惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
PCI Perspectives
PCI Perspectives
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
H
Heimdal Security Blog
S
Security @ Cisco Blogs
N
News | PayPal Newsroom
J
Java Code Geeks
罗磊的独立博客
Security Archives - TechRepublic
Security Archives - TechRepublic
N
News and Events Feed by Topic
V
V2EX
WordPress大学
WordPress大学
Google Online Security Blog
Google Online Security Blog
N
News and Events Feed by Topic
www.infosecurity-magazine.com
www.infosecurity-magazine.com
月光博客
月光博客
AI
AI
小众软件
小众软件
The GitHub Blog
The GitHub Blog
MongoDB | Blog
MongoDB | Blog
A
Arctic Wolf
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
美团技术团队
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tailwind CSS Blog
S
Schneier on Security
博客园 - 三生石上(FineUI控件)
F
Full Disclosure
B
Blog RSS Feed
Forbes - Security
Forbes - Security
S
SegmentFault 最新的问题
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
人人都是产品经理
人人都是产品经理
云风的 BLOG
云风的 BLOG
Jina AI
Jina AI
Cisco Talos Blog
Cisco Talos Blog
U
Unit 42
Project Zero
Project Zero
H
Hacker News: Front Page
Y
Y Combinator Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
The Cloudflare Blog
大猫的无限游戏
大猫的无限游戏
S
Secure Thoughts
The Hacker News
The Hacker News
Microsoft Azure Blog
Microsoft Azure Blog

