Karim El-Melhaoui
karimscloud.bsky.social
Principal Security Architect & Partner at http://o3c.no, CloudSec Researcher, Microsoft Security MVP, CSA Norway Board Member
Waiting… 🥲
May 8, 2025 at 5:32 PM
I find it hard to believe that AWS charges me for having hourly data of costs in my AWS environment.
May 4, 2025 at 2:19 PM
You can now see users that have triggered the Elevated Access toggle in Azure.

A simple bypass is to immediately assign the principal the same permissions at the top-level management group, Tenant Root Group (tenant ID), rather than the Root scope ("/").

I still think this is an important feature.
May 3, 2025 at 6:54 AM
Finally read and implemented the AWS Delegated Management - @scottpiper.bsky.social’s article hits the nail on challenges - we built and maintained an internal API to access this information for automation purposes, which I would do again if it wasn’t for this feature www.wiz.io/blog/use-cas...
Use cases for Delegated Administrator for AWS Organizations | Wiz Blog
Learn about how AWS's recently released Delegated Administrator for AWS Organization can be used to solve common problems at your company and the issues you might run into with it.
www.wiz.io
May 1, 2025 at 4:19 PM
Reposted by Karim El-Melhaoui
We’re also happy to announce our Europe scholarship program. Through this initiative, we hope to give a limited number of students or those looking to make a career change a chance to attend the conference, through a complimentary ticket and a stipend to cover travel expenses.
fwd:cloudsec | fwd:cloudsec
fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...
fwdcloudsec.org
April 20, 2025 at 6:49 AM
Reposted by Karim El-Melhaoui
Ticket sales for fwd:cloudsec Europe 2025 go live on April 22nd, first batch at 9 AM CET and a second batch at 7 PM CET. Tickets are sold through Swoogo, link at fwdcloudsec.org/conference/e...
fwd:cloudsec Europe 2025 | fwd:cloudsec
fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...
fwdcloudsec.org
April 20, 2025 at 6:48 AM
Reposted by Karim El-Melhaoui
GitHub has released an unofficial tool to audit GitHub Actions

Released after the Changed-Files debacle

github.com/github/audit...
GitHub - github/audit-actions-workflow-runs: Audit your GitHub Actions workflow runs to see exactly which Actions were downloaded
Audit your GitHub Actions workflow runs to see exactly which Actions were downloaded - github/audit-actions-workflow-runs
github.com
April 19, 2025 at 1:33 PM
Cloudy at Fløtatind, Sunndal
April 18, 2025 at 1:48 PM
The only liberation we’ve experienced through the past week is the liberation of our savings
April 8, 2025 at 12:17 PM
What happens if a lambda that puts an event to an S3 triggers on the same S3… I can’t afford to find out
April 7, 2025 at 7:13 PM
Messed up an entire GCP org trying to clean up inheritance using google_organization_iam_policy rather than binding.

Will never know what random internal service accounts were assigned a hopefully not critical role.
March 31, 2025 at 6:11 PM
It's happening again! We're looking for sponsors that will help support this year's European conference🤝
March 24, 2025 at 12:34 PM
Reposted by Karim El-Melhaoui
Is there any way to generate an SBOM that describes github actions and their transitive dependencies? Ref tj-actions. I feel like this should be a thing
March 20, 2025 at 7:25 AM
Stumbled upon the Serverless Image Handler while looking into AWS Solutions: www.o3c.no/knowledge/ab...
Abusing AWS Serverless Image Handler
We recently discovered that the AWS solution ‘Dynamic Image Transformation for Amazon CloudFront’, previously known as ‘AWS Serverless Image Handler’, prior to version 6.2.6, contains a configuration ...
www.o3c.no
February 19, 2025 at 7:31 AM
I'll be in Singapore at that time, but for those lucky enough to make it - ENJOY and hope to see you next year or in Europe this Fall (TBA).
February 18, 2025 at 3:31 PM
Last week, we presented our latest research into Azure and OIDC where we also released our latest tool for mapping attack paths between Azure and GitHub

www.o3c.no/knowledge/to...
Tool Release: Azure and OIDC - Code to Cloud
In conjunction with our talk at HackCon and the release of our latest tool in Research Release, we are sharing this as a companion blog post.
www.o3c.no
February 18, 2025 at 2:49 PM
Reposted by Karim El-Melhaoui
The CFP for the best cloud security conference on earth is now open! If you'd like your research to be presented alongside the cutting edge of the industry, this is your opportunity!
fwdcloudsec.org/conference/n...
CFP | NA 2025 | fwd:cloudsec
fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...
fwdcloudsec.org
February 5, 2025 at 1:21 AM
AWS just renamed the Serverless Image Handler solution to Dynamic Image Transformation for Amazon CloudFront

aws.amazon.com/solutions/im...
Dynamic Image Transformation for Amazon CloudFront | AWS Solutions | AWS Solutions Library
Dynamic Image Transformation for Amazon CloudFront (formerly Serverless Image Handler) enables real-time image processing through the global content delivery network (CDN) of Amazon CloudFront.
aws.amazon.com
January 29, 2025 at 2:16 PM
Starting the new year above the clouds
January 1, 2025 at 2:23 PM
Cariad, a subsidiary of Volkswagen Group recently had a data compromise in AWS.

Unlike my initial instinct, this was not related to a Public or Unprotected bucket..

Looking further into the breach, published by the Chaos Computer Club (ccc.de) responsible for the disclosure it was discovered by..
December 30, 2024 at 10:25 AM
First year I have FOMO for not attending #reinvent
December 2, 2024 at 5:38 PM
Spent some time on AWS research tonight. I’m looking forward to interacting with the new vulnerability disclosure program 🫡
November 28, 2024 at 9:58 PM
Reposted by Karim El-Melhaoui
Are you an Azure Pentester looking for new lateral movement techniques?

Take a look at my blog post about abusing Data Factory to steal secrets and tokens.

Thanks @karimscloud.bsky.social for the inspiration to look into this.

codyburkard.com/abusingselfh...
November 25, 2024 at 9:17 AM