
March 24, 2025
🥖 Palette Cleanser
The big news in cloud security this week was that Google lost the game of chicken with Wiz to "strengthen multicloud security". It's how the Luka Dončić trade should've played out but didn't. Last year Google offered $23 billion which wasn't enough billion for the Wiz board. Maybe there was a clerical error and they accidentally got the digits backwards because this week $32 billion turned out to be just the right amount of billion. I hope all my Wiz friends got that sweet accelerated vesting with lots of zeros on the end. <3
Separate from the usual menu I've included three in-depth analyses of the deal from three different perspectives:
- Looking Beyond The Google & Wiz Acquisition
- W is for Wiz: Alphabet’s Audacious Acquisition
- Google Bought Wiz for $32B. Now What?
📋 Chef's selections
- How to use the new CloudTrail network activity events for AWS VPC Endpoints by Rami McCarthy, Scott Piper
  VPC Endpoints let stuff running inside a VPC talk to supported AWS services without going out to the internet. In February AWS added network activity events for VPC endpoints to CloudTrail. Rami and Scott give us some ideas on how to use these logs to safely develop and manage VPC Endpoint policies, and to detect data exfiltration. Both authors have written highly prescriptive technical articles in the past, and I wish they had added a bit more of that vibe to this one.
- Beyond Configuration Perfection: Redefining ‘Cloud Security’ by Kat Traxler
  This isn't about any single cloud provider like AWS. It's included because it highlights mistakes we all make in decision-making, often based on what we believe to be objective data. One trap from the article that I see organizations fall into all the time is failing to consider opportunity cost. “When excessive brain power is dedicated to misconfiguration remediation and least-privilege, they may have less capacity for threat detection and incident response, security automation and orchestration, and governance and risk management.” Tools and metrics are here to serve us—not the other way around.
- AWS CloudWatch log ingestion to Microsoft Sentinel by Paul Schwarzenberger
  We love a good niche at this newsletter, and this one’s no exception. Paul tested the integration between AWS CloudWatch and Microsoft Sentinel and found that it wasn’t practical for handling hundreds of CloudWatch log groups across multiple AWS accounts. In this article, he explains—code included—how he solved the problem with some help from Microsoft. And if you happen to live in this niche, now you can solve it too.
🥗 AWS security blogs
- 📣 AWS Directory Service for Microsoft AD and AD Connector available in Mexico and Thailand
- 📣 AWS Network Firewall introduces new flow management feature
- 📣 AWS WAF now supports URI fragment field matching
- 📣 AWS Firewall Manager is now available in the AWS Asia Pacific (Thailand) and AWS Mexico (Central) regions
- Knowit’s ADAM Guide to GDPR Compliance on AWS by Shankar Subramaniam
- Improving email security with Amazon SES Mail Manager and Hornetsecurity’s Vade Advanced Email Security Add On by Zip Zieper
- Enable single-sign-on for Amazon WorkMail with IAM Identity Center and Okta Universal Directory by Zip Zieper
- 2024 H2 IRAP report is now available on AWS Artifact for Australian customers by Patrick Chang
- AWS completes the annual UAE Information Assurance Regulation compliance assessment by Vishal Pabari
- AWS KMS CloudWatch metrics help you better track and understand how your KMS keys are being used by Norman Li
🍛 Reddit threads on r/aws
💸 Sponsor shoutout
Plerion is building an AI cloud security engineer that works like another member of your team.
Want to be a design partner? Let's do it together!
🤖 Dessert
Dessert is made by robots, for those that enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
- Amazon Bedrock
- Amazon DataZone
- AWS Route53 Recovery Control Config
- Amazon SageMaker Service
- AWS Amplify
- Amazon Bedrock
- MailManager
- AWS Network Firewall
- AWS Lambda
- AWS MediaConnect
- Amazon SageMaker Service
- AWS AppSync
- AWS Clean Rooms Service
- AWS Elemental MediaConvert
- Amazon Route 53
- Amazon CloudWatch Application Signals
- Amazon Location Service Maps V2
- CloudWatch RUM
- AWS WAFV2
🍹 IAM managed policy changes
- AWSBackupServiceLinkedRolePolicyForBackup
- SageMakerStudioProjectProvisioningRolePolicy
- SageMakerStudioProjectUserRolePolicy
- ROSAWorkerInstancePolicy
- AmazonRDSCustomInstanceProfileRolePolicy
- AWSFaultInjectionSimulatorRDSAccess
- AWSFaultInjectionSimulatorSSMAccess
- AWSLambda_FullAccess
- AWSLambda_ReadOnlyAccess
- CloudWatchApplicationSignalsServiceRolePolicy
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities
- No new CVEs.