Cloud Security
In-depth guides and analysis on cloud security from the Safeguard engineering team.
237 articles
AWS IAM policy misconfiguration vulnerability patterns
Wildcard policies, PassRole chains, and trust-policy gaps drive most AWS IAM breaches. Here's how these misconfiguration patterns actually get exploited.
Azure storage account misconfiguration report
A breakdown of what drives Azure storage misconfiguration reports, from the 2023 Wiz-disclosed 38TB leak to SAS token and public access risks in 2025.
GCP IAM privilege escalation paths explained
Attackers escalate GCP privilege using IAM actAs chains, default Editor service accounts, and Cloud Build tokens -- no exploit code required.
Kubernetes secrets management vulnerability guide
Kubernetes Secrets are base64, not encrypted. Real CVEs and the Tesla breach show how attackers exploit that gap — and how to close it.
CI/CD pipeline security vulnerability trends
CI/CD pipelines now hold the keys attackers want most. Here's what tj-actions, Ultralytics, and Jenkins CVE-2024-23897 reveal about the trend.
GitHub Actions workflow injection vulnerabilities
How GitHub Actions workflow injection lets attackers hijack CI pipelines via untrusted input, real CVEs like CVE-2025-30066, and how to detect it.
Jenkins plugin vulnerability trends report
Jenkins plugin CVEs keep piling up—missing permission checks, CSRF gaps, and a critical CVE-2024-23897 that attackers scanned for within days.
Container runtime security (containerd/CRI-O) vulnerability roundup
Container runtime CVEs like the runc Leaky Vessels flaw and CRI-O's cr8escape show how containerd and CRI-O bugs turn into full host takeovers.
OpenTofu and Terraform provider supply chain risk
Terraform and OpenTofu providers run unsandboxed with full pipeline credentials. Here's where the provider supply chain actually breaks down.
AWS TEAM CVE-2025-1969: Spoofed Approvals in IAM Identity Center
AWS Security Bulletin AWS-2025-004 disclosed an input validation flaw in Temporary Elevated Access Management that let users forge approvals. Here's what changed and how to harden TEAM 1.2.2.
Pandoc CVE-2025-51591: SSRF Against EC2 Metadata in the Wild
Wiz documented active exploitation of Pandoc CVE-2025-51591 to reach the AWS IMDS through iframe rendering. Here is the kill chain and the production controls that contained it.
AWS-2025-021: The IMDS Impersonation Bulletin Few Teams Read Carefully
AWS published Security Bulletin AWS-2025-021 warning that EC2 instances may interact with unexpected AWS accounts through the Instance Metadata Service. Here is the technical impact and the IMDSv2 enforcement plan.