惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

有赞技术团队
有赞技术团队
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Palo Alto Networks Blog
C
Cisco Blogs
The Hacker News
The Hacker News
T
Threatpost
S
Schneier on Security
K
Kaspersky official blog
Spread Privacy
Spread Privacy
博客园_首页
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
NISL@THU
NISL@THU
量子位
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Google DeepMind News
Google DeepMind News
Security Latest
Security Latest
博客园 - 司徒正美
云风的 BLOG
云风的 BLOG
博客园 - 叶小钗
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News and Events Feed by Topic
爱范儿
爱范儿
P
Proofpoint News Feed
C
CERT Recently Published Vulnerability Notes
Project Zero
Project Zero
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cisco Talos Blog
Cisco Talos Blog
GbyAI
GbyAI
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
T
Tenable Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
Vulnerabilities – Threatpost
Forbes - Security
Forbes - Security
博客园 - 三生石上(FineUI控件)
C
Cyber Attacks, Cyber Crime and Cyber Security
N
News and Events Feed by Topic
V
V2EX
Webroot Blog
Webroot Blog
The Register - Security
The Register - Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Blog — PlanetScale
Blog — PlanetScale
M
MIT News - Artificial intelligence
Scott Helme
Scott Helme
Simon Willison's Weblog
Simon Willison's Weblog
L
LangChain Blog
W
WeLiveSecurity
Cloudbric
Cloudbric

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2025-11-04 · via Vectra AI Blog

Cloud Security Grey Zone: Who Owns the Risk of Managed Identities

Countless hours can be spent enforcing MFA, and locking down permissions. But what about the identities you don’t manage? The ones your cloud provider creates and manages for you?

These "CSP-managed non-human identities" are the automated robots that run services in the background. While they're essential, the way AWS, Google Cloud, and Microsoft have architected them creates unique, non-obvious security risks. If you think a secure setup in AWS is also secure in Azure, you might be surprised.

Let's take a moment to break down the unique risks in each cloud.

AWS: The "Confused Deputy" Problem (It's On You)

In AWS, services are global and shared by everyone. This creates a classic multi-tenant "confused deputy" risk. An attacker in their own account can potentially trick an AWS service into using its permissions to access your account's resources.

  • The Catch: The only thing stopping this is a special setting in your IAM resource policies called a condition key (i.e.,  aws:SourceArn).
  • The Reality: It can be very difficult to use condition keys correctly. This leaves a massive, often-overlooked hole that places the burden of prevention squarely on your shoulders.

Google Cloud: The "Black Box" Problem (It's On Them)

Google takes the opposite approach. Its CSP-managed non-human identities (Service Agents) are single-tenant and locked down in Google-controlled projects. You can't touch them, which prevents the credential abuse seen in other clouds.

  • The Catch: This creates a different problem: transitive access abuse. A service might be so inherently powerful it makes for a juicy target. An attacker can trick it into acting on their behalf, bypassing a check on their own permissions.
  • The Reality: This exact thing happened with the Document AI service. While Google fixed it, you have zero direct controls here. You must trust that the provider has designed all its services securely.

Microsoft Entra ID: "Service Principal Hijacking" (A Present-Day Risk)

Microsoft uses a hybrid model where a local Principal for the Microsoft-owned first-party application lives in your tenant. Historically, this design had a critical flaw: an admin (like Application Admin) could add their own credential to the Service Principal and escalate their permissions.

  • The Catch: Microsoft has a fix called the appInstancePropertyLock. When enabled, it prevents this kind of hijacking.
  • The Reality: The fix isn't retroactive. Microsoft must manually update the 300+ default applications installed in customer tenants. While many have been redeployed with this property enabled, as researchers recently showed, critical apps like Office 365 Exchange Online remain unprotected, making this the most immediate and high-impact risk of the three.

The Takeaway?

Security isn't one-size-fits-all in the cloud. The threat you need to obsess over in AWS is a non-issue in Google, and the biggest risk in Entra ID has a completely different cause.

  • In AWS? Audit your IAM policies for missing condition keys. Confused Deputy Issues are yours to prevent.
  • In Google Cloud? The security of Service Agents rests solely in the hands of Google. Stay updated on vulnerabilities, only enable the services minimally required and monitor for unusual activity.
  • In Microsoft Entra ID? Monitor for credentials being added to local Service Principals. Stay up to date on Service Principal Hijacking being reported in the wild

Threats are not uniform. The most critical threat in one cloud may be a non-issue in another. Defenders and researchers must tailor their strategies, recognizing that there is no “1-to-1” approach to security controls in a multi-cloud environment.

Understanding how cloud providers implement managed identities is only the first step. The harder challenge is continuously identifying when those identities are being misused, granted excessive privileges, or leveraged in ways that create risk across your environment. Learn more about Vectra AI's approach with this podcast.

To dig into the research behind each of these threat models and varying architectures, see the accompanying whitepaper “A Comparative Threat Model of CSP-Managed Machine Identities”.