
January 20, 2025
🥖 Palate Cleanser
Welcome back eager beaver,
I've got red meat for you today! Well, since you are a beaver, I guess it's brown bark. 🤷 On 8 January, the well-known VX Underground account tweeted, "We're witnessing the evolution of ransomware... Threat Actors abusing the Amazon Key Management Service (KMS) to encrypt company AWS buckets (or any cloud provider)." This prompted a 100+ message thread on the Cloud Security Forum Slack.
A week later Forbes published the FUD-ilicious "New Amazon Ransomware Attack—‘Recovery Impossible’ Without Payment". Much bad, many scare. AWS, being a responsible cloud provider, immediately followed with its helpful guidance on preventing said badness.
While this makes for great popcorn-eating content, and there's certainly reason to be more vigilant now that threat actors are actively executing S3 ransomware, none of this is new. Spencer Gietzen discussed the problem in 2019. Harsh Varagiya pointed to external key stores (XKS) as a means of making these attacks more effective in October last year, as did Chris Farris in November. Halcyon published their findings in January, and Kat Traxler has a long-standing whitepaper on the topic. It might be 2025, but we are still fighting 2019 problems.
In lighter news, you can now sign in to up to five different identities simultaneously in a single web browser in the AWS Management Console. Enjoy the extra tabs you definitely needed.
📋 Chef's selections
- How to Start Threat Modelling in AWS by Ihor Sasovets
Threat modelling is often like DIY pizza in a wood-fired oven; it's likely to turn out a gooey mess or way overcooked. Ihor does his best to set you up for something that's at least edible by linking to all the tools and resources you need. It's not just instructions, though: there's a worked example to bring the theory to life.
- Tracking cloud-fluent threat actors - Part two: Behavioral cloud IOCs by Merav Bar and Gili Tikochinski
Who doesn't like tracking actors? I personally enjoy Donald Trump in Home Alone 2 and The Official Trump Memecoin. More importantly, this article describes how detection engineers can use combinations of actions, parameters, and context to identify malicious actors, with worked threat actor examples. Part 1 on IOCs was first covered in issue 177, and I really hope there's a part 3, because Merav and team make this stuff really easy to understand.
- Understanding RCPs and SCPs in AWS: Choosing the Right Policy for your Security Needs by Jason Kao
How much more RCP and SCP content can the world produce? I'm going to need some PCP to dissociate myself from control policies soon. This article focuses on choosing when to use which type of control policy and the limitations of each approach.
🥗 AWS security blogs
- 📣 Amazon GuardDuty is now available in AWS Asia Pacific (Malaysia) Region
- 📣 AWS Security Hub now integrates with Amazon Route 53 Resolver DNS Firewall
- Limit interactive session commands by groups of users using AWS Systems Manager by Adam Spicer
- Amazon Bedrock launches with Claude 3.5 Sonnet in the AWS Top Secret cloud by Jeff Pasqual
- Preventing unintended encryption of Amazon S3 objects by Steve de Vera
- AWS achieves HDS certification for 24 AWS Regions by Tea Jioshvili
- How to implement IAM policy checks with Visual Studio Code and IAM Access Analyzer by Anshu Bathla
- AWS re:Invent 2024: Security, identity, and compliance recap by Marshall Jones
- How to monitor, optimize, and secure Amazon Cognito machine-to-machine authorization by Abrom Douglas
🍛 Reddit threads on r/aws
- New Amazon Ransomware Attack—‘Recovery Impossible’ Without Payment
- Signed URL, or Compromised Key
- How to Securely Handle Credentials in S3+Cloudfront Frontend?
- Publicly accessible RDS instance-Risk Assessment Questions
- PrivateLink vs. Transit Gateway: Pros and Cons
- AWS Network Firewall rule group hit counter
- M$ Defender
🤖 Dessert
Dessert is made by robots, for those that enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
- Amazon Elastic Compute Cloud
- AWS User Notifications
- Amazon SageMaker Service
- Agents for Amazon Bedrock Runtime
- Partner Central Selling API
- Amazon Simple Storage Service
- Amazon Simple Email Service
- Amazon WorkSpaces
- Amazon GameLift
- Amazon Route 53
- Amazon Bedrock
- Amazon Elastic Compute Cloud
- Managed Streaming for Kafka Connect
- Amazon Transcribe Service
🍹 IAM managed policy changes
- Billing
- AmazonSageMakerPartnerAppsFullAccess
- AWSDMSServerlessServiceRolePolicy
- AWSServiceRoleForLogDeliveryPolicy
- AmazonConnectServiceLinkedRolePolicy
- AWSConfigServiceRolePolicy
- AWS_ConfigRole
- AWSResourceExplorerServiceRolePolicy
- AWSUserNotificationsServiceLinkedRolePolicy
- SageMakerStudioDomainExecutionRolePolicy
- AWSMarketplaceSellerFullAccess
- AmazonSageMakerCanvasSMDataScienceAssistantAccess
- AWSControlTowerServiceRolePolicy
- AmazonEBSCSIDriverPolicy
☕ CloudFormation resource changes
- No resource updates this week.
🎮 Amazon Linux vulnerabilities
- CVE-2024-52005
- CVE-2024-11029
- CVE-2024-57637
- CVE-2025-21171
- CVE-2024-57645
- CVE-2024-57646
- CVE-2024-52006
- CVE-2024-12087
- CVE-2024-12085
- CVE-2024-12086
- CVE-2024-57636
- CVE-2024-57650
- CVE-2024-57658
- CVE-2025-21173
- CVE-2024-57635
- CVE-2024-57640
- CVE-2024-57639
- CVE-2024-57648
- CVE-2024-57655
- CVE-2024-57644
- CVE-2024-12084
- CVE-2024-12088
- CVE-2024-53263
- CVE-2024-57664
- CVE-2024-57663
- CVE-2024-57656
- CVE-2024-57660
- CVE-2025-21176
- CVE-2024-50349
- CVE-2024-57662
- CVE-2024-57657
- CVE-2024-57659
- CVE-2024-57651
- CVE-2025-21172
- CVE-2024-57647
- CVE-2024-57643
- CVE-2024-57649
- CVE-2024-57652
- CVE-2024-12747
- CVE-2024-57638
- CVE-2024-57653
- CVE-2024-57642
- CVE-2024-57641
- CVE-2024-57654
- CVE-2024-57661
- CVE-2025-22134