Hacker News: nutbear

Authorization Bypass in AWS's Agentic AI for Enterprise: Amazon Quick

nutbear — Wed, 13 May 2026 12:14:57 +0000

Article URL: https://www.fogsecurity.io/blog/authorization-bypass-in-amazon-quick-ai-agents

Comments URL: https://news.ycombinator.com/item?id=48120918

Points: 2

# Comments: 0

New comment by nutbear in "Launch HN: Slauth (YC S22) – auto-generate secure IAM policies for AWS and GCP"

nutbear — Mon, 04 Dec 2023 19:00:52 +0000

Good catch on the bucket vs object level permissions with S3 and s3:PutObject.

I'd also be curious for future plans with resource policies as that's another layer of complexity to manage - where the resource policy would manage access to potentially many applications -> 1 resource. Vs 1 application -> many resources which I think is the use case Slauth is solving for initially.

Confused Deputy would be interesting, could be done via Condition Keys such as SourceArn and SourceAccount, but gets complex for cross-account use cases.

New comment by nutbear in "Launch HN: Slauth (YC S22) – auto-generate secure IAM policies for AWS and GCP"

nutbear — Mon, 04 Dec 2023 17:30:50 +0000

Yes. Good points. Agreed with patchwork as sometimes IAM can take a backseat to different priorities such as application development or feature development.

There's a couple different models for IAM ownership. At some places, the application teams own IAM along with the application. Sometimes, it's owned by central teams (such as security).

And agreed, with companies growing and changing, ownership changes as well.

Those factors can all complicated IAM development and policy maintenance as it becomes more difficult to find the right fit for IAM to application. For that, it would require someone who knows exactly what the application needs access to and the IAM actions taken as well as how to configure IAM.

New comment by nutbear in "Launch HN: Slauth (YC S22) – auto-generate secure IAM policies for AWS and GCP"

nutbear — Mon, 04 Dec 2023 16:20:26 +0000

IAM Policies in AWS are inherently difficult - there's a lot of nuance to the policies such as evaluation logic (allow/deny decisions), resource scoping, conditionals, and more. It's often more straightforward to start with a broad IAM policy and then leave it without reducing privilege as to not adversely impact the application. Proper IAM also takes dev cycles, and may not be top priority to get a policy correct. I think it's rare to find a 100% properly scoped IAM policy for an application.

Datadog recently did a State of Cloud Security and one of their findings in https://www.datadoghq.com/state-of-cloud-security/ is that a substantial portion of cloud workloads are excessively privileged (with more data points there).

New comment by nutbear in "AWS S3 beginning to apply 2 security best practices all new buckets by default"

nutbear — Sun, 09 Apr 2023 16:05:05 +0000

I wrote a blog detailing what this change means on S3 ACLs and Block Public Access on by default: https://www.cloudquery.io/blog/finding-enabled-s3-acls-and-d...

Cisco Announces Intent to Acquire Lightspin (Cloud Security)

nutbear — Wed, 29 Mar 2023 17:03:56 +0000

Article URL: https://blogs.cisco.com/news/blogs-cisco-com-news-cisco-announces-its-intent-to-acquire-cloud-security-software-company

Comments URL: https://news.ycombinator.com/item?id=35360069

Points: 1

# Comments: 0

Outdated by Default: AWS IAM Policy Language Version and Legacy Evaluation Logic

nutbear — Thu, 16 Feb 2023 19:01:16 +0000

Article URL: https://www.cloudquery.io/blog/outdated-aws-iam-policy-language

Comments URL: https://news.ycombinator.com/item?id=34823881

Points: 2

# Comments: 0

New comment by nutbear in "S3 will automatically block public access and disable ACL for new buckets"

nutbear — Mon, 30 Jan 2023 21:35:50 +0000

We wrote a post on this and some of the nuances/discrepancies for these S3 settings: https://www.cloudquery.io/blog/finding-enabled-s3-acls-and-d...

New comment by nutbear in "Nike.com allows easy account take over"

nutbear — Tue, 19 Jul 2022 17:05:24 +0000

Thanks for sharing your story!

A decent amount of disclosure programs explicitly call out social engineering as unacceptable conduct and submissions.

However, social engineering is a very valid method for attackers and in many cases, offers the path of least resistance.

While I understand why companies don’t want good faith security research to call and try to trick the human factor, this is still a very real attack vector that needs attention and to be fixed as in what you’ve described.

Uncontrollable AWS IAM: Sts:GetSessionToken, GetCallerIdentity, and Policy Sim

nutbear — Fri, 17 Jun 2022 14:10:35 +0000

Article URL: https://www.praetorian.com/blog/stsgetsessiontoken-role-chaining-in-aws/

Comments URL: https://news.ycombinator.com/item?id=31778442

Points: 2

# Comments: 0

Shared VPCs in AWS

nutbear — Wed, 05 Dec 2018 06:04:33 +0000

Article URL: https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-virtual-private-clouds-can-now-be-shared-with-other-aws-accounts/

Comments URL: https://news.ycombinator.com/item?id=18606016

Points: 4

# Comments: 0