Blog | Orca Security

Langflow RCE Actively Exploited to Deploy Cryptominers on AI Infrastructure Orca MCP: When Text Stops Scaling Kubernetes Compliance Tools: Automating CIS Benchmarks Risk-Based Vulnerability Management for the Cloud: A 2026 Guide Private Cloud Security: Top Risks and Best Practices (2026) What Is Generative AI in Cybersecurity? Best Vulnerability Management Tools and Software in 2026 2026 State of Application Security Report Recap: What the Data Says and What Security Teams Should Do About It AI Security for Sensitive Data: Best Practices and Guidelines Best AI Code Security Solutions 2026: How to Secure AI-Generated Code From Platform to Program: How to Ensure Your Cloud Security Solution Delivers Best AI Cybersecurity Providers 2026: A Buyer's Guide to AI-Powered Security Platforms Join Orca Security at Black Hat USA 2026 CNAPP Tools That Reduce Security Tool Sprawl: CNAPP vs. Dedicated Solutions What Is Container Runtime Security? A Practical Guide 2026 What Is Application Security Testing? Tools and Types What Is Managed Cloud Security? A Practical Guide What Is SaaS Security Posture Management? SSPM Guide Top 10 Cloud Security Standards for Compliance What is the MIT License? Compliance and Comparisons AI Agents vs. Agentless Security vs. Agent-based Security 144 Mastra npm Packages Compromised via Supply Chain Attack The Complete Guide to LLM Security: Risks, Best Practices, and Solutions Cloud Security LIVE 2026: Top 10 Takeaways Practitioners Can Use Now Cloud Security LIVE 2026: Top 10 Takeaways CISOs Can Use Now (and What to Do Next) How Orca Traced an nginx Flaw to 1.45 Million Tengine Servers All Running Vulnerable Code What to Look for in Container Security Tools Cloud Application Security Best Practices for DevSecOps Cloud Security Tools: 10 Types Explained for Teams What Is NIST CSF? Framework 2.0 Explained 7 Open Source Incident Response Tools by Category Critical Langflow Path Traversal Flaw Exploited for Unauthenticated RCE Critical PhpSpreadsheet RCE Patch Bypass Puts Millions at Risk Critical Splunk Enterprise Vulnerabilities Allow Unauthenticated File Operations and Remote Code Execution 16 Best Open Source Application Security Tools 2026 What Is Containerization? Security and Best Practices 8 Container Security Best Practices for 2026 Close the Cloud Identity Gap with Orca and AWS IAM Access Analyzer The 5-Step Context-Aware Cloud Vulnerability Prioritization Framework Critical Jupyter Enterprise Gateway Vulnerabilities Enable Full Kubernetes Cluster Takeover AI Security Best Practices for Regulated Industries Massive PyPI Supply Chain Attack Harvests Cloud Credentials via Python Startup Hooks SAST vs SCA: Key Differences for AppSec Teams What Is Cloud Security Architecture? Principles, Layers, and Frameworks What Is ASPM? A Guide to Application Security Posture Management What Is SaaS Security? A Practical Guide 2026 What Is a Man-in-the-Middle Attack? A Cloud Security Guide What Is Open Policy Agent? Best Practices and Use Cases 11 Best Open-Source DevSecOps Tools for 2026 How to Secure AI Workloads in Multi-Cloud Environments: A Complete Framework Critical WordPress Plugin Vulnerability Allows Unauthenticated Admin Takeover on 150K Sites What Is Kubernetes as a Service? KaaS Explained Critical Netlogon RCE Flaw Actively Exploited Against Windows Domain Controllers Your FedRAMP Continuous Monitoring Strategy Has a Gap. We Built Something to Fix It. How to Simplify Multi-Cloud Compliance Reporting: The 2026 Checklist Red Hat npm Packages Compromised in Supply-Chain Attack Spreading Credential-Stealing Worm Critical RCE in LiquidJS Lets Attackers Execute Arbitrary Commands on Unpatched Hosts Securing Shadow AI: How to Detect Unapproved LLMs in Your Cloud Data Security Posture Management (DSPM) for AI Gitea Container Registry Exposes Private Images to Unauthenticated Attackers Critical Unauthenticated RCE in Kopia Backup via SSH ProxyCommand Injection Best Palo Alto Networks Cortex (Prisma Cloud) Alternatives in 2026 7 Enterprise AI Security Risks to Manage Critical Pre-Auth RCE in ChromaDB Threatens AI Infrastructure Critical Coder Signature Bypass Exposes Developer Keys and Tokens New “PoolSlip” NGINX Exploit Revives Unpatched Remote Code Execution Risk Critical Drupal SQL Injection Exposes PostgreSQL-Backed Sites to Remote Code Execution AI Security Tools: How to Evaluate Them Across Every ML Attack Phase Massive npm Supply Chain Attack Compromises AntV Ecosystem, Steals CI/CD Secrets at Scale NIST AI Risk Management Framework (AI RMF) Explained: What It Is and How Organizations Use It The AI Data You Forgot to Lock: How Exposed Vector Databases Put Organizations at Risk What Is Multi-Cloud Security? What Is Cloud Detection and Response (CDR)? Linux kernel vulnerability enables local theft of SSH host keys and /etc/shadow 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated DoS and Potential RCE Announcing Cloud Security Agent Skills for Orca’s MCP Server TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack Dirty Frag: Linux Kernel Vulnerability Chain Enables Local Privilege Escalation to Root Critical Apache HTTP Server HTTP/2 Vulnerability Could Enable Remote Code Execution Skill Issues: How We Discovered Supply Chain Attack Vectors in an AI Agent Skills Marketplace What Is an Incident Response Plan? What Is Cloud Data Security? Risks, Challenges, and 12 Best Practices Remote Code Execution in GitHub Enterprise Server via Git Push Injection (CVE-2026-3854) Linux Kernel Bug (Copy.Fail) Enables Local Privilege Escalation to Root (CVE-2026-31431) Xinference PyPI package compromise leads to full environment takeover What is Application Security? When AI Accelerates the Offense, Coverage Gaps Become Catastrophic Orca Security Recognized in the 2026 TAG Enterprise AI Security Handbook Navigating Cloud Security in 2026: Join Cloud Security LIVE Anthropic’s Project Glasswing Is a Positive Step Toward Cleaner, Safer Production Kyverno SSRF: Breaking Kubernetes Namespace Isolation (CVE-2026-4789) Streamline Compliance Reporting with Orca and Drata’s Integrated Vulnerability Management CVE-2026-23226: How a Missing Lock in ksmbd’s Channel List Exposes Your Linux SMB3 Server 2026 State of AppSec: When Development Velocity Outpaces Security AI Is Entering Your Infrastructure. Now what? Orca Security Featured in SACR’s 2026 Unified Agentic Defense Platforms Report Supply Chain Attack on Axios Delivers Cross-Platform RAT via Compromised npm Account Credential‑Stealing Malware in LiteLLM Supply Chain Attack Mission Accomplished: Orchestrate Your Remediation Strategy With Orca Missions The Orca Approach to Runtime AI Security
GenAI Risks in Cloud Environments: What Security Teams Are Actually Missing in 2026
The Orca Security Team · 2026-05-19 · via Blog | Orca Security

