All Blog Posts

The MGM Breach and the Role of IdP in Modern Cyber Attacks

A deep dive into the recent MGM breach and our insights into the actor behind the attack and possible mitigations.

By Igal Gofman September 21, 2023

What’s New with CNAPPgoat? 

Read about the newest, expanded features in Ermetic’s open source vulnerable-by-design tool for enhancing your security skills

By Lior Zatlavi September 14, 2023

The Azure Metadata Protection You Didn’t Know Was There

Some Azure services have an additional, not widely known, protection mechanism against session token exfiltration

By Lior Zatlavi September 11, 2023

Stronger Together: Writing a New Chapter in Cloud Security

We’re excited to share that Tenable has announced intent to acquire Ermetic.

By Shai Morag September 7, 2023

The Benefits of Cloud Entitlement Management

Cloud identities and entitlements pose grave challenges - learn about the benefits of CIEM solutions and KPIs for measuring them

By Diane Benjuya August 30, 2023

The Next Step in the IMDSv1 Redemption Journey 

Learn about AWS’s new open source library for enforcing IMDSv2 and Ermetic’s new lab for trying it out

By Lior Zatlavi August 17, 2023

CNAPPgoat: The Multicloud Open-Source Tool for Deploying Vulnerable-by-Design Cloud Resources

All about CNAPPgoat, our open-source project designed to modularly provision vulnerable-by-design components in cloud environments.

By Lior Zatlavi August 2, 2023

Do I Need CNAPP If We’re Only Starting to Deploy to the Cloud? 

It’s a leading question because no matter how new you are to the cloud you need CNAPP – find out…

By Diane Benjuya July 27, 2023

Secure Your Cloud – Know the Difference between CSPM and KSPM

Conventional CSPM tools don’t sufficiently cover K8s clusters – dedicated tools are a must to address Kubernetes’s unique challenges

By Ermetic Team July 13, 2023

Sometimes What Sounds Benign Can Bite You: An Unexpected Implication of Lambda Privileges

Learn how a combination of AWS service usage and permissions, discovered by Ermetic, can increase risk when a certain non-compliant configuration is present

By Ermetic Team July 4, 2023

The Default Toxic Combination of GCP Compute Engine Instances

By default, compute instances in GCP are prone to a toxic combination that you should be aware of, and can…

By Lior Zatlavi June 29, 2023

Shared Responsibility Model in the Cloud

CSPs have embraced a “shared responsibility model” to define the security responsibilities for different components of the architecture

By Ermetic Team June 21, 2023

Mastering the Art of Kubernetes Security 

With Kubernetes’ explosive adoption by the development community comes an urgent need to secure K8s clusters and ensure their compliance…

By Ermetic Team June 6, 2023

Uncovering 3 Azure API Management Vulnerabilities – When Good APIs Go Bad

Learn how now-patched Azure API Management service vulnerabilities revealed by the Ermetic research team enabled malicious actions

By Liv Matan May 4, 2023

Cloud Workload Protection (CWP) Best Practice – Focus on Impact, Not Volume

How to do CWP right to prepare your organization and protect it from the next widespread vulnerability

By Ermetic Team April 24, 2023

Terraform Lab: Taking the New VPC Endpoint Condition Keys Out for a Spin

Our new open source Terraform project offers hands-on experience with VPC endpoints and demos AWS's new condition keys for securing…

By Lior Zatlavi April 3, 2023

Federating Kubernetes Workloads with Cloud Identities

Your K8s workloads legitimately need access to sensitive cloud resources – federated identities let you grant it easily and securely

By Lior Zatlavi March 27, 2023

Navigating Cloud Security: Why Segregating Environments from Dev to Production is so Important

Segregation in cloud environments is important for security - this post explores why and offers best practice tips for acting…

By Moshe Ben Dahan March 22, 2023

A New Incentive for Using AWS VPC Endpoints

If you haven’t been using VPC endpoints until now, AWS's two new condition keys should make you consider doing so

By Lior Zatlavi March 9, 2023

Managing Cloud Compliance and Security Posture with Cloud Compliance Tools

Why compliance and access security in the public cloud are so challenging – and how carefully chosen CSPM tools can…

By Ermetic Team March 8, 2023

A Letter from the CEO

Introducing the Ermetic Cloud-Native Application Protection Platform

By Shai Morag March 2, 2023

Secure Your AWS EC2 Instance Metadata Service (IMDS)

Read this review of IMDS, an important AWS EC2 service component, to understand its two versions and improve your AWS…

By Lior Zatlavi February 27, 2023
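As an added example for the two IMDS entries above (not code from either post), the following Python audits `describe-instances` output for instances that still accept IMDSv1 and shows why the v2 request flow resists request forgery. The JSON sample and instance IDs are constructed placeholders, not real instances.

```python
"""Audit EC2 instance metadata options and show the IMDSv1 vs IMDSv2 request flow.

Added example; not code from the post. The describe-instances JSON below is
constructed to look like `aws ec2 describe-instances` output; the instance IDs
are placeholders, not real instances.
"""
import json

IMDS_BASE = "http://169.254.169.254"

# Constructed sample (not real instances): one host still allowing IMDSv1, one
# already enforcing IMDSv2, one with the metadata endpoint switched off entirely.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000aaaa",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0000000000000bbbb",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0000000000000cccc",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
})


def imdsv1_request(path):
    """IMDSv1 is a single unauthenticated GET: any request forgery (SSRF, open proxy,
    misconfigured reverse proxy) that can reach 169.254.169.254 can read it."""
    return [("GET", IMDS_BASE + path, {})]


def imdsv2_requests(path, ttl_seconds=21600):
    """IMDSv2 needs a PUT with a TTL header to mint a session token, then a GET
    carrying that token. Most SSRF primitives cannot issue a PUT with a custom
    header, which is what makes the v2-only ('required') setting worth enforcing."""
    return [
        ("PUT", IMDS_BASE + "/latest/api/token",
         {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)}),
        ("GET", IMDS_BASE + path,
         {"X-aws-ec2-metadata-token": "<token returned by the PUT>"}),
    ]


def audit_metadata_options(describe_instances_json):
    """Return (instance_id, finding) pairs for instances whose IMDS is reachable and
    not locked to v2. A hop limit above 1 is reported as informational: a v2 token
    can then be fetched from one network hop away, e.g. a bridge-networked container."""
    findings = []
    data = json.loads(describe_instances_json)
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # endpoint off: nothing to read, nothing to harden
            if opts.get("HttpTokens", "optional") != "required":
                findings.append((iid, "imdsv1-allowed"))
            if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
                findings.append((iid, "hop-limit-above-1"))
    return findings


def remediation_commands(findings):
    """AWS CLI commands that force IMDSv2 on each instance flagged imdsv1-allowed.
    Confirm first that no workload still depends on v1 (the EC2 CloudWatch metric
    MetadataNoToken counts v1 calls) so the switch does not break anything."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-endpoint enabled"
        for iid, finding in findings if finding == "imdsv1-allowed"
    ]


if __name__ == "__main__":
    found = audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES)
    for iid, finding in found:
        print(iid, finding)
    for cmd in remediation_commands(found):
        print(cmd)
```

Feed it the real output of `aws ec2 describe-instances --output json` to get the same findings for an account; the remediation commands are printed rather than executed so they can be reviewed before being run.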

Perceived Cloud Security vs. Reality: Test Yourself

Shun complacency -- your cloud security probably needs to be better than you, or your organization, perceive it to be

By Ermetic Team February 16, 2023

How to Implement CIEM – A Checklist

What differentiates a CIEM solution from other cloud security platforms, and how should a CIEM be used in an organization?…

By Ermetic Team February 8, 2023

How Attackers Can Exploit GCP’s Multicloud Workload Solution

A deep dive into the inner workings of GCP Workload Identity Federation, taking a look at risks and how to…

By Liv Matan February 1, 2023

Fauda: When Hollywood and Cybersecurity Meet

The newest season of Fauda, now streaming on Netflix, is a real Hollywood meets Cybersecurity moment. Find out how realistic…

By Ermetic Team January 24, 2023

EmojiDeploy: Smile! Your Azure web service just got RCE’d ._.

Ermetic’s research team discovered a remote code execution vulnerability affecting services such as Function Apps, App Service and Logic Apps…

By Liv Matan January 19, 2023

A Caveat for Azure VM Public IP Configuration

If you’re not familiar enough with the SKU attribute of the Azure public IP address, you may think you’re configuring…

By Lior Zatlavi January 16, 2023

How to Minimize Unintended Access and Achieve Least Privilege with Ermetic and AWS

Lior Zatlavi explains how to set up the platform in your environment and get maximum value

By Lior Zatlavi January 11, 2023

Why JIT Access is an Essential Part of Cloud Security

Automating JIT in the cloud is win-win for improving security and business productivity -- and cracks a nut that PAM…

By Ermetic Team January 8, 2023

Your Guide to IAM – and IAM Security in the Cloud

A look at how IAM works and how CIEM enhances IAM security in the cloud.

By Ermetic Team December 20, 2022

Usable Cloud Security – The Antidote to Cloud Complexity

Cloud security risk is ubiquitous yet manageable if you accept cloud complexity and seek solutions focused on usability and insights…

By Ermetic Team December 8, 2022

Sealing Off Your Cloud’s Blast Radius

Understand the challenges of securing your cloud and key best practices for minimizing your cloud’s blast radius

By Ermetic Team November 23, 2022

6 Cloud Security Tips For 3rd-Party Risk

It's critical to understand the security risk that third parties pose to your cloud infrastructure and how managing 3rd-party access…

By Ermetic Team November 16, 2022

How to Improve Your Incident Response in the Cloud

A look at the security best practices and mindset to adopt to better detect and recover from malicious activity in…

By Ermetic Team November 3, 2022

What You Should Know about the New OpenSSL Vulnerability

How to detect which OpenSSL version you’re running and if your organization is exposed to the critical OpenSSL vulnerabilities -…

By Ari Eitan October 31, 2022
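As an added example for the entry above (not the post's own code), this Python checks both the system `openssl` binary and the OpenSSL the interpreter itself is linked against, since the two often differ. The affected range encoded here (3.0.0 through 3.0.6, fixed in 3.0.7) is the published range for CVE-2022-3602 and CVE-2022-3786; the version banners in the sample are constructed, not captured from real hosts.

```python
"""Decide whether an OpenSSL build falls in the range affected by the 3.0.7 fixes.

Added example; not code from the post. The affected range is the one published
for CVE-2022-3602 / CVE-2022-3786 (3.0.0 through 3.0.6); change it for any other
advisory.
"""
import re
import ssl
import subprocess

AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# First token is the library name, then major.minor.patch and an optional 1.x letter.
_VERSION_RE = re.compile(
    r"^\s*(OpenSSL|LibreSSL|BoringSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_version_banner(banner):
    """Parse the first line of `openssl version` (or ssl.OPENSSL_VERSION) into
    (library, (major, minor, patch), letter_suffix). Returns None if unparseable."""
    m = _VERSION_RE.match(banner)
    if not m:
        return None
    lib, major, minor, patch, suffix = m.groups()
    return lib, (int(major), int(minor), int(patch)), suffix


def is_affected(banner):
    """True only for genuine OpenSSL builds inside the affected range. LibreSSL and
    BoringSSL use similar 3.x numbering but are separate code bases and not affected.
    Caveat: distributions that backport the fix keep the upstream version string, so
    a 'vulnerable' banner on a patched distro package needs the package changelog
    checked as well."""
    parsed = parse_version_banner(banner)
    if parsed is None:
        return False
    lib, version, _ = parsed
    if lib.lower() != "openssl":
        return False
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def interpreter_openssl():
    """The OpenSSL this Python is linked against; it can differ from the CLI binary."""
    return ssl.OPENSSL_VERSION, is_affected(ssl.OPENSSL_VERSION)


def cli_openssl(binary="openssl"):
    """Banner and status of the system `openssl` binary, or None if it is missing."""
    try:
        out = subprocess.run([binary, "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    banner = out.stdout.strip()
    return banner, is_affected(banner)


# Constructed banners (not captured from real hosts) covering the usual shapes.
SAMPLE_BANNERS = [
    "OpenSSL 3.0.5 5 Jul 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
    "LibreSSL 3.0.2",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r:32} affected={is_affected(b)}")
    print("interpreter:", interpreter_openssl())
    print("cli:", cli_openssl())
```

Statically linked copies of OpenSSL (Node, Go TLS is separate, vendored builds inside containers) are not covered by either check; for those, the inventory has to come from the build or SBOM.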

IBM Cost of a Data Breach 2022 – Highlights for Cloud Security Professionals

Learn from the 2022 IBM report about the true cost of ransomware, compromised credentials and other breaches.

By Ermetic Team October 27, 2022

IAM Role Trust Update – What You Need to Know

When it comes to assuming roles, AWS is changing an aspect of how trust policy is evaluated; here is a…

By Lior Zatlavi October 19, 2022

Verizon’s 2022 Data Breach Report – Insights for Cloud Security Professionals

Wondering which cyber attack trends are putting your organization at risk? Learn about the leading threat vectors – and how…

By Ermetic Team October 12, 2022

Public Network Access to Azure Resources Is Too Easy to Configure

For some types of Microsoft Azure resources and subnets, it’s extremely easy to configure what is essentially public network access…

By Lior Zatlavi October 6, 2022

Diving Deeply into IAM Policy Evaluation – Highlights from AWS re:Inforce IAM433

One of the most talked-about sessions at AWS re:Inforce, and my favorite, was IAM433, on AWS IAM’s internal evaluation mechanisms

By Noam Dahan September 29, 2022

Five Lessons Every Cybersecurity Team Can Learn from the Uber Incident

Upon hearing of a cyber security incident, alleged or factual, the most productive thing to do is learn what you…

By Lior Zatlavi September 22, 2022

IDSA Introduces CIEM Best Practices

The Identity Defined Security Alliance recently announced their list of Best Practices for Cloud Infrastructure Entitlement Management.

By Ermetic Team September 14, 2022

96% Could Have Prevented Their Identity Breach – IDSA

Identity-related breaches are on the rise but security and IAM pros are not idle. Learn from this survey how they…

By Ermetic Team September 7, 2022

Taking Notice of AWS IAM Roles Anywhere

IAM Roles Anywhere may be a pivotal moment for security — the new service lets you enrich the arsenal of…

By Lior Zatlavi August 30, 2022

DevSecOps: An Organizational Fix for Improving Cloud Security – Friction-free

By implementing the DevSecOps culture, tools and training, you’ll be on your way to more shift left security and less…

By Ermetic Team August 24, 2022

Facing the Shift-Left Security Conundrum. A True Story

Shift left security is hot – until it's not. Dynamic business requirements and cloud complexity pose major least privilege challenges.

By Ermetic Team August 17, 2022

3 Ways to Reduce the Risk from Misused AWS IAM User Access Keys

Used incorrectly, AWS IAM User Access Keys can pose high risk; the good news is that great alternatives, explored here,…

By Lior Zatlavi August 10, 2022

3 Types of Cyber Attackers: Which Organizations Do They Target?

Is an attacker interested in your organization? Probably. Deconstructing the PoV of cyber attackers is key to defending your turf.

By Ermetic Team July 28, 2022

Cloud Native and the Hype of Security

Through proper understanding and support, your organization can ensure it is secure while operating in the cloud and start taking…

By Tanya Janca July 19, 2022

What are CSPM solutions?

What are CSPM solutions and how can they help organizations stay compliant and avoid the security risks of misconfigurations? Answers…

By Diane Benjuya July 15, 2022

Cloud and Data Security for Financial Services

Financial service organizations are adopting the cloud at a rapid pace. A robust solution for compliance and cloud security will…

By Ermetic Team July 5, 2022

AWS, Azure and GCP: The Ultimate IAM Comparison

AWS vs. Azure vs. GCP - how do these cloud providers compare when it comes to IAM? Read on to…

By Ermetic Team June 8, 2022

6 Tips for Successfully Securing Your AWS Environment

Top six actions and practices you can take to protect your AWS environment today.

By Ermetic Team May 25, 2022

Securing Your Cloud with Zero Trust and Least Privilege

Zero trust could be the solution for your modern security perils. Read on to discover what zero trust and least…

By Ermetic Team May 18, 2022

The Advanced Risk of Basic Roles In GCP IAM

Basic roles in GCP allow data-level actions, even though at first glance it might seem like they don’t. Avoid using…

By Lior Zatlavi May 17, 2022

Identity Access Management in Google Cloud Platform (GCP IAM)

An introduction for anyone getting started with GCP or even experienced professionals who are looking for a structured overview.

By Lior Zatlavi May 17, 2022

Hidden Risk in the Default Roles of Google-Managed Service Accounts

Some Google-managed service accounts are bound by default to a role granting access to This hidden risk is (yet…

By Lior Zatlavi May 17, 2022

Verizon’s Data Breach Report – Insights for Cloud Security Professionals

Select highlights from Verizon’s recent Data Breach Investigations Report (DBIR) that may interest cloud security professionals – and suggested actions

By Ermetic Team April 21, 2022

How to Operationalize a Cloud Security Solution

How to successfully operationalize your cloud security solution in 4 easy steps – and why fast and effective operationalization matters

By Ermetic Team April 11, 2022

Lessons Learned in Cloud Security from Lapsus$ Surfacing

Cloud security practitioners can learn about the best practices that reduce the threat of cyber attacks from groups like Lapsus$.

By Ermetic Team March 28, 2022

Access Undenied on AWS

Ermetic is launching a new open-source tool: Access Undenied on AWS. The tool parses AWS AccessDenied CloudTrail events, explains the…

By Noam Dahan March 20, 2022

7 Cloud Security Trends That May Impact Your Cloud Security Planning

From leading CSPs to growing interest in multicloud, here’s what’s trending in measurable search traffic around cloud security - and…

By Ermetic Team March 15, 2022

The GCP Shared Responsibility Model: Everything You Need to Know

What the GCP Shared Responsibility Model is and how security teams can get started

By Ermetic Team March 8, 2022

3 Cloud IAM Security Questions You Must Be Able to Answer

It doesn’t matter if it’s AWS, GCP or Azure IAM, cloud deployment is redefining the work of IAM professionals

By Ermetic Team March 1, 2022

Cloud Identities and the Not So Long and Slightly Winding Road to Governance

A look at Forrester’s roadmap for the deployment and use of CIG to decrease the cloud threat surface and the…

By Ermetic Team February 16, 2022

How CSPM and CIEM may Solve your Cloud Compliance Challenges

With compliance essential to your organization, what strategy to take? Can you rely on a standard cloud security posture management…

By Ermetic Team February 9, 2022

Keep Your S3 Safe from CloudTrail Auditors

AWSCloudTrailReadOnlyAccess currently allows s3:GetObject for “*” and s3:ListAllMyBuckets – and reading CloudTrail logs may also give access to bucket object…

By Lior Zatlavi February 3, 2022

Wayward Sheriffs and Confused Deputies: Risks in GCP Third Party Access

Most GCP third-party vendors ask for permanent service account keys for access -- increasing credential leakage risk. Used correctly, short-lived…

By Noam Dahan February 1, 2022

How a Healthcare Provider Secures Its Cloud Infrastructure

Insights from a healthcare security executive on how automating risk mitigation and compliance boosted their cloud infrastructure security.

By Larry Viviano January 27, 2022

Cloud Native Application Protection Platform (CNAPP): An Evolving Approach to Cloud Security

A closer look at the newest Cloud Security category as defined by Gartner: Cloud Native Application Protection Platform (CNAPP).

By Ermetic Team January 19, 2022

Testing the Waters: First Impressions of CloudTrail Lake

Our first impressions of AWS's new managed audit and security lake that allows you to aggregate, immutably store, and query…

By Noam Dahan January 13, 2022

Tracking Adversaries in AWS using Anomaly Detection, Part 2

Going through the cyber “kill chain” with Pacu and using automated analysis to detect anomalous behavior

By Lior Zatlavi January 11, 2022

Tracking Adversaries in AWS using Anomaly Detection, Part 1

Minimizing the impact of a breach by identifying malicious actors’ anomalous behavior and taking action.

By Lior Zatlavi January 11, 2022

SEGA’s Saga of Nearly Compromised Credentials

A look at VPNO’s recent findings of publicly accessible S3 buckets on SEGA’s infrastructure and what we can learn from…

By Lior Zatlavi January 6, 2022

Top 7 Questions to Ask During a POC with a Cloud Security Vendor

A useful set of questions to help you get the most out of your upcoming POC -- and ensure that…

By Ermetic Team January 4, 2022

Protect Your AWS Environment Beyond Patching Log4j

The crucial strategic lessons overlooked by enterprises dealing with the recently reported Log4j vulnerability.

By Lior Zatlavi December 29, 2021

Top 6 Questions You Should Ask a Cloud Security Vendor

Choosing a cloud security platform and tools is not for the weak of heart – so much at stake! This…

By Ermetic Team December 22, 2021

Reaching for the Clouds with Our $70M Series B Financing

Ermetic is proud to have closed our Series B financing, enabling us to continue building the best cloud security platform…

By Shai Morag December 15, 2021

How to Start Up Your Cloud Security

Startups may think they can postpone implementing a cloud security program but should in fact take early action - here’s…

By Ermetic Team December 9, 2021

Not Just Buckets: Are You Aware of ALL Your Public Resources?

A misconfiguration of resource based policies can inadvertently make resources public. Do you have such misconfigured policies present in your…

By Lior Zatlavi November 23, 2021

Useful Tips for Choosing a Cloud Security Vendor

A guide for what to take into account when starting to evaluate cloud security solutions. What to consider, how to…

By Ermetic Team November 18, 2021

How Smart Secrets Storage Can Help You Avoid Cloud Security Risks

The not-so-sensitive locations that may tempt you when storing sensitive information -- why to avoid them and how

By Lior Zatlavi November 3, 2021

The Top 24 Cloud Security Threats for Cyber Security Professionals

The complete checklist of threats and security gaps out to get your cloud

By Diane Benjuya October 28, 2021

The Urgent Threat of Ransomware to S3 Buckets Due to Misconfigurations

Misconfigurations that can lead to S3 ransomware exposure and the mitigation tools you can leverage to prevent it

By Lior Zatlavi October 7, 2021

Five Strategies for Mitigating Your S3 Misconfiguration Ransomware Threat

Detailed steps for better ransomware protection of your AWS environment

By Lior Zatlavi October 7, 2021

CISO’s First 100 Days: Ermetic’s Guide to Getting Started

Everything you need to know about securing your cloud as a CISO.

By Ermetic Team September 1, 2021

Access Keys: An Unintended Backdoor-by-Design to Azure Storage Accounts Data

The importance of understanding the assignments of Azure resource roles when giving permissions.

By Lior Zatlavi August 10, 2021

The AWS Shared Responsibility Model: Everything You Need to Know

What the Shared Responsibility model means, its many challenges & how to protect your cloud infrastructure.

By Ermetic Team August 2, 2021

AWS Resource Provisioning with Attribute Based Access Control (ABAC) – What You Need To Know

What to pay attention to when using ABAC in order to avoid unnecessary security gaps.

By Ermetic Team July 19, 2021

Why Managing Security Posture and Entitlements from One Place Makes Sense

How a unified CSPM/CIEM platform can provide solutions to highly prioritized security risks, with minimal overhead.

By Ermetic Team July 13, 2021

The Importance of Identity and Access Management (IAM) in Cloud Infrastructure

How to manage human and service identities, and their entitlements, to secure your cloud infrastructure.

By Ermetic Team July 7, 2021

Repokid and Beyond: AWS Least Privilege, Gift-Wrapped

Travis McPeak explains why least privilege is so hard to achieve and how the automated approach works.

By Travis McPeak July 6, 2021

State of Cloud Security 2021: More Aware Yet Very Exposed

Dan Yachin digs into our State of Cloud Security 2021 Report and shares his insight.

By Dan Yachin July 1, 2021

Why Privileged Access Management (PAM) Fails Cloud Infrastructure…and What to do About it

PAM, its challenges for AWS, GCP and Azure environments - and CIEM as a solution.

By Ermetic Team June 20, 2021

TeamTNT Strikes Again: A Wake-Up Call to Start Securing Cloud Entitlements

Examining the news that TeamTNT is targeting 16 more applications, including Google Cloud.

By Lior Zatlavi June 14, 2021

AWS Condition Context Keys for Reducing Risk

A Least Privilege cheat sheet on using AWS global condition context keys to achieve least privilege.

By Lior Zatlavi May 25, 2021

Least Privilege Policy: Automated Analysis Trumps Native AWS Tools

AWS methods for granting & controlling access, plus native tools for detecting & repairing excessive permissions.

By Lior Zatlavi May 18, 2021

Best Practices for Securing Public Cloud Infrastructure

Bruce's suggestions for securing public cloud infrastructure, across industries.

By Bruce Gibson May 6, 2021

Cloud Security: What’s Good for Fintech Is Good for… All Our Clients

Mohara shares how Ermetic keeps things secure and management-sane inside their cloud software development shop.

By Ermetic Team April 20, 2021

The ABCs of Azure Identity Governance Tools

The main Azure mechanisms for governing identities and providing access permissions.

By Lior Zatlavi April 12, 2021

AWS’s Access Analyzer Preview Access is Great — But Is It Enough?

Learn the ins and outs of the preview access capability in Access Analyzer.

By Lior Zatlavi March 16, 2021

Deconstructing Azure Access Management using RBAC

The basics of Azure RBAC -- the main mechanism in Azure for granting permissions to resources.

By Lior Zatlavi March 10, 2021

Keep Your IAM Users Close, Keep Your Third Parties Even Closer

An in-depth review on third-party access configuration and control with IAM permissions

By Ermetic Team January 28, 2021

Introducing the Ermetic Advisory Board: Gerhard Eschelbeck, Former CISO of Google

We recently announced the formation of the Ermetic Advisory Board which includes a who’s who of CISOs and cloud security experts from…

By Ermetic Team January 24, 2021

Auditing IAM PassRole: A Problematic Privilege Escalation Permission

How to determine which identities need iam:PassRole to help enforce “use it or lose it” least-privilege.

By Noam Dahan January 13, 2021
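The following Python is an added example serving both the "Keep Your S3 Safe from CloudTrail Auditors" entry (a managed policy that grants `s3:GetObject` on `*`) and the "Auditing IAM PassRole" entry above; it is not code from either post. It probes a policy document with an action and a resource ARN the policy never names, so that wildcard resources and `NotAction`/`NotResource` statements surface as the over-grants they are. The policy document is constructed to mirror the shape the first post describes and is not the text of the real AWSCloudTrailReadOnlyAccess policy; the account ID and role names are placeholders.

```python
"""Probe an IAM policy document for grants a reviewer would want to know about:
object reads on buckets the policy never names, and iam:PassRole.

Added example; not code from either post. The policy below is constructed to
mirror the shape described in the post (s3:GetObject on "*"); it is not the text
of the real AWSCloudTrailReadOnlyAccess policy, and the account ID is a placeholder.
"""
import fnmatch
import json

SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListAllMyBuckets"], "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudtrail:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111111111111:role/deploy-*",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::payroll-*/*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """Action names match case-insensitively with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def resource_matches(pattern, resource):
    """Resource ARNs match case-sensitively with * and ? wildcards."""
    return fnmatch.fnmatchcase(resource, pattern)


def statement_covers(stmt, action, resource):
    """Does the statement's Action/NotAction and Resource/NotResource cover the pair?"""
    if "NotAction" in stmt:
        action_ok = not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    else:
        action_ok = any(action_matches(p, action) for p in _as_list(stmt.get("Action")))
    if "NotResource" in stmt:
        resource_ok = not any(resource_matches(p, resource) for p in _as_list(stmt["NotResource"]))
    else:
        resource_ok = any(resource_matches(p, resource) for p in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def find_grants(policy, action, probe_resource):
    """Return (statement index, has_condition) for each Allow statement that would permit
    `action` on `probe_resource`. Use a probe ARN the policy never names (a bucket or
    role you did not create) to see whether the policy reaches beyond its intended scope.
    An explicit Deny covering the pair wins, as in IAM evaluation. Conditions are only
    reported, not evaluated: a conditioned hit still needs a human to read the condition."""
    statements = _as_list(policy.get("Statement"))
    if any(s.get("Effect") == "Deny" and statement_covers(s, action, probe_resource)
           for s in statements):
        return []
    return [
        (idx, "Condition" in s)
        for idx, s in enumerate(statements)
        if s.get("Effect") == "Allow" and statement_covers(s, action, probe_resource)
    ]


if __name__ == "__main__":
    probes = [
        ("s3:GetObject", "arn:aws:s3:::some-other-teams-bucket/any/key"),
        ("s3:GetObject", "arn:aws:s3:::payroll-2023/export.csv"),
        ("iam:PassRole", "arn:aws:iam::111111111111:role/deploy-lambda"),
        ("iam:PassRole", "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole"),
    ]
    for action, arn in probes:
        print(action, arn, "->", find_grants(SAMPLE_POLICY, action, arn))
```

This looks at a single policy document in isolation: it does not combine identity policies with permissions boundaries, SCPs or resource policies, so a hit here means "this document alone would allow it", which is exactly the question to ask of a managed policy before attaching it.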

Cloud infrastructure is not immune from the SolarWinds Orion breach

Organizations exposed to the SolarWinds breach must identify exposed credentials and rotate them asap.

By Noam Dahan December 23, 2020

The AWS Managed Policies Trap

The “AWS Managed Policies Trap” and how to escape using automated analysis of environment configuration and activity logs.

By Ermetic Team December 20, 2020

Introducing the Ermetic Advisory Board: Elie AbenMoha of Publicis Groupe

Thoughts on cloud security from advisory board member Elie AbenMoha of Publicis Groupe

By Ermetic Team December 9, 2020

Who Holds the Keys to the Kingdom? (Part 2 of 2)

Part 2 takes a look at sensitive AWS Resources – secret strings and keys used in AWS.

By Ermetic Team November 25, 2020

Who Holds the Keys to the Kingdom? (Part 1 of 2)

Part 1 of a series takes a look at sensitive AWS Resources - secret strings and keys used in AWS.

By Ermetic Team November 15, 2020

Introducing the Ermetic Advisory Board: Adrian Ludwig of Atlassian

Adrian Ludwig of Atlassian shares his predictions and insights on public cloud security.

By Ermetic Team November 1, 2020

AWS Identity Federation and Least Privilege – Friends or Foes?

How to address the challenges in basic and advanced implementations of AWS federation.

By Ermetic Team October 7, 2020

The Three Ways of DevOps

Applying least privilege to cloud instances without adding bulk and delays to your pipeline.

By Tanya Janca September 30, 2020

Protect Applications and Data with Cloud Infrastructure Entitlements Management (CIEM)

Breaking down the hype around Cloud Infrastructure Entitlements Management (CIEM).

By Ermetic Team August 3, 2020

The Challenges of Securing Data Access in the Cloud, Part 4 (of 4)

Part 4 (of 4) - Sharing and Chaining Roles

By Arick Goomanovsky July 22, 2020

The Challenges of Securing Data Access in the Cloud, Part 3 (of 4)

Part 3 - Looking beyond AWS IAM roles

By Arick Goomanovsky July 14, 2020

The Challenges of Securing Data Access in the Cloud, Part 2 (of 4)

Part 2 (of 4): A closer look at IAM policies

By Arick Goomanovsky June 25, 2020

The Challenges of Securing Data Access in the Cloud, Part 1 (of 4)

Part 1: Why is it so complicated to manage identities and entitlements in the cloud?

By Arick Goomanovsky June 20, 2020

Why Information Security Must be as Adaptable as the Environment it Protects

Why information security must be more deeply integrated into everyday processes through intelligent automation.

By Dan Yachin May 13, 2020