
Karim El-Melhaoui

@karimscloud.bsky.social

Principal Security Architect & Partner at http://o3c.no, CloudSec Researcher, Microsoft Security MVP, CSA Norway Board Member

197 Followers  |  69 Following  |  38 Posts  |  Joined: 04.11.2024  |  1.6871

Latest posts by karimscloud.bsky.social on Bluesky


My first bounty

15.05.2025 18:24 — 👍 2    🔁 0    💬 0    📌 0

Waiting… 🥲

08.05.2025 17:31 — 👍 2    🔁 0    💬 1    📌 0

I find it hard to believe that AWS charges me for having hourly data of costs in my AWS environment.

04.05.2025 14:19 — 👍 1    🔁 1    💬 0    📌 0

.. You'd also have to first elevate yourself in order to remove another principal. It's interesting how a Global Admin has an invisible access to the Root scope.

03.05.2025 06:59 — 👍 1    🔁 0    💬 0    📌 0

If you were to remove any of the users previously, it had to be done through the REST API, as the permission is inherited on the Tenant Root Group visible in the portal

03.05.2025 06:59 — 👍 0    🔁 0    💬 1    📌 0

You can now see users that have triggered the Elevated Access toggle in Azure.

A simple bypass is to immediately assign the principal the same permissions at the top level management group, Tenant Root Group (tenant ID) rather than the Root scope ("/").

I still think this is an important feature.

03.05.2025 06:54 — 👍 1    🔁 0    💬 1    📌 0

Use cases for Delegated Administrator for AWS Organizations | Wiz Blog Learn about how AWS's recently released Delegated Administrator for AWS Organization can be used to solve common problems at your company and the issues you might run into with it.

Finally read and implemented the AWS Delegated Management - @scottpiper.bsky.social’s article hits the nail on challenges - we built and maintained an internal API to access this information for automation purposes, which I would do again if it wasn’t for this feature www.wiz.io/blog/use-cas...

01.05.2025 16:19 — 👍 3    🔁 2    💬 0    📌 0

fwd:cloudsec | fwd:cloudsec fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...

We’re also happy to announce our Europe scholarship program. Through this initiative, we hope to give a limited number of students or those looking to make a career change a chance to attend the conference, through a complimentary ticket and a stipend to cover travel expenses.

20.04.2025 06:49 — 👍 1    🔁 1    💬 1    📌 0

fwd:cloudsec Europe 2025 | fwd:cloudsec fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...

Ticket sales for fwd:cloudsec Europe 2025 go live on April 22nd, first batch at 9 AM CET and a second batch at 7 PM CET. Tickets are sold through Swoogo, link at fwdcloudsec.org/conference/e...

20.04.2025 06:48 — 👍 6    🔁 5    💬 1    📌 0

GitHub - github/audit-actions-workflow-runs: Audit your GitHub Actions workflow runs to see exactly which Actions were downloaded

GitHub has released an unofficial tool to audit GitHub Actions

Released after the Changed-Files debacle

github.com/github/audit...

19.04.2025 13:33 — 👍 21    🔁 3    💬 0    📌 0

Cloudy at Fløtatind, Sunndal

18.04.2025 13:48 — 👍 1    🔁 0    💬 0    📌 0

or the common "hey how are you" to derail conversation before it has even started

10.04.2025 10:48 — 👍 1    🔁 0    💬 1    📌 0

Thanks for sharing! Had this discussion over a few beers with a TAM yesterday who had heard of similar cases

08.04.2025 13:30 — 👍 1    🔁 0    💬 0    📌 0

The only liberation we’ve experienced through the past week is the liberation of our savings

08.04.2025 12:17 — 👍 0    🔁 0    💬 2    📌 0

What happens if a lambda that puts an event to an S3 triggers on the same S3… I can’t afford to find out

07.04.2025 19:13 — 👍 0    🔁 0    💬 1    📌 0

Messed up an entire GCP org. trying to clean up inheritance using google_organization_iam_policy rather than binding.

Will never know what random internal service accounts were assigned a hopefully not critical role.

31.03.2025 18:11 — 👍 2    🔁 0    💬 0    📌 0

It's happening again! We're looking for sponsors that will help support this year's European conference 🤝

24.03.2025 12:34 — 👍 0    🔁 0    💬 0    📌 0

Is there any way to generate an SBOM that describes github actions and their transitive dependencies? Ref tj-actions. I feel like this should be a thing

20.03.2025 07:25 — 👍 1    🔁 1    💬 0    📌 0

Given this is the second time I look into an AWS Solutions product and find something interesting, with no AppSec background - I have a strong feeling there's more to be found..

19.02.2025 07:32 — 👍 0    🔁 0    💬 0    📌 0

Abusing AWS Serverless Image Handler We recently discovered that the AWS solution ‘Dynamic Image Transformation for Amazon CloudFront’, previously known as ‘AWS Serverless Image Handler’, prior to version 6.2.6, contains a configuration ...

Stumbled upon the Serverless Image Handler while looking into AWS Solutions: www.o3c.no/knowledge/ab...

19.02.2025 07:31 — 👍 1    🔁 1    💬 1    📌 0

I'll be in Singapore at that time, but for those lucky enough to make it - ENJOY and hope to see you next year or in Europe this Fall (TBA).

18.02.2025 15:31 — 👍 0    🔁 0    💬 0    📌 0

Rather than maintaining a poorly written niche tool, we hope that the functionality will be adopted by more prevalent and widely adopted tools such as BloodHound or commercial offerings such as Wiz Code.

18.02.2025 15:28 — 👍 0    🔁 0    💬 0    📌 0

Tool Release: Azure and OIDC - Code to Cloud In conjunction with our talk at HackCon and the release of our latest tool in Research Release, we are sharing this as a companion blog post.

Last week, we presented our latest research into Azure and OIDC where we also released our latest tool for mapping attack paths between Azure and GitHub

www.o3c.no/knowledge/to...

18.02.2025 14:49 — 👍 2    🔁 0    💬 1    📌 0

The End of Programming as We Know It

www.oreilly.com/radar/the-en...

18.02.2025 14:47 — 👍 0    🔁 0    💬 0    📌 0

CFP | NA 2025 | fwd:cloudsec fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...

The CFP for the best cloud security conference on earth is now open! If you'd like your research to be presented alongside the cutting edge of the industry, this is your opportunity!
fwdcloudsec.org/conference/n...

05.02.2025 01:21 — 👍 19    🔁 7    💬 0    📌 1

I'll give this a go as well. Thanks for sharing!

30.01.2025 06:49 — 👍 0    🔁 0    💬 0    📌 0

Congrats, great addition to the Wiz team and now you have a reason to visit us in Norway

29.01.2025 17:54 — 👍 1    🔁 0    💬 0    📌 0

Dynamic Image Transformation for Amazon CloudFront | AWS Solutions | AWS Solutions Library Dynamic Image Transformation for Amazon CloudFront (formerly Serverless Image Handler) enables real-time image processing through the global content delivery network (CDN) of Amazon CloudFront.

AWS just renamed the Serverless Image Handler solution to Dynamic Image Transformation for Amazon CloudFront

aws.amazon.com/solutions/im...

29.01.2025 14:16 — 👍 0    🔁 0    💬 0    📌 0

Starting the new year above the clouds

01.01.2025 14:23 — 👍 3    🔁 0    💬 0    📌 0

We know where your car is - Volksdaten from Volkswagen Movement data of 800,000 electric cars, along with contact information for their owners, sat unprotected on the net. It was visible who was at ho...

The full recording can be found here:
media.ccc.de/v/38c3-wir-w.... There's an English audio track available.

And the Spiegel article can be found here:
www.spiegel.de/netzwelt/web...

30.12.2024 10:24 — 👍 2    🔁 0    💬 0    📌 0