Table of contents

  • Key Takeaways
  • What Is a GenAI Risk in a Cloud Environment?
  • What Are the Most Common GenAI Misconfiguration Classes in Cloud Environments?
  • How Do Attackers Chain GenAI Misconfigurations Into a Full Attack Path?
  • Why Does CVE-2024-34359 Matter for Cloud-Hosted GenAI Workloads?
  • What Detection Capabilities Are Required to Find GenAI Risks in Cloud Environments?
  • Best Practices for Securing GenAI Workloads in Cloud Environments
  • How Orca Security Detects GenAI Risks in Cloud Environments
  • Frequently Asked Questions About GenAI Risks in Cloud Environments

Key Takeaways

  • GenAI cloud risks center on four asset classes that standard CSPM checks do not evaluate: training datasets, model artifacts, inference endpoints, and vector databases powering RAG pipelines.
  • Overprivileged ML service roles (e.g. AmazonSageMakerFullAccess), missing IMDSv2 enforcement, and publicly accessible model storage are the most common misconfiguration patterns in GenAI cloud deployments.
  • Attackers chain individually medium- and high-severity findings into critical attack paths, from an exposed S3 training bucket through a stolen execution role credential to account-wide data access.
  • Only attack path analysis correlating role permissions, storage sensitivity classification, and endpoint exposure simultaneously surfaces the true risk rating of GenAI workloads.

Most cloud security programs were not built for generative AI workloads. The IAM policies, network segmentation rules, and misconfiguration checks that worked for a three-tier web application in 2021 leave serious gaps when the workload is an LLM inference endpoint sitting next to a labeled PII dataset in S3. The attack surface changed. Most security tooling did not. For a foundation on how AI security intersects with cloud environments, see What Is AI Security?

What Is a GenAI Risk in a Cloud Environment?

A GenAI risk in a cloud environment is any misconfiguration, excessive permission, or exposed asset that enables an attacker to read, tamper with, or abuse a generative AI workload’s training data, model artifacts, inference endpoints, or retrieval databases.

GenAI workloads introduce four asset classes that traditional CSPM tooling does not model: training datasets stored in S3, Azure Blob Storage, or GCP Cloud Storage (frequently overexposed during experimentation phases); model artifacts in pickle-based formats (.pkl, .pt) that execute arbitrary code on deserialization; inference endpoints on SageMaker, Vertex AI, or self-hosted FastAPI servers that default to broad access; and vector databases powering RAG pipelines that inherit the network exposure of the databases they run on.

The 2024 Verizon Data Breach Investigations Report identified misconfigured cloud storage as a contributing factor in 15% of all cloud-related breach incidents analyzed that year. When the exposed bucket contains labeled training data rather than generic application logs, the exposure is not just a compliance failure. It is a data poisoning entry point documented in MITRE ATLAS technique AML.T0020 (Poison Training Data), where an attacker with write access injects adversarial examples that alter model behavior at inference time without triggering any runtime alert.

What Are the Most Common GenAI Misconfiguration Classes in Cloud Environments?

Four misconfiguration classes account for the majority of GenAI-specific cloud risk. Each maps to a specific CIS or NIST control that most ML teams have not applied to their AI workloads.

Teams frequently attach the AWS managed policy AmazonSageMakerFullAccess during development and never scope it down. That policy grants overly broad permissions, including s3:* on all S3 buckets, iam:PassRole for any role, and ecr:* on all ECR repositories. This violates CIS AWS Foundations Benchmark v3.0 control 1.16, which requires least-privilege IAM policies for service roles. Almost no ML team applies this control to SageMaker execution roles.

An EC2 training instance without HttpTokens: required allows any process on the instance to retrieve the instance profile credentials via 169.254.169.254. CISA’s cloud security technical reference architecture lists IMDSv2 enforcement as a required control for any compute workload handling sensitive data.

A model artifact in a public S3 bucket is a supply chain risk for every team loading that artifact. A malicious pickle payload replacing the legitimate weight file turns every inference server pulling from that bucket into a remote code execution target on the next reload.

The default SageMaker endpoint configuration does not restrict callers by VPC. Without a resource-based policy explicitly denying calls from outside the account, the endpoint accepts requests from any authenticated AWS principal globally.

