< ciso
brief />
Tag Banner

All news with #cloud security tag

605 articles · page 2 of 31

AWS Security Hub Adds AI Security Best Practices

🛡️ AWS Security Hub CSPM introduces the AI Security Best Practices standard, offering 31 automated controls to detect misaligned AI resources. The standard evaluates Amazon Bedrock, Bedrock AgentCore, and Amazon SageMaker workloads against recommended configurations without manual rule creation. It covers domains like network isolation, encryption, VPC placement, KMS usage, private registries, and authorization, producing findings to help teams remediate issues. Available in all Regions where Security Hub CSPM operates, including GovCloud (US) and China.
read more →

AlloyDB Omni: Secure hybrid database for finance

🔒 Google Cloud introduces AlloyDB Omni, a hybrid deployment of AlloyDB for PostgreSQL designed to modernize financial services databases while preserving data residency and regulatory compliance. The offering promises PostgreSQL compatibility to reduce vendor lock-in, high transactional performance, and integrated analytics and AI capabilities delivered on-premises, at the edge, or in hybrid clouds. It targets legacy licensing, sovereignty, and real-time insights gaps, and highlights customer outcomes demonstrating faster transactions and accelerated analytics.
read more →

Cloud Monitoring adds long-lookback PromQL alerts

🔔 Google Cloud announces preview support for long-lookback alert policies in Cloud Monitoring using PromQL, enabling queries across up to two years of metric history. The feature unlocks dynamic thresholding—alerts that compare recent behavior to historical baselines—helping catch anomalies that static thresholds miss. Google outlines example algorithms (moving averages, z-score, and seasonal time-offsets), discusses trade-offs like flakiness for new workloads, and shows a practical use case for preventing runaway spend.
read more →

Designing Azure IaaS for Long-Term Cost Efficiency

🔍 This third post in the Azure IaaS series outlines best practices to design, build, and optimize cloud infrastructure for sustained cost efficiency. It explains how compounded architectural choices across compute, storage, and networking drive costs and offers Azure capabilities—such as VM families, automated tiering, and resilient networking—to align resources with workload needs and reduce TCO.
read more →

AWS Security Hub Adds Microsoft Azure Monitoring

🔒 AWS Security Hub now monitors Microsoft Azure resources, extending risk analytics, cloud security posture management, vulnerability management, and security response across both clouds. The service auto-discovers Azure VMs, ACR images, Function Apps, and identities, evaluating misconfigurations, internet exposure, and software vulnerabilities. Findings from AWS and Azure appear in a single prioritized view with consistent formats and automation workflows, and a 30-day free trial for Azure monitoring is available.
read more →

June 2026 Threat Technique Catalog Update for AWS

🛡️ The AWS CIRT updated the Threat Technique Catalog for June 2026, adding five new entries focused on container security, organization-level trust, and compute hijacking. The update documents EKS workload modification, exploitation of public-facing Kubernetes services, sts:AssumeRoot abuse across AWS Organizations, compute hijacking in clusters, and account invitations into attacker-controlled organizations. It also refreshes three existing entries with expanded detection and mitigation guidance.
read more →

Azure Files boosts Linux workloads with NFS enhancements

📣 Azure Files provides fully managed file storage tailored for modern Linux workloads, combining familiar file access with built-in performance, resilience, and security. The service supports AI inferencing, cloud-native Kubernetes deployments, and enterprise migrations by exposing standard NFS and SMB endpoints and integrating with Azure services. New features like zonal placement, provisioned v2, and faster provisioning improve scale, latency, and cost management for shared file scenarios.
read more →

Turner Industries’ secure cloud-first infrastructure

🔒 Turner Industries migrated to ChromeOS, Google Workspace, Chrome Enterprise Premium, and Cameyo to reduce costs and improve security. The shift extended device lifecycles, cut per-device costs by 40–50%, and saved an estimated $700,000 on new hardware plus $600,000 by converting existing devices with ChromeOS Flex. Faster deployments and simplified management freed IT to focus on strategic work while maintaining strong endpoint protection and legacy app access.
read more →

EC2 AMI Watermarks for Provenance and Governance

🔒 Amazon EC2 now supports AMI watermarks that embed custom identifiers into private AMIs and persist through copies and derived AMIs. Watermarks include metadata such as AMI ID, owner ID, region, and timestamps to support provenance and tracking. You can apply watermarks via the AWS Management Console, AWS CLI, SDKs, or EC2 Image Builder. Watermarks integrate with Allowed AMIs and Declarative Policies to enforce AMI usage across organizations.
read more →

CNAPP evolution: Microsoft aligns with cloud risk platforms

🔍 Cloud security is shifting from mere visibility to context-aware risk reduction across multicloud, Kubernetes, APIs, and AI workloads. The Frost & Sullivan 2026 Frost Radar positions CNAPP as an operational cloud risk platform that correlates posture, workload, identity, data, and runtime signals. Microsoft Defender for Cloud is highlighted among leading vendors for connecting findings into prioritized, actionable attack paths and enabling continuous risk validation across the application lifecycle.
read more →

Amazon Bedrock AgentCore Memory adds cross-account access

🔒 Amazon Bedrock AgentCore Memory now supports cross-account access, enabling multi-account architectures where memory resources and consuming agents span AWS accounts. Administrators can attach resource-based policies to memory resources to grant principals in other accounts permission to call memory data plane APIs by referencing the full memory ARN. Cross-account delivery destinations let memory resources stream payloads and events to Amazon S3, Amazon SNS, and Amazon Kinesis Data Streams in separate accounts. This capability is available in all Regions where AgentCore Memory is supported.
read more →

