Jonathan Lalou's Blog

Posts Tagged ‘CloudSecurity’

Google Cloud and Workspace offer a comprehensive suite of tools designed to simplify software development and enhance productivity. Richard Seroter’s overview showcased recent advancements, emphasizing infrastructure, AI capabilities, and integrations that empower creators to build efficiently and scalably.

AI Infrastructure and Model Advancements

Richard began with Google Cloud’s vertically integrated AI stack, from foundational infrastructure like TPUs and GPUs to accessible services for model building and deployment. The Model Garden stands out as a hub for discovering over 130 first-party and third-party models, facilitating experimentation.

Gemini models, including 1.5 Pro and Flash, provide multimodal reasoning with expanded context windows—up to two million tokens—enabling complex tasks like video analysis. Vertex AI streamlines customization through techniques like RAG and fine-tuning, supported by tools such as Gemini Code Assist for code generation and debugging.

Agent Builder introduces no-code interfaces for creating conversational agents, integrating with databases and APIs. Security features, including watermarking and red teaming, ensure responsible deployment. Recent updates, as of May 2024, include Gemini 1.5 Flash for low-latency applications.

Data Management and Analytics Enhancements

BigQuery’s evolution incorporates AI for natural language querying, simplifying data exploration. Gemini in BigQuery generates insights and visualizations, while BigQuery Studio unifies workflows for data engineering and ML.

AlloyDB AI embeds vector search for semantic querying, enhancing RAG applications. Data governance tools like Dataplex ensure secure, compliant data handling across hybrid environments.

Spanner’s dual-region configurations and interleaved tables optimize global, low-latency operations. These features, updated in 2024, support scalable, AI-ready data infrastructures.

Application Development and Security Tools

Firebase’s Genkit framework aids in building AI-powered apps, with integrations for observability and deployment. Artifact Registry’s vulnerability scanning bolsters security.

Cloud Run’s CPU allocation during requests improves efficiency for bursty workloads. GKE’s Autopilot mode automates cluster management, reducing operational overhead.

Security enhancements include Confidential Space for sensitive data processing and AI-driven threat detection in Security Command Center. These 2024 updates prioritize secure, performant app development.

Workspace Integrations and Productivity Boosts

Workspace APIs enable embedding features like smart chips and add-ons into custom applications. New REST APIs for Chat and Meet facilitate notifications and event management.

Conversational agents via Dialogflow enhance user interactions. These tools, expanded in 2024, foster seamless productivity ecosystems.

Links:

• Richard Seroter on LinkedIn

Nick Frichette, a cloud security expert, enthralled the DEF CON 32 audience with a deep dive into vulnerabilities within Amazon Web Services (AWS) that enable initial access to cloud environments. Moving beyond traditional misconfiguration exploits, Nick explored flaws in AWS services like AppSync and Amplify, demonstrating how attackers can hijack Identity and Access Management (IAM) roles. His presentation offered practical defensive strategies, empowering organizations to secure their cloud infrastructure against sophisticated attacks.

Understanding IAM Role Exploits

Nick began by explaining how IAM roles establish trust within AWS, relying on mechanisms like sts:AssumeRoleWithWebIdentity to prevent unauthorized access across accounts. He detailed a confused deputy vulnerability in AWS AppSync that allowed attackers to assume roles in other accounts, bypassing trust boundaries. Through a real-world case study, Nick illustrated how this flaw enabled unauthorized access, emphasizing the importance of understanding trust relationships in cloud environments to prevent such breaches.

Amplify Vulnerabilities and Zero-Day Risks

Delving deeper, Nick revealed a critical vulnerability in AWS Amplify that exposed customer IAM roles to takeover, granting attackers a foothold in victim accounts. His demonstration highlighted how adversaries could exploit this flaw without authentication, underscoring the severity of zero-day vulnerabilities in cloud services. Nick’s meticulous analysis of Amplify’s architecture provided insights into how such flaws arise, urging security practitioners to scrutinize service configurations for hidden risks.

