developer created a public S3 bucket to share marketing assets. However, the same bucket also contained internal documents. A threat actor found it via a public bucket scanner, downloaded sensitive company roadmaps, and posted them online — triggering an internal investigation and reputation damage.
created a dev environment in their own AWS account using company credit cards. The environment ran a temporary ML model with a permissive IAM role. Months later, the account was compromised, and attackers used the forgotten EC2 instances to launch crypto mining attacks — unnoticed for weeks.
but findings ignored
• AWS Config turned on, no remediation setup
• Security Hub without aggregation or alerts
• WAF deployed, no rules maintained
• Shield Advanced without any playbook
• No budget for follow-up security team actions
security engineer enabled GuardDuty and AWS Config as part of compliance prep. However, alert emails went to a defunct inbox, and no remediation scripts were deployed. Months later, a compromised IAM key was flagged by GuardDuty — but nobody saw it until after data exfiltration occurred.
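The failure in this scenario is not detection but follow-up: the finding existed, nobody was measured on closing it. A small triage script that routes GuardDuty findings by severity band and reports every open high-severity finding older than a response SLA makes "ignored" visible. This is an added example, not code from the original page; the findings are constructed (field names follow the GuardDuty GetFindings response shape, values are invented), and the routing destinations and the 24-hour SLA are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample findings, shaped like records returned by the GuardDuty
# GetFindings API (field names real, values invented for this example).
SAMPLE_FINDINGS = [
    {"Id": "f-001",
     "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "Severity": 8.0, "UpdatedAt": "2024-01-05T10:00:00.000Z",
     "Service": {"Archived": False}},           # open for weeks: the L4 scenario
    {"Id": "f-002", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 5.0, "UpdatedAt": "2024-02-28T09:00:00.000Z",
     "Service": {"Archived": False}},
    {"Id": "f-003", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
     "Severity": 8.0, "UpdatedAt": "2024-01-20T12:00:00.000Z",
     "Service": {"Archived": True}},            # already triaged and archived
    {"Id": "f-004", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
     "Severity": 8.0, "UpdatedAt": "2024-02-29T20:00:00.000Z",
     "Service": {"Archived": False}},           # fresh, still inside the SLA
]

# Fixed "now" so the example is reproducible (assumption for this example).
REFERENCE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """GuardDuty timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def severity_label(score):
    """Map GuardDuty's numeric severity onto its documented bands."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def route(finding):
    """Routing decision per band; destination names are assumptions here."""
    label = severity_label(finding["Severity"])
    return {"HIGH": "page-oncall", "MEDIUM": "open-ticket", "LOW": "log-only"}[label]


def stale_findings(findings, now, min_severity=7.0, sla_hours=24):
    """IDs of open findings at/above min_severity whose last update is older
    than the SLA, i.e. the alerts nobody acted on."""
    stale = []
    for f in findings:
        if f["Service"].get("Archived"):
            continue                      # closed by an analyst, not our problem
        if f["Severity"] < min_severity:
            continue
        age_hours = (now - parse_ts(f["UpdatedAt"])).total_seconds() / 3600
        if age_hours > sla_hours:
            stale.append(f["Id"])
    return stale


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["Id"], severity_label(f["Severity"]), "->", route(f))
    print("open past SLA:", stale_findings(SAMPLE_FINDINGS, REFERENCE_NOW))
```

In practice the stale list is what should page someone, independently of the original alert e-mail, so a dead inbox cannot silently absorb a compromised-credential finding.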
response analysis
• CloudTrail not centralized or multi-region
• No VPC Flow Logs for key subnets
• S3 access logs not enabled
• Lambda logs not ingested/analyzed
• No SIEM or alerting integration
• Logs stored but never reviewed
function was exploited via an unvalidated API input. With no logs ingested into a SIEM and no CloudTrail for the region enabled, the security team was unaware until a customer reported unusual behavior.
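The logging gaps listed above are all checkable from API describe output, so they belong in a scheduled audit rather than a one-off compliance review. The following added example (not code from the original page) audits three of them over a constructed account snapshot: a multi-region CloudTrail with log file validation and CloudWatch Logs delivery, active VPC Flow Logs on subnets tagged as a critical tier, and S3 server access logging. The key names follow the CloudTrail DescribeTrails/GetTrailStatus, EC2 DescribeSubnets/DescribeFlowLogs and S3 GetBucketLogging responses; the values, the `tier` tag convention and the "database" tier name are assumptions.

```python
# Constructed sample account state (key names real, values invented).
TRAILS = [
    {"Name": "main-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "CloudWatchLogsLogGroupArn": None},
]
TRAIL_STATUS = {"main-trail": {"IsLogging": True}}
SUBNETS = [
    {"SubnetId": "subnet-db-a", "Tags": [{"Key": "tier", "Value": "database"}]},
    {"SubnetId": "subnet-db-b", "Tags": [{"Key": "tier", "Value": "database"}]},
    {"SubnetId": "subnet-web", "Tags": [{"Key": "tier", "Value": "web"}]},
]
FLOW_LOGS = [{"ResourceId": "subnet-db-a", "FlowLogStatus": "ACTIVE"}]
# bucket name -> GetBucketLogging response ({} means logging is off)
BUCKET_LOGGING = {
    "customer-exports": {"LoggingEnabled": {"TargetBucket": "access-logs"}},
    "marketing-assets": {},
}


def audit_cloudtrail(trails, status):
    """Findings as (control, resource, message) tuples."""
    issues = []
    if not any(t["IsMultiRegionTrail"] for t in trails):
        issues.append(("cloudtrail", "account",
                       "no multi-region trail; activity in other regions is invisible"))
    for t in trails:
        if not status.get(t["Name"], {}).get("IsLogging"):
            issues.append(("cloudtrail", t["Name"], "trail exists but is not logging"))
        if not t.get("LogFileValidationEnabled"):
            issues.append(("cloudtrail", t["Name"],
                           "log file validation disabled; tampering would go undetected"))
        if not t.get("CloudWatchLogsLogGroupArn"):
            issues.append(("cloudtrail", t["Name"],
                           "not delivered to CloudWatch Logs; no path to alerting"))
    return issues


def tag(resource, key):
    """Value of an EC2-style tag, or None when the tag is absent."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == key), None)


def audit_flow_logs(subnets, flow_logs, critical_tiers=("database",)):
    """Subnets in a critical tier that have no ACTIVE flow log attached."""
    covered = {f["ResourceId"] for f in flow_logs if f["FlowLogStatus"] == "ACTIVE"}
    return [("vpc-flow-logs", s["SubnetId"],
             f"{tag(s, 'tier')} subnet has no active flow log")
            for s in subnets
            if tag(s, "tier") in critical_tiers and s["SubnetId"] not in covered]


def audit_bucket_logging(bucket_logging):
    """Buckets whose GetBucketLogging response carries no LoggingEnabled block."""
    return [("s3-access-logs", name, "server access logging not enabled")
            for name, cfg in bucket_logging.items() if "LoggingEnabled" not in cfg]


def audit_all(trails, status, subnets, flow_logs, bucket_logging):
    return (audit_cloudtrail(trails, status)
            + audit_flow_logs(subnets, flow_logs)
            + audit_bucket_logging(bucket_logging))


if __name__ == "__main__":
    for control, resource, message in audit_all(
            TRAILS, TRAIL_STATUS, SUBNETS, FLOW_LOGS, BUCKET_LOGGING):
        print(f"[{control}] {resource}: {message}")
```

Each tuple is something a ticket can be opened on; the point of the audit is that a single-region trail with no CloudWatch delivery is flagged before an incident, not discovered during one.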
Lack of least privilege enforcement
• Long-lived IAM users with active keys
• Insecure role assumption policies
• No session tagging or permissions boundaries
• No review of IAM Access Analyzer findings
was granted AdministratorAccess for a “short task.” The credentials were leaked via GitHub, and an attacker spun up 100 high-cost instances across multiple regions. The monthly bill spiked to $70,000 before AWS billing alerts were triggered.
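Both the public-bucket scenario and the "short task" administrator scenario come down to policy documents and credentials that nobody re-checked. The added example below (not code from the original page) covers both: it flags bucket policy statements that anonymous principals can use outside an approved public prefix, identity policy statements that combine a wildcard action with a wildcard resource, and active access keys older than a rotation limit in an IAM credential report. The policies, the credential report rows and the approved prefix are constructed; only the columns needed here are included from the credential report format, and the 90-day limit is an assumption.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed inputs (structure follows AWS policy JSON and the credential
# report CSV; names and values are invented for this example).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadWholeBucket", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"},
    {"Sid": "PublicReadApproved", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/public/*"},
]}
APPROVED_PUBLIC = ("arn:aws:s3:::marketing-assets/public/",)

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ShortTaskAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllEc2", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
    {"Sid": "ReadOneBucket", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::team-data/*"},
]}

CREDENTIAL_REPORT = """user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
ci-deployer,true,2023-06-01T00:00:00+00:00,false,N/A
analyst,true,2024-02-15T00:00:00+00:00,true,2023-01-10T00:00:00+00:00
"""
REFERENCE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed for reproducibility


def as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal; normalize."""
    return value if isinstance(value, list) else [value]


def statements(policy):
    return as_list(policy.get("Statement", []))


def is_public(principal):
    """'*' or {'AWS': '*'} means any caller, including anonymous ones."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def public_grants(bucket_policy, approved_prefixes=()):
    """(Sid, Resource) of unconditioned public Allow statements whose resource
    is not confined to an approved public prefix."""
    flagged = []
    for s in statements(bucket_policy):
        if s.get("Effect") != "Allow" or not is_public(s.get("Principal")):
            continue
        if s.get("Condition"):
            continue  # conditioned public grants need manual review, not covered here
        for res in as_list(s.get("Resource", [])):
            if not any(res.startswith(p) for p in approved_prefixes):
                flagged.append((s.get("Sid", "<no sid>"), res))
    return flagged


def broad_grants(identity_policy):
    """Sids of Allow statements pairing a wildcard action with Resource '*'."""
    flagged = []
    for s in statements(identity_policy):
        if s.get("Effect") != "Allow":
            continue
        actions = as_list(s.get("Action", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wild_action and "*" in as_list(s.get("Resource", [])):
            flagged.append(s.get("Sid", "<no sid>"))
    return flagged


def stale_active_keys(report_csv, now, max_age_days=90):
    """(user, key slot) for active access keys older than max_age_days."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            if (now - rotated).days > max_age_days:
                stale.append((row["user"], slot))
    return stale


if __name__ == "__main__":
    print("public beyond approved prefix:", public_grants(BUCKET_POLICY, APPROVED_PUBLIC))
    print("wildcard grants:", broad_grants(IDENTITY_POLICY))
    print("stale active keys:", stale_active_keys(CREDENTIAL_REPORT, REFERENCE_NOW))
```

The prefix check is what would have caught the first scenario: a bucket that is partly public is acceptable only if the public statement is scoped to the prefix that is meant to be public, not to the whole bucket.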
with outdated packages
• No automation for OS-level patching
• Long-lived instances without maintenance
• Vulnerabilities ignored in CSPM reports
• No baseline golden image enforcement
outdated Docker image with a known critical vulnerability. The DevOps pipeline had no image scanning, and patching relied on manual updates. An attacker exploited the flaw to gain shell access and pivot into the internal network.
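The missing control in this scenario is a pipeline gate that reads the scanner's output and refuses to ship the image. The added example below (not code from the original page or any scanner project) implements such a gate over a constructed report in the shape Trivy writes with `--format json` (a top-level `Results` list, each entry with `Target` and `Vulnerabilities`); the image name, package versions and the `CVE-0000-000x` identifiers are placeholders, and the default policy (block on HIGH or worse, but only where a fix exists) is an assumption.

```python
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan report; shape follows Trivy JSON output, values are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example.com/api:1.4.2",
    "Results": [
        {"Target": "registry.example.com/api:1.4.2 (debian 11.6)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
              "InstalledVersion": "1.1.1n-0", "FixedVersion": "1.1.1n-0+deb11u5",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
              "InstalledVersion": "2.31-13", "FixedVersion": "",   # no fix yet
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl",
              "InstalledVersion": "7.74.0-1", "FixedVersion": "7.74.0-1.3",
              "Severity": "MEDIUM"},
         ]},
    ],
}


def vulnerabilities(report):
    """Yield (target, vulnerability) across all results; Trivy may emit null lists."""
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield result["Target"], v


def blocking_findings(report, fail_on="HIGH", fixed_only=True):
    """Findings at or above the threshold; with fixed_only, unfixable ones are
    reported elsewhere rather than blocking the build indefinitely."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for _target, v in vulnerabilities(report):
        if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
            continue
        if fixed_only and not v.get("FixedVersion"):
            continue
        blocking.append((v["VulnerabilityID"], v["PkgName"], v.get("FixedVersion") or "none"))
    return blocking


def gate(report, **policy):
    """(passed, blocking findings) for use as a CI step exit decision."""
    blocking = blocking_findings(report, **policy)
    return len(blocking) == 0, blocking


def summarize(report):
    """Count of findings per severity, for the build log."""
    return dict(Counter(v.get("Severity", "UNKNOWN") for _t, v in vulnerabilities(report)))


if __name__ == "__main__":
    import sys
    passed, blocking = gate(SAMPLE_REPORT)
    print("summary:", summarize(SAMPLE_REPORT))
    for vuln_id, pkg, fix in blocking:
        print(f"BLOCK {vuln_id} in {pkg}: upgrade to {fix}")
    sys.exit(0 if passed else 1)
```

Run as a CI step, a non-zero exit stops the push to the registry; the `fixed_only` switch is the usual compromise between a gate that is enforced and one that everyone learns to bypass because it fails on findings no one can fix.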
was deployed in the same VPC as production systems. After the dev app was compromised, the attacker moved laterally to the production RDS instance and downloaded customer data. There were no subnet-level firewalls to isolate workloads.
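Whether a compromised dev host can reach a production database is a question the security group rules already answer, so it can be checked continuously rather than learned from an incident. The added example below (not code from the original page) walks security groups shaped like EC2 DescribeSecurityGroups output and flags database ports reachable from the internet, from dev address space, or from a dev security group. The groups, the dev CIDR, the dev group id and the database port list are constructed assumptions for this example.

```python
import ipaddress

# Constructed environment description (assumptions for this example).
DEV_CIDRS = ["10.0.2.0/24"]      # subnets that host dev workloads
DEV_GROUPS = {"sg-dev-app"}      # security groups attached to dev instances
DB_PORTS = {3306, 5432}          # MySQL/Aurora and PostgreSQL

# Constructed sample shaped like ec2:DescribeSecurityGroups output.
SECURITY_GROUPS = [
    {"GroupId": "sg-prod-rds", "GroupName": "prod-rds",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}],   # whole VPC, dev subnet included
          "UserIdGroupPairs": [{"GroupId": "sg-dev-app"}, {"GroupId": "sg-prod-app"}]},
     ]},
    {"GroupId": "sg-prod-app", "GroupName": "prod-app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-public-db", "GroupName": "legacy-db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
]


def covers_db_port(perm):
    """True if the rule's protocol/port range includes a database port."""
    if perm["IpProtocol"] == "-1":          # all traffic
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= port <= hi for port in DB_PORTS)


def overlaps_dev(cidr):
    """True if the source CIDR overlaps any dev subnet."""
    net = ipaddress.ip_network(cidr)
    return any(net.overlaps(ipaddress.ip_network(d)) for d in DEV_CIDRS)


def exposed_db_rules(groups):
    """(group id, source, reason) for each database-port rule that crosses
    the trust boundary between dev and production or reaches the internet."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            if not covers_db_port(perm):
                continue
            for r in perm.get("IpRanges", []):
                cidr = r["CidrIp"]
                if cidr == "0.0.0.0/0":
                    findings.append((g["GroupId"], cidr, "database port open to the internet"))
                elif overlaps_dev(cidr):
                    findings.append((g["GroupId"], cidr,
                                     "database port reachable from dev address space"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] in DEV_GROUPS:
                    findings.append((g["GroupId"], pair["GroupId"],
                                     "database port reachable from a dev security group"))
    return findings


if __name__ == "__main__":
    for group, source, reason in exposed_db_rules(SECURITY_GROUPS):
        print(f"{group}: {reason} (source {source})")
```

The `10.0.0.0/16` rule is the one that matters for the scenario above: it looks internal, but in a shared VPC "internal" includes the compromised dev app. Restricting the database rule to the production application security group, and giving dev workloads their own VPC or at least their own subnets with network ACLs, removes the lateral path.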