
Posts by Andoni A.

It's funny because blameless culture applies to AI too. AI can make mistakes, but it's going to be your organization's lack of planning/monitoring/operational capabilities that causes "the incident".

2 months ago 1 0 0 0

Whoa, this seems like a hell of a re:invent announcement that leaked too early:

www.youtube.com/watch?v=Q2Zp...

5 months ago 45 6 7 1

🚀 New AWS User Group Sevilla meetup!
This month we're talking about cloud security with AWS 🔐 and how Prowler helps audit and harden your AWS accounts.
📅 Oct 29, 19:00h · 📍Espacio RES
👉 www.meetup.com/aws-user-gro...

#AWS #CloudSecurity #Prowler #Sevilla

6 months ago 5 4 0 0

Thanks to folks including @frichetten.com for feedback about our Bedrock API key launch. We're listening. Yesterday, we updated Bedrock and IAM docs (see docs.aws.amazon.com/bedrock/late...) to clarify that these are service-specific credentials and how to prevent their use in your environment. 1/2

7 months ago 6 2 1 0

followed by this image from our workshop 😂 github.com/unicrons/sec...

7 months ago 0 0 0 0
WriteUp: Cloud Village CTF 2024 - unicrons.cloud

I always send people this challenge from the Cloud Village CTF, so they understand how easily you can misconfigure OIDC unicrons.cloud/en/2024/08/1...

7 months ago 0 0 1 0
WriteUp: Cloud Village CTF DEFCON 33 - unicrons.cloud

And we couldn't let August end without publishing our writeups for the @cloudvillage-dc.bsky.social CTF at @defcon.bsky.social

unicrons.cloud/en/2025/08/3...

7 months ago 1 1 0 0
WriteUp: Cloud Security Championship #2 - Contain Me If You Can - unicrons.cloud

Wiz already released the new challenge for this month, so it is time to show how we solved the previous one!

We always wanted to dig more into container escaping, so it was a perfect opportunity to learn.
unicrons.cloud/en/2025/08/1...

7 months ago 1 2 0 0
AWS IAM Privilege Escalation Techniques - Hacking The Cloud Common techniques that can be leveraged to escalate privileges in an AWS account.

Major shout out to @andoniaf.unicrons.cloud for adding three new privilege escalation techniques to the Hacking the Cloud catalog! Contributions like this make everything possible.
hackingthe.cloud/aws/exploita...

8 months ago 8 2 0 0

Do you want to build "the perfect pipeline"?

@Paco_S and I will present "Level Up Your CI/CD: Building a secure pipeline with OSS" workshop at @cloudvillage-dc.bsky.social @defcon.bsky.social 🚀

9 months ago 0 0 0 0

We're at @fwdcloudsec.org and we have stickers. I do not know what else to say so just find us (or the stickers we left around 😂)

9 months ago 0 2 1 0
FinOps for Engineers: How to create real impact in your organization, Thu, Jun 12, 2025, 6:30 PM | Meetup **Talk: "FinOps for Engineers: How to create real impact in your organization"** Learn about FinOps culture from the engineering point of view and how to create a positive

Is your boss telling you to reduce the bill? Then this meetup is perfect for you!

FinOps for Engineers: How to create real impact in your organization 💸
with Ernesto Suarez, CEO at @GlassityStartup

🗓 Thu, June 12
⏰ 18:30h
📍 @FlywireEng office
📝 RSVP: www.meetup.com/aws-valencia...

10 months ago 1 2 0 0
Introducing a New Way to Track AWS Documentation Changes | Miggo Introducing The New Way to Track AWS Documentation Changes

www.miggo.io/resources/in...

1 year ago 0 0 0 0
AWS Security Changes

An AWS Documentation Change Tracker, cool 👏🏻

awssecuritychanges.com

1 year ago 3 0 1 0
Capital One's $200M Cloud Data Breach YouTube video by Kevin Fang

Would you prefer a video? I also have a video. www.youtube.com/watch?v=r7HV...

1 year ago 1 0 0 0
Steal EC2 Metadata Credentials via SSRF - Hacking The Cloud Old faithful; How to steal IAM Role credentials from the EC2 Metadata service via SSRF.

Never heard about this? No problem.

Take a look at hackingthe.cloud/aws/exploita... to quickly understand how attackers do it.

And this github.com/ramimac/aws-... to understand how common (and old) these kinds of attacks are.

1 year ago 0 0 1 0
Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IA...

Friendly reminder: IMDSv2 was released in November 2019.

www.bleepingcomputer.com/news/securit...

1 year ago 1 1 1 0
How We Saved $70K/Year with an Open Source Private Cloud CA | Paul Schwarzenberger, Q-Solution YouTube video by Prowler

The talk is already available on YT: www.youtube.com/watch?v=p2Cb...

1 year ago 0 0 0 0
Serverless CA on AWS Serverless CA in AWS with FIPS 140-2 level 3 CA key storage and cost typically under $5 per month

"100% serverless Certificate Authority on AWS, only $50/year"

Never thought I would hear all these words together😅

But it's true, go check this amazing project serverlessca.com by @paulschwarzen

1 year ago 1 0 1 0

Wow, it looks like @colibid also broadcasts football matches "illegally"...

1 year ago 0 0 0 0
New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents

"Vibe coders" are in trouble...

www.pillar.security/blog/new-vul...

1 year ago 0 0 0 0
GitHub Actions and the Pinning Problem: What 100 Security Projects Reveal Only 7/100 popular security projects pin everything. Here’s what I learned digging into the data.

The cobbler's children have no shoes. 😅

medium.com/@adan.alvare...

1 year ago 0 0 0 0
Open Cloud Security Conference

Open Cloud Security agenda is out! 🎉

opencloudsecurity.vfairs.com/en/#agenda

1 year ago 0 0 0 0
Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data ◆ Truffle Security Co. We scanned Common Crawl - a massive dataset used to train LLMs like DeepSeek - and found ~12,000 hardcoded live API keys and passwords. This highlights a growing issue: LLMs trained on insecure code m...

AWS Root Keys in Front-End Code?! Wtf 🙃

trufflesecurity.com/blog/researc...

1 year ago 2 0 0 0
Cloud vulnerability teardown: what's important and what you can ignore Breaking down the challenges of vulnerabilities in the cloud and how to identify if your team is at risk

groundedcloudsecurity.substack.com/p/vulnerabil...

1 year ago 2 0 0 0

Psychological safety is NOT about lack of disagreement.

Psychological safety REQUIRES:

* disagreement and debate
* setting standards for behavior and performance, and enforcing them
* telling people things they don't want to hear
* courage, from the bottom up
* humility, from the top down

1 year ago 270 73 8 6

Key takeaways for me:
- "False Positives Rate" as the most important metric for measuring detection eng. success
- "Most detections (42%) were custom-built to fit their organization’s unique envs. Vendor-provided come in second at 37%, but few rely on them exclusively."

1 year ago 0 0 1 0
2025 State of Detection Engineering Report | Anvilogic The 2025 State of Detection Engineering Report reveals key trends & challenges in detection engineering—from AI adoption to skill gaps and data access.

www.anvilogic.com/report/2025-...

1 year ago 0 0 1 0