How Do Attackers Chain GenAI Misconfigurations Into a Full Attack Path?

One common attack chain begins when a development team stores labeled fine-tuning data in an S3 bucket with BlockPublicAcls: false, attaches AmazonSageMakerFullAccess to the training job role, and does not enforce IMDSv2 on the training instance.

Step 1: An attacker discovers the exposed bucket using public S3 enumeration, documented in MITRE ATLAS technique AML.T0037 (Search for Victim’s Publicly Available Research).

Step 2: If the bucket has write access via a misconfigured policy, the attacker injects adversarially labeled examples into the training dataset before the next run. This alters model behavior at inference time without triggering a runtime alert.

Step 3: If IMDSv2 is not enforced, a compromised process on the training instance sends a GET request to 169.254.169.254/latest/meta-data/iam/security-credentials/ and retrieves the execution role credentials.

Step 4: With those credentials and s3:* from AmazonSageMakerFullAccess, permissions from AmazonSageMakerFullAccess, the attacker can read every S3 bucket in the account, including production data stores, without interacting with the inference endpoint.

This chain often goes undetected by standard CSPM because no single finding is rated critical. The S3 bucket exposure is high, the IMDSv2 gap is medium, and the overprivileged role is high. No individual alert surfaces the full path from public bucket to account-wide S3 read. Only attack path analysis that correlates all three findings simultaneously exposes the true risk.

Why Does CVE-2024-34359 Matter for Cloud-Hosted GenAI Workloads?

CVE-2024-34359 affected the Hugging Face safetensors library prior to version 0.4.3. Under specific loading conditions, the library allowed arbitrary code execution during model deserialization, despite safetensors being designed as a safer alternative to pickle-based formats.

The cloud-specific risk: a model weight file stored in an S3 bucket with public read access and loaded by a SageMaker endpoint running an overprivileged execution role creates a path from a storage misconfiguration to code execution inside the inference environment. The attacker does not need access to the running inference server directly. They only need write access to the bucket storing the model artifact.

Any SageMaker endpoint or self-hosted inference server that pulled safetensors model files from a shared S3 bucket before the library updated to 0.4.3 was vulnerable to this path. Patching the library is the immediate fix. The structural fix is enforcing S3 Object Lock with governance mode on model artifact storage buckets so that no principal with s3:PutObject can overwrite a locked artifact without the additional s3:BypassGovernanceRetention permission, which should be granted to zero service accounts. For a broader framework on managing CVE remediation timelines across cloud workloads, see A Guide to Vulnerability Management.

What Detection Capabilities Are Required to Find GenAI Risks in Cloud Environments?

Standard CSPM coverage misses three GenAI-specific detection requirements.

1. IAM policy evaluation in data context

The scanner must evaluate IAM policies on SageMaker execution roles, Vertex AI service accounts, and Azure ML compute cluster managed identities against least privilege, with awareness of which storage buckets those roles can access. A role with iam:PassRole and read access to a PII training bucket is a critical finding. Without modeling the relationship between role permissions and data sensitivity, CSPM generates high-severity alerts that look identical to dozens of other role findings, with no connection to sensitive assets.

2. Data classification–aware misconfiguration detection

The scanner must classify bucket contents by data type—PII, PHI, financial records, proprietary model weights—and surface misconfiguration findings in that context. A public bucket containing log files is a medium-severity issue. The same misconfiguration on a bucket containing 50,000 labeled medical images used for fine-tuning is critical, with compliance implications under HIPAA Security Rule section 164.312(a)(2)(iv).

3. ML endpoint exposure analysis

The scanner must evaluate SageMaker endpoint resource-based policies, Vertex AI model IAM bindings, and Azure ML endpoint authentication configurations. An endpoint that accepts unauthenticated requests, or requests from outside the owning account’s VPC, is effectively internet-exposed even without a public URL. This check does not exist in CIS AWS Foundations Benchmark v3.0 because the benchmark predates widespread SageMaker endpoint deployment.

Best Practices for Securing GenAI Workloads in Cloud Environments

Reviews of GenAI deployments across AWS, Azure, and GCP environments consistently show a gap between intended configurations and what is actually running. This gap is often wider for ML workloads than for other workload classes.

