
January 13, 2025
🥖 Palate Cleanser
I have a confession. Last week I speculated that the source of a recent VW data exposure was an open S3 bucket. I was wrong and didn't do the work to get it right. This video from the Chaos Computer Club describes the root cause as an exposed vulnerable Java Spring application which allowed a heap dump to be searched for credentials. The discovered credentials could then be used to impersonate any user and export data from an API. This is still not good but obviously not as lolerskater as a public S3 bucket. Sorry for failing you and VW.
This week parts of the internet are once again being raided due to exploitation of critical vulnerabilities in two networky device thingies that are meant to protect us. Wiz has write-ups for both the Aviatrix Controller and Ivanti Connect Secure appliances. Network devices have been getting wrecked lately, so now is a good time to evaluate which ones are truly necessary. My takeaway: you can put complexity behind fancy product marketing but it's still complexity once you peel away the label.
Stay safe out there friends.
📋 Chef's selections
- Introducing Policy Tester, a test harness for AWS IAM Policies by David Kerber
  Even with the countless tools from AWS and others, creating IAM policies is hard. This tool feels like a meaningful step towards making it easier. Do your editing on the left, complete with all the linting goodies you'd expect, and test the actions you want to run on the right. David has created a short video demo to get you hyped.
- How I automated Certificate expiration alerts with AWS by Tetiana Mostova
  When something breaks it's always DNS unless it's failed certificate renewal. You can solve this problem many ways but I like Tetiana's simple setup for when you don't need other fancy functionality. A Lambda function, an EventBridge rule, an SNS topic, and you will never let a certificate expire accidentally again. It's definitely DNS.
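As an added illustration of the Lambda + EventBridge + SNS pattern (an example written for this digest, not Tetiana's code): a Lambda that an EventBridge schedule invokes, lists ACM certificates, flags any expiring within a threshold, and publishes a single SNS message listing them. The AWS clients are injected so the logic runs offline against the constructed `FakeAws` below; the environment variable names `ALERT_TOPIC_ARN` and `CERT_EXPIRY_DAYS`, the 30-day default, and the sample certificates are all assumptions.

```python
"""Scheduled ACM expiry check -> SNS alert (added example, not from the linked post).
Deploy as a Lambda handler; EventBridge schedule rule invokes it daily."""
import os
from datetime import datetime, timedelta, timezone

DEFAULT_THRESHOLD_DAYS = 30  # assumed default; override with CERT_EXPIRY_DAYS


def certs_expiring_within(certs, now, days):
    """Certificates whose NotAfter is within `days` of `now` (already-expired ones
    included), soonest first. Each cert is a dict with DomainName/CertificateArn/NotAfter."""
    cutoff = now + timedelta(days=days)
    return sorted((c for c in certs if c["NotAfter"] <= cutoff), key=lambda c: c["NotAfter"])


def build_message(expiring, now):
    """One line per certificate, marking expired ones explicitly."""
    lines = []
    for c in expiring:
        days_left = (c["NotAfter"] - now).days
        state = "EXPIRED" if days_left < 0 else f"expires in {days_left} day(s)"
        lines.append(f"{c['DomainName']} [{c['CertificateArn']}]: {state}")
    return "\n".join(lines)


def list_certificates(acm):
    """Walk ACM's paginated list and pull NotAfter from describe_certificate.
    Certificates still pending validation have no NotAfter and are skipped."""
    certs, token = [], None
    while True:
        page = acm.list_certificates(**({"NextToken": token} if token else {}))
        for summary in page["CertificateSummaryList"]:
            detail = acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"]
            if "NotAfter" in detail:
                certs.append({k: detail[k] for k in ("DomainName", "CertificateArn", "NotAfter")})
        token = page.get("NextToken")
        if not token:
            return certs


def handler(event, context, acm=None, sns=None, now=None, topic_arn=None):
    """Lambda entry point. Clients, clock and topic are injectable for offline use."""
    if acm is None or sns is None:
        import boto3  # only imported inside Lambda; the offline demo injects fakes
        acm, sns = acm or boto3.client("acm"), sns or boto3.client("sns")
    now = now or datetime.now(timezone.utc)
    days = int(os.environ.get("CERT_EXPIRY_DAYS", DEFAULT_THRESHOLD_DAYS))
    topic_arn = topic_arn or os.environ.get("ALERT_TOPIC_ARN")  # assumed env var name
    certs = list_certificates(acm)
    expiring = certs_expiring_within(certs, now, days)
    if expiring:
        sns.publish(TopicArn=topic_arn,
                    Subject=f"{len(expiring)} ACM certificate(s) expiring within {days} days",
                    Message=build_message(expiring, now))
    return {"checked": len(certs), "expiring": len(expiring)}


class FakeAws:
    """Constructed stand-in for the boto3 ACM and SNS clients (offline demo only).
    Serves one certificate per page so the pagination loop is exercised."""
    def __init__(self, certs):
        self.certs, self.published = certs, []

    def list_certificates(self, NextToken=None):
        if not self.certs:
            return {"CertificateSummaryList": []}
        i = int(NextToken or 0)
        page = {"CertificateSummaryList": [{"CertificateArn": self.certs[i]["CertificateArn"]}]}
        if i + 1 < len(self.certs):
            page["NextToken"] = str(i + 1)
        return page

    def describe_certificate(self, CertificateArn):
        return {"Certificate": next(c for c in self.certs if c["CertificateArn"] == CertificateArn)}

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed-message-id"}


# Constructed sample data: clock pinned to the issue date, ARNs are placeholders.
NOW = datetime(2025, 1, 13, tzinfo=timezone.utc)
ARN = "arn:aws:acm:us-east-1:123456789012:certificate/"
SAMPLE_CERTS = [
    {"DomainName": "api.example.com", "CertificateArn": ARN + "aaaa", "NotAfter": NOW + timedelta(days=12)},
    {"DomainName": "www.example.com", "CertificateArn": ARN + "bbbb", "NotAfter": NOW + timedelta(days=200)},
    {"DomainName": "old.example.com", "CertificateArn": ARN + "cccc", "NotAfter": NOW - timedelta(days=3)},
]


def demo():
    """Run the handler against the fake; returns (handler result, published messages)."""
    fake = FakeAws(SAMPLE_CERTS)
    result = handler({}, None, acm=fake, sns=fake, now=NOW,
                     topic_arn="arn:aws:sns:us-east-1:123456789012:cert-alerts")
    return result, fake.published


if __name__ == "__main__":
    print(demo())
```

In the demo the 12-day and already-expired certificates land in one message (expired first) and the 200-day one is left alone; set `CERT_EXPIRY_DAYS` higher if your renewal process needs more lead time. Keeping `certs_expiring_within` and `build_message` pure is what makes the handler testable without touching AWS.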
- Fast Unauthenticated Role Scanning by Ryan Gerstenkorn
  Ryan is an avid bug bounty hunter so finding new attack surface and understanding target environments is critical to his success. There's a long-standing approach to enumerating principals in a target AWS account without actually touching the account, using resource policies. It was really slow until Quiet Riot made it fast. Ryan has managed to ~10x the speed again for those willing to take chances with the AWS ban hammer.
🥗 AWS security blogs
- Get Operational Insights Fast with AWS Health and Amazon Q by Tomas Dolezel
- Enforcing enterprise-wide preventive controls with AWS Organizations by Swara Gandhi
- Developer’s Guide to operate game servers on Kubernetes – Part 2 by Serge Poueme
- Efficiently build and tune custom log anomaly detection models with Amazon SageMaker by Nitesh Sehwani
- Unlocking innovation: three key themes from AWS re:Invent 2024 by Anne Grahn
- Securing a city-sized event: How Amazon integrates physical and logical security at re:Invent by Steve Schmidt
- New AWS Skill Builder course available: Securing Generative AI on AWS by Anna McAbee
- Customize the scope of IAM Access Analyzer unused access analysis by Stéphanie Mbappe
- How to enhance Amazon Macie data discovery capabilities using Amazon Textract by ZhiWei Huang
🍛 Reddit threads on r/aws
🤖 Dessert
Dessert is made by robots, for those that enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
🍹 IAM managed policy changes
- AWSElasticDisasterRecoveryConsoleFullAccess
- AWSCleanRoomsMLFullAccess
- AWSCleanRoomsMLReadOnlyAccess
- AWSCodeCommitFullAccess
- AWSCodeCommitPowerUser
- AWSCodeCommitReadOnly
- AmazonEKSLoadBalancingPolicy
- AmazonDataZoneSageMakerProvisioningRolePolicy
- AmazonWorkSpacesThinClientFullAccess
- AmazonWorkSpacesThinClientReadOnlyAccess
- AWSManagedServices_SelfServiceReporting_ServiceRolePolicy
- AWSApplicationMigrationEC2Access
- AWSApplicationMigrationServiceRolePolicy
- AWSBackupServiceLinkedRolePolicyForBackup
- AWSBackupServiceRolePolicyForRestores
- ReadOnlyAccess
☕ CloudFormation resource changes
- No resource updates this week.
🎮 Amazon Linux vulnerabilities
📺 AWS Security Bulletins
- No bulletins this week.