Monday, March 17, 2025

🥖 Palette Cleanser

Did someone ask for red meat?

This week, the folks at Step Security reported that the tj-actions/changed-files GitHub Action, used by 23,000+ repositories, had been backdoored. Apparently, the attacker somehow compromised a GitHub personal access token (PAT) and used it to inject code that attempts to dump sensitive data from the GitHub Actions runner's memory. Folks are reporting that AWS access keys are among the leaked goods, which seems bad. Check your usage.

On a positive note, AWS has updated their programmatic service reference to include condition keys. It's not clear if it's as complete as some of the scraped open-source references that came before it, but it is good to see AWS investing in supporting automation.

If you are a fan of all things open and open-source cloudy things, the folks from Open Cloud Security have announced their first virtual conference and call for presentations. Submissions close March 20.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • State of Cloud Remediation by Idan Perez, Michael St.Onge, Joseph Barringhaus

    Cloud vulnerability teardown: what's important and what you can ignore by Ethan Chen

    Some people might say it's an abuse of power to include two articles in a slot. They're right, and no one can stop me. I personally hate that we call notifications about misconfigurations or vulnerabilities "alerts". Let's reserve alerts for malicious behavior, my dudes. Misconfigurations and vulnerabilities are just things we put on a to-do list ordered by priority. Nonetheless, both articles are A+ reads.

    The State of Cloud Remediation report highlights that critical security findings remain unresolved for an average of 128 days, pointing to a systemic issue in cloud remediation processes. Meanwhile, Vulnerability Teardown breaks down why traditional vulnerability management strategies often fail in cloud environments, emphasizing the need for risk-based prioritization over exhaustive patching. Read together, these pieces underscore the inefficiencies in cloud security remediation - one with hard data on the problem, the other with practical strategies for security teams to navigate the complexity of cloud vulnerability management.

  • PowerUserAccess vs. AdministratorAccess from an attacker's perspective by Eduard Agavriloae

    Is there a real security difference between PowerUserAccess and AdministratorAccess? It certainly feels less bad to attach PowerUserAccess to an identity. Eduard claims attackers can escalate privileges by modifying and invoking a Lambda function, using SSM SendCommand to exfiltrate access credentials from the EC2 instance, or altering a CloudFormation template to include a privilege escalation vector. Note the clever use of NotAction inside the policy.

  • whoAMI: A cloud image name confusion attack by Seth Art

    Yes, I know this article is a few weeks old, but we missed it, and it’s awesome. Let’s call it retribution for Seth’s failure to send us Milo memes. This is a beautifully simple and obnoxiously practical attack. It works because a lot of code searches the AMI catalog by image name, retrieves a list of image IDs, and starts EC2 instances using those IDs. The problem is that anyone can publish an AMI to the Community AMI catalog and name their image anything they want. So all an attacker needs to do is duplicate a popular image—including its name—drop some malicious code on it, and wait for it to be run. Genius.
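    As an added illustration (not Seth's code or the article's own), here is the name-only lookup the attack relies on next to the owner-pinned version. The catalog is constructed in the shape of boto3's `describe_images()` response; the AMI IDs and owner account IDs are placeholders, and `TRUSTED_OWNERS` stands for publisher account IDs you have verified out of band.

```python
"""Name-vs-owner AMI selection: the lookup pattern whoAMI abuses, beside the safe one."""
from fnmatch import fnmatch

# Constructed catalog mimicking ec2.describe_images()["Images"]; nothing here is a real AMI.
# Two images carry the same name; only the first comes from the publisher we expect.
CATALOG = [
    {"ImageId": "ami-0aaaaaaaaaaaaaaaa", "Name": "example-base-linux-20250301",
     "OwnerId": "123456789012", "CreationDate": "2025-03-01T00:00:00.000Z"},
    {"ImageId": "ami-0bbbbbbbbbbbbbbbb", "Name": "example-base-linux-20250310",
     "OwnerId": "999999999999", "CreationDate": "2025-03-10T00:00:00.000Z"},
]
PATTERN = "example-base-linux-*"          # the wildcard name pattern the deploy code searches for
TRUSTED_OWNERS = {"123456789012"}         # placeholder: account IDs of publishers you trust


def newest(images):
    """Pick the most recently created image, or None when nothing matched."""
    return max(images, key=lambda img: img["CreationDate"]) if images else None


def pick_by_name_only(images, pattern):
    """Vulnerable pattern: whoever publishes the newest name match wins, owner never checked."""
    return newest([img for img in images if fnmatch(img["Name"], pattern)])


def pick_by_name_and_owner(images, pattern, trusted_owners):
    """Safe pattern: restrict to trusted publishers before choosing the newest match."""
    return newest([img for img in images
                   if fnmatch(img["Name"], pattern) and img["OwnerId"] in trusted_owners])


def describe_trusted_images(pattern, trusted_owners):
    """Live equivalent of the safe pattern: let EC2 filter by owner server-side.

    Requires boto3 and AWS credentials; imported lazily so the rest runs offline.
    """
    import boto3  # real library; Owners= and the "name" filter are documented describe_images params
    ec2 = boto3.client("ec2")
    resp = ec2.describe_images(Owners=sorted(trusted_owners),
                               Filters=[{"Name": "name", "Values": [pattern]}])
    return newest(resp["Images"])


if __name__ == "__main__":
    print("name only  ->", pick_by_name_only(CATALOG, PATTERN)["ImageId"])            # the look-alike
    print("name+owner ->", pick_by_name_and_owner(CATALOG, PATTERN, TRUSTED_OWNERS)["ImageId"])
```

    The constructed catalog shows the failure mode directly: the look-alike is newer, so any "latest image matching this name" logic without an owner constraint selects it.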

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout

How secure is your AWS environment? Find out in a few minutes with Plerion.


🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

    No new CVEs.

📺 AWS Security Bulletins

    No bulletins this week.
