Links
This article details how attackers can misuse AWS CLI aliases to stealthily maintain persistence in cloud environments. It explains the mechanics of creating malicious aliases that preserve normal command functionality while executing harmful actions, such as credential exfiltration. A proof of concept demonstrates the technique in action.
This article explains how to integrate FortiGate Next-Generation Firewall (NGFW) with AWS Gateway Load Balancer for improved security in hybrid environments. It highlights the benefits of centralized traffic inspection and policy management, simplifying compliance and threat prevention. A free 30-day trial is available for evaluation.
This article explains service-linked roles (SLRs) in AWS, detailing their unique characteristics and how they differ from standard service roles. It covers how SLRs are created and managed, and the implications of AWS owning these roles, including access limitations for users.
Pathfinding.cloud offers resources for security and DevOps professionals to identify and address IAM privilege escalation risks in AWS. It includes a library of exploitation guides and a coverage map, along with upcoming labs for hands-on practice in a controlled setting.
This article details the Quiet Riot tool for enumerating AWS, Azure, and GCP principals without authentication. It explains setup requirements, command usage, and performance insights based on extensive testing. The tool facilitates automated scanning for various account IDs and user details across cloud services.
This article highlights key security updates announced before AWS re:Invent 2025, focusing on AWS local development with console credentials, IAM outbound identity federation, and attribute-based access control for S3. It discusses the benefits of these features, potential risks for attackers, and monitoring strategies using CloudTrail.
This article explores AWS Bottlerocket, a secure operating system designed for container hosting. It tests how Bottlerocket defends against common container escape techniques, demonstrating its effective security measures compared to less hardened systems like Ubuntu.
Fog Security revealed methods to evade AWS Trusted Advisor's S3 security checks, allowing public access to S3 buckets without triggering alerts. Despite reporting these issues to AWS, initial fixes were incomplete, leading to continued inaccurate assessments of bucket security. Their communication regarding the problem's severity was also criticized as insufficient.
The article explores security vulnerabilities in AWS EKS by deploying misconfigured Kubernetes pods. It demonstrates how an attacker can escape from a compromised pod to gain root access on the host and potentially access other services. The focus is on the implications of specific dangerous configurations and their exploitation.
AWS introduced VPC encryption controls to help organizations enforce encryption for traffic within and between VPCs. The feature offers two modes: monitor and enforce, allowing users to audit encryption status and ensure compliance with regulations. It simplifies the process of maintaining encryption across cloud infrastructure without significant performance impact.
This article explains how Vectra AI helps identify security threats that move from AWS to on-premises and SaaS environments. It highlights the platform's capability to detect more high-risk threats faster and offers a chance to see a live demo with a security engineer.
Heimdall is an AWS security scanner that identifies privilege escalation paths that attackers could exploit. It analyzes over 10 AWS services and provides insights into IAM roles, detecting potential vulnerabilities and mapping them with MITRE ATT&CK.
This article discusses a method for privilege escalation in AWS SageMaker, paralleling previous exploits in EC2. It explains how an attacker can manipulate lifecycle configurations to run unauthorized code and gain access to IAM roles. The author provides a proof of concept and highlights the need for better security measures.
AWS Secrets Manager now offers managed external secrets for third-party software credentials, simplifying their management and rotation. This feature standardizes formats and automates processes, reducing operational overhead for organizations that use multiple external services. Users can create and manage these secrets directly in Secrets Manager.
The article discusses how AWS IAM's eventual consistency can leave a 4-second window during which deleted access keys may still be valid. Attackers can exploit this delay to create new keys after the old ones are revoked, posing significant security risks. It outlines mitigation strategies, including using Service Control Policies.
This article offers a comprehensive e-book focused on AWS container services. It covers various aspects like security, monitoring, and management for applications running in AWS environments. You'll find insights tailored for developers and IT professionals working with containers.
