🔶 Another ECS Privilege Escalation Path

Post covering a privilege escalation vector which relies on using functionality designed for the ECS agent to self-register a compromised EC2 and override a task definition.

https://labs.reversec.com/posts/2025/08/another-ecs-privilege-escalation-path

#aws

🔴 Now available: Cloud HSM as an encryption key service for Workspace client-side encryption

To help highly-regulated organizations meet their encryption key service obligation, Google is now offering Cloud HSM for Google Workspace CSE customers.

https://cloud.google.com/blog/products/identity-security/introducing-cloud-hsm-as-an-encryption-key-service-for-workspace-cse/

#gcp

🔴 From silos to synergy: New Compliance Manager, now in preview

Google Cloud Compliance Manager, now in preview, can help simplify and enhance how organizations manage security, privacy, and compliance in the cloud.

https://cloud.google.com/blog/products/identity-security/streamline-auditing-compliance-manager-is-now-in-preview/

#gcp

🔶 AWS CDK and SaaS Provider Takeover

This article details a vulnerability where SaaS providers using AWS CDK bootstrap roles could have their accounts taken over through their own platform due to permissive IAM role trust policies lacking external ID protections.

https://blog.ryanjarv.sh/2025/07/21/saas-provider-takeover.html

#aws

🔶 A new type of long-lived key on AWS: Bedrock API keys

AWS has introduced a new type of long-lived key called Bedrock API keys, which are used for authenticating applications. These keys are created through the IAM API and can have an expiration time set, but there's no way to enforce this via IAM policy conditions.

https://www.wiz.io/blog/a-new-type-of-long-lived-key-on-aws-bedrock-api-keys

(Use VPN to open from Russia)

#aws

🔶 AWS CDK and SaaS Provider Takeover

This article details a vulnerability where SaaS providers using AWS CDK bootstrap roles could have their accounts taken over through their own platform due to permissive IAM role trust policies lacking external ID protections.

https://blog.ryanjarv.sh/2025/07/21/saas-provider-takeover.html

(Use VPN to open from Russia)

#aws

🔶 Simplify multi-tenant encryption with a cost-conscious AWS KMS key strategy

An efficient approach to managing encryption keys in a multi-tenant SaaS environment through centralization, addressing challenges like key proliferation, rising costs, and operational complexity across multiple AWS accounts and services.

https://aws.amazon.com/ru/blogs/architecture/simplify-multi-tenant-encryption-with-a-cost-conscious-aws-kms-key-strategy/

(Use VPN to open from Russia)

#aws

🔶 Sandboxed to Compromised: Credential Exfiltration Paths in AWS Code Interpreters

The article discusses security vulnerabilities in AWS Code Interpreters, particularly focusing on sandboxed environments, and demonstrates that even sandboxed interpreters can access certain AWS services like S3, and their role credentials can be extracted through the Metadata Service.

https://sonraisecurity.com/blog/sandboxed-to-compromised-new-research-exposes-credential-exfiltration-paths-in-aws-code-interpreters/

(Use VPN to open from Russia)

#aws

🔶 Use scalable controls to help prevent access from unexpected networks

AWS has introduced three new global condition keys for scalable access controls based on request origin: aws:VpceAccount, aws:VpceOrgPaths, and aws:VpceOrgID.

https://aws.amazon.com/blogs/security/use-scalable-controls-to-help-prevent-access-from-unexpected-networks/

(Use VPN to open from Russia)

#aws

🔶 AWS Shield network security director (preview)

Use network security director to understand your AWS security configuration and to explore ways to strengthen it.

https://docs.aws.amazon.com/waf/latest/developerguide/nsd-chapter.html

(Use VPN to open from Russia)

#aws

🔶 From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover

Exposed cloud credentials become the launchpad for mass phishing, highlighting email services as a prime target in cloud exploitation campaigns.

https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign

#aws

🔶🔴 GCP Workload Identity Federation with AWS ECS Tasks

GCP Workload Identity Federation does not support AWS ECS tasks out of the box. Here is why and what you can do about it.

https://agarabhishek.com/posts/gcp-workload-identity-federation-with-aws-ecs-tasks/

#aws #gcp

🔶 Overview of security services available in AWS Dedicated Local Zones

Dedicated Local Zones provide a robust solution for running regulated workloads for all industries, to meet strict data residency and digital sovereignty, integrating services like AWS Nitro System, AWS KMS External Key Store, ACM, AWS Shield, Amazon GuardDuty, Amazon Inspector, and AWS CloudTrail.

https://aws.amazon.com/ru/blogs/security/overview-of-security-services-available-in-aws-dedicated-local-zones/

(Use VPN to open from Russia)

#aws

🔶🔷🔴 Comparing CSP-Managed Machine Identities

This paper compares the threat models of machine identities managed by the CloudService Providers (CSP-managed) across the three major cloud service providers, with a focus on the risks associated with impersonation and usage.

https://cdn.prod.website-files.com/64e50cbe2b6f932c04238c14/68c18f3c1a686fcdf26e81ac_V_WP_Comparing-CSP-Managed-Machine-Identities_090925_FNL%20(1).pdf

#aws #azure #gcp

🔶 Multi-Region keys: A new approach to key replication in AWS Payment Cryptography

The new Multi-Region key replication feature in Payment Cryptography enhances automatic key replication capabilities, providing improved resilience and simplified management for global payment applications.

https://aws.amazon.com/ru/blogs/security/multi-region-keys-a-new-approach-to-key-replication-in-aws-payment-cryptography/

(Use VPN to open from Russia)

#aws