🥖 Palette Cleanser - Guest Feast

Well friends, this is my last week as your guest chef before Daniel returns from his European holiday. It’s been a wild ride, and I’ve had a blast shaking things up in the kitchen. But fear not - next week, we’re back to our regularly scheduled programming with the one & only DG to take back the world stage.

Got thoughts on how I did with AWS Security Digest the past few weeks? Loved it? Hated it? You need Daniel to return ASAP?!?! Tell us here.

This issue is also available to share online.

📋 Chef's selections

• AWS VDP disclosed on HackerOne by Nick Frichette

  Imagine an attacker probing your AWS environment - but instead of setting off alarm bells in CloudTrail, their actions fly completely under the radar. That’s exactly what Nick Frichette and his team found: 44 non-production endpoints in AWS DataZone that could be called with valid IAM credentials but didn’t log to CloudTrail.

• Introducing Finders Keypers: A Open Source Tool to Discover Usage and Blast Radius of Encryption Keys in AWS by Jason Kao

  Jason Kao has what he calls an unhealthy obsession with cloud encryption - specifically, AWS KMS. And honestly? After seeing how painful it is to track where your KMS keys are actually being used, we get it.

  AWS gives you two official methods:

  1️⃣ CloudTrail logs (which can be incomplete)

  2️⃣ KMS key permissions (which don’t tell the full story)

  Jason said “no thanks” and built Finders Keypers, an open-source tool that takes a third approach: analyzing each AWS service and its resources to actually determine active KMS key usage. No more guessing, no more surprises - just clean, actionable insights into what your encryption keys are touching.

• DeepSeek AI ~ A Glimpse into the Future of Data Privacy (or Lack Thereof?!) by Jason Murrell

  The DeepSeek AI conversation is still red hot, and for good reason. If you caught Jason Murrell’s previous deep dive here, you already know that this AI-powered chatbot is making serious waves in the data privacy world. Now, he’s back with more insights on just how deep this rabbit hole goes - from sketchy data collection practices to potential state-sponsored surveillance. If you thought your data was safe, as always, think again.

🥗 AWS security blogs

• 📣 AWS Network Firewall simplifies policy management with enhanced console features
• 📣 Amazon RDS now provides visibility into IAM DB Authentication metrics and logs
• 📣 AWS WAF enhances integration with Service Quotas
• 📣 Amazon Verified Permissions now supports the Cedar JSON entity format
• Best practices to respond to security risks across AWS Organizations by Nivedita Tripathi
• Accelerate Security Incident Response and Recovery with AWS Security Incident Response Partners by Dean Lawrence
• Automated remediation: Securing the Volkswagen AWS landing zone at scale by Stephan Traub
• AWS Mainframe Modernization: transforming telco from legacy constraints to digital innovation by Visu Sontam
• How to configure cross-account model deployment using Amazon Bedrock Custom Model Import by Hrushikesh Gangur
• Securely running AI algorithms for 100,000 users on private data by Anne Mickan
• 2025 ISO and CSA STAR certificates now available with four additional services by Nimesh Ravasa
• Support Canada’s CCCS PBHVA overlay compliance with the Landing Zone Accelerator on AWS by Naranjan Goklani
• Four ways to grant cross-account access in AWS by Anshu Bathla
• Connect your on-premises Kubernetes cluster to AWS APIs using IAM Roles Anywhere by Varun Sharma
• Event-driven framework to integrate AWS Backup service with CSPM tools by Abhi Patlolla
• AWS Jam Journeys: New role-based challenges on AWS Skill Builder by Raghava Kumar Vemu
• New course updates from AWS Training and Certification in February 2025 by Training and Certification Blog Editor

🍛 Reddit threads on r/aws

• help with env variables
• how do you access you ec2 instances? putty or session manager?
• WAF Dashboard
• AWS RDS encryption: Confusion around key type
• Is it safe to upload profile picture of user in s3 bucket?
• My AWS services got hacked

💸 Sponsor shoutout

Have you got a long list of AWS security issues you could fix but no idea how bad any of it really is?