Security researchers identified a major flaw in the AWS Console that could have allowed attackers to seize control of key GitHub repositories, potentially leading to widespread supply chain attacks. The vulnerability, linked to a misconfiguration in AWS CodeBuild CI pipelines, has been addressed by AWS following its disclosure in August 2025. Users are advised to implement certain security measures to mitigate risks.
This article outlines common misconfigurations in AWS that can expose cloud resources to unauthorized access. It focuses on two main issues: service exposure and access by design, highlighting specific services like Lambda, EC2, and ECR that can create vulnerabilities. Understanding these risks is essential for effective cloud security management.
The article details a serious vulnerability in AWS ROSA Classic Clusters that allowed unauthenticated attackers to take control of clusters and access underlying AWS accounts. The exploit involved manipulating cluster transfer requests without proper authorization checks, enabling mass compromises. The author outlines the discovery, mechanics, and potential impacts of the attack.
The article highlights a flaw in the trust policies created by AWS Bedrock for execution roles. These policies allow any agent in the account to assume roles, leading to potential security risks if not properly scoped. The author suggests that AWS should refine these policies to ensure only specific agents can invoke models.
This article details Yelp's approach to handling S3 server access logs at scale. It discusses the challenges of logging, the benefits of object-level logging for debugging and security, and the architecture used to optimize log storage by converting them into a more efficient format.
This article explains how to set up the AWS WAF Anti-DDoS managed rule group to effectively protect web applications from Layer 7 DDoS attacks. It covers the balance between mitigating attacks and ensuring a smooth experience for legitimate users, detailing configurations for different client types and request scenarios.
This article details the evolution of AWS privilege escalation, highlighting the shift from IAM policy abuse to service-based execution and AI orchestration. It discusses the various escalation techniques, including those introduced by new AI services like Bedrock and AgentCore, and outlines which actions can be effectively blocked by security policies.
This article explains AWS's EC2 Instance Attestation, a feature that extends security verification to entire EC2 instances, unlike Nitro Enclaves, which operate in a limited, secure environment. It outlines the differences in deployment complexity, security measures, and potential use cases, emphasizing the need for proactive security in standard EC2 instances.
This article outlines the features and capabilities of FortiGate-VM, a next-generation firewall and VPN solution for AWS environments. It highlights its integration with AWS services, automated security management, and advanced threat protection functionalities. User experiences and pricing details are also discussed.
The author shares their experience of having their AWS account hacked, detailing how the attacker gained access, the immediate steps taken to regain control, and the lessons learned about cloud security. They emphasize the importance of proper security measures and the mindset needed to prevent such incidents.
AWS now offers flat-rate pricing plans for its CloudFront service, eliminating overage charges regardless of traffic spikes. These plans include essential features like CDN, DDoS protection, and analytics, available in various tiers to suit different needs. Users can choose from a free tier up to premium options, making it easier to budget for internet-facing applications.
This article explores how to implement robust authorization for data accessed through Retrieval-Augmented Generation (RAG) using Amazon S3 Access Grants with Amazon Bedrock. It highlights the need to verify permissions directly from the data source to prevent unauthorized information retrieval.
This article analyzes the security features of AWS Lambda Managed Instances, focusing on their Bottlerocket-based architecture and access restrictions. It highlights the limitations on IAM role modifications and instance access, while exploring the underlying components and network configurations that enhance security.
This article provides a step-by-step guide for setting up mutual TLS (mTLS) authentication with Amazon CloudFront using an open-source serverless Certificate Authority (CA). It covers initial CloudFront setup, CA deployment, and testing mTLS access, highlighting security practices and configuration details.
This article discusses the risks associated with using static credentials in cloud environments and offers alternatives for managing identities securely. It emphasizes the importance of temporary credentials and modern identity solutions to reduce vulnerabilities and improve security.
Misconfigured AWS Private API Gateways can be exploited by attackers from external AWS accounts due to overly permissive resource-based policies. This vulnerability allows them to access internal resources and potentially launch further attacks, emphasizing the need for strict policy configurations and monitoring. Proper security measures, such as limiting access to specific VPCs and implementing API authentication, are crucial to protect against these threats.
