
April 07, 2025
🥖 Palette Cleanser
Hello friend,
Isn't it great to be poorer reading this issue than we were reading the last one? The timing of that Wiz acquisition looks perfect right about now.
There's good timing (Wiz), and then there's bad timing (Oracle). I held back previously from mentioning news of a potential Oracle Cloud breach, but according to Bloomberg, Oracle is now privately confirming to customers that some of its "legacy" cloud systems have been breached. Oracle had previously categorically denied the breach to SecurityWeek. And that, dear reader, is why incident response requires time and thorough investigation. Breaches happen. It's how we deal with them that shows our trustworthiness.
Today's issue is heavy on general cloud content. It's all still awesome and worthy of your time. It applies to AWS, but it also happens to apply equally to GCP and Azure. Enjoy!
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
📋 Chef's selections
- Invoking Misconfigured API Gateways from Any External AWS Accounts by Eduard Agavriloae
Sometimes the words we use in naming things matter more than we expect. In this post, Eduard points out that REST "private" API Gateways are not private in the sense that they can't be invoked from outside your AWS account. They're private in the sense that they can't be invoked outside the AWS network. It's a little bit like that 'Authenticated Users' group S3 has, where most sane people assumed it restricted access to authenticated users in their own account, but it actually means anyone authenticated to any AWS account. Eduard rightly points out that API Gateway IDs are hard to guess, but Awseye says hello.
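To make the point concrete, here is an added example (not Eduard's code and not an AWS tool) that audits a private REST API resource policy offline and flags Allow statements that any caller on the AWS network, i.e. any AWS account, could satisfy. The sample policies and the `vpce-PLACEHOLDER` endpoint id are constructed for illustration.

```python
# Condition keys that pin a caller to a VPC, VPC endpoint, account or org.
SCOPING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:principalaccount",
                "aws:principalorgid", "aws:principalarn"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _scoping_keys(stmt):
    """Condition keys in a statement (lower-cased) that scope the caller."""
    keys = {k.lower() for block in (stmt.get("Condition") or {}).values() for k in block}
    return keys & SCOPING_KEYS


def _wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_private_api_policy(policy):
    """Flag Allow statements in a private REST API resource policy that any
    caller on the AWS network, i.e. any AWS account, could satisfy."""
    statements = _as_list(policy.get("Statement", []))
    # AWS's documented pattern is Allow * plus a Deny that fires unless the call
    # arrives through an approved VPC endpoint; treat such a Deny as scoping.
    deny_scoped = any(s.get("Effect") == "Deny" and _scoping_keys(s) for s in statements)
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if not _scoping_keys(stmt) and not deny_scoped:
            findings.append(f"statement {idx}: Principal '*' with no aws:SourceVpc, "
                            "aws:SourceVpce or account/org scoping")
    return findings


# Constructed sample policies (not from the article); the VPC endpoint id is a placeholder.
INVOKE = {"Action": "execute-api:Invoke", "Resource": "execute-api:/*", "Principal": "*"}
PERMISSIVE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", **INVOKE}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", **INVOKE},
    {"Effect": "Deny", **INVOKE,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
]}

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_private_api_policy(pol) or ["no findings"])
```

Feed it the output of `aws apigateway get-rest-api --query policy` (after JSON-decoding the escaped string) for each API whose endpoint type is PRIVATE.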
- Cloud Threats on the Rise: Alert Trends Show Intensified Attacker Focus on IAM, Exfiltration by Nathaniel Quist
As Kat Traxler has pointed out, we need to consume cloud trend reports with a grain of salt. That's true here too, since it relies on data from Palo's slice of internet visibility. However, Nathaniel doesn't just lean on big stats like "116% rise in impossible travel alerts relating to cloud identities" to carry the report. He describes important alerts we should all implement and connects them to real-world threat actor activity.
- IaC Ownership — Tag-based Approach by Dan Abramov
If you want to operationalize automation in AWS or any other cloud, you need to be able to send work to the right place. Unless you're running a tiny environment, that's not as easy as it sounds. This article explores how Dan scraped together tooling to get Terraform to auto-tag identities with information about what and who created them. I'd love to see Dan publish the code he used, but it's still interesting as a guide to one viable approach to attribution.
Bonusii:
🥗 AWS security blogs
- 📣 AWS IAM Identity Center is now available in the Asia Pacific (Malaysia) AWS Region
- 📣 Amazon Security Lake now supports Internet Protocol Version 6 (IPv6)
- 📣 Amazon Security Lake achieves FedRAMP High and Moderate authorization
- 📣 AWS CDK L2 Construct for Amazon Cognito Identity Pools now generally available
- 📣 IAM Identity Center extends sessions and TIP management capabilities for customers with Microsoft AD
- 📣 AWS Resource Access Manager (RAM) now supports Internet Protocol Version 6 (IPv6)
- Achieving CIS Compliance for Amazon EC2 Instances with GYTPOL by Stefan Schneider
- How to Optimize AWS Cost Intelligence and Security Compliance with Kalos by Stratus10 by Sujit Singh
- Tubi smashes the Super Bowl live stream record by teaming up with AWS by Alex Dunn
- Hosting regulated U.S. State and Local Government Workloads in AWS by Vignesh Srinivasan
- AWS achieves Cloud Security Assurance Program (CSAP) low-tier certification in AWS Seoul Region by Seulun Sung
- Planning for your IAM Roles Anywhere deployment by Liam Wadman
🍛 Reddit threads on r/aws
- I have a website hosted on S3 behind a CloudFront distribution
- Is AWS inspector or AWS Security hub a SIEM tool?
- Logging and monitoring best practices - AWS
- Can't enable billing access for non-root users
- Storing many private keys, how?
- What is the salary difference between AWS Security Officer and Security Specialist in AWS Personnel Security team (Australia)?
- AWS WACL blocking RDP access
- Cloudfront VPC origins - ALB
💸 Sponsor shoutout
Plerion is building an AI cloud security engineer that works like another member of your team.
Want to be a design partner? Let's do it together!
🤖 Dessert
Dessert is made by robots, for those that enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
- Amazon EventBridge
- Agents for Amazon Bedrock
- Amazon Chime SDK Voice
- MailManager
- Amazon Route 53
- Amazon SageMaker Service
- Amazon Simple Email Service
- Amazon Transcribe Service
- Amazon CloudWatch Application Signals
- AWS CodeBuild
- Amazon Lex Model Building V2
- AWS Elemental MediaLive
- AWS Clean Rooms Service
- Amazon SageMaker Service
- Amazon Bedrock Runtime
- AWSDeadlineCloud
- Amazon Elastic Compute Cloud
- Amazon Elastic Kubernetes Service
- AWS Outposts
- AWS S3 Control
- AWS Transfer Family
🍹 IAM managed policy changes
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities
- No new CVEs.