
February 03, 2025
🥖 Palate Cleanser
I have sad news, dear reader. There is so much happening in the world that it distracts us from the real news, like AWS fixing a super duper extreme risk username enumeration issue. Instead of talking about the AWS VPN client now supporting concurrent connections, I must discuss DeepSeek.
There are different ways the internet catches on fire. Sometimes it's a vulnerability affecting millions of devices; other times, it's a breach exposing millions of data records. This week, it was tech bros enjoying a few too many puffs with finance bros and persuading the world that their leadership of the AI utopia was in doubt.
While newly minted experts flooded in, the Wiz research team stood out by actually providing expertise and data. They exposed trivially identifiable data leaks in DeepSeek, publishing screenshots showing DeepSeek playing fast and loose with privacy and security. That's my takeaway—everyone runs faster with a knife. In a race for trillions of dollars, security only becomes a priority after the winners are decided. Know the trade-offs you are making.
📋 Chef's selections
- RogueOIDC: AWS Persistence and Evasion through attacker-controlled OIDC Identity Provider by Eduard Agavriloae
You're probably already using OIDC magic to authenticate your GitHub or Terraform Cloud or whatever deployment pipelines into AWS. To make that magic happen, those platforms run OIDC identity providers that you register in IAM and trust in your roles' trust policies. Imagine one day your AWS account gets compromised and the attacker registers an identity provider they wrote themselves, then modifies the trust relationships you configured so that your roles trust it. What would that look like, and how would it work? Eduard shows us and gives us the code.
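The defensive side of that scenario is worth having in your pocket: an attacker-controlled provider leaves two CloudTrail footprints, a `CreateOpenIDConnectProvider` call for an issuer you never approved and an `UpdateAssumeRolePolicy` call that points a role's `Federated` principal at it. The following detector is an added example written for this digest, not Eduard's code; the CloudTrail records, the account ID `123456789012`, the role `deploy-role`, the issuer `oidc.attacker.example` and the allowlist are all constructed for illustration, and it assumes the `policyDocument` field arrives as a (possibly URL-encoded) JSON string, which is how CloudTrail records it.

```python
import json
from urllib.parse import unquote, urlparse

# Hypothetical allowlist: the only OIDC issuers your pipelines should ever use.
ALLOWED_ISSUERS = {
    "token.actions.githubusercontent.com",
    "app.terraform.io",
}

# Constructed CloudTrail records (not real logs). First a legitimate GitHub
# provider is registered, then a compromised user registers their own provider
# and rewrites a role's trust policy to trust it.
SAMPLE_EVENTS = [
    {
        "eventName": "CreateOpenIDConnectProvider",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/platform-admin"},
        "requestParameters": {"url": "https://token.actions.githubusercontent.com"},
    },
    {
        "eventName": "CreateOpenIDConnectProvider",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-user"},
        "requestParameters": {"url": "https://oidc.attacker.example"},
    },
    {
        "eventName": "UpdateAssumeRolePolicy",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-user"},
        "requestParameters": {
            "roleName": "deploy-role",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.attacker.example"},
                    "Action": "sts:AssumeRoleWithWebIdentity",
                }],
            }),
        },
    },
]


def federated_hosts(policy_document):
    """Return the OIDC provider hostnames named as Federated principals in a trust policy."""
    doc = json.loads(unquote(policy_document))  # CloudTrail may URL-encode the document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    hosts = set()
    for stmt in statements:
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # "Principal": "*" has no Federated entry
            continue
        fed = principal.get("Federated", [])
        if isinstance(fed, str):
            fed = [fed]
        for arn in fed:
            # Provider ARNs look like arn:aws:iam::<acct>:oidc-provider/<host>[/path]
            if ":oidc-provider/" in arn:
                hosts.add(arn.split(":oidc-provider/", 1)[1].split("/", 1)[0])
    return hosts


def find_rogue_oidc(events, allowed_issuers=ALLOWED_ISSUERS):
    """Flag provider registrations and trust-policy changes that name a non-allowlisted issuer."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "?")
        if name == "CreateOpenIDConnectProvider":
            host = urlparse(params.get("url", "")).hostname
            if host not in allowed_issuers:
                findings.append((name, actor, host))
        elif name == "UpdateAssumeRolePolicy":
            for host in sorted(federated_hosts(params.get("policyDocument", "{}"))):
                if host not in allowed_issuers:
                    findings.append((name, actor, f"{params.get('roleName')} -> {host}"))
    return findings


if __name__ == "__main__":
    for finding in find_rogue_oidc(SAMPLE_EVENTS):
        print("ALERT", *finding)
```

The allowlist check only catches a provider you do not recognise. A quieter variant of the same attack keeps the legitimate GitHub issuer but loosens the `Condition` block on `sub` (or drops it) so any repository can assume the role, so in practice you want a second rule that diffs the conditions of every `UpdateAssumeRolePolicy` against what your IaC says they should be.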
- AWS EKS Access Management & Permissions by Ashley Kingscote
I've never worked with Kubernetes, and after reading this article, I continue to be happy with my life choices. Ashley explores a scenario in which two separate EKS clusters must work together in a secure, least-privilege way. To do this, he reviews four separate options, each of which looks insanely complex on its own, and then settles on a combination of two. It's a great read, but only if you have a Kube kink.
- AWS Resource Policy Quirks by Stephen Kuenzli
IAM is weird. 80% of the time, it works the way it's 'supposed' to work. The other 27% of the time, you have to dig through the service documentation—only to realize there's still another 5% you haven't even considered. Surprisingly, this article is a light read, as Stephen breezes through a few quirky examples he's encountered.
Bonusii: Cloud Security predictions for 2025 and The Future of CSPMs
🥗 AWS security blogs
- Enhancing Amazon EKS Security with SentinelOne’s Real-Time eBPF Protection on AWS by Sahil Thapar
- Empowering zero trust in public sector with Cisco Umbrella for Government on AWS by AWS Public Sector Blog Team
- Amazon Redshift enhances security by changing default behavior in 2025 by Yanzhu Ji
- How to deploy an Amazon OpenSearch cluster to ingest logs from Amazon Security Lake by Kevin Low
- Updated whitepaper available: Aligning to the NIST Cybersecurity Framework in the AWS Cloud by Luca Iannario
- Testing and evaluating GuardDuty detections by Marshall Jones
- AWS Firewall Manager retrofitting: Harmonizing central security with application team flexibility by Ian Olson
- Announcing upcoming changes to the AWS Security Token Service global endpoint by Palak Arora
- Building a culture of security: AWS partners with the BBC by Carter Spriggs
- 2024 C5 Type 2 attestation report available with 179 services in scope by Tea Jioshvili
- Enhancing resource-level permission for creating an Amazon EBS volume from a snapshot by Emma Fu
- Design patterns for multi-tenant access control on Amazon S3 by Ran Pergamin
🍛 Reddit threads on r/aws
💸 Sponsor shoutout
Have you got a long list of AWS security issues you could fix but no idea how bad any of it really is?
Instead, start a free trial with Plerion. Focus on the 1% of risks that matter & achieve better security outcomes.
Simplify cloud security with Plerion.
🤖 Dessert
Dessert is made by robots, for those who enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
- Amazon Prometheus Service
- Agents for Amazon Bedrock Runtime
- AWS CodeBuild
- Amazon Location Service Routes V2
- Amazon SageMaker Service
- Amazon AppStream
- Agents for Amazon Bedrock Runtime
- AWS MediaTailor
- QBusiness
- Amazon S3 Tables
- Amazon Verified Permissions
- MailManager
- AWS AppSync
- AWS DataSync
- AWSDeadlineCloud
- Amazon Kinesis Firehose
- Timestream InfluxDB
- Agents for Amazon Bedrock
- AWS Elemental MediaConvert
🍹 IAM managed policy changes
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities
📺 AWS Security Bulletins
- No bulletins this week.