but Microsoft Won’t Tell You
This article reveals a vulnerability in Microsoft 365 Copilot where users could access files without generating audit log entries by simply asking Copilot to omit file links. Microsoft fixed but chose not to disclose this issue.
https://pistachioapp.com/blog/copilot-broke-your-audit-log
#azure
🔶 AWS Shield network security director (preview)
Use network security director to understand your AWS security configuration and to explore ways to strengthen it.
https://docs.aws.amazon.com/waf/latest/developerguide/nsd-chapter.html
(Use VPN to open from Russia)
#aws
🔶 Use scalable controls to help prevent access from unexpected networks
AWS has introduced three new global condition keys for scalable access controls based on request origin: aws:VpceAccount, aws:VpceOrgPaths, and aws:VpceOrgID.
https://aws.amazon.com/blogs/security/use-scalable-controls-to-help-prevent-access-from-unexpected-networks/
(Use VPN to open from Russia)
#aws
🔶 Sandboxed to Compromised: Credential Exfiltration Paths in AWS Code Interpreters
The article discusses security vulnerabilities in AWS Code Interpreters, particularly focusing on sandboxed environments, and demonstrates that even sandboxed interpreters can access certain AWS services like S3, and their role credentials can be extracted through the Metadata Service.
https://sonraisecurity.com/blog/sandboxed-to-compromised-new-research-exposes-credential-exfiltration-paths-in-aws-code-interpreters/
(Use VPN to open from Russia)
#aws
🔶 AWS CDK and SaaS Provider Takeover
This article details a vulnerability where SaaS providers using AWS CDK bootstrap roles could have their accounts taken over through their own platform due to permissive IAM role trust policies lacking external ID protections.
https://blog.ryanjarv.sh/2025/07/21/saas-provider-takeover.html
(Use VPN to open from Russia)
#aws
🔶 AWS CDK and SaaS Provider Takeover
This article details a vulnerability where SaaS providers using AWS CDK bootstrap roles could have their accounts taken over through their own platform due to permissive IAM role trust policies lacking external ID protections.
https://blog.ryanjarv.sh/2025/07/21/saas-provider-takeover.html
#aws
🔴 Now available: Cloud HSM as an encryption key service for Workspace client-side encryption
To help highly-regulated organizations meet their encryption key service obligation, Google is now offering Cloud HSM for Google Workspace CSE customers.
https://cloud.google.com/blog/products/identity-security/introducing-cloud-hsm-as-an-encryption-key-service-for-workspace-cse/
#gcp
🔶 How to develop an AWS Security Hub POC
This article guides you through planning and implementing an AWS Security Hub proof of concept, covering value assessment, success criteria definition, configuration, deployment, and validation steps.
https://aws.amazon.com/ru/blogs/security/how-to-develop-an-aws-security-hub-poc/
(Use VPN to open from Russia)
#aws
🔶 How to accelerate security finding reviews using automated business context validation in AWS Security Hub
A structured workflow where security teams define acceptable compensating controls, developers implement them, and an automated system validates their effectiveness.
https://aws.amazon.com/ru/blogs/security/how-to-accelerate-security-finding-reviews-using-automated-business-context-validation-in-aws-security-hub/
(Use VPN to open from Russia)
#aws
🔶 IMDS Abused: Hunting Rare Behaviors to Uncover Exploits
This post is about how Wiz used a data-driven methodology to uncover and stop anomalous IMDS usage, and how that approach led them to discover a zero-day vulnerability being exploited in the wild in a popular web service.
https://www.wiz.io/blog/imds-anomaly-hunting-zero-day
#aws
🔶 Adding Determinism and Safety to Uber IAM Policy Changes
Uber's production environment relies on a complex network of microservices and assets governed by IAM policies. Managing these policies effectively without disrupting production is challenging, as highlighted by an incident where an accidental IAM policy change caused Uber Eats outages. To address this, Uber introduced a Policy Simulator tool that allows policy authors to preview the impact of proposed changes in real time.
