Monday, May 05, 2025

🥖 Palate Cleanser

G'day mate,

RSA, the comically large security trade show and conference, just wrapped up in SF. Security folks are coming home tired from all the "work". I've heard some crazy stories about the level of "investment" at the show: celebs everywhere, monster giveaways. At least 24 security companies got funded in the week leading up to RSA, some with nothing more than a pitch deck. No doubt even more were funded during and after; see the awesome Security, Funded newsletter.

Speaking of monies. This is a reminder that if you run an open source security project that could benefit from some sweet AWS credits, you might be able to score some credits for free. AWS has a program to do just that. The downside is you need to download and submit an Excel spreadsheet application to awsopensourcecredits@amazon.com.

The last round of tickets for fwd:cloudsec North America will go on sale May 6 at 9:59am Denver time. Don't miss out. It's the best cloudsec con out there.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • Shadow Roles: AWS Defaults Can Open the Door to Service Takeover by Yakir Kadkoda, Ofek Itach

    AWS services and popular open source tools often create IAM roles automatically. Those roles sometimes carry unnecessarily broad permissions, like S3 full access, which can be leveraged to do nasty things. AWS has since tightened those default permissions, but it's worth understanding the bad patterns here.

  • TrailAlerts: Take Control of Cloud Detection in AWS by Adan Álvarez Vilchez

    Adan hits us with his new open source cloud detection tool, TrailAlerts. It might be a good candidate for those sweet AWS credits. Adan runs TrailDiscover, so he's in a good position to know what good signal looks like when it comes to cloud breaches. There are other open source alternatives, but Adan's pretty YAML rules and serverless architecture make it worth a look if you want something that's easy to operate.

  • Encryption in Amazon Redshift, Secure Defaults, and How to Shiftily Create Unencrypted Redshift Clusters by Jason Kao

    Redshift is Amazon's petabyte-scale data warehouse service. AWS made some claims about how Redshift encryption works in both the management console UI and in documentation. Jason found clever ways to demonstrate those claims were false, making ransomware an annoying possibility. I don't see this as a huge deal, but it is important that users be able to rely on documentation to support our security assumptions. Otherwise, all of us will have to test everything like Jason does—and most of us aren't obsessed with encryption like he is.

Bonusii:

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout

Pleri is your AI-powered teammate built to boost your cloud security team — faster reactions, smarter actions, no extra headcount. Meet Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those who enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

    No bulletins this week.
