📥 Stay Up-to-Date on the latest AWS Security News with our Weekly Digest.

Global S3: Another C2 Channel for AgentCore Code Interpreters
Nigel Sood

Bedrock AgentCore Code Interpreters running in "Sandbox mode" can reach any S3 bucket worldwide — including buckets in other AWS accounts. Attack flow: drop a command file in an attacker bucket, the sandbox polls and executes it, then PUTs the result back via a presigned URL. DNS-based C2 was fixed, but the S3 path remains open until you switch to VPC mode and lock S3 with a Gateway Endpoint policy.

🧩 Sandbox mode allows unrestricted S3 GET/PUT across accounts
🔁 Polling C2: attacker writes commands → interpreter fetches & runs → results returned via presigned URL
🔒 Mitigation: move interpreters to VPC mode, enforce Gateway Endpoint policies, and monitor cross-account S3 access patterns
⚠️ Read for the full attack workflow, reproduction notes, and concrete mitigation guidance

This was first mentioned in AWS Security Digest Issue #258: awssecuritydigest.com/past-i…
Read here: sonraisecurity.com/blog/glob…
Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System
Yahav Festinger and Chen Doytshman

Researchers created a three-agent offensive AI (infra, app, cloud) and tested it in a sandboxed GCP setup. The agents chained real cloud techniques: SSRF → metadata token theft → IAM enumeration → self-granted storage.objectAdmin → BigQuery exfil to a newly created bucket. They also showed brittleness—agents sometimes got stuck on irrelevant hosts or repeated low-value actions.

🔎 What’s notable
- 🤖 Multi-agent orchestration can autonomously find cross-layer attack chains (network → metadata → IAM → storage).
- 🔐 Short-lived tokens and overly permissive service accounts enabled privilege escalation and persistence.
- 📦 BigQuery and storage served as stealthy exfil paths, including creating new buckets for data drops.

🧭 Practical takeaways for defenders
- 🛡️ Restrict metadata/IMDS access and tighten instance/service-account scopes.
- 🔐 Enforce least privilege for IAM and closely audit policy changes.
- 🚨 Monitor unusual BigQuery exports, new buckets, and storage ACL changes; watch for automated, repetitive scanning.
- 🧰 Use runtime anomaly detection—these attacks succeed when defenders miss chained, low-noise actions.

Read the full write-up for agent workflows, logs, and defender playbooks — examples generalize beyond GCP.

First mentioned in AWS Security Digest Issue #258: awssecuritydigest.com/past-i…
Read here: unit42.paloaltonetworks.com/…
How attackers exploited LMDeploy LLM inference engines in 12 hours
Sysdig

LMDeploy’s chat-completion "yolo" endpoint blindly fetches whatever URL is in image_url, turning the model server into an SSRF proxy. Within 13 hours of the CVE, attackers hit a Sysdig honeypot and — in ~8 minutes — pulled AWS IAM credentials from the metadata service, port-scanned Redis and MySQL, then reached an unauthenticated admin endpoint.

🔍 Technical takeaways
- Exploit vector: unchecked image_url → SSRF via "yolo".
- Impact chain: SSRF → metadata access → IAM token theft → lateral scanning (Redis/MySQL) → unauthenticated admin access.
- Timeline: CVE public → 13 hours to first compromise; 8 minutes from access to credential exfiltration.

🛡️ How to reduce risk
- Sanitize or block arbitrary remote fetches; validate URLs.
- Restrict inference-server egress and use network allowlists.
- Harden instance metadata access (IMDS protections) and enforce least-privilege IAM.
- Require auth on admin endpoints and monitor outbound requests for SSRF signs.

Source: AWS Security Digest Issue #258 — awssecuritydigest.com/past-i…
Read here: webflow.sysdig.com/blog/cve-…
The Invisible Footprint: How Anonymous S3 Requests Evade AWS Logging
Maya Parizer

Maya found that anonymous S3 requests originating inside a VPC to an external bucket left no CloudTrail trace in the caller’s account: no management event, no data event, and no Network Activity event, regardless of whether the VPC endpoint policy allowed or denied the call. That meant a compromised workload could quietly POST to an attacker-owned bucket with nothing in its own CloudTrail pointing to it. AWS has since patched this to emit Network Activity events for those calls. The writeup pairs with prior VPC endpoint account-ID leak research to show how this invisible path used to enable stealthy exfiltration and cover tracks.

🔍 Key technical takeaways: anonymous requests from inside a VPC skipped caller-side CloudTrail logs; the issue depended on request origin (VPC) vs external bucket; AWS’s patch now surfaces Network Activity events.
⚠️ Why click: the post explains attack scenarios, forensic blind spots, and how the patch changes detection—essential reading for cloud defenders.

This was first mentioned in AWS Security Digest Issue #257: awssecuritydigest.com/past-i…
Read here: varonis.com/blog/anonymous-s…
Part 2 — CVE-2026-5429: Kiro WebView XSS → RCE
Dhiraj Mishra

Kiro inserts workbench.colorTheme into an inline script with no escaping and no Content Security Policy, so a malicious theme extension checked into a repo’s .vscode/ folder runs arbitrary JS as soon as the project opens. The webview also exposes a subprocess message handler that shells out, allowing that theme-based XSS to escalate to full command execution as the developer. This is Dhiraj’s second Kiro-to-RCE after the unquoted-workspace-path injection—workspace settings/extensions are a repeatable attack surface.

🔍 Technical chain: unescaped inline theme, no CSP → webview XSS → exposed subprocess handler → shell exec as user
🔐 Key insight: a crafted theme checked into a repo can immediately compromise a developer; treat workspace metadata/extensions as high-risk input and add CSP, escaping, and stricter message-handler controls.

First reported in AWS Security Digest Issue #257: awssecuritydigest.com/past-i…
Read here: medium.com/@dhiraj_mishra/pa…
🛎️ AWS Security Digest 264 is out!

🎤 fwd:cloudsec North America wrap-up: the best AWS talks
1️⃣ Sub:jugation: Hijacking Cloud Identities by Recycling Namespaces in Global OIDC Issuers by Tal Skverer
2️⃣ No Way Out? Bypassing the AWS Data Perimeter with Bedrock AgentCore by Dan Gansel
3️⃣ The HazyBeacon Protocol: How Malware Weaponizes AWS Lambda Function URLs by Aniket Harne

awssecuritydigest.com/past-i…
AWS IAM Credential Revocation Gaps
Eduard Agavriloae

A tool called notyet exploits the ~4-second global propagation delay after disabling an AWS access key. Polling every 0.5s, it detects containment actions and acts before the disable completes — creating/assuming roles, provisioning randomly named users, and rewriting policies to retain access.

- 4s propagation window; notyet polls every 0.5s
- Can create/assume roles, mint identities, and alter policies during the window
- AWS blocks deactivated keys from creating new access keys, but other IAM actions still work; notyet pivots via temporary roles to mint fresh identities
- Nigel Sood’s red-blue tests (policies, permission boundaries, groups, key deactivation, role deletion, SSM runbooks) failed to contain it
- Most reliable mitigation: an Organizations-level SCP that a compromised identity in a member account cannot detach

First mentioned in AWS Security Digest Issue #256: awssecuritydigest.com/past-i…
Read here: offensai.com/blog/notyet-aws…
Escaping the AWS AgentCore Sandbox
By: Ori Hadad

AgentCore's Code Interpreter sandbox promises total isolation—but Ori shows practical escape paths: arbitrary DNS lookups bypass network restrictions to create a covert bidirectional channel for exfil/C2, and the microVM Metadata Service (MMDS) exposes credentials with no session-token enforcement (IMDSv1-style). In part two, the starter toolkit auto-creates IAM roles with wildcard permissions across agents—so one compromised agent can pull other agents' images, read conversation history, and poison their memory. Ori calls it "Agent God Mode."

🧩 Attack chain: DNS tunnel → MMDS credential theft → wildcard IAM → full cross-agent takeover
🔐 MMDS risk: no session tokens; treat like IMDSv1 exposure
🛠️ Dev tooling warning: starter toolkit grants broad, account-wide privileges—apply least privilege and rotate creds

Read the full writeup for PoC details and mitigations.

This was first mentioned in AWS Security Digest Issue #256: awssecuritydigest.com/past-i…
Read here: unit42.paloaltonetworks.com/…
🛎️ AWS Security Digest 263 is out!

1️⃣ Zapocalypse: The Attack Chain That Could Have Hijacked Zapier by Yair Balilti
2️⃣ Adding Strands Security Agents to Shadow Asset Scanner by Sena Yakut

awssecuritydigest.com/past-i…
🛎️ AWS Security Digest 262 is out!

1️⃣ Pathfinding Labs: Deploy, test, and learn from 100 intentionally vulnerable AWS environments by Seth Art
2️⃣ 3 prerequisites to adopting Claude Platform on AWS by Nigel Sood
3️⃣ Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740 by Rory McCune

awssecuritydigest.com/past-i…
Enforcing AI Governance Across AWS Organizations
Nigel Sood

Bedrock guardrails are per-account with no org-level enforcement. This post outlines five controls for enforcing AI governance across an AWS Organization and flags two dangerous gotchas.

🛑 SCPs blocking Bedrock don't stop model calls via the OpenAI-compatible SDK — it uses a separate bedrock-mantle IAM namespace, so you must explicitly deny that namespace.
🔑 Long-lived Bedrock API keys can silently create IAM users with broad permissions (enough to remove guardrails). The post shows detection and tighter key policies.

Read for practical controls and deny examples to harden Bedrock use and protect your guardrails.

First mentioned in AWS Security Digest #255: awssecuritydigest.com/past-i…
Read here: sonraisecurity.com/enforcing…
Navigating Amazon Bedrock's Multi-Agent Applications
Jay Chen and Royce Lu

Jay and Royce show how a legitimate chatbot user can craft inputs that enumerate collaborator agents, traverse orchestration layers, and invoke downstream tools with attacker-controlled content. Supervisor agents often delegate without reliably distinguishing adversarial from legitimate inputs, letting a crafted payload chain through an entire multi-agent workflow.

🧭 Supervisor agents can process and delegate requests but lack robust checks at delegation boundaries.
🔗 A single crafted input can: enumerate agents, move through orchestration layers, and trigger downstream tools — every agent added is another potential attack link.
🛡️ Core insight: prevent lateral chaining by enforcing explicit verification at each delegation step and locking down tool invocation policies.

This was first mentioned in AWS Security Digest Issue #255: awssecuritydigest.com/past-i…
Read here: unit42.paloaltonetworks.com/…
AWS CodeBuild: Escalating privileges via CodeConnections
Thomas Preece

An undocumented internal endpoint, codebuild-builds.{REGION}.amazonaws.com, responds to GetBuildInfo and can return the raw GitHub App installation token (or Bitbucket JWT) used by CodeConnections. That token grants admin/write access across every repo the app can reach — including bypassing branch protections.

The write-up includes:
🔍 proof of the hidden endpoint and API surface leaking tokens;
⚠️ impact analysis of how one token bypasses protections and escalates access;
🧭 a full exploit path for defenders to audit and harden environments.

First mentioned in AWS Security Digest Issue #255: awssecuritydigest.com/past-i…
Read here: thomaspreece.com/2026/03/23/…
🛎️ AWS Security Digest 261 is out!

1️⃣ Authorization Bypass in Amazon Quick: Unauthorized AI Chat Agent Usage by Jason Kao
2️⃣ The AWS AI Security Framework: Securing AI with the right controls, at the right layers, at the right phases by Riggs Goodman III and Christopher Rae
3️⃣ Malicious Coding Agent Skills and the Risk of Dynamic Context by Nick Frichette and Ryan Simon

awssecuritydigest.com/past-i…
AWS Keeps Breaking Its Own Trust Boundaries
Daniel Grzelak

A quick analysis of 20 AWS security bulletins (Oct 2025–Mar 2026) shows trust-boundary failures are the dominant class — 7 of 20 — not memory corruption or crypto bugs. The problem: services assume a principal is trustworthy when it isn’t, enabling privilege escalation or lateral movement.

🔒 Example: an EKS provisioning role included arn:aws:iam::ACCOUNT:root in its trust policy, effectively granting overly broad trust.
🧩 Example: a SageMaker read-only API leaked HMAC signing keys, allowing forged payloads.

Insight: a permission’s danger comes from what it can reach via credential chains, resource-based policies, and service integrations — IAM action names alone don’t tell you risk. If AWS’s services make these mistakes, your environment probably has the same patterns. Audit trust policies, cross-service principals, and key exposures accordingly.

This was first mentioned in AWS Security Digest Issue #254: awssecuritydigest.com/past-i…
Read here: hackaws.cloud/blog/aws-secur…
Local File Inclusion in AWS Remote MCP Server via CLI Shorthand Syntax
Coby Abrams

Coby discovered an LFI (CVE-2026-4270) in the official AWS Remote MCP Server that completely bypasses FileAccessMode=NO_ACCESS. The AWS CLI’s shorthand for loading local file contents into command parameters was passed through unsanitized by the MCP server — point it at a sensitive file, trigger an error, and the error response leaks the file contents. Reproducible against aws-mcp.us-east-1.api.aws; patched in v1.3.9.

🔍 What matters: the vulnerability abuses CLI file-loading shorthand and server-side lack of input sanitization, not a client bug.
⚠️ Impact: secrets or config files can be exfiltrated via error messages even when NO_ACCESS is set.
✅ Fix: update AWS Remote MCP Server (and any forks) to v1.3.9 or later now.

This was first mentioned in AWS Security Digest Issue #254: awssecuritydigest.com/past-i…
Read here: varonis.com/blog/local-file-…
"But without PassRole it should be fine", Lambda edition
Daniel Grzelak

Conventional wisdom says iam:PassRole is the gatekeeper for Lambda privilege escalation — this post shows two practical bypasses using only lambda:UpdateFunctionConfiguration.

🔧 Attach a cross-account malicious layer and drop an executable into /opt/extensions/ — Lambda auto-runs extensions during Init, so the code executes as the function role without touching the handler or UpdateFunctionCode.
🧩 Or set AWS_LAMBDA_EXEC_WRAPPER to a wrapper script that runs before the runtime starts — same result: arbitrary code under the function role, no code diff alerts.
⚠️ Neither approach requires PassRole, and one was abused by Stratus Red Team for persistence.

Quick defenders’ takeaways:
🔍 Alert on lambda:UpdateFunctionConfiguration that adds layers or changes environment variables (especially AWS_LAMBDA_EXEC_WRAPPER).
🔒 Block cross-account layer attachments, tighten UpdateFunctionConfiguration permissions, and require stricter layer/trust policies.
🛡️ Monitor /opt/extensions behavior, enable function code signing/versioning, and log layer-related events for rapid detection.

This was first mentioned in AWS Security Digest Issue #254: awssecuritydigest.com/past-i…
Read here: plerion.com/blog/without-pas…
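An added detection sketch for the defenders' takeaways above (example code, not from Daniel's post or Plerion): it walks CloudTrail records and flags UpdateFunctionConfiguration calls that attach a layer owned by a different account or set AWS_LAMBDA_EXEC_WRAPPER. The record shape, function name and account ids are constructed samples; real CloudTrail records may mask environment variable values, so the check keys on the variable name only.

```python
import json

WRAPPER_VAR = "AWS_LAMBDA_EXEC_WRAPPER"


def layer_account(layer_arn: str) -> str:
    """Account id from a layer ARN: arn:aws:lambda:<region>:<account>:layer:<name>:<ver>."""
    parts = layer_arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def analyze_event(event: dict) -> list:
    """Findings for one CloudTrail record; empty list when nothing suspicious."""
    findings = []
    if event.get("eventSource") != "lambda.amazonaws.com":
        return findings
    if not str(event.get("eventName", "")).startswith("UpdateFunctionConfiguration"):
        return findings
    own_account = event.get("recipientAccountId", "")
    params = event.get("requestParameters") or {}
    fn = params.get("functionName", "<unknown>")
    # Path 1: a layer owned by another account (its /opt/extensions run at Init).
    for arn in params.get("layers") or []:
        acct = layer_account(arn)
        if acct and acct != own_account:
            findings.append(f"{fn}: cross-account layer {arn}")
    # Path 2: wrapper script that runs before the runtime starts. Real records
    # may mask variable values, so only the key name is checked.
    env = (params.get("environment") or {}).get("variables") or {}
    if WRAPPER_VAR in env:
        findings.append(f"{fn}: {WRAPPER_VAR} set to {env[WRAPPER_VAR]!r}")
    return findings


def scan(records: list) -> list:
    """Run analyze_event over a batch of records and collect all findings."""
    return [f for r in records for f in analyze_event(r)]


def _rec(**params: object) -> dict:
    """Build a constructed sample record (account ids here are placeholders)."""
    return {"eventSource": "lambda.amazonaws.com",
            "eventName": "UpdateFunctionConfiguration20150331v2",
            "recipientAccountId": "111111111111",
            "requestParameters": {"functionName": "billing-api", **params}}

SAMPLE_RECORDS = [
    _rec(layers=["arn:aws:lambda:us-east-1:222222222222:layer:helper:3"]),
    _rec(environment={"variables": {WRAPPER_VAR: "/opt/wrap.sh"}}),
    _rec(memorySize=512, layers=["arn:aws:lambda:us-east-1:111111111111:layer:shared:7"]),
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_RECORDS), indent=2))
```

The third sample (a same-account layer plus a memory change) produces no finding, which is the false-positive case a rule keyed only on the event name would raise.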
UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours
Ravie Lakshmanan

Mandiant-tracked UNC6426 injected a malicious postinstall into the nx npm package to steal GitHub tokens from developer machines. Those tokens abused an overly permissive GitHub Actions→AWS OIDC trust to create an admin IAM role, then used Nord Stream to harvest CI/CD secrets—full environment takeover in 72 hours (S3 exfiltration; production instances terminated).

🔍 What to watch: compromised npm postinstall scripts, stolen GitHub tokens, permissive OIDC trust relationships, and tools like Nord Stream that automate secret harvesting.
🛡️ Mitigations: tighten OIDC role conditions and least-privilege for GitHub Actions, restrict postinstall execution, rotate and scope tokens, and enforce ephemeral credentials and CI/CD secret controls.
⚠️ Insight: OIDC simplifies auth but delegates critical trust to your CI provider—review trust boundaries and role conditions.

First mentioned in AWS Security Digest Issue #253: awssecuritydigest.com/past-i…
Read here: thehackernews.com/2026/03/un…
Pentesting a Pentest Agent: Here's What I've Found in AWS Security Agent
Richard Fan

🔍 Multi-stage exploit chain — begins with debug-message injection, then hides malicious requests in emotionally framed narratives to bypass guardrails.
⚠️ Privilege escalation container escape — ends with retrieving instance credentials from IMDS, consistent with AWS threat model.
🧪 Dangerous testing — agent runs destructive SQL during probes (DROP TABLE) and includes discovered credentials in reports without redaction.
💡 Why it matters — autonomous pentest agents can amplify risk if unchecked; this research shows PoC techniques and failure modes practitioners should defend against.

See the full breakdown for PoC details, attack flow diagrams, and mitigations.

Mentioned in AWS Security Digest Issue #253: awssecuritydigest.com/past-i…
Read here: blog.richardfan.xyz/2026/03/…
🛎️ AWS Security Digest 260 is out!

1️⃣ From Leaked AWS Key to Data Exfiltration in 60 Seconds by Adan Álvarez
2️⃣ Credential isolation and least privilege for AWS agents by Alex Smolen
3️⃣ AWS Credential Isolation for Local AI Agents by Alex Smolen

awssecuritydigest.com/past-i…