Small misconfigurations in IAM role trust policies can create significant privilege escalation risks in AWS, allowing low-privileged users to assume high-privileged roles. The article highlights the lack of clear documentation on trust policies and discusses two common misconfigurations that can lead to severe security implications. Understanding these risks is essential for maintaining a secure AWS environment.
The article discusses the integration of AWS VPC endpoints with AWS CloudTrail, highlighting how this setup enhances security and monitoring by enabling users to log and audit VPC endpoint activity. It also provides insights into the benefits of using CloudTrail for tracking API calls made by VPC endpoints, ensuring compliance and better resource management.
AWS CIRT has launched the Threat Technique Catalog for AWS, aimed at providing customers with insights into adversarial tactics and techniques observed during security investigations. This catalog, developed in collaboration with MITRE, categorizes specific threats to AWS and offers guidance on mitigation and detection to enhance customer security.
AWS has launched SRA Verify, an open-source assessment tool designed to help organizations evaluate their alignment with the AWS Security Reference Architecture (AWS SRA). The tool automates checks across various AWS services to ensure that security configurations adhere to best practices, with plans for future enhancements and contributions from the community.
AWS provides guidance on securely implementing and managing Amazon Bedrock API keys, recommending the use of temporary security credentials via AWS STS whenever possible. It outlines best practices for using short-term and long-term API keys, including monitoring, protection strategies, and the importance of adhering to security policies through service control policies (SCPs).
dAWShund is a suite of tools designed to enumerate, evaluate, and visualize AWS IAM policies to ensure comprehensive access management and mitigate misconfigurations. It consolidates Identity-Based Policies and Resource-Based Policies, simulates effective permissions, and provides visual representations of access levels within AWS environments using Neo4j. Contributions to enhance the tool are encouraged, and it operates under the BSD3 License.
AWS has introduced automatic application layer (L7) DDoS protection through AWS WAF, enabling faster detection and mitigation of DDoS events. This enhancement allows cloud security administrators to protect applications with reduced operational overhead by automatically applying rules based on traffic anomalies. The feature is available for AWS WAF and AWS Shield Advanced subscribers across most regions, with configurations customizable to specific application needs.
AWS ECS tasks running on EC2 instances face weak task-level isolation, leading to potential security risks like credential theft. The article highlights the importance of hardening configurations, particularly by restricting access to the EC2 Instance Metadata Service (IMDS), and discusses various networking modes and methods to effectively block IMDS access for ECS tasks.
AWS has launched three new enhanced security services to help organizations manage emerging threats in the generative AI era, introduced at the AWS re:Inforce conference. Notable features include AWS Security Hub for centralized threat management, AWS Shield for proactive network security, and Amazon GuardDuty's Extended Threat Detection for container-based applications. These tools aim to simplify security management and enhance protection for cloud environments.
AWS Identity and Access Management (IAM) Roles Anywhere allows external workloads to authenticate to AWS using digital certificates, enhancing security by eliminating the need for long-term credentials. However, organizations must carefully configure access permissions to avoid vulnerabilities, as the default settings can be overly permissive, potentially exposing cloud environments to risks. Implementing additional restrictions and adhering to the principle of least privilege is crucial for secure deployment.
Envilder is a CLI tool that automates .env and secret management using AWS SSM Parameter Store, streamlining environment setup for development teams. It addresses common issues like outdated secrets, manual onboarding, and security risks by centralizing secrets management, generating consistent .env files, and enhancing CI/CD workflows. Envilder ensures secure, efficient, and idempotent management of environment variables across various environments, making it ideal for DevOps practices.
Securing cloud-native applications necessitates a comprehensive, security-first strategy that incorporates zero-trust principles and the right tools to protect against evolving threats, especially as AI advances. AWS offers a range of on-demand security tools that are free to try and can be scaled based on usage, helping organizations enhance their security posture effectively. Technical resources are also available to assist in deploying these cloud security tools within AWS environments.
