
Scott Piper

@scottpiper.bsky.social

Cloud security historian. Developed http://flaws.cloud, CloudMapper, and Parliament. Founding team for fwdcloudsec.org. Principal Cloud Security Researcher at Wiz.

1,764 Followers  |  76 Following  |  166 Posts  |  Joined: 30.05.2023

Latest posts by scottpiper.bsky.social on Bluesky

Zero Day Quest: Join the largest hacking event with up to $5 million in total bounty awards | MSRC Blog | Microsoft Security Response Center

It's great to see Microsoft continue to invest in a public bug bounty program for their cloud. One cloud provider does not have this. msrc.microsoft.com/blog/2025/08...

04.08.2025 17:43 — 👍 0    🔁 0    💬 0    📌 0

Google's killing of their Pixelbook killed it for me. That device felt so high quality and lightweight that it could compete with a MacBook Air on those factors. All the other Chromebooks just didn't feel as professional at the price point.

04.08.2025 12:31 — 👍 2    🔁 0    💬 1    📌 0

AWS growth at 17.5% is healthy but represents a slight deceleration from the 19% growth seen in Q2 2024.

Margins fell from 35.5% to 32.9% YoY despite charging profane rates for new things ($9 per resource per month that IAM Internal Access Analyzer watches?!)

31.07.2025 20:21 — 👍 14    🔁 1    💬 1    📌 2

GitHub - aws/aws-sdk-go: This SDK has reached end-of-support. The AWS SDK for Go v2 is available here: https://github.com/aws/aws-sdk-go-v2

The AWS Golang SDK has reached end of support. It is no longer being updated. You need to use v2 of the SDK. github.com/aws/aws-sdk-go

31.07.2025 20:13 — 👍 0    🔁 0    💬 0    📌 0

Guest Post: GCP CloudQuarry: Searching for Secrets in Public GCP Images ◆ Truffle Security Co. We scanned 8,400+ public GCP images and did not find a single exposed secret! That's a dramatic reversal compared to the hundreds we found in AWS AMIs and dozens in Azure Public images. GCP's curated,...

8,400+ public GCP images were scanned and no secrets found! This contrasts with the many secrets found in public AWS AMIs and Azure Public images. Interesting to consider why this is. Only marketplace vendors and approved publishers can make images public in GCP.
trufflesecurity.com/blog/guest-p...

31.07.2025 14:44 — 👍 0    🔁 1    💬 0    📌 0

The second challenge in our monthly CTF series is out! This time focused on a container escape.

31.07.2025 14:20 — 👍 1    🔁 1    💬 0    📌 0
Memory Dump Issue in AWS CodeBuild

New development in the Q Developer extension backdoor: An open question was, how did the threat actor get write permissions to the repo? Turns out they stole a token via this technique.

aws.amazon.com/security/sec...

26.07.2025 02:17 — 👍 9    🔁 6    💬 1    📌 0
Introducing OSS Rebuild: Open Source, Rebuilt to Last Posted by Matthew Suozzo, Google Open Source Security Team (GOSST) Today we're excited to announce OSS Rebuild, a new project to strengthen ...

I really like that Google has created OSS Rebuild. In my experience of having tried to do something similar for a single application, it's a hard problem to confirm that source code matches the release artifacts. h/t tldrsec for linking to it. security.googleblog.com/2025/07/intr...

24.07.2025 15:23 — 👍 2    🔁 0    💬 0    📌 0

I'm hoping they update the linked docs soon to better explain what this means and how it works. :(

23.07.2025 20:10 — 👍 3    🔁 0    💬 2    📌 0

Update to latest models · boto/botocore@7113bc3

EC2s do a graceful shutdown when you terminate them, which is usually unwanted because you pay by the second, so it'd be better if they just ripped the plug out of the wall. Now you can with the skipOsShutdown parameter. github.com/boto/botocor...

23.07.2025 19:56 — 👍 4    🔁 0    💬 0    📌 0

Hacker Plants Computer 'Wiping' Commands in Amazon's AI Coding Agent The wiping commands probably wouldn't have worked, but a hacker who says they wanted to expose Amazon's AI "security theater" was able to add code to Amazon's popular 'Q' AI assistant for VS Code, whi...

New: a hacker compromised a version of Amazon's Q AI agent, added commands to 'wipe' computers, then Amazon released it. Unclear if wipe effective; hacker did it to prove point. "Ruthless corporations leave no room for vigilance among their over-worked developers." www.404media.co/hacker-plant...

23.07.2025 13:52 — 👍 103    🔁 34    💬 3    📌 7

Every high performing engineering team is convinced their stuff secretly sucks. Not just relentless obsession with improvement, but actual shame and resentment about what holds their system together.

22.07.2025 12:51 — 👍 120    🔁 10    💬 12    📌 0

s3:ListBucket added is big. Honestly it should have already had it though, as folks have been flying blind with being given s3:GetObjectAcl if they weren't already coupling this with ViewOnlyAccess.

22.07.2025 01:16 — 👍 2    🔁 0    💬 0    📌 0

The movie "The Map of Tiny Perfect Things" is underrated and is the best Amazon Original. There are levels to that movie.

19.07.2025 03:32 — 👍 2    🔁 0    💬 1    📌 0

I know of one company with large amounts of S3 data in deep archive storage, so "moving" the S3 bucket involves unfreezing the storage, and then the copies, which would be millions of dollars, along with downtime, so they have to keep the S3 buckets where they are.