A practical starting point for GenAI security reviews is the IAM execution role attached to the training job rather than the storage bucket. Bucket misconfigurations are visible and frequently flagged, while role misconfigurations are often missed by CSPM tools and carry a larger blast radius.

Recommended sequence before any GenAI workload moves to production:

  • Replace AmazonSageMakerFullAccess with a scoped policy granting s3:GetObject and s3:ListBucket on the exact bucket ARN and prefix for that training job only. Remove iam:PassRole unless the job explicitly requires it.
  • Set HttpTokens: required on all EC2 training instances at launch. Apply an AWS Organizations SCP denying ec2:RunInstances where MetadataHttpTokens is not set to required. This prevents any team from launching a training instance without IMDSv2 enforcement.
  • Add a resource-based policy to every SageMaker endpoint denying calls from principals outside the owning account and outside the designated VPC. The condition is aws:SourceVpc with the specific VPC ID.
  • Enable S3 Object Lock with governance mode on all model artifact and training data buckets. Overwriting a locked object requires s3:BypassGovernanceRetention, which should be granted to zero service accounts.
  • Run a CSPM scan correlating training data sensitivity with storage and role misconfigurations before the first training run. Fixing a bucket policy takes minutes; identifying adversarially injected training data after a poisoning attack has no clean forensic solution.

For reference on MITRE ATLAS techniques, attack path terminology, and NIST AI RMF controls referenced in these steps, see the Orca Security Glossary.

How Orca Security Detects GenAI Risks in Cloud Environments

Orca Security detects GenAI-specific cloud risks by reading workload configurations, IAM policy documents, and storage bucket metadata directly from cloud provider APIs and block storage snapshots using agentless SideScanning™, without requiring an agent on the training instance or inference endpoint.

Orca Security’s attack path analysis correlates SageMaker execution role permissions with the sensitivity classification of the S3 buckets those roles can access. The result is a single prioritized finding showing the full chain from overprivileged role to sensitive training data, rather than two separate medium and high severity alerts with no visible connection.

Orca Security flags IMDSv2 enforcement status on EC2 instances running GPU workloads, and includes the instance profile’s effective permissions in the finding context. The full credential theft path, from missing HttpTokens: required to account-wide S3 read via the stolen execution role, appears in a single view. Inference endpoint exposure is detected by evaluating SageMaker endpoint resource-based policies against Orca Security’s internet exposure model. An endpoint with no aws:SourceVpc condition is classified as internet-exposed regardless of whether it has a public DNS entry.For further reading on cloud-native security practices and AI security frameworks, visit the Orca Security Cloud Security Learning Hub. Teams running GenAI workloads on AWS, Azure, or GCP can see the full attack path map for their environment at Orca Security or Get a Demo.

Frequently Asked Questions About GenAI Risks in Cloud Environments

What are the main GenAI risk categories in cloud environments?

GenAI cloud risks fall into four categories: training data poisoning via misconfigured storage buckets, model artifact tampering through exposed model weight files, unauthenticated inference endpoint access, and overprivileged ML service roles enabling lateral movement from a compromised training job to production data stores.

How do attackers poison training data in cloud-hosted AI workloads?

Attackers use MITRE ATLAS technique AML.T0020 (Poison Training Data). If a training dataset stored in S3 or GCS has write permissions granted to overly broad principals, an attacker injects adversarially labeled examples before the next training run, altering model behavior at inference time without triggering any runtime alert.

Why is IMDSv2 enforcement critical for SageMaker training instances?

Without HttpTokens: required, any process on the EC2 training instance retrieves the instance profile credentials via a GET request to 169.254.169.254. If the execution role has s3:* permissions, those credentials give an attacker read access to every S3 bucket in the account.

What IAM permissions should a SageMaker execution role have?

The execution role should be scoped to s3:GetObject and s3:ListBucket on the specific bucket ARN and prefix for that training job. AmazonSageMakerFullAccess, which grants s3:* and iam:PassRole to any role, should never be attached to a production training job.

How does attack path analysis detect GenAI risks that standard CSPM misses?

Standard CSPM scores each misconfiguration independently. Attack path analysis correlates an overprivileged ML service role, the sensitivity of the storage buckets that role can access, and the network exposure of the inference endpoint into a single prioritized chain. Findings rated medium and high in isolation frequently rate critical when the full chain is visible.