AWS has launched a simplified console experience for AWS WAF, reducing web application security configuration steps by up to 80% and providing expert-level protection. This new feature allows security teams to implement comprehensive protection quickly through pre-configured packs tailored to specific application types, enhancing security monitoring and response capabilities.
Verified Entity Identity Lock is a tool that identifies IAM principals in an AWS account that can assume specific permissions, facilitating the auditing of trust relationships. It outputs results in JSON format, allowing users to see who has access and to compare account IDs against a trusted list. The tool can be installed via the Go toolchain or by downloading a pre-built binary.
A critical vulnerability in AWS Lambda functions allows attackers to exploit OS command injection through S3 file uploads, potentially compromising AWS credentials and enabling further malicious actions such as phishing via AWS SES. The article highlights the importance of proper configuration and vulnerability scanning to prevent such attacks in event-driven architectures.
PowerUserAccess in AWS environments can inadvertently grant attackers opportunities similar to those provided by AdministratorAccess, especially in complex setups. The article emphasizes the importance of adhering to the Principle of Least Privilege and advocates for regular IAM audits and the use of custom policies to mitigate risks associated with privilege escalation.
Threat Designer is an AI-powered tool that automates threat modeling for secure system design, utilizing large language models to analyze architectures and identify security threats. It offers a browser-based interface for quick assessments and supports deployment for more advanced features, including an AI assistant and threat catalog management. Developers can choose between Amazon Bedrock and OpenAI models during setup.
Automating certificate management is crucial for organizations using AWS Private CA, especially to handle custom validity periods and monitor expiration dates. Utilizing AWS services like EventBridge, Lambda, and SNS, a scalable solution is proposed to generate audit reports that track certificate statuses and notify stakeholders of upcoming expirations. This approach enhances operational security and ensures timely compliance with certificate management needs.
Organizations can automate the disabling of compromised user accounts in AWS Managed Microsoft Active Directory by utilizing Amazon GuardDuty for threat detection. The article outlines a step-by-step process to set up GuardDuty, configure AWS Systems Manager, and use AWS Step Functions to streamline the response to suspicious activities detected in EC2 instances. This automation minimizes human error and enhances security against potential data breaches.
AWS EventBridge's cross-account capabilities can introduce significant security vulnerabilities if not configured properly, allowing attackers to infiltrate or exfiltrate data. The article outlines various attack patterns, including persistent beaconing, command and control, and reconnaissance, highlighting the stealthy nature of these threats and the importance of securing EventBridge configurations. Practical guidance for mitigating these risks is also provided.
The article discusses the creation of an AI agent designed to automate the triage of AWS GuardDuty alerts using tools and structured outputs. It outlines the technologies used, including PydanticAI and Discord integration, and describes the agent's functionality in assessing alerts, retrieving contextual information, and providing structured responses. The author shares insights from testing the agent with various GuardDuty findings, highlighting its ability to classify alerts accurately based on context.
The article discusses the importance of enforcing least privilege in AWS environments to enhance security and minimize risks. It highlights best practices for implementing this principle effectively, including proper IAM role configurations and regular audits. By following these strategies, organizations can better protect their resources and data from unauthorized access.
Elastic and AWS have announced a five-year strategic collaboration agreement aimed at enhancing AI innovation in generative AI applications, making AI application development easier and more cost-effective. The partnership will leverage tools like Elasticsearch and Amazon Bedrock, focusing on industry-specific solutions and advanced security capabilities to support customers in adopting these technologies.
Privilege escalation risks in AWS's Bedrock AgentCore arise from its Code Interpreter tool, which allows non-agent identities to execute code and potentially gain unauthorized access to IAM roles. Without proper access controls like resource policies, these risks can lead to significant security vulnerabilities, necessitating the use of Service Control Policies for centralized management. Enhanced monitoring and auditing are also essential to prevent misuse of these powerful tools.
