This week's articles
The Two Mitigations for the Service-Account Confused Deputy in the Cloud
Two mitigations exist for cloud service-account confused deputy attacks: for customer-managed identities, an attachment gate (GCP actAs, AWS iam:PassRole, Azure assign/action) controls bind-time authorization; for provider-managed identities, the CSP enforces internal checks, with AWS uniquely exposing this via Forward Access Sessions and condition keys.
No single pane of glass: Anatomy of an Azure permission takeover
Sysdig TRT observed an attacker use one leaked service principal (with RoleManagement.ReadWrite.Directory) to self-grant Global Administrator, then elevateAccess to root RBAC Owner, harvest storage/Event Hub/Key Vault keys, and plant backdoors on 26 app registrations.
OIDC tokens can now restrict which AWS roles they assume
AWS STS now supports a new OIDC claim that restricts which role ARNs a token can assume. Enforced before trust policy evaluation. The boolean condition key sts:RoleAuthorizedByIdp enables mandatory enforcement via trust policies or RCPs.
|