Agentic cloud operations: insight to governed action

🧭 Agentic cloud operations use AI-powered agents to turn continuous observability into governed, auditable actions across the cloud lifecycle. Microsoft describes how Azure Copilot’s observability agent—now generally available—analyzes telemetry, traces dependencies, and surfaces grouped signals and contextual recommendations to speed incident resolution and reduce noise. Built-in governance and policy guardrails ensure actions respect controls and remain human-reviewed, while cost and usage intelligence integrate into developer tools to enable continuous optimization.
read more →

AI-assisted Migration Assistant for OpenSearch Service

🚀 Migration Assistant for Amazon OpenSearch Service now includes an AI-assisted experience that simplifies moving self-managed Apache Solr, Elasticsearch, or OpenSearch deployments to OpenSearch Serverless or Managed Clusters. The assistant integrates with AI tools like Kiro and Claude Code to plan migrations, deploy infrastructure, and execute both historical and live traffic migration. It also adds live traffic capture and replay support for Solr and is available in all commercial AWS Regions and AWS GovCloud (US) Regions where OpenSearch Service is offered.
read more →

AWS Transform expands migration target regions

🔁 AWS Transform for migrations now supports deployment to all AWS commercial regions as migration targets, enabling customers to select where migrated resources are provisioned, including landing zones and network infrastructure. The announcement lists newly supported regions such as US East (N. California), Africa (Cape Town), multiple Asia Pacific and European locations, Canada (Calgary), Mexico (Querétaro), and Middle East (Tel Aviv). Target region selection is integrated into the AWS Transform for migrations workflow and documentation lists the current supported target regions.
read more →

Implementing Egress Controls to Prevent Data Exfiltration

🔒 This post outlines an architecture and controls for preventing data exfiltration from AWS environments by combining centralized network inspection, DNS filtering, and data perimeter policies. It explains a hub-and-spoke pattern using Transit Gateway, AWS Network Firewall, and Route 53 Resolver DNS Firewall to inspect and block unauthorized outbound traffic, including scenarios involving compromised workloads and agentic AI. The article details layered preventive, detective, and corrective measures using AWS services such as GuardDuty, Security Hub, IAM Access Analyzer, EventBridge, and Firewall Manager to automate detection and response.
read more →

Amazon EKS adds customer-routed control plane egress

🔐 Amazon EKS now supports customer-routed control plane egress, allowing outbound Kubernetes API server traffic to traverse your Amazon VPC. This includes admission webhook callbacks, OpenID Connect (OIDC) provider lookups, and aggregate API server requests. By routing through your VPC you can manage routing, security groups, and egress paths to meet data perimeter and compliance needs. Enable the feature by setting controlPlaneEgressMode to CUSTOMER_ROUTED and enforce it org-wide with the eks:controlPlaneEgressMode IAM condition key.
read more →

NCSC: 75% of CNI Incidents Linked to Hostile States

🛡️ Richard Horne, CEO of the UK National Cyber Security Centre, told the RUSI Annual Security Lecture that three-quarters of cyber incidents affecting UK critical national infrastructure over the past year were traced to nation-state actors or hostile states. The NCSC handled around 200 incidents between June 2025 and May 2026, with threats described across three contested digital spaces: far, mid and near. Horne warned that AI and cloud supply-chain exploitation increase attacker scale and urged organisations to prioritise continuous defence, fix legacy vulnerabilities and close IT-OT knowledge gaps.
read more →

Google Vertex AI SDK bucket squatting enables RCE

🔒 A design flaw in the Vertex AI SDK for Python allowed attackers to hijack model staging buckets across projects by predicting bucket names derived from project ID and region. Unit 42 researchers called this class of issue Bucket Squatting, where global bucket name uniqueness enabled pre-creation and silent takeover. The flaw could lead to cross-tenant model poisoning and remote code execution via pickle deserialization. Google issued fixes in SDK versions 1.144.0 and 1.148.0 and users should upgrade.
read more →

Oracle Autonomous AI Database Serverless on AWS

🛠️ Oracle Autonomous AI Database Serverless (ADB-S) is now available on Oracle Database@AWS through AWS Marketplace with Bring Your Own License and License Included options. ADB-S runs on Exadata infrastructure as a fully managed service that automates patching, tuning, scaling, backups, and high availability. It supports four workload types—AI Transaction Processing, AI Lakehouse, AI JSON Database, and Oracle APEX—with independent compute and storage scaling. Integrations include AWS KMS for encryption, Amazon CloudWatch for monitoring, and Amazon EventBridge for events.
read more →

Detecting and Preventing Subdomain Takeover Risks

🔎 This post explains how subdomain takeover occurs when dangling DNS CNAME records point to deleted AWS resources and how attackers can reclaim those names to serve malicious content. It describes which AWS services use globally claimable namespaces (notably S3, CloudFront, and Elastic Beanstalk), outlines potential impacts such as reputation damage and phishing, and recommends detection using AWS Config inventory checks rather than DNS resolution. The article also summarizes a reference implementation that deploys a Lambda-based Config rule, Security Hub findings, optional SNS alerts, and mitigation best practices including deleting DNS records before resources and adopting account regional S3 namespaces where applicable.
read more →