Instead, start a free trial with Plerion. Focus on the 1% of risks that matter & achieve better security outcomes.

Simplify cloud security with Plerion.

🧁 IAM permission changes

• qdeveloper
• redshift-serverless
• sagemaker
• bedrock
• s3
• bedrock
• application-signals
• sesv2
• transcribe
• ecs
• ram
• cloudshell
• codedeploy

🍪 API changes

• Runtime for Amazon Bedrock Data Automation
• Data Automation for Amazon Bedrock
• AWS Database Migration Service
• Amazon Elastic Kubernetes Service
• AWS Elemental MediaConvert
• Agents for Amazon Bedrock Runtime
• QBusiness
• Redshift Serverless
• Amazon SageMaker Service
• AWS Storage Gateway
• Amazon CloudWatch Application Signals
• AWS Batch
• Amazon Elastic Compute Cloud
• AWS IoT FleetWise
• CloudWatch Observability Access Manager
• Amazon SageMaker Service
• AWS CodeBuild
• AWS Device Farm
• Amazon Elastic Compute Cloud
• AWS IoT
• Tax Settings
• Agents for Amazon Bedrock Runtime
• Amazon Bedrock Runtime

🍹 IAM managed policy changes

• SageMakerStudioProjectUserRolePolicy
• AWSBackupSearchOperatorAccess
• AmazonCognitoPowerUser
• AWSConfigServiceRolePolicy
• AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy
• AWS_ConfigRole
• SageMakerStudioEMRInstanceRolePolicy
• SageMakerStudioEMRServiceRolePolicy
• SageMakerStudioProjectProvisioningRolePolicy
• SageMakerStudioProjectRoleMachineLearningPolicy
• AmazonEKSServiceRolePolicy
• AmazonFSxConsoleReadOnlyAccess
• SageMakerStudioBedrockFunctionExecutionRolePolicy
• SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy
• SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy
• AWSLakeFormationCrossAccountManager

☕ CloudFormation resource changes

• AWS::OpenSearchServerless::SecurityConfig
• AWS::Batch::ConsumableResource
• AWS::Batch:JobDefinition

🎮 Amazon Linux vulnerabilities

• CVE-2024-57987
• CVE-2025-21757
• CVE-2025-21760
• CVE-2025-21763
• CVE-2025-21729
• CVE-2025-21758
• CVE-2025-21733
• CVE-2024-57979
• CVE-2025-21732
• CVE-2025-21813
• CVE-2021-47634
• CVE-2022-49278
• CVE-2022-49657
• CVE-2022-49576
• CVE-2022-49116
• CVE-2022-49093
• CVE-2022-49493
• CVE-2022-49199
• CVE-2022-49479
• CVE-2022-49196
• CVE-2022-49478
• CVE-2022-49633
• CVE-2022-49667
• CVE-2022-49401
• CVE-2022-49603
• CVE-2022-49291
• CVE-2022-49518
• CVE-2022-49611
• CVE-2021-47650
• CVE-2022-49695
• CVE-2022-49622
• CVE-2022-49084
• CVE-2025-26595
• CVE-2025-26596
• CVE-2025-27110
• CVE-2025-26466
• CVE-2025-26601
• CVE-2025-26594
• CVE-2025-26597
• CVE-2025-26599
• CVE-2025-26598
• CVE-2025-26600
• CVE-2024-45779
• CVE-2025-0690
• CVE-2025-1125
• CVE-2025-0689
• CVE-2025-0684
• CVE-2025-0685
• CVE-2024-45780
• CVE-2023-52926
• CVE-2025-0686
• CVE-2025-0678
• CVE-2024-45782
• CVE-2024-45778

📺 AWS Security Bulletins

No bulletins this week.