Source IP Spoofing in Cloud Logs: A Hands-On Look Across AWS, Azure, and GCP
Eliav Livneh
fwd:cloudsec Europe 2025 · Day 2 · Main Room
Eliav Livneh, a security researcher at Token Security, presented a deep technical exploration of a **defense evasion technique** that allows attackers to spoof the source IP address recorded in cloud provider logs. The technique was originally discovered in AWS in 2021; Livneh systematically tested it across all three major cloud providers (AWS, Azure, and GCP) and found that each handles the scenario differently, with varying levels of exploitability and defensive capability. The research demonstrates that the source IP field in cloud audit logs should never be trusted blindly: an attacker with stolen credentials can control what appears in the victim's logs by routing API calls through their own cloud infrastructure.
AI review
A technically rigorous cross-cloud comparison of a practical defense evasion technique that every red team operator should have in their toolkit. Livneh does the hard work of testing the same attack primitive across three different cloud providers and clearly documents where it works, where it doesn't, and what artifacts (or lack thereof) each leaves behind.