Father of two boys, guitar and uke player. Identity, GenAI, and security architect. My opinions are my own.

Joined March 2014
Pinned Tweet
šŸ”If you ever need to call the AWS IAM or STS APIs, or want a snapshot of your IAM resources (users, roles, and policies), or just want to learn more on IAM's behavior, check out my two-part blog on this topic! aws.amazon.com/blogs/securit…
It's these types of exploits that make me extra careful when reviewing the security apps that use LLMs.
We got ChatGPT to leak sensitive data from your Google Drive data back to OUR servers. And you’ll never even know it happened. All by sharing a single document. A real 0-click data exfil attack. Here’s a detailed breakdown of how we did it 🧵 #DEFCON #BHUSA @mbrg0
Hey @canva, you told us that you wouldn't answer security questions "without purchase of the Enterprise version". Is this reflective of your attitude towards customers who care about security, privacy, and compliance especially with the concerns everyone has around AI? Do better!
If this isn't reflective of your sales culture, then I'd appreciate a DM on how we can resolve this. My job is to review vendors on their AI-related security controls, and up to now all vendors have willingly complied, enterprise version or not. @canva thoughts?
I'd recommend this to anyone needing to skill up on AWS IAM!
While not working on ☁️IAM security🔒, I've had to dive into Microsoft Copilot & Copilot Studio security. Copilot Studio is a no/low-code agent and chatbot platform with many integrations to your MS tenant, SNOW, Facebook, etc. Make sure your developers configure this securely!
19 Aug 2024
a short summary of all new attack vectors, lol techniques and tools we published at bh/dc (400 words) labs.zenity.io/p/summary-zen…
A 🪲 bug with Google Search's AI Overview feature? Either way it's completely incoherent.... in repudiateas in scowlas in spurnas in turn downas..!
Michael Chan retweeted
ICYMI!
In mid-2024, we're enhancing your sign-in experience. 🌟 Expect a new UI for root & IAM users and an updated switch role page. Improved navigation for a seamless sign in experience. Discover more in our latest blog: go.aws/3v2jHj7
Happy holidays everyone! Wishing you all a happy and secure Christmas season. Gingerbread house kit courtesy of @wiz_io and @SolvangBakery.
Michael Chan retweeted
Awesome to see this in the docs now! Also check out this great session from @colmmacc where he covers FAS: youtube.com/watch?v=4J8REvs7…
👉For those who want more on AWS security internals, we finally have a great page describing Forward Access Sessions, the vehicle by which many AWS services do things on behalf of you. docs.aws.amazon.com/IAM/late… @AWSIdentity
Michael Chan retweeted
As of next year, #google will require premium subscriptions for things like IAM Recommender, Role Insights, etc. This is the OPPOSITE of their mantra calling for shared fate instead of the shared responsibility model. A massive loss in credibility.
28 Sep 2023
Policy Intelligence update on September 28, 2023 cloud.google.com/policy-inte… #googlecloud After January 15, 2024, some Policy Intelligence features will only be available for customers with organization-level activations of Security 1/2
Michael Chan retweeted
2 Oct 2023
Big pricing change to a valuable GCP security feature for least-privilege IAM. Requiring the org-level SCC Premium bundle instead of a pay-as-you-go per-service price will be prohibitively expensive and detrimental to security for many customers in the long run. @philvenables
😠 Wondering today why @googlecloud charges for security features that @awscloud gives away for free. Shouldn't customer security be paramount? "What will require Security Command Center Premium: IAM Recommender, including lateral movement insights, role recommendations ..."
"What will require SCC Premium: IAM Recommender, including lateral movement insights, role recommendations for non-basic roles, recommendations for custom roles, and recommendation for Google Cloud Storage buckets. Policy Analyzer at scale (above 20 queries per day)."
Shame on you @googlecloud. Your competitor's AWS IAM Access Analyzer is free, and will likely remain so. If you cared about customer security, you're certainly not showing it.
Coming from someone reviewing the security controls that can be enabled in Azure, this isn't too comforting. AWS I know has a strong security culture, but much less sure about Microsoft.
18 Sep 2023
Replying to @wiz_io
🔒 What happened? While releasing open-source training datasets, Microsoft's AI research team accidentally left the vault door open 👀 Over 38TB of data (!), including personal backups of employee workstations, private keys, and internal Microsoft Teams messages, were exposed.
Google's use of the vuln list cloudvulndb.org/ to claim better security than other CSPs is a classic example of misusing statistics by not understanding how the data has been curated and represented. @0xdabbad00
Hey @alexadevs, my Alexa skill has earned $$ the past few months, but it's never been credited to my bank account even though I've provided the info as asked in the developer console. Can you assist? I hope no other devs have this issue!
I was owed a May 13th payment, but it's after 90 days, and according to your policy my money is now forfeit! I really hope this is not the case. I have upcoming payments as well :| Talking with Alexa support has not helped either.
👉For all you AWS customers that also have to understand GCP IAM lingo, here's a quick clarification on the terminology you need to understand. Especially since a GCP role is not equivalent to an AWS role (a GCP service account is the most equivalent): kattraxler.github.io/
And if you stay up late worrying about AWS IAM users and their long-lived credentials, well look no further! GCP has the same, and they're called service account keys. In GCP, though, you now can set an expiration date, not that you should depend on this: cloud.google.com/iam/docs/se…