Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Ben Reser Profile picture
Ben Reser
@BenReser
Principal Cloud Security Architect @Vibes, @TheASF Member (SVN/httpd), @Tesla Fan, Casual Gamer. Opinions my own, RTs ≠ endorsement. He/him.
May 31, 2022 13 tweets 3 min read
I found a security vulnerability in Amazon Managed Workflows for Apache Airflow (MWAA) it's been fixed so now I can talk about it. Specifically there are two API calls that the service uses to convert AWS IAM credentials into tokens that can be used to login to Airflow. #AWS The CreateCliToken and CreateWebLoginToken APIs were logging the tokens to Cloudtrail. The event included the hostname for the airflow server, so everything required to login to Airflow was in the event.
Jul 20, 2020 12 tweets 3 min read
Back in January of this year I found that @Okta's multi-account @awscloud integration had overly excessive permissions. Specifically sts:AssumeRole for resource *. It's nearly been 6 months since I reported this to Okta so I'm describing this publicly. 1/13 The problem with this is that this permission allows the IAM user to assume any role in the account the user is in as well as any role that the account's root ARN is allowed to assume. In practice this means that the IAM user can trivially gain unrestricted permissions. 2/13