Monday,
March 31, 2025

🥖 Palate Cleanser

Dear digester,

I bring glorious news from the mothership: the AWS re:Inforce security conference is returning to Philadelphia, Pennsylvania, from June 16–18. Tickets went on sale this week, and apparently, you can get $500 off by using the code “SECURITY500” at registration. This year, there are over 250 technical sessions, hands-on labs, and interactive workshops. If anyone has connections in high places, I’d love to cover the event.

As is now routine, the clouds caught fire again this week—first, due to a beautiful set of Kubernetes plugin vulnerabilities that resulted in remote code execution on ~40% of clusters, discovered by the Wiz research team. And then again, thanks to a trivial authorization bypass in Next.js found by Rachid Allam.

Finally, as an ASD subscriber, you seem to enjoy security digests—this one for the AWS vibes and questionable attempts at humor. If you're looking for broader security content, you might want to check out the Datadog Security Digest. If you do subscribe, let me know what you think of it.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • The Cat Flap - How to really Purrsist in AWS Accounts by Michael Gschwender

    This blog post is trivial—it’s about adding an account ID to the AWSControlTowerExecution role’s trust policy. And yet, it may still be the best blog post ever written. Here’s an excerpt to give you a taste of its flavor: "Trying to hide sh*t is lame, the best is to make sh*t, that looks like other sh*t and then have an organization allowlist it, because your fake sh*t is nearly indistinguishable from the real sh*t."

  • YES3 Scanner: An Open Source Tool to Scan S3 Buckets for Access Misconfigurations and Ransomware Prevention by Jason Kao

    Jason has an unhealthy obsession with encryption. Jason also likes S3. In this post, he combines both passions to release Yet Another S3 Scanner. YES3 is an open-source tool that scans for 10+ settings on S3 buckets and AWS accounts to identify risks to S3 infrastructure. If a commercial cloud security platform like Plerion isn’t your cup of tea, this scanner can give you a list of issues to prioritize fixing.

  • Living-off-the-land Dynamic DNS for Route 53 by Dhruv Ahuja

    The premise is simple: create a script with minimal dependencies that uses Route 53 to update a DNS record with the user’s current external IP. I confess—this isn’t a purist’s security article. You have to kind of squint to see the security-ness of it, but since Dhruv applies a hacker concept (living off the land) and a defender concept (least privilege), I’m including it and accepting your wrath.
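As an added example, not code from the Cat Flap post or from AWS, here is a small audit for the persistence trick that post describes: it flags any principal in an AWSControlTowerExecution-style trust policy that is not the expected management account. The sample policy and the account IDs in it are constructed; a real run would read the document from `iam.get_role(...)["Role"]["AssumeRolePolicyDocument"]`.

```python
import re

# Constructed sample: the expected management-account principal plus one
# extra account that someone slipped in (the "cat flap").
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                               "arn:aws:iam::999999999999:root"]},
         "Action": "sts:AssumeRole"},
    ],
}

# Matches a bare 12-digit account ID or the account portion of an IAM ARN.
ACCOUNT_ID_RE = re.compile(r"^(\d{12})$|^arn:aws:iam::(\d{12}):")

def principal_accounts(statement):
    """Yield account IDs (or '*') referenced by a statement's AWS principals."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*"
        return
    aws = principal.get("AWS", [])
    for entry in ([aws] if isinstance(aws, str) else aws):
        if entry == "*":
            yield "*"
            continue
        m = ACCOUNT_ID_RE.match(entry)
        # Unparsed principals are surfaced as-is rather than silently dropped.
        yield (m.group(1) or m.group(2)) if m else entry

def unexpected_principals(trust_policy, management_account_id):
    """Return principals allowed to sts:AssumeRole that are not the management account."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        findings.extend(a for a in principal_accounts(stmt) if a != management_account_id)
    return findings

if __name__ == "__main__":
    print(unexpected_principals(SAMPLE_TRUST_POLICY, "111111111111"))  # ['999999999999']
```

Run it against every member account's AWSControlTowerExecution role (and any role whose trust policy your organization allowlists) and alert on a non-empty result.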

🥗 AWS security blogs

šŸ› Reddit threads on r/aws


💸 Sponsor shoutout

Plerion is building an AI cloud security engineer that works like another member of your team.

Want to be a design partner? Let's do it together!


🤖 Dessert

Dessert is made by robots, for those who enjoy the industrial content.

🧁 IAM permission changes

šŸŖ API changes

šŸ¹ IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

    No new CVEs.

📺 AWS Security Bulletins
