Security Briefing 🔴 Critical

Cloud Under Siege: AWS, Azure & GCP Critical Flaws

6 min read
CRITICAL URGENCY

Executive Summary

Critical vulnerabilities discovered in AWS IAM Identity Center and Azure Active Directory pose immediate risk to cloud environments. Google Cloud Platform confirms unauthorized access to Cloud SQL metadata. Multi-cloud organizations face coordinated attacks exploiting trust relationships between providers.

⚡ Bottom line: Patch AWS IAM Identity Center and Azure AD immediately. Audit cross-cloud trust relationships.

☁️
Critical — CVSS 9.8

CVE-2026-22103: AWS IAM Identity Center Authentication Bypass

Why It Matters

A critical authentication bypass vulnerability in AWS IAM Identity Center allows attackers with network access to federated identity providers to assume any role in connected AWS accounts. Active exploitation detected in the wild.

Impact Description
Account Takeover Full administrative access to all connected AWS accounts
Data Exfiltration Access to S3, RDS, Secrets Manager, and all services
Persistence Creation of backdoor IAM users and roles
Billing Fraud Cryptomining and resource abuse

How to Protect Yourself — Action Items

  • Apply AWS emergency patch via Identity Center console immediately
  • Review CloudTrail logs for suspicious AssumeRole events since Jan 15
  • Enable AWS CloudTrail Lake for enhanced forensics
  • Rotate all federated identity provider certificates
  • Enable IAM Access Analyzer for cross-account access review
🔵
Critical

Azure AD Conditional Access Policy Bypass (CVE-2026-22198)

Why It Matters

A flaw in Azure Active Directory's Conditional Access evaluation engine allows attackers to bypass device compliance and location-based policies using crafted authentication tokens. Microsoft confirms active exploitation targeting enterprises with hybrid Azure AD deployments.

Worst Case Scenario

🔓

MFA Bypass

Bypass of MFA requirements for privileged accounts.

📍

Location Spoofing

Access from untrusted locations/devices appearing legitimate.

🔗

SaaS Compromise

Compromise of Azure AD-connected SaaS applications.

How to Protect Yourself — Action Items

  • Apply Microsoft emergency security update KB5034441
  • Enable Continuous Access Evaluation (CAE) for all critical apps
  • Review Azure AD Sign-in logs for anomalous token claims
  • Implement Azure AD Identity Protection risk-based policies
  • Deploy Microsoft Sentinel detection rules for policy bypass attempts
🟢
Urgent

Google Cloud SQL Metadata Exposure Incident

Why It Matters

Google disclosed unauthorized access to Cloud SQL instance metadata affecting customers in us-central1 and europe-west1 regions. Exposed data includes database connection strings, IP addresses, and in some cases, stored credentials.

How to Protect Yourself — Action Items

  • Rotate all Cloud SQL database credentials
  • Review Cloud SQL instances for unauthorized IP whitelisting
  • Enable Cloud SQL Insights for query monitoring
  • Migrate sensitive workloads to Cloud SQL with Private IP only
  • Review IAM permissions for cloudsql.instances.* roles
🌐
Active Campaign

Cross-Cloud Trust Exploitation Campaign

Why It Matters

Threat actor "CloudHopper 2.0" is actively exploiting trust relationships between AWS, Azure, and GCP in multi-cloud environments. Initial access typically comes from the least-secured cloud, then pivots through shared credentials and federated identities.

How to Protect Yourself — Action Items

  • Audit cross-cloud IAM roles and service accounts
  • Implement unique credentials per cloud provider
  • Deploy cloud-native CSPM tools for unified visibility
  • Segment cloud networks at the identity layer
  • Review cloud-to-cloud VPN and peering configurations
📦
High

Terraform State File Exposure via S3 Misconfiguration

Why It Matters

Researchers discovered 2,400+ publicly accessible Terraform state files in S3 buckets containing cloud credentials, API keys, and infrastructure details. Many belong to Fortune 500 companies.

How to Protect Yourself — Action Items

  • Enable S3 Block Public Access at account level
  • Migrate Terraform state to encrypted backends (S3+DynamoDB with KMS)
  • Use terraform-compliance to audit state configurations
  • Enable AWS Config rules for public S3 detection

Run a KENSAI scan now to see if your cloud infrastructure is affected

🗡️ Scan Your Systems →

Your Action Checklist for This Week

Critical — Do Today
  • Patch AWS IAM Identity Center immediately
  • Apply Azure AD security update KB5034441
  • Rotate Google Cloud SQL credentials if in affected regions
High — Do This Week
  • Audit cross-cloud trust relationships and shared credentials
  • Enable enhanced logging across all cloud providers
  • Review Terraform state file storage and encryption
Medium — Ongoing
  • Implement cloud-native SIEM detection rules
  • Schedule multi-cloud security posture assessment
  • Deploy CSPM tools for unified visibility

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles