
AI Agents Automate AWS Org Deployment Script Creation
My Methodology For Writing an Infrastructure Script With AI Agents: How I used AI to write code for this project and why my README file probably won't help as much as understanding my approach. This post gives some insight into how I wrote this code using AWS Kiro and custom agents. I just finished testing the script to deploy all my AWS organizations delegated admins and configure the security services and log life cycle requirements without error last night. I had to modify the bootstrap role along the way. More testing of the actual logging and resources is needed but in theory all that is deployed and I can repeat the process without using AI tokens and build out new environments. I don’t give AI credentials to deploy things or access to my GitHub account. I’ll write more specifically about my environments and my organization architecture in a future post. https://t.co/ZisDFQIhSr
Never Trust Nondeterministic AI Responses as Deterministic
LLMRisks Archive - OWASP Gen AI Security Project ~ just saw this. My number one would have been: Treating non-deterministic AI responses as deterministic and trusting them. https://t.co/psehlnxxXq
Curl Audit Finds Single Low‑severity CVE, Others False Positives
Mythos on Curl: Once my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed...
Secure AWS Keys with MFA, IP Restrictions, Least Privilege
Do you add MFA and/or IP address restrictions to AWS Developer access key IAM user policies and trust policies ~ or both? Also create policies that only give necessary permissions. Even with short lived tokens there is a period of time...
Effective Bug Bounties and Triage Prevent IDOR Breaches
I’m reading about the Canvas breach which runs infrastructure on AWS: Canvas login portals hacked in mass ShinyHunters extortion campaigns. The details are light but from what I can gather they may have used IDOR/BOLA to bypass trust boundary between free...
Assess if Cloud Credentials Exposed Beyond Authentication
I need to take a look at this and see if you can essentially expose cloud platform credentials and permissions or if it is purely auth with no additional attack surface.
AWS Nitro Isolates Resources, Blocking Copy‑Fail Exploit
If you were wondering if this affects AWS VMs ~ per Google aimode and AWS documentation: The AWS Nitro System mitigates the Copy Fail vulnerability through architectural isolation, specifically by pinning dedicated physical resources and eliminating shared Dom0 kernel components. AWS...
Bug Bounty Pros Question $22K Split ROI Amid AI Rise
I wonder how top bug bounty hunters feel about a $22K cash prize split between a bunch of people. I like the idea about rewarding defenders and programmers for work on AI but the ROI doesn’t seem to be there...
Skilled Triagers and Secure Code Beat AI‑only Solutions
More reason to have a bug bounty program with triagers who know what they are doing. The attackers that find the same vuln aren’t going to report it to a cert. What if the triager asked AI if that was...
User Urges Anthropic to Restore Access to Opus 4.7
Money grab while they can? I really hope Anthropic can figure this out because for a minute there, Opus 4.6 was amazing. I still do not have access to 4.7 in AWS Kiro CLI or access to Mythos.
Goblin Glitch: Unexpected Surge in Model Outputs
Analysis of how goblins started appearing a bit too frequently in OpenAI model output. https://t.co/K2K22kVFpi
GitHub Actions Less Secure Than Private Lambda Deployments
Hardening GitHub Actions: Lessons from Recent Attacks | Wiz Blog ~ really good article but I wrote about why I won’t use GitHub Actions at all on a cloud instance. Not as many protections as you can get with Lambda...
Bounty Platforms Need Spam Detection Like Email Systems
Instead of no bug bounty, companies like HackerOne need to figure out how to flag potential bounty spam the same way email systems flag spam.
Testing Needed to Gauge Approach Effectiveness Across Models
Interesting but hard to know how useful without being able to test them. Also, I wonder how different approaches affect the results of different models. Haven’t had a chance to test that yet.
Discord Group Hacks Anthropic Model by Guessing URL
Bloomberg reports a certain group got access to Mythos by guessing the URL for the new model. Guessing? Really? From Google: The unauthorized group is a private Discord channel of AI enthusiasts who specialize in tracking and testing unreleased large language models...