https://www.uber.com/en-GB/blog/adding-determinism-and-safety-to-uber-iam-policy-changes/
#aws
🔶 Multi-Region keys: A new approach to key replication in AWS Payment Cryptography
The new Multi-Region key replication feature in Payment Cryptography enhances automatic key replication capabilities, providing improved resilience and simplified management for global payment applications.
https://aws.amazon.com/ru/blogs/security/multi-region-keys-a-new-approach-to-key-replication-in-aws-payment-cryptography/
(Use VPN to open from Russia)
#aws
👩💻 Illicit Consent-Granting & App Backdooring – Obtaining persistence in Entra
This article details how attackers exploit Entra ID through OAuth consent injection and app backdooring, covering attack flows, MITRE ATT&CK mappings, detection strategies, and prevention methods for securing consent flows.
https://www.slashid.dev/blog/entra-app-backdooring/
#azure
👩💻 Azure mandatory multifactor authentication: Phase 2 starting in October 2025
Multifactor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants in March 2025. Now, Azure is announcing the start of Phase 2 MFA enforcement at the Azure Resource Manager layer, starting October 1, 2025.
https://azure.microsoft.com/en-us/blog/azure-mandatory-multifactor-authentication-phase-2-starting-in-october-2025/
#azure
🔶🔴 GCP Workload Identity Federation with AWS ECS Tasks
GCP Workload Identity Federation does not support AWS ECS tasks out of the box. Here is why and what you can do about it.
https://agarabhishek.com/posts/gcp-workload-identity-federation-with-aws-ecs-tasks/
#aws #gcp
🔶 From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover
Exposed cloud credentials become the launchpad for mass phishing, highlighting email services as a prime target in cloud exploitation campaigns.
https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign
#aws
👩💻 Cloud forensics: Why enabling Microsoft Azure Storage Account logs matters
Although often overlooked, Azure Storage logs can provide invaluable insights for digital forensics, helping investigators reconstruct attacker activity, trace data access patterns, and detect anomalies.
https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/cloud-forensics-why-enabling-microsoft-azure-storage-account-logs-matters/4445723
#azure
👩💻 Illicit Consent-Granting & App Backdooring – Obtaining persistence in Entra
This article details how attackers exploit Entra ID through OAuth consent injection and app backdooring, covering attack flows, MITRE ATT&CK mappings, detection strategies, and prevention methods for maintaining persistence in Azure environments.
https://www.slashid.com/blog/entra-app-backdooring/
#azure
🔶 Simplify multi-tenant encryption with a cost-conscious AWS KMS key strategy
An efficient approach to managing encryption keys in a multi-tenant SaaS environment through centralization, addressing challenges like key proliferation, rising costs, and operational complexity across multiple AWS accounts and services.
https://aws.amazon.com/ru/blogs/architecture/simplify-multi-tenant-encryption-with-a-cost-conscious-aws-kms-key-strategy/
(Use VPN to open from Russia)
#aws
🔶 A new type of long-lived key on AWS: Bedrock API keys
AWS has introduced a new type of long-lived key called Bedrock API keys, which are used for authenticating applications. These keys are created through the IAM API and can have an expiration time set, but there's no way to enforce this via IAM policy conditions.
https://www.wiz.io/blog/a-new-type-of-long-lived-key-on-aws-bedrock-api-keys
(Use VPN to open from Russia)
#aws
🔴 From silos to synergy: New Compliance Manager, now in preview
Google Cloud Compliance Manager, now in preview, can help simplify and enhance how organizations manage security, privacy, and compliance in the cloud.
https://cloud.google.com/blog/products/identity-security/streamline-auditing-compliance-manager-is-now-in-preview/
#gcp
🔶 Another ECS Privilege Escalation Path
Post covering a privilege escalation vector which relies on using functionality designed for the ECS agent to self-register a compromised EC2 and override a task definition.
https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path
#aws