Defensive Strategies for Cloud Security

Nick concluded with actionable recommendations, advocating for the use of condition keys in IAM trust policies to block cross-tenant attacks. He demonstrated how setting account-specific conditions thwarted his AppSync exploit, offering a defense-in-depth approach. Nick encouraged organizations to audit IAM roles, particularly those using web identity federation, and to test configurations rigorously before deployment. His work, available at Security Labs, equips defenders with tools to fortify AWS environments.

Links:

• Security Labs website
• Nick Frichette on LinkedIn

Lecturer

Amy Herzog serves as Chief Information Security Officer at Amazon Web Services, where she oversees the global security strategy that protects the world’s most comprehensive cloud platform. With extensive experience in enterprise risk management and cloud-native security architecture, she drives innovations that integrate security as an enabler of business velocity.

Abstract

The keynote articulates a vision of security as foundational infrastructure rather than compliance overhead, demonstrating how AWS services—spanning identity, network, detection, and modernization—embed resilience into application architecture. Through customer case studies and product launches, it establishes architectural patterns that allow organizations to scale securely while accelerating innovation, particularly in generative AI environments.

Security as Innovation Enabler

Security must transition from gatekeeper to accelerator. Traditional models impose friction through manual reviews and fragmented tooling, whereas AWS embeds controls at the infrastructure layer, freeing application teams to experiment. This paradigm shift manifests in four domains: identity and access management, network and data protection, monitoring and incident response, and migration with embedded security.

Identity begins with least privilege by default. IAM Access Analyzer now surfaces internal access findings—unused roles, over-privileged policies, cross-account assumptions—enabling continuous refinement. The new exportable public certificates in AWS Certificate Manager eliminate manual renewal ceremonies, integrating seamlessly with on-premises PKI. Multi-factor authentication enforcement moves beyond recommendation to architectural requirement, with contextual policies that adapt to risk signals.

Network and Data Protection at Scale

Network security evolves from perimeter defense to distributed enforcement. AWS Shield introduces Network Security Director, a centralized policy engine that orchestrates WAF, Shield Advanced, and Network Firewall rules across accounts and regions. The simplified WAF console reduces rule creation from hours to minutes through natural language templates. Network Firewall’s active threat defense integrates real-time threat intelligence to block command-and-control traffic at line rate.

Amazon GuardDuty extends coverage to Kubernetes control plane auditing, EKS runtime monitoring, and RDS login activity, correlating signals across layers. The unified Security Hub aggregates findings from 40+ AWS services and partner solutions, applying automated remediation via EventBridge. This convergence transforms disparate alerts into prioritized actions.

Migration and Modernization with Security Embedded

Migration success hinges on security integration from day one. AWS Migration Evaluator now incorporates security posture assessments, identifying unencrypted volumes and public buckets during planning. Patching automation through Systems Manager leverages GuardDuty malware findings to trigger immediate fleet updates. RedShield’s journey from legacy data centers to AWS illustrates how Shield Advanced absorbed 15 Tbps of DDoS traffic during migration cutover, maintaining business continuity.

Comcast’s Noopur Davis details their transformation: consolidating 27 security operation centers into a cloud-native model using Security Hub and centralized logging. This reduced mean time to detect from days to minutes while supporting 300,000+ daily security events.

Generative AI Security Foundation

Generative AI introduces novel risks—prompt injection, training data poisoning, model theft—that require new controls. Amazon Bedrock Guardrails filter inputs and outputs for policy violations, while CodeWhisperer Security Scans detect vulnerabilities in generated code. BMW Group’s In-Console Cloud Assistant, built on Bedrock, demonstrates secure AI at enterprise scale: analyzing 1,300 accounts to optimize resources with one-click remediation, all within a governed environment.

The MSSP Specialization enhancement validates partners’ ability to operationalize these controls at scale, providing customers with pre-vetted security operations expertise.

Architectural Patterns for Resilient Applications

Resilience emerges from defense in depth. Applications should assume breach and design for containment: cell-based architecture with VPC isolation, immutable infrastructure via ECS Fargate, and data encryption using customer-managed keys. The Well-Architected Framework Security Pillar now includes generative AI lenses, guiding prompt engineering and model access controls.

