📣 Issue 84 is out. Highlights: - Amazon Inspector enhances the security engine for container images scanning. - AWS CloudTrail network activity events for VPC endpoints now generally available. - whoAMI: A cloud image name confusion attack by Seth Art. - Uncovering a Hidden CloudTrail Bug by Tracing AWS AssumeRole Chains in a Graph Database by Or Aspir. - Tool: Cloud Trail Discover cheat sheet. aws-cloudsec.com/p/issue-84

whoAMI attacks give hackers code execution on Amazon EC2 instances - @billtoulas bleepingcomputer.com/news/se… bleepingcomputer.com/news/se…

whoAMI research by DataDog. I immediately thought about all the user-data scripts that me be attached to those launched EC2 instance images 🥶 Kudos to @sethsec for the discovery, research, and tool! #aws #cloudsecurity securitylabs.datadoghq.com/a…

The prior name confusion issue: ramimac.me/poisoning-ssm-com…

Excellent research here from @sethsec and crew - including responsible disclosure, AWS hardening enhancement, detection guidance, etc. 🤔 I did report a name confusion in SSM Documents impacting Datadog right before this was found... 😜

What. The.

Fun with Google Cloud's default service accounts (and how to leverage them for offensive purposes) securitylabs.datadoghq.com/a…

🔗In this article we talk about how I exploited a Fortune 500 Through Hidden Supply Chain Links Link 👇 landh.tech/blog/20241028-hid… Thanks to the entire @HashiCorp team ! 🤟 Enjoy 🔥

☁️ State of Cloud Security 2024 update of @Datadog’s report analyzing security posture data from a sample of thousands of orgs across AWS, Azure, and Google Cloud • Long-lived credentials continue to be a major risk. • Adoption of public access blocks in cloud storage services is rapidly increasing, • <1/2 of EC2 instances enforce IMDSv2, but adoption is growing • Securing managed Kubernetes clusters requires non-default, cloud-specific tuning • Insecure IAM roles for third-party integrations leave AWS accounts at risk of exposure • Most cloud incidents are caused by compromised cloud credentials datadoghq.com/state-of-cloud…

Mine & @sabi_elezi's #MaLDAPtive presentation from @defcon is now posted on YouTube! LDAP obfuscation, deobfuscation & detection - all built on our 100% custom LDAP parser. Recording: youtube.com/watch?v=mKRS5Iyy… Tool: github.com/MaLDAPtive/Invoke… @permisosecurity #LDAP #ClippyGotJokes

Excited to share some research I've been working on for the past few months, based on real-world data from thousands of environments using AWS, Azure and Google Cloud! datadoghq.com/state-of-cloud…

Registration for the 2024 CNY Hackathon is now open! cnyhackathon-2024-registrati…

How it feels to be on the other side… #Bluesky

I had such a great time speaking about Cloud Security at @BsidesORL! I saw some great talks, made some new friends, and got to hang with old ones. A huge thank you to all of the volunteers that made this epic event possible!

This is a killer talk! If you have not seen it yet, make some time to watch Nick explain some really cool initial access techniques he found in a super approachable way!

Great blog post from @permisosecurity on LLMHijacking attacks against AWS Bedrock. I remember when we first started seeing this behavior from threat actors and I couldn't figure out why they would target Bedrock. Well, I guess we have on answer. 🧵 permiso.io/blog/exploiting-h…

Really looking forward to speaking at BSides Orlando in two weeks!