Blog

Field notes on cloud access

Breach breakdowns, query walkthroughs, and the questions a permissions graph cannot answer — one path at a time.

June 10, 2026·5 min read

Bedrock agents are non-human identities — can you say what yours can reach?

Amazon Bedrock supports no resource-based policies — whether a principal can invoke a model or rewrite an agent is decided entirely on the identity side. Three questions to ask about every agent role before it runs.

AWSBedrockNon-human identities

Read post

June 9, 2026·6 min read

LexisNexis: one frontend role could read every secret in the account

A React app task role with account-wide Secrets Manager access turned one compromised container into 3.9 million leaked records. The blast radius was a standing fact you could have queried.

AWSLeast privilegeIncident analysis

Read post

June 8, 2026·6 min read

SCARLETEEL: 8 minutes to admin, and the path was visible the whole time

An AI-assisted attacker went from a leaked credential to full AWS admin in eight minutes. Every hop it used was a standing access path you could have queried the day before.

AWSPrivilege escalationIncident analysis

Read post

Field notes on cloud access

Bedrock agents are non-human identities — can you say what yours can reach?

LexisNexis: one frontend role could read every secret in the account

SCARLETEEL: 8 minutes to admin, and the path was visible the whole time

Know your real posture.Not what your policies say on paper.

Know your real posture.
Not what your policies say on paper.