Writer’s deployment of Bedrock with private networking and IAM-bound model access exemplifies this: achieving sub-second latency for 100,000+ daily users while maintaining PCI compliance. Terra and Twine leverage GuardDuty EKS Protection to secure containerized workloads processing sensitive health data.

Conclusion: Security as Strategic Advantage

The convergence of these capabilities—automated identity analysis, intelligent network defense, unified detection, and secure AI primitives—creates a flywheel: reduced operational burden enables faster feature delivery, which generates more telemetry, improving detection efficacy. Security ceases to be a tax on innovation and becomes its catalyst. Organizations that treat security as infrastructure will outpace competitors constrained by legacy approaches, achieving both velocity and vigilance.

Links:

• Lecture Video

Eduard Agavriloae and Matei Josephs, security researchers from KPMG Romania and Syncubes, present a chilling exploration of vulnerabilities in public Amazon Machine Images (AMIs). Their project, scanning 3.1 million AMIs, uncovered exposed AWS access credentials, posing risks of account takeovers. Eduard and Matei share their methodologies and advocate for robust cloud security practices to mitigate these threats.

Uncovering Secrets in Public AMIs

Eduard opens by detailing their CloudQuarry project, which scanned millions of public AMIs using tools like ScoutSuite. They discovered critical findings, such as exposed access keys, that could enable attackers to compromise AWS accounts. Supported by KPMG Romania, Eduard and Matei’s research highlights the pervasive issue of misconfigured cloud resources, a problem they believe will persist due to human error.

Methodologies and Tools

Matei explains their approach, leveraging automated tools to identify public AMIs and extract sensitive data. Their analysis revealed credentials embedded in AMIs, often overlooked by organizations. By responsibly disclosing findings to affected parties, Eduard and Matei avoided exploiting these keys, demonstrating ethical restraint while highlighting the potential for malicious actors to cause widespread damage.

Risks of Account Takeover

The duo delves into the consequences of exposed credentials, which could lead to unauthorized access, data breaches, or ransomware attacks. Their findings, shared with companies expecting only T-shirts in return, underscore the ease of exploiting public AMIs. Eduard emphasizes the adrenaline rush of discovering such vulnerabilities, reflecting the stakes in cloud security.

Strengthening Cloud Security

Concluding, Matei advocates for enhanced configuration reviews and automated monitoring to prevent AMI exposures. Their collaborative approach, inviting community feedback, reinforces the importance of collective vigilance in securing cloud environments. By sharing their tools and lessons, Eduard and Matei empower organizations to fortify their AWS deployments against emerging threats.

Links:

• KPMG Romania website
• Syncubes website

The complexity of cloud environments conceals subtle vulnerabilities, and Yakir Kadkoda, Michael Katchinskiy, and Ofek Itach from Aqua Security reveal how shadow resources in Amazon Web Services (AWS) can be exploited. Their research uncovers six critical vulnerabilities, ranging from remote code execution to information disclosure, enabling potential account takeovers. By mapping internal APIs and releasing an open-source tool, Yakir, Michael, and Ofek empower researchers to probe cloud systems while offering developers robust mitigation strategies.

Uncovering Shadow Resource Vulnerabilities

Yakir introduces shadow resources—services that rely on others, like S3 buckets, for operation. Their research identified vulnerabilities in AWS services, including CloudFormation, Glue, and EMR, where misconfigured buckets allowed attackers to assume admin roles. One severe flaw enabled remote code execution, potentially compromising entire accounts. By analyzing service dependencies, Yakir’s team developed a methodology to uncover these hidden risks systematically.

Mapping and Exploiting Internal APIs

Michael details their approach to mapping AWS’s internal APIs, identifying common patterns that amplify vulnerability impact. Their open-source tool, released during the talk, automates this process, enabling researchers to detect exposed resources. For instance, unclaimed S3 buckets could be hijacked, allowing attackers to manipulate data or escalate privileges. This methodical mapping exposed systemic flaws, highlighting the need for vigilant resource management.

