Chad Magee

@chadmagee.bsky.social

Senior Cloud Security Engineer at Colorado's first billion-dollar unicorn company.

95 Followers  |  472 Following  |  7 Posts  |  Joined: 24.11.2024  |  1.4848

Latest posts by chadmagee.bsky.social on Bluesky

“It wasn’t hard to spot you since you’re the only ones willing to use it without being forced.”

31.01.2025 01:39 — 👍 134    🔁 13    💬 5    📌 0
I heard this quote from my favorite podcast this morning, and it resonates a lot in my consulting journey in cloud security.

"You can lead a horse to water, but you can't make him drink".

We can spread best practices, but at some point, developers will make the final decision.

09.01.2025 16:00 — 👍 2    🔁 1    💬 0    📌 0

Great post from @scottpiper.bsky.social echoing what many of us have been saying for a while: OIDC is great! But it is easy to misconfigure, and when it is, it can have serious consequences. Even AWS themselves fell into this trap.

01.01.2025 17:12 — 👍 11    🔁 4    💬 0    📌 0
Get Phished by a Public AWS Systems Manager Automation Document You've probably heard the buzz about AWS unveiling the new Nova models at re:Invent 2024. Among them,...

Interesting example of leveraging the AWS Console for phishing. I’ve seen it done with CloudFormation templates but not SSM Documents.

dev.to/aws-builders...

24.12.2024 06:53 — 👍 14    🔁 7    💬 1    📌 0
GitHub - CyberSecurityUP/Cloud-Security-Attacks: Azure and AWS Attacks Azure and AWS Attacks. Contribute to CyberSecurityUP/Cloud-Security-Attacks development by creating an account on GitHub.

🌩️🔒 Want to better understand cloud security attacks?

Check out this powerful GitHub repo featuring AWS & Azure attack simulations: github.com/CyberSecurit...

Learn, test, and strengthen your defenses! 💻☁️

#CyberSecurity #CloudSecurity #AWS #Azure

21.12.2024 21:49 — 👍 3    🔁 1    💬 0    📌 0
Mishandled OAuth Tokens Open Backdoors ◆ Truffle Security Co. We discovered SaaS providers mishandling our OAuth tokens. Attackers can use this to pivot into corporate accounts on critical services like GitHub, Azure, Slack, and more.

@trufflesec.bsky.social discovered SaaS providers mishandling their OAuth tokens. Attackers can use this to pivot into corporate accounts on critical services like GitHub, Azure, Slack, and more.

See write up ➡️ tinyurl.com/truffl3

20.12.2024 12:45 — 👍 1    🔁 0    💬 0    📌 0

🌐 AWS Resource Control Policies (RCPs) enforce centralized access across accounts.

Now supporting:
• S3
• STS
• KMS
• SQS
• Secrets Manager

RCPs set max permissions (e.g., restrict S3 to org-only) but don’t grant permissions.

🔗 Learn more in AWS docs!

#AWS #CloudSecurity

09.12.2024 17:11 — 👍 2    🔁 0    💬 0    📌 0
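The "restrict S3 to org-only" case the post mentions, written out as a Resource Control Policy. This is an added illustration, not from the post or from AWS docs verbatim; o-EXAMPLEORGID is a placeholder for the real organization ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictS3ToOrgPrincipals",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

Attached at the organization root, this caps what any S3 bucket policy in the org can hand to an outside principal (the aws:PrincipalIsAWSService exception keeps AWS service principals such as logging delivery working), but principals inside the org still need their own identity-based or bucket-policy Allow statements, since the RCP grants nothing by itself.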
Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages | Datadog Security Labs Release of Supply-Chain Firewall, an open source tool for preventing the installation of malicious PyPI and npm packages

New from Datadog Security Research! Threat actors are constantly publishing backdoored software libraries to steal credentials, get C2, and more. @ikretz.bsky.social did something about it. Meet the Supply-Chain Firewall, a tool to block malicious packages.
securitylabs.datadoghq.com/articles/int...

06.12.2024 15:13 — 👍 20    🔁 7    💬 0    📌 2

Stop using IAM users—switch to IAM roles! ☁️

✅ Temporary credentials = better security
✅ Simplified access management
✅ Seamless automation & scalability
✅ Compliance-ready & flexible

Future-proof your cloud security today!

#CloudSecurity #IAMRoles #AWS

06.12.2024 13:52 — 👍 3    🔁 0    💬 0    📌 0
Brute Force IAM Permissions - Hacking The Cloud Brute force the IAM permissions of a user or role to see what you have access to.

What can an AWS IAM user or role access? Brute-forcing permissions can reveal the answer. Learn how to use the non-destructive enumerate-iam tool for safe API exploration and see which permissions succeed—all while staying aware of OPSEC concerns. Details:

03.12.2024 15:00 — 👍 4    🔁 3    💬 0    📌 0

🚨 Security Tip: With read-only permissions, you can access cleartext secrets in AWS Lambda environment variables! 🔑

👉 Use AWS Secrets Manager or Parameter Store to encrypt sensitive data like API keys.

#AWS #CyberSecurity #CloudTips

01.12.2024 03:26 — 👍 2    🔁 0    💬 0    📌 0

🔐 Build, train, & deploy ML models securely with AWS SageMaker:

✅ End-to-end ML lifecycle
✅ Data encryption (SSE-KMS)
✅ Access control (IAM)
✅ Audit trails (CloudTrail)

Simplify ML workflows with security & compliance built in.

#AWS #SageMaker #MachineLearning #AI #MLOps

25.11.2024 21:46 — 👍 0    🔁 0    💬 0    📌 0

🔒 Protect your data & stay compliant with privacy laws like CCPA/CPRA & CPA using AWS KMS + S3:

✅ Encrypt S3 data (SSE-KMS)
✅ Control access with IAM policies
✅ Track usage with CloudTrail

Simplified security for modern compliance.

#AWS #CloudSecurity #PrivacyCompliance

24.11.2024 18:13 — 👍 1    🔁 0    💬 0    📌 0