🥖 Palette Cleanser

G'day mate,

RSA, the comically large security trade show and conference just wrapped up in SF. Security folks are coming home tired from all the "work". I've heard some crazy stories about the level of "investment" at the show. Celebs everywhere, monster giveaways. At least 24 security companies got funded in the week leading up to RSA, some with nothing more than a pitch deck. No doubt even more during and after, see the awesome Security, Funded newsletter.

Speaking of monies. This is a reminder that if you run an open source security project that could benefit from some sweet AWS credits, you might be able to score some credits for free. AWS has a program to do just that. The downside is you need to download and submit an Excel spreadsheet application to awsopensourcecredits@amazon.com.

The last round of tickets for fwd:cloudsec North America will go on sale May 6 at 9:59am Denver time. Don't miss out. It's the best cloudsec con out there.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Shadow Roles: AWS Defaults Can Open the Door to Service Takeover by Yakir Kadkoda, Ofek Itach

  AWS services and popular open source tools often create IAM roles automatically. Those roles sometimes have unnecessarily broad permissions, like S3 full access, which can be leveraged to do nasty things. AWS has updated those default permissions to make them better, but it's worth understanding the bad patterns here.

• TrailAlerts: Take Control of Cloud Detection in AWS by Adan Álvarez Vilchez

  Adan hits us with his new open source cloud detection tool, TrailAlerts. It might be a good candidate for those sweet AWS credits. Adan runs TrailDiscover, so he's in a good position to know what good signal looks like when it comes to cloud breaches. There are other open source alternatives, but Adan's pretty YAML rules and serverless architecture make it worth a look if you want something that's easy to operate.

• Encryption in Amazon Redshift, Secure Defaults, and How to Shiftily Create Unencrypted Redshift Clusters by Jason Kao

  Redshift is Amazon's petabyte-scale data warehouse service. AWS made some claims about how Redshift encryption works in both the management console UI and in documentation. Jason found clever ways to demonstrate those claims were false, making ransomware an annoying possibility. I don't see this as a huge deal, but it is important that users be able to rely on documentation to support our security assumptions. Otherwise, all of us will have to test everything like Jason does—and most of us aren't obsessed with encryption like he is.

Bonusii:

• AWS Built a Security Tool. It Introduced a Security Risk.
• Cloud Attack Emulation: Leveraging the Attacker’s Advantage for Effective Defense

🥗 AWS security blogs

• 📣 Resource control policies (RCPs) are now available in the AWS GovCloud (US) Regions
• 📣 AWS WAF Targeted Bot Control and Fraud Control is now available in two additional regions
• 📣 Amazon Cognito adds enhanced context support for machine-to-machine (M2M) authorization flows
• 📣 Automated HTTP validated public certificates with Amazon CloudFront
• Introducing Just-in-time node access using AWS Systems Manager by Chetan Makvana
• Reduce your operational overhead today with Amazon CloudFront SaaS Manager by Veliswa Boya
• How to strengthen Cloud Security with Pulumi ESC and AWS Secrets Manager by Marina Novikova
• Best practices for least privilege configuration in Amazon MWAA by Elizabeth Davis
• Combining Snyk’s Insight with Amazon Q Developer’s Assistance to Streamline Secure Development by Omar Faruk
• Integrate AI-powered coding assistance in secure environments using Continue and Amazon Bedrock by Keith Boaman
• Get started quickly with Wickr Enterprise Embedded Cluster by Troy Barker
• Use an Amazon Bedrock powered chatbot with Amazon Security Lake to help investigate incidents by Madhunika Reddy Mikkili
• How to use AWS Transfer Family and GuardDuty for malware protection by James Abbott

🍛 Reddit threads on r/aws

• Shadow Roles: AWS Defaults Can Open the Door to Service Takeover
• Easiest way to get OIDC Id token
• SNS signature verification - flaw in documentation
• Best Practices for Testing Data Loss Prevention (DLