---

🥖 Palette Cleanser

Welcome back from re:Invent everyone. I trust you've had a chance to recover from your time in Vegas, or from your time watching your friends in Vegas from afar. I hope you made it home without making any bad decisions. Do tattoos stay in Vegas?

If you missed any of the live talks, AWS Events has already dropped them all on YouTube. I've made a playlist of all the security presentations for your convenience.

Now let's murder this issue. Get it? Issue 187?

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Amazon GuardDuty Extended Threat Detection by Matt Lewis

  My mental model for GuardDuty has always been as a toy service. Sorry, AWS friends <3. It's nice if you want compliance or a baseline capability, but serious detection and response teams know single events become noise at scale. It's super exciting to see AWS leaning into "attack sequences" that combine multiple related events and signals. Is AWS moving towards becoming a serious player in CDR?

  For the nerds, Chester Le Bron writes about related detection concepts on his blog.

• Exploiting Public AWS Resources - CLI Attack Playbook by Eduard Agavriloae

  Hacking The Cloud is an awesome community project led by my hero Nick Frichette. I don't often include HTC pages here because it feels a little bit like including Wikipedia articles. They are more of a reference than a new item. This article however reads as both a reference and a cool summary of available research/techniques for hacking public resources.

• CloudGoat Official Walkthrough Series: ‘sqs_flag_shop’ by John De Armas

  CloudGoat is Rhino Security Labs’ tool for deploying “vulnerable by design” AWS infrastructure to practice cloud hacking. John walks us through an attack on a CloudGoat web application that exposes access to an SQS queue. The impact of an attack on an application queue is often determined by how much the attacker can find out about message types and formats.

🥗 AWS security blogs

• 📣 AWS Config now supports a service-linked recorder
• 📣 Amazon Bedrock Guardrails supports multimodal toxicity detection for image content (Preview)
• 📣 Introducing the Amazon Security Lake Ready Specialization
• 📣 Respond and recovery more quickly with AWS Security Incident Response Partners
• 📣 Introducing the AWS Digital Sovereignty Competency
• 📣 AWS Security Competency Update: New AI Security Category
• 📣 Amazon Bedrock Guardrails now supports Automated Reasoning checks (Preview)
• Accelerating AWS Partner Success: New Initiatives to Drive Customer Value in 2025 by Priya Bains
• Meet Sovereignty and Compliance Requirements with AWS Digital Sovereignty Competency Partners by Mayssa Haddad
• Streamline Your Security Data Management with Amazon Security Lake Ready Partner Solutions by Ella Gille
• New AI Security Category for AWS Security Competency Partners by Gilson Wilson
• Energize and Amplify – Data and AI Governance and Security on AWS through Partners by Vitor Freitas
• Announcing AWS Partner Network Launch Partners for resource control policies by Aliaksei Ivanou
• Technology and Business Trends for Executives by Tom Soderstrom
• Migrating to a multi-account strategy for public sector customers by Devin Gordon
• Highlights from the AWS re:Invent 2024 Public Sector Innovation Session by AWS Public Sector Blog Team
• AWS Network Firewall Geographic IP Filtering launch by Prasanjit Tiwari
• AWS post-quantum cryptography migration plan by Matthew Campagna
• Preparing for take-off: Regulatory perspectives on generative AI adoption within Australian financial services by Julian Busic

🍛 Reddit threads on r/aws

• SecretFetch: A Go library that makes AWS Secrets Manager as easy as struct tags 🔐
• Security Group Settings for Lambda and OpenSearch which are in VPCs

🧁 IAM permission changes

• networkflowmonitor
• connect
• qbusiness
• rekognition
• s3tables
• quicksight
• redshift
• connect-campaigns
• s3express
• bedrock
• sagemaker
• redshift-serverless
• dsql
• s3
• aoss
• es
• cleanrooms
• aiops
• opensearch
• personalize
• partnercentral
• glue
• vpc-lattice
• observabilityadmin
• imagebuilder
• eks
• invoicing
• logs
• vpce
• transfer
• memorydb
• config
• chime
• security-ir
• sagemaker-data-science-assistant

🍪 API changes

• Partner Central Selling API
• Agents for Amazon Bedrock Runtime
• Agents for Amazon Bedrock
• Runtime for Amazon Bedrock Data Automation
• Data Automation for Amazon Bedrock
• Amazon Bedrock Runtime
• Amazon Bedrock
• AWSKendraFrontendService
• Amazon SageMaker Service
• Amazon Athena
• Agents for Amazon Bedrock Runtime
• Agents for Amazon Bedrock
• Amazon Bedrock Runtime
• Amazon Bedrock
• Amazon DataZone
• Amazon Aurora DSQL
• Amazon DynamoDB
• AWS Glue
• AWS Lake Formation
• QApps
• QBusiness
• Amazon QuickSight
• Redshift Serverless
• Amazon Redshift
• Amazon Simple Storage Service
• Amazon S3 Tables
• Amazon Bedrock Runtime
• AWS S3 Control
• AWS End User Messaging Social
• Agents for Amazon Bedrock Runtime
• Agents for Amazon Bedrock
• Amazon Bedrock
• Amazon Chime SDK Voice
• AWS Clean Rooms Service
• Amazon Connect Service
• AmazonConnectCampaignServiceV2
• Amazon Connect Customer Profiles
• Amazon Elastic Compute Cloud
• Amazon Elastic Kubernetes Service
• Amazon EventBridge
• Amazon FSx
• Amazon GuardDuty
• EC2 Image Builder
• AWS Invoicing
• Amazon CloudWatch Logs
• Amazon MemoryDB
• Network Flow Monitor
• Amazon OpenSearch Service
• AWS Organizations
• QBusiness
• Amazon Q Connect
• Amazon Relational Database Service
• Amazon Simple Storage Service
• Security Incident Response
• AWS SecurityHub
• AWS Transfer Family
• Amazon VPC Lattice

🍹 IAM managed policy changes

• AWSPartnerCentralOpportunityManagement
• AmazonBedrockFullAccess
• AmazonBedrockReadOnly
• AmazonSageMakerCanvasSMDataScienceAssistantAccess
• AmazonSageMakerFullAccess
• AmazonSageMakerTrainingPlanCreateAccess
• AWSLakeFormationDataAdmin
• AmazonAuroraDSQLConsoleFullAccess
• AmazonAuroraDSQLFullAccess
• AmazonAuroraDSQLReadOnlyAccess
• AmazonS3TablesFullAccess
• AmazonS3TablesReadOnlyAccess
• AuroraDsqlServiceLinkedRolePolicy
• QBusinessQuicksightPluginPolicy
• AmazonDataZoneDomainExecutionRolePolicy
• AIOpsConsoleAdminPolicy
• AIOpsOperatorAccess
• AIOpsReadOnlyAccess
• AIOpsAssistantPolicy
• EC2InstanceProfileForImageBuilder

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

No new CVEs.

📺 AWS Security Bulletins

No bulletins this week.