Recreating an IAM role in AWS does not restore the original trust relationship, which can lead to unexpected permission issues. Understanding the nuances of role ARNs and trust policies is crucial for effective identity and access management in cloud environments. Proper management practices can prevent security risks associated with misconfigured roles.
AWS default IAM roles have been identified as posing security risks, enabling unauthorized access and potential data breaches. Researchers discovered that these roles could allow malicious actors to exploit vulnerabilities in cloud environments. Immediate action is recommended to review and tighten role permissions to enhance security.
Wefox Italy has transitioned to a multi-tenant Software as a Service (SaaS) model using Amazon Elastic Kubernetes Service (EKS) to enhance application deployment and management. This solution incorporates GitOps practices, Terraform for infrastructure management, and a dual-cluster architecture to ensure robust data isolation and operational efficiency. Key benefits include improved security, tenant isolation, and cost efficiency through automated processes and shared services.
Setting up a secure environment for malware analysis on AWS involves addressing unique security, compliance, and operational challenges. Key elements include creating isolated sandboxes, enforcing strict access controls, and implementing robust monitoring and lifecycle management to prevent misuse and maintain adherence to AWS policies.
A vulnerability in AWS Trusted Advisor allowed attackers to bypass checks for unprotected S3 buckets, misleading users about their security status. AWS has since addressed the issue and advised customers to review their S3 bucket permissions to align with security best practices.
Attackers can exploit AWS CodeBuild to gain long-term access to compromised accounts by configuring it as a GitHub Actions runner and backdooring an IAM role. This process allows them to persistently execute commands in the AWS environment, even after the original credentials are revoked. Defenders must monitor CloudTrail logs and audit IAM trust relationships to detect such abuses.
The article discusses methods for enumerating AWS resources quietly and efficiently using CloudTrail and Resource Explorer. It highlights the advantages of utilizing these tools for discovery while minimizing detection risks. Best practices and tips for leveraging these AWS services are also covered to enhance security assessments.
An OpenAI-compatible API can be effectively deployed using AWS Lambda and an Application Load Balancer (ALB) to bypass the limitations of API Gateway's authentication requirements. By setting up the ALB to route traffic directly to the Lambda function, developers can maintain a seamless integration with the OpenAI Python client, ensuring a consistent API experience. This approach offers flexibility and security when exposing custom AI services.
Stay updated with real-time tracking of AWS documentation changes and security updates. This service allows users to monitor modifications across all AWS services to remain informed about critical security developments.
IAMhounddog is a tool designed for penetration testers to efficiently identify privileged principals and second-order privilege escalation opportunities in AWS environments. It streamlines the assessment of permission relationships among AWS roles, users, and policies, reducing the need for manual reviews. Created by Nathan Tucker and released by Virtue Security, it aids in enhancing security testing processes for cloud infrastructures.
AWS Certificate Manager now offers exportable public certificates that can be used across various workloads, both within AWS and externally. These certificates can be quickly issued once domain validation is completed and are priced affordably at $15 per fully qualified domain name. Security measures are in place to restrict the export of previously issued certificates, ensuring secure management and automation through ACM.
IAM Lens is a tool that enables users to analyze and audit IAM permissions across AWS accounts using collected IAM policies. It provides features to simulate requests, discover who can access resources, and evaluate effective permissions for principals. The tool enhances visibility into IAM configurations, allowing for better security and compliance management.
AWS Certificate Manager has announced the release of exportable TLS certificates, allowing users to manage and transfer their certificates more easily. This feature is primarily aimed at enhancing flexibility and usability for developers and system administrators. Overall, the change is viewed positively within the community.
The tool analyzes IAM Role trust policies and S3 bucket policies in AWS accounts to identify third-party vendor access. It uses a reference list of known AWS accounts to highlight potential vulnerabilities, such as IAM roles lacking the ExternalId condition, and generates a detailed markdown report of the findings. Users can customize trusted accounts to differentiate between internal and external access.