Mitigation Strategies for Cloud Security

Ofek outlines practical defenses, such as using scoped IAM policies with resource account conditions to restrict access to trusted buckets. He recommends verifying bucket ownership with expected bucket owner headers and using randomized bucket names to deter hijacking. These measures, applicable to open-source projects, prevent dangling resources from becoming attack vectors. Ofek emphasizes proactive checks to ensure past vulnerabilities are addressed.

Future Research and Community Collaboration

The trio concludes by urging researchers to explore new cloud attack surfaces, particularly internal API dependencies. Their open-source tool fosters community-driven discovery, encouraging developers to adopt secure practices. By sharing their findings, Yakir, Michael, and Ofek aim to strengthen AWS environments, ensuring that shadow resources no longer serve as gateways for catastrophic breaches.

Links:

• Aqua Security company website

Vulnerability discovery at scale requires rethinking traditional approaches, and Bill Demirkapi, an independent security researcher, demonstrates how big data uncovers overlooked weaknesses. By leveraging unconventional sources like virus scanning platforms, Bill identifies tens of thousands of vulnerabilities, from forgotten cloud assets to leaked secrets. His talk shifts the paradigm from target-specific analysis to correlating vulnerabilities across diverse datasets, exposing systemic flaws in major organizations.

Scaling Vulnerability Discovery

Bill challenges conventional methods that focus on specific targets, advocating for a data-driven approach. By analyzing DNS records for dangling domains and secret patterns in public repositories, he uncovers misconfigurations like exposed AWS keys. His methodology correlates these findings with organizational assets, revealing vulnerabilities that traditional scans miss. A case study highlights an ignored AWS support case, where a leaked key remained active due to a generic billing email.

Exploiting Forgotten Cloud Assets

Dangling domains, pointing to unclaimed IP addresses, offer attackers entry points to compromise services. Bill’s research identifies these through large-scale DNS analysis, exposing forgotten cloud assets in enterprises. By cross-referencing with cloud provider data, he maps vulnerabilities to specific organizations, demonstrating the devastating impact of seemingly trivial oversights.

Addressing Leaked Secrets

Leaked credentials, such as AWS access keys, pose significant risks when posted publicly. Bill’s use of virus scanning platforms to detect these secrets reveals a gap in provider responses—AWS, unlike Google Cloud or Slack, does not automatically revoke exposed keys. He proposes automated revocation mechanisms and shares a tool to streamline key detection, urging providers to prioritize proactive security.

Industry-Wide Solutions

Bill calls for systemic changes, emphasizing provider responsibility to revoke exposed credentials immediately. His open-source tools and methodology, available for community use, enable researchers to replicate his approach across vulnerability classes. By breaking down traditional discovery methods, Bill’s work fosters a collaborative effort to address ecosystem-wide security gaps.

Links:

• Bill Demirkapi on LinkedIn

Lecturer

Leor Hasson serves as Director of Cloud Security Advocacy at Tenable, guiding organizations toward unified exposure management across cloud-native environments.

Abstract

This analytical treatment conceptualizes cloud-native application protection platforms (CNAPP) as evolutionary synthesis beyond CSPM, CWPP, CIEM, and DSPM fragmentation. It articulates cloud-specific security challenges—novel attack vectors, expertise scarcity, tool proliferation, collaboration intensity—and programmatic opportunities. A structured ten-phase iterative progression guides advancement from inventory to automated remediation, emphasizing contextual risk prioritization through Tenable One’s hybrid attack path visualization.

Cloud Security Challenges and Programmatic Opportunities

Cloud computing introduces unprecedented attack surfaces, nascent practitioner expertise, overwhelming toolsets, and intensified cross-functional requirements. Yet programmatic access to configurations and logs, combined with delegated responsibility, unlocks automation potential.

CNAPP unifies visibility across workloads, infrastructure, identities, networks, and sensitive data. Tenable integrates AWS, multi-cloud, identity providers, CI/CD pipelines, and third-party systems.

