
April 28, 2025
Palate Cleanser
Welcome back, cloud security nerds, to another episode of your favorite AWS Security newsletter.
The whole point of this cloud security stuff is to prevent us and our employers from getting pwned, and if we do get pwned, to make it less bad. So each year many of us eagerly await the Verizon Data Breach Investigations Report for real-world data on actual breaches. The wait is over for 2025.
If you are still running vendor security appliances in the cloud, this quote should really scare you: "The exploitation of vulnerabilities has seen another year of growth as an initial access vector for breaches, reaching 20%. This value approaches that of credential abuse, which is still the most common vector. This was an increase of 34% in relation to last year's report and was supported, in part, by zero-day exploits targeting edge devices and virtual private networks (VPNs). The percentage of edge devices and VPNs as a target on our exploitation of vulnerabilities action was 22%, and it grew almost eight-fold from the 3% found in last year's report."
Finally, this is not a political podcast. Probably because it isn't a podcast and I don't have the energy for politics. I have to admit, Chris Farris slapped me around a little this week with his very thought-provoking post on threat modelling cloud service providers in an era where we can no longer take for granted that the US government is a benevolent and consistent actor. Forget the names and labels that may trigger tribal reactions and consider: does your organization need to manage new risks in the cloud?
Enjoy the virtual food <3
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
Chef's selections
- Simulating, Detecting and Responding to S3 Ransomware Attacks by Raphael Bottino
Raphael has written an open source S3 Ransomware Simulator. He believes that you should be able to programmatically validate whether your own environment is susceptible to this kind of attack, and test your detection and response capabilities. I concur, doctor. The article goes through what the tool does and how to prevent, detect, and respond to such an attack.
- Secret Enumeration in Elastic Beanstalk by Tyler Ramsbey
Amazon gleefully claims, "With Elastic Beanstalk you can quickly deploy and manage applications in the AWS Cloud without having to learn about the infrastructure that runs those applications." But it's probably better to learn, before deploying applications on AWS, that putting API keys and other secrets in configuration and code is not optimal. Tyler describes how he hacked a target on a recent pen test and then turned his work into a Pacu module anyone can use.
- Secure Cross-Account Access is Tricky. Four Common Dangerous Misconceptions by Eliav Livneh
We all accept that role assumption and cross-account access are a better model than leaving access keys lying around everywhere. Yet as Eliav points out, there is still lots to misunderstand and screw up.
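Raphael's piece is about being able to test your S3 ransomware detections. The script below is an added example for this issue, not code from his simulator or from the article: it runs a simple detection over CloudTrail-style S3 data events, flagging any identity that issues a burst of deletes or SSE-C re-uploads against one bucket. The records are constructed, the identity ARNs and bucket name are made up, and the `additionalEventData.SSEApplied == "SSE_C"` field value is an assumption you should verify against your own CloudTrail logs before relying on it.

```python
"""Flag ransomware-like S3 activity in CloudTrail data events.

Added example for AWS Security Digest, not part of Raphael Bottino's simulator.
Heuristic: one identity performing many destructive operations (DeleteObject,
DeleteObjects, or PutObject with customer-provided keys, i.e. SSE-C) against
one bucket inside a short time window. Sample events are constructed; the
SSEApplied value "SSE_C" is an assumption to check against real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE = {"DeleteObject", "DeleteObjects"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _is_ssec_put(ev):
    # SSE-C: AWS never stores the key, so an attacker who re-uploads objects
    # this way can hold the data hostage even though it is still "in the bucket".
    extra = ev.get("additionalEventData", {})
    return ev["eventName"] == "PutObject" and extra.get("SSEApplied") == "SSE_C"


def find_suspects(events, window=timedelta(minutes=5), threshold=20):
    """Return {(identity_arn, bucket): peak_count} for every identity whose
    destructive/SSE-C operations on one bucket reach `threshold` within `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev["eventName"] not in DESTRUCTIVE and not _is_ssec_put(ev):
            continue
        key = (ev["userIdentity"]["arn"], ev["requestParameters"]["bucketName"])
        by_actor[key].append(_ts(ev["eventTime"]))

    suspects = {}
    for key, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            suspects[key] = peak
    return suspects


def sample_events():
    """Constructed CloudTrail-style records (not real logs)."""
    base = datetime(2025, 4, 20, 10, 0, 0)
    attacker = "arn:aws:sts::111122223333:assumed-role/ci-deploy/leaked-session"
    admin = "arn:aws:iam::111122223333:user/alice"

    def rec(arn, name, bucket, t, extra=None):
        ev = {"eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
              "eventSource": "s3.amazonaws.com", "eventName": name,
              "userIdentity": {"arn": arn},
              "requestParameters": {"bucketName": bucket}}
        if extra:
            ev["additionalEventData"] = extra
        return ev

    evs = []
    # Attacker: 25 SSE-C re-uploads, then 25 deletes of the originals, all within ~3 minutes.
    for i in range(25):
        evs.append(rec(attacker, "PutObject", "prod-data",
                       base + timedelta(seconds=3 * i), {"SSEApplied": "SSE_C"}))
        evs.append(rec(attacker, "DeleteObject", "prod-data",
                       base + timedelta(seconds=3 * i + 90)))
    # Alice: routine cleanup, 10 deletes spread across a working day, plus a normal KMS upload.
    for i in range(10):
        evs.append(rec(admin, "DeleteObject", "prod-data", base + timedelta(minutes=45 * i)))
    evs.append(rec(admin, "PutObject", "prod-data", base, {"SSEApplied": "SSE_KMS"}))
    return evs


if __name__ == "__main__":
    for (arn, bucket), n in find_suspects(sample_events()).items():
        print(f"SUSPECT {arn} on s3://{bucket}: {n} destructive ops inside 5 min")
```

Tune `window` and `threshold` to your own bucket's normal churn; a simulator like Raphael's is exactly what you would use to confirm that the thresholds fire on the attack and stay quiet on the backup job.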
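Tyler's finding is that Elastic Beanstalk environment variables live in the environment's configuration settings, where anyone allowed to call `DescribeConfigurationSettings` can read them. The following is an added example for this issue, not Tyler's Pacu module: it takes the `OptionSettings` list that API returns, keeps the `aws:elasticbeanstalk:application:environment` namespace, and scores each variable by name, by known credential shapes and by entropy. The sample settings are constructed; the key names and values in them are made up, and the `fetch_option_settings` helper (which needs boto3 and credentials) is only called if you invoke it yourself.

```python
"""Scan Elastic Beanstalk environment configuration for exposed secrets.

Added example for AWS Security Digest, not Tyler Ramsbey's Pacu module.
Elastic Beanstalk stores application environment variables as option settings
in the "aws:elasticbeanstalk:application:environment" namespace, readable by
any principal allowed elasticbeanstalk:DescribeConfigurationSettings.
SAMPLE_OPTION_SETTINGS is constructed test data.
"""
import math
import re

ENV_NAMESPACE = "aws:elasticbeanstalk:application:environment"

# Variable names that usually carry credentials.
SUSPECT_NAME = re.compile(
    r"(secret|token|passw(or)?d|api[_-]?key|private[_-]?key|access[_-]?key)", re.I)

# Well-known credential shapes: AWS access key IDs, GitHub tokens, JWTs.
SUSPECT_VALUE = [
    ("aws_access_key_id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")),
]


def shannon_entropy(s):
    """Bits per character; random-looking strings score high (max log2(alphabet))."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def classify(name, value):
    """Return the reasons a setting looks like a secret (empty list if it looks clean)."""
    reasons = [label for label, rx in SUSPECT_VALUE if rx.search(value)]
    if SUSPECT_NAME.search(name):
        reasons.append("name")
    if len(value) >= 20 and " " not in value and shannon_entropy(value) > 3.5:
        reasons.append("high_entropy")
    return reasons


def find_secrets(option_settings):
    """Filter DescribeConfigurationSettings OptionSettings down to likely secrets."""
    hits = []
    for opt in option_settings:
        if opt.get("Namespace") != ENV_NAMESPACE:
            continue
        reasons = classify(opt["OptionName"], str(opt.get("Value", "")))
        if reasons:
            hits.append({"name": opt["OptionName"], "value": opt["Value"], "reasons": reasons})
    return hits


def fetch_option_settings(application, environment, session=None):
    """Live variant: pulls OptionSettings with boto3 (needs credentials; not run here)."""
    import boto3
    client = (session or boto3).client("elasticbeanstalk")
    resp = client.describe_configuration_settings(
        ApplicationName=application, EnvironmentName=environment)
    return [o for cs in resp["ConfigurationSettings"] for o in cs["OptionSettings"]]


SAMPLE_OPTION_SETTINGS = [  # constructed, not from any real environment
    {"Namespace": ENV_NAMESPACE, "OptionName": "NODE_ENV", "Value": "production"},
    {"Namespace": ENV_NAMESPACE, "OptionName": "DB_PASSWORD", "Value": "Winter2025!"},
    {"Namespace": ENV_NAMESPACE, "OptionName": "UPSTREAM_KEY", "Value": "AKIAIOSFODNN7EXAMPLE"},
    {"Namespace": ENV_NAMESPACE, "OptionName": "GITHUB",
     "Value": "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"},
    {"Namespace": "aws:autoscaling:launchconfiguration",
     "OptionName": "IamInstanceProfile", "Value": "aws-elasticbeanstalk-ec2-role"},
]

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_OPTION_SETTINGS):
        print(f"{hit['name']}: {', '.join(hit['reasons'])}")
```

The defensive takeaway is the same as Tyler's: anything in these option settings is one `Describe*` call away from every principal with that permission, so put secrets in Secrets Manager or Parameter Store and give the application's instance profile the permission to read them at runtime instead.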
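Eliav's point is that role trust policies are easy to get subtly wrong. As an added example for this issue (my own linter, not Eliav's post and not necessarily his four misconceptions), the script below checks a trust policy for three widely known pitfalls: a wildcard principal whose `Condition` does not actually pin the caller, an `arn:aws:iam::<account>:root` principal (which delegates to every principal that account chooses to allow, not only its root user), and a foreign-account principal with neither an `sts:ExternalId` nor an `aws:PrincipalOrgID` condition. The sample policies, the account IDs and the org ID are all constructed.

```python
"""Lint IAM role trust policies for common cross-account mistakes.

Added example for AWS Security Digest; a generic checker, not Eliav Livneh's
list. Account IDs, the org ID and the sample policies are constructed.
"""
import re

HOME_ACCOUNT = "111122223333"  # assumption: the account that owns the role
ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")
ACCOUNT_IN_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")
PINNING_KEYS = ("aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn")


def _aws_principals(stmt):
    """Normalise Principal to a list of AWS principal strings ('*' for wildcard)."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    v = p.get("AWS", [])
    return [v] if isinstance(v, str) else list(v)


def _has_condition(stmt, key):
    # Condition is {operator: {conditionKey: value}}; look under every operator.
    return any(key in keys for keys in stmt.get("Condition", {}).values())


def lint_trust_policy(policy, home_account=HOME_ACCOUNT):
    """Return (statement_index, severity, message) for each suspicious statement."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        pinned = any(_has_condition(stmt, k) for k in PINNING_KEYS)
        for principal in _aws_principals(stmt):
            if principal == "*":
                if not stmt.get("Condition"):
                    findings.append((i, "high",
                        "wildcard principal with no Condition: any AWS account can assume this role"))
                elif not pinned:
                    findings.append((i, "high",
                        "wildcard principal: Condition does not pin the caller's org, account or ARN"))
                continue
            m = ACCOUNT_IN_ARN.match(principal)
            if not m or m.group(1) == home_account:
                continue  # service principals and same-account principals are out of scope
            if ROOT_ARN.match(principal):
                findings.append((i, "info",
                    f"{principal} trusts every principal account {m.group(1)} chooses to allow, "
                    "not only its root user"))
            if not (_has_condition(stmt, "sts:ExternalId") or _has_condition(stmt, "aws:PrincipalOrgID")):
                findings.append((i, "medium",
                    f"cross-account principal {principal} has no sts:ExternalId or "
                    "aws:PrincipalOrgID condition (confused-deputy risk)"))
    return findings


# Constructed sample trust policies.
OPEN_TO_WORLD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

VENDOR_NO_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": "sts:AssumeRole"}]}

VENDOR_WITH_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "c0ffee-not-a-secret"}}}]}

ORG_PINNED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

if __name__ == "__main__":
    for name, pol in [("open", OPEN_TO_WORLD), ("vendor-no-extid", VENDOR_NO_EXTERNAL_ID),
                      ("vendor-extid", VENDOR_WITH_EXTERNAL_ID), ("org", ORG_PINNED)]:
        for idx, sev, msg in lint_trust_policy(pol):
            print(f"[{sev}] {name} statement {idx}: {msg}")
```

Note the `info` finding stays even when an ExternalId is present: ExternalId protects against the confused-deputy case, it is not a password, and trusting `:root` still means the other account decides who on its side may use your role.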
AWS security blogs
- Amazon Cognito now supports refresh token rotation
- Simplifying Cloud Governance and Regulatory Compliance with ServiceNow and AWS by Sunil Bemarkar
- SecurityScorecard and AWS Fast Track Supply Chain Risk Management by Dylan Souvage
- How to achieve both data privacy and utility on AWS with DataMasque by Chamandeep Singh
- Protect sensitive data in RAG applications with Amazon Bedrock by Praveen Chamarthi
- How to import existing AWS Organizations SCPs and RCPs to CloudFormation by Swara Gandhi
- AWS empowers global security culture at Wicked6 Cyber Games by Anne Grahn
Reddit threads on r/aws
Sponsor shoutout
Pleri is your AI-powered teammate built to boost your cloud security team: faster reactions, smarter actions, no extra headcount. Meet Pleri and see her in action.
Dessert
Dessert is made by robots, for those that enjoy the industrial content.
IAM permission changes
API changes
- Amazon Bedrock Runtime
- AWS App Runner
- AWS AppSync
- Data Automation for Amazon Bedrock
- Amazon Relational Database Service
- AWS CodeBuild
- Amazon EC2 Container Service
- AWS Account
- Amazon Cognito Identity Provider
- Amazon Elastic Compute Cloud
- AWS EntityResolution
- AmazonMQ
- Redshift Serverless
- AWS Budgets
- AWS MediaTailor
- QBusiness
IAM managed policy changes
- AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy
- AWSDataSyncFullAccess
- SageMakerStudioProjectProvisioningRolePolicy
- AWSQuickSetupManageJITNAResourcesExecutionPolicy
- AWSOrganizationsFullAccess
- AWSSystemsManagerJustInTimeAccessServicePolicy
CloudFormation resource changes
- No resource updates this week.