🥖 Palette Cleanser

There's no brouhaha this week so instead let's talk about to a tool you probably should be using (more), awscurl. It does what it sounds like it does, with the bonus of magically signing requests with AWS Signature Version 4. If you do any sort of AWS security testing or research, this can be a huge time saver. Give it a go and let me know your favorite use case.

It was Australian Day yesterday. To celebrate, here is a video of the most Australian man ever. His name is also Daniel - coincidence?

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Ransomware in AWS S3: SSE-C by Jason Kao

  Last week's issue linked to a lot of resources related to recent S3 ransomware incident(s?). Jason implies the Halcyon and Amazon write-ups are one and the same, and draws some conclusions about initial access, recon, and impact. But what makes the article worth reading is the resource control policy you (and everyone) can (and should) immediately apply at the org level unless you have some specific need for SSE-C. Maybe AWS should roll this policy into default org creation?

• Plaid's journey to creating a key management system by Shuaiwei Cui and Anirudh Veeraragavan

  There are special kinds of engineers out there who both enjoy hurting themselves and have a genuine need to build their own cryptographic solutions. In this case Plaid (believed they) needed cost-efficiency and scale that commercial solutions couldn't provide. Presumably there was a fire walking ceremony, after which they actually built their own KMS, and then described it at a reasonably high-level in this blog post. Perhaps most telling is the lesson they learned: "Ownership is ongoing". Maybe I'm projecting my own painful experiences though?

• Datadog threat roundup: top insights for Q4 2024 by Matt Muir, Andy Giron, Adrian Korn, Greg Foss, and Oren Margalit.

  Who doesn't love a good canine threat roundup? Since we've covered most of their AWS threat research posts in the past, the most noteworthy topic is the emergence of a number of actors targeting npm and PyPi consumers.

Bonusii: How to create an EC2 WebServer with SSRF to try AWS iMDSv1 exploit and Own (or PWN) the Org with CloudFormation StackSets

🥗 AWS security blogs

• Top Architecture Blog Posts of 2024 by Andrea Courtright
• Level-Up Mood Board Creation with Miro and Amazon Bedrock – Part 2 by Frédéric Nowak
• Security best practices to consider while fine-tuning models in Amazon Bedrock by Vishal Naik
• Video security analysis for privileged access management using generative AI and Amazon Bedrock by Ken Haynes
• Dynamically configuring job settings with AWS Elemental MediaConvert by Morris Pyle
• Securing the future of healthcare in the age of generative AI and connected care by Hector Rodriguez
• AWS launches £5 million cyber education grant to boost security in the UK by Ken Harley
• AWS helps empower small businesses at annual TribalNet conference by AWS Public Sector Blog Team
• Automated Security Monitoring for RISE with SAP and SAP BTP on AWS by Joachim Aumann
• CCN releases guide for Spain’s ENS landing zones using Landing Zone Accelerator on AWS by Tomás Clemente Sánchez
• Using OSCAL to express Canadian cybersecurity requirements as compliance-as-code by Michael Davie
• Safeguard your generative AI workloads from prompt injections by Anna McAbee

🍛 Reddit threads on r/aws

• What's the Difference Between Assigning Policies to Users vs. IAM Roles in AWS? 🤔
• How to Allow Only CloudFront to Access My Application Load Balancer?
• How can I reveal the real IP address behind an AWS EC2 load balancer
• EC2 Ip addrs from Cloudfront dist.
• AWS S3 Static Website Hosting for development environments
• Multi-Account Security Seems Hypocritical
• Beware of Cloudvisor Partner – A Potential Scam!

🧁 IAM permission changes

• ec2
• connect
• datazone
• healthlake
• directconnect
• connect
• codebuild

🍪 API changes

• AWS CloudTrail
• Amazon Elastic Kubernetes Service
• Amazon HealthLake
• AWS Transfer Family
• Amazon Elastic Compute Cloud
• Agents for Amazon Bedrock Runtime
• AWS Elemental MediaLive
• Amazon Connect Service
• AWS IoT SiteWise
• Amazon QuickSight

🍹 IAM managed policy changes

• SecurityAudit
• ReadOnlyAccess
• ReadOnlyAccess
• AWSPrivateCAPrivilegedUser
• AWSPrivateCAUser
• AWSCertificateManagerPrivateCAPrivilegedUser
• AWSCertificateManagerPrivateCAUser
• CloudWatchEventsFullAccess
• AmazonEventBridgeFullAccess
• ROSAAmazonEBSCSIDriverOperatorPolicy
• SageMakerStudioFullAccess

☕ CloudFormation resource changes

• AWS::SNS::Topic

🎮 Amazon Linux vulnerabilities

• CVE-2025-0411
• CVE-2025-0509
• CVE-2025-24030
• CVE-2025-23084
• CVE-2025-0395
• CVE-2025-20128
• CVE-2025-23087
• CVE-2025-23085
• CVE-2025-23089
• CVE-2025-23083
• CVE-2025-23088
• CVE-2025-21518
• CVE-2024-57932
• CVE-2025-21504
• CVE-2025-21534
• CVE-2025-21529
• CVE-2025-21523
• CVE-2025-21521
• CVE-2025-21536
• CVE-2025-21493
• CVE-2025-21494
• CVE-2025-21531
• CVE-2025-21497
• CVE-2025-21503
• CVE-2025-21490
• CVE-2025-21546
• CVE-2025-21540
• CVE-2025-21519
• CVE-2025-21543
• CVE-2025-21501
• CVE-2025-21502
• CVE-2025-21520
• CVE-2025-22150
• CVE-2025-21491
• CVE-2025-21525
• CVE-2025-21492
• CVE-2025-21500
• CVE-2025-21555
• CVE-2024-57360
• CVE-2025-21559
• CVE-2025-21567
• CVE-2025-21505
• CVE-2025-21566
• CVE-2025-21499
• CVE-2025-21522
• CVE-2025-24014
• CVE-2025-21655
• CVE-2024-45336
• CVE-2024-13176
• CVE-2024-45341

📺 AWS Security Bulletins

• Issue with AWS Sign-in IAM User Login Flow – Possible Username Enumeration (CVE-2025-0693)