The article discusses the concept of CloudTrail logging evasion in AWS, emphasizing the importance of policy size when creating effective logging mechanisms. It highlights how attackers can exploit insufficiently sized policies to avoid detection and the need for robust configurations to enhance security.
AI bots, categorized into scrapers, tools, and agents, pose significant challenges to web applications by overwhelming servers and compromising security. To manage these bots effectively, AWS WAF offers solutions such as bot control rules, robots.txt files, and rate limiting to enhance application security and performance. The article outlines strategies for detecting, managing, and mitigating the impact of AI bot activity on web applications.
AWS Resource Control Policies (RCPs) enhance security by allowing organizations to build data perimeters and manage resource-based policies, complementing existing Service Control Policies (SCPs). This article discusses the benefits, challenges, and use cases of RCPs and SCPs, along with examples of policy syntax and guidance for migrating from SCPs to RCPs effectively.
Secure cross-account access in AWS is complicated by common misconceptions that can lead to serious security risks. Organizations often underestimate the implications of trusting external principals, particularly when it comes to the management account and the direction of trust relationships, which can create dangerous privilege escalation pathways. It is crucial for organizations to align their cross-account trust policies with their security hierarchies to mitigate these risks effectively.
Organizations often overlook the extensive permissions granted within their AWS production environments, potentially allowing unauthorized access to critical resources. This article provides guidance on identifying AWS accounts, assessing production environments, and analyzing who holds administrative access, helping teams visualize and manage their security posture more effectively.
AWS has introduced Amazon Bedrock API keys, which include long-term and short-term options for AI development. While these keys offer benefits such as being scoped to Bedrock services and monitored through CloudTrail, they also raise security concerns, particularly regarding IAM user creation and the potential for persistent access key misuse.
The blog post discusses the concept of AWS honey tokens, which are deceptive tools used to detect unauthorized access or data breaches. It evaluates their effectiveness, potential drawbacks, and the best practices for implementation in cloud security strategies. The article emphasizes the importance of maintaining vigilance against insider threats and the usefulness of honey tokens in identifying vulnerabilities.
The research conducted on AWS ARN formats reveals a comprehensive list of 1,929 different ARNs supported by AWS IAM, highlighting discrepancies with AWS's Policy Generator which only supports 397 ARNs. The findings include details on unique ARNs, the absence of Account IDs in certain cases, and guidance on crafting IAM policies for least privilege security.
AWS is preparing for potential quantum computing threats by implementing post-quantum Transport Layer Security (PQ TLS) using ML-KEM. The article provides a guide on testing PQ TLS in Python applications through a container setup that includes OpenSSL 3.5, enabling users to establish secure connections and validate their network configurations. It encourages developers to vet their applications to ensure readiness for future PQ TLS migrations.
Hybrid cloud architectures are increasingly adopted for their cost-efficiency and flexibility, but they necessitate robust security measures due to their complexity and unique attack vectors. The FortiGate Next Generation Firewall offers a centralized security solution that integrates with AWS services, enabling consistent security policies across both on-premises and cloud environments. By utilizing tools like the Gateway Load Balancer and configuring security profiles, organizations can effectively monitor and protect their hybrid networks.
Cloud logging best practices are essential for organizations migrating to cloud environments, helping them meet security, regulatory, and business needs. By understanding the differences between data and control plane logging across major cloud service providers, organizations can develop a customized logging framework that optimizes visibility and compliance. Collaboration with legal and compliance teams is crucial for navigating regulatory requirements and ensuring effective logging strategies.
Relying on long-term IAM access keys for AWS authentication poses significant security risks. This article outlines more secure alternatives such as AWS CloudShell, IAM Identity Center, and IAM roles, encouraging users to adopt temporary credentials and implement the principle of least privilege to enhance security practices in their AWS environments.