Ten-Phase Iterative Maturity Pathway

The non-linear progression includes:

1. Asset Inventory – Comprehensive discovery
2. Contextual Exposure – Risk differentiation (public PII vs. isolated)
3. Actionable Remediation – Executable fixes

Advanced phases: IAM Least Privilege (over-permission detection), Network Exposure Graphing, Data Classification, Vulnerability-Exploitability Correlation, IaC Scanning (Terraform instantiation risks), Malicious Code Detection, Automated Ticketing/Webhooks.

\# IaC risk example
resource "aws_s3_bucket" "sensitive" {
  bucket = "confidential-data"
  acl    = "public-read"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

Tenable One correlates cloud findings with endpoint vulnerabilities, tracing access keys from developer machines to sensitive data.

Organizational Implications

Contextual prioritization compresses exposure; hybrid visibility prevents lateral movement. Implications include accelerated maturity, resource optimization, and regulatory alignment.

Links:

• Video: Cloud security novice to expert in 10 steps

As organizations migrate from static credentials to dynamic authentication protocols, overlooked intricacies in implementations create fertile ground for exploitation. Aviad Hahami, a security researcher at Palo Alto Networks, demystifies OpenID Connect (OIDC) in the context of continuous integration and deployment (CI/CD) workflows. His examination reveals vulnerabilities stemming from under-configurations and misconfigurations, enabling unauthorized access to cloud environments. By alternating perspectives among users, identity providers, and CI vendors, Aviad illustrates attack vectors that compromise sensitive resources.

Aviad begins with foundational concepts, clarifying OIDC’s role in secure, short-lived token exchanges. In CI/CD scenarios, tools like GitHub Actions request tokens from identity providers (IdPs) such as GitHub’s OIDC provider. These tokens, containing claims like repository names and commit SHAs, are validated by workload identity federations (WIFs) in clouds like AWS or Azure. Proper configuration ensures tokens originate from trusted sources, but lapses invite abuse.

Common pitfalls include wildcard allowances in policies, permitting access from unintended repositories. Aviad demonstrates how fork pull requests (PRs) exploit these, granting cloud roles without maintainer approval. Such “no configs” scenarios, where minimal effort yields high rewards, underscore the need for precise claim validations.

Advanced Configurations and Misconfigurations

Delving deeper, Aviad explores “advanced configs” that inadvertently become misconfigurations. Features like GitHub’s ID token requests for forks introduce risks if not explicitly enabled. He recounts discovering a vulnerability in CircleCI, where reusable configurations allowed token issuance to forks, bypassing protections.

Shifting to the IdP viewpoint, Aviad discloses a real-world flaw in a popular CI vendor, permitting token claims from any repository within an organization. This enabled cross-project escalations, compromising clouds via simple PRs. Reported responsibly, the issue prompted fixes, emphasizing the cascading effects of IdP errors.

He references Tinder’s research on similar WIF misconfigurations, reinforcing that even sophisticated setups falter without rigorous claim scrutiny.

Exploitation Through CI Vendors

Aviad pivots to CI vendor responsibilities, highlighting how their token issuance logic influences downstream security. In CircleCI’s case, a bug allowed organization-wide token claims, exposing multiple projects. By requesting tokens in fork contexts, attackers could satisfy broad WIF conditions, accessing clouds undetected.

Remediation involved opt-in mechanisms for fork tokens, mirroring GitHub’s approach. Aviad stresses learning claim origins per IdP, avoiding wildcards, and hardening pipelines to prevent trivial breaches.

His tool for auditing Azure CLI configurations exemplifies proactive defense, aiding in identifying exposed resources.

Broader Implications for Secure Authentication

Aviad’s insights extend beyond CI/CD, advocating holistic OIDC understanding to thwart supply chain attacks. By dissecting entity interactions—users, IdPs, and clouds—he equips practitioners to craft resilient policies.

Encouraging bounty hunters to probe these vectors, he underscores OIDC’s maturity yet persistent gaps. Ultimately, robust configurations transform OIDC from vulnerability to asset, safeguarding digital infrastructures.

Links:

• Aviad Hahami on LinkedIn
• Palo Alto Networks company website