16.07.2025 17:16 — 👍 0    🔁 0    💬 0    📌 0

Either don't move them (which is what many companies with historic accounts & large S3 buckets choose), or create a new S3 bucket, move the data to it, and if you want the name of the old one, then delete the old one, create a new one with the same name, and move the data again to that, which is expensive.

16.07.2025 17:13 — 👍 0    🔁 0    💬 1    📌 0

Now that AWS fixed the free tier, I think the next biggest technical absurdity, in terms of a thing that seems like a decision made outside of technical considerations, is how you can't move an S3 bucket between accounts.

16.07.2025 13:32 — 👍 5    🔁 1    💬 4    📌 0

AWS Free Tier now offers $200 in credits and 6-month free plan to explore AWS at no cost - AWS

The free tier is finally free in the way most expect. "new customers can explore AWS's extensive portfolio of services without incurring costs" Finally you can try out AWS without worrying about a huge billing surprise. aws.amazon.com/about-aws/wh...

16.07.2025 02:41 — 👍 6    🔁 2    💬 0    📌 1

Everything is calm on the ground here in SLC.

14.07.2025 15:59 — 👍 0    🔁 0    💬 0    📌 0

Accelerate AI development with Amazon Bedrock API keys | Amazon Web Services Today, we're excited to announce a significant improvement to the developer experience of Amazon Bedrock: API keys. API keys provide quick access to the Amazon Bedrock APIs, streamlining the authentic...

A new long-lived secret for AWS has appeared: Bedrock API keys. aws.amazon.com/blogs/machin...

09.07.2025 00:59 — 👍 0    🔁 0    💬 0    📌 0

As threat actors pursue LLMJacking more and more (as Permiso found), I'm curious when we'll see them abusing customer service/customer facing apps. Stealing cloud credentials and using them is hard. Why not just jailbreak LLMs used in web apps for your nefarious purposes?

07.07.2025 22:11 — 👍 4    🔁 2    💬 0    📌 0

Trust Issues: What Do All these JSON files actually mean? (YouTube video by fwd:cloudsec)

Two interesting open-source tools for AWS IAM discussed at @fwdcloudsec.org.
- David Kerber with iam.cloudcopilot.io
www.youtube.com/watch?v=j0YT...
- Nick Siow with nsiow.github.io/yams/
www.youtube.com/watch?v=nkLN...

03.07.2025 20:08 — 👍 4    🔁 3    💬 0    📌 0
fwd:cloudsec 2025 North America - Day 2, Breakout 1 Full schedule: https://fwdcloudsec.org/conference/north-america/schedule.html

Day 2 of fwd:cloudsec North America 2025 begins in half an hour! Catch the live-streams here:
- www.youtube.com/live/si9qVVx...
- www.youtube.com/live/0BTBK33...

Schedule: fwdcloudsec.org/conference/n...

01.07.2025 14:29 — 👍 7    🔁 2    💬 0    📌 0
Cloud Security Forum | fwd:cloudsec fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...

The Cloud Security Forum Slack has some people making last minute changes to their travel plans and offering up their tickets as a result. Message me an email for you and I can get you in, or sign up here: fwdcloudsec.org/forum/ (the form is a bit slower though).

27.06.2025 16:41 — 👍 0    🔁 0    💬 0    📌 0

Folks coming to fwd:cloudsec, my face looks different: I have a beard. Come find me and let's chat about the new CTF I put together. lnkd.in/geRrC3aN

27.06.2025 15:04 — 👍 0    🔁 0    💬 0    📌 0

I had a lot of fun making this challenge. I wanted to do a cloud security challenge where the cloud infrastructure is secure (IMDSv2, data perimeters), but something still allows it to be hackable and you need to know some advanced AWS security tricks to abuse it. 🤫 Try it out!

27.06.2025 13:50 — 👍 8    🔁 3    💬 0    📌 1
AWS Local Zones Features Learn about AWS Local Zones features that help developers easily run latency-sensitive portions of applications in geographic proximity to end users.

Local Zones are within the EC2 service, so even if you're SCP allow-listing, you're probably allowing them to be used.

Some helpful docs:
- aws.amazon.com/about-aws/gl...
- docs.aws.amazon.com/local-zones/...

19.06.2025 19:32 — 👍 1    🔁 0    💬 0    📌 0

A fun way in which data governance assumptions can break with AWS is Local Zones. Say you SCP restrict regions to us-east-1 only. Now everything is going to stay in Northern Virginia... right? Well, Local Zones also allow usage of Mexico, Chile, Peru, and Argentina, as those are all in us-east-1.

19.06.2025 19:32 — 👍 3    🔁 0    💬 1    📌 0

Amazon S3 Express One Zone now supports atomic renaming of objects with a single API call - AWS

You can rename S3 objects now... but only in S3 Express One Zone. I thought One Zone was a subset of S3 functionality, but it's overlapping circles now. Also interesting that you can use this to overwrite existing objects.
aws.amazon.com/about-aws/wh...

19.06.2025 04:26 — 👍 7    🔁 0    💬 1    📌 0

Securing open-source credentials at scale | Google Cloud Blog We've developed a powerful tool to scan open-source package and image files by default for leaked Google Cloud credentials. Here's how to use it.

> We've set up a web endpoint so vetted ... security researchers can submit suspected exposed credentials for review
> To report exposed Google Cloud credentials, please contact gcp-credentials-reports@google.com

cloud.google.com/blog/product... really buried the lede!

17.06.2025 13:54 — 👍 2    🔁 1    💬 0    📌 0