Cloud Under Siege: AWS, Azure & GCP Critical Flaws
6 min readCRITICAL URGENCY
Executive Summary
Critical vulnerabilities discovered in AWS IAM Identity Center and Azure Active Directory pose immediate risk to cloud environments. Google Cloud Platform confirms unauthorized access to Cloud SQL metadata. Multi-cloud organizations face coordinated attacks exploiting trust relationships between providers.
⚡ Bottom line: Patch AWS IAM Identity Center and Azure AD immediately. Audit cross-cloud trust relationships.
☁️
Critical — CVSS 9.8
CVE-2026-22103: AWS IAM Identity Center Authentication Bypass
Why It Matters
A critical authentication bypass vulnerability in AWS IAM Identity Center allows attackers with network access to federated identity providers to assume any role in connected AWS accounts. Active exploitation detected in the wild.
Impact
Description
Account Takeover
Full administrative access to all connected AWS accounts
Data Exfiltration
Access to S3, RDS, Secrets Manager, and all services
Persistence
Creation of backdoor IAM users and roles
Billing Fraud
Cryptomining and resource abuse
How to Protect Yourself — Action Items
Apply AWS emergency patch via Identity Center console immediately
Review CloudTrail logs for suspicious AssumeRole events since Jan 15
Enable AWS CloudTrail Lake for enhanced forensics
Rotate all federated identity provider certificates
Enable IAM Access Analyzer for cross-account access review
🔵
Critical
Azure AD Conditional Access Policy Bypass (CVE-2026-22198)
Why It Matters
A flaw in Azure Active Directory's Conditional Access evaluation engine allows attackers to bypass device compliance and location-based policies using crafted authentication tokens. Microsoft confirms active exploitation targeting enterprises with hybrid Azure AD deployments.
Worst Case Scenario
🔓
MFA Bypass
Bypass of MFA requirements for privileged accounts.
📍
Location Spoofing
Access from untrusted locations/devices appearing legitimate.
🔗
SaaS Compromise
Compromise of Azure AD-connected SaaS applications.
How to Protect Yourself — Action Items
Apply Microsoft emergency security update KB5034441
Enable Continuous Access Evaluation (CAE) for all critical apps
Review Azure AD Sign-in logs for anomalous token claims
Implement Azure AD Identity Protection risk-based policies
Deploy Microsoft Sentinel detection rules for policy bypass attempts
🟢
Urgent
Google Cloud SQL Metadata Exposure Incident
Why It Matters
Google disclosed unauthorized access to Cloud SQL instance metadata affecting customers in us-central1 and europe-west1 regions. Exposed data includes database connection strings, IP addresses, and in some cases, stored credentials.
How to Protect Yourself — Action Items
Rotate all Cloud SQL database credentials
Review Cloud SQL instances for unauthorized IP whitelisting
Enable Cloud SQL Insights for query monitoring
Migrate sensitive workloads to Cloud SQL with Private IP only
Review IAM permissions for cloudsql.instances.* roles
🌐
Active Campaign
Cross-Cloud Trust Exploitation Campaign
Why It Matters
Threat actor "CloudHopper 2.0" is actively exploiting trust relationships between AWS, Azure, and GCP in multi-cloud environments. Initial access typically comes from the least-secured cloud, then pivots through shared credentials and federated identities.
How to Protect Yourself — Action Items
Audit cross-cloud IAM roles and service accounts
Implement unique credentials per cloud provider
Deploy cloud-native CSPM tools for unified visibility
Segment cloud networks at the identity layer
Review cloud-to-cloud VPN and peering configurations
📦
High
Terraform State File Exposure via S3 Misconfiguration
Why It Matters
Researchers discovered 2,400+ publicly accessible Terraform state files in S3 buckets containing cloud credentials, API keys, and infrastructure details. Many belong to Fortune 500 companies.
How to Protect Yourself — Action Items
Enable S3 Block Public Access at account level
Migrate Terraform state to encrypted backends (S3+DynamoDB with KMS)
Use terraform-compliance to audit state configurations
Enable AWS Config rules for public S3 detection
Run a KENSAI scan now to see if your cloud infrastructure is affected