Release Date: 20/07/2025 | Issue: 297
Know someone who'd find this useful? Forward this email
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

The Hidden Cost of Multi-Cloud: Blind Spots, Drift, and Data Exposure

Managing IAM, misconfigurations, and compliance drift across AWS, Azure, and GCP is complex. Each provider has unique policies and access models, making unified visibility and control difficult. This blog shows how to centralize access, automate secure configs, and enforce least privilege across clouds. Get a Cloud Data Risk Assessment to uncover exposure and reduce risk.

Scan Your Cloud Now

This week's articles


NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit
With just three lines of code, attackers can escape containers and gain full root access to the host. From there, the attacker could access, steal, or manipulate the sensitive data and proprietary models of all other customers running on the same shared hardware.   #ai   #attack   #containers


Making file encryption fast and secure for teams with advanced key management
Dropbox has developed an advanced key management solution to enhance team-based file encryption, addressing the needs of customers with sensitive data, such as those in finance or healthcare.   #aws   #build


Enforcing Least Privilege in AWS IAM with Access Analyzer and Last Access Data
A practical guide on enforcing least privilege in AWS IAM by using IAM Access Analyzer and service Last Accessed data. Includes real workflows, auditing strategies, and automation tips.   #aws   #explain   #iam


API Keys for Bedrock: A Brief Security Overview
This new authentication method for Amazon Bedrock introduces some helpful options, but also brings challenges.   #ai   #aws   #iam


I SPy: Escalating to Entra ID's Global Admin with a first-party app
Backdooring Microsoft's applications is far from over. A vulnerable, built-in SP that could have allowed escalation from Application Administrator to any hybrid tenant user, including Global Admin, was discovered.   #attack   #azure


Gatekeeper Constraint Bypass
A bypass was discovered within a template in Open Policy Agent's (OPA) Gatekeeper Library, allowing a latest-tagged image to be deployed even if it had been specifically designated as disallowed.   #attack   #kubernetes   #opa


Abusing Default Machine Joining to Domain Permissions to Attack AWS Managed Active Directory
Post discussing several critical AWS Managed Active Directory security vulnerabilities enabling RBCD attacks via ms-ds-MachineAccountQuota.   #attack   #aws


OCI, Oh My: Remote Code Execution on Oracle Cloud Shell and Code Editor Integrated Services
A Remote Code Execution vulnerability in Oracle Cloud Infrastructure Code Editor, which allowed an attacker to silently 1-click hijack a victim's Cloud Shell environment and potentially pivot across OCI services.   #attack

Sponsor

Secure MCP and AI workflows with Teleport + AWS

As AI agents begin orchestrating real business processes through Amazon Bedrock and Anthropic’s Model Context Protocol (MCP), they’re accessing sensitive data with little oversight. Teleport + AWS show how to secure this new class of workload with least-privilege enforced controls: no static credentials, just-in-time access, audit trails, and OWASP-aligned guardrails for AI systems.

See what most teams miss when securing AI

Tools


open-vbrowser
VBrowser is a secure, containerized browser platform designed for covert web investigations.


KubeForenSys
A Kubernetes Forensic Collection Framework for Azure Kubernetes Service. You can also refer to the companion blog post.


claude-code-router
Decide how to interact with the model while enjoying updates from Anthropic.


Kiro
Kiro is an agentic IDE that works alongside you from prototype to production.


Backlog.md
A tool for managing project collaboration between humans and AI Agents in a git ecosystem.

From the cloud providers


#AWS   How Scale to Win uses AWS WAF to block DDoS events
How Scale to Win configured their network topology and AWS WAF to protect against DDoS events that reached peaks of over 2 million requests per second during the 2024 US presidential election campaign season.


#AWS   Amazon S3 Metadata now supports metadata for all your S3 objects
Amazon S3 Metadata now provides comprehensive visibility into all objects in S3 buckets through live inventory and journal tables, enabling SQL-based analysis of both existing and new objects with automatic updates within an hour of changes.


#AWS   Introducing Amazon Bedrock AgentCore: Securely deploy and operate AI agents at any scale (preview)
Amazon Bedrock AgentCore enables rapid deployment and scaling of AI agents with enterprise-grade security. It provides memory management, identity controls, and tool integration, streamlining development while working with any open-source framework and foundation model.


#AWS   Introducing Amazon S3 Vectors: First cloud storage with native vector support at scale (preview)
Amazon S3 Vectors is a new cloud object store that provides native support for storing and querying vectors at massive scale.


#GCP   Backup for GKE supports cross-project backup and restore
Strengthen disaster recovery, centralize backup management, and improve security with Backup for GKE's cross-project backup and restore.


#GCP   Introducing Cloud Storage bucket relocation
Cloud Storage bucket relocation makes it easy to change a bucket's location, eliminates complex manual planning and prevents extended downtime.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present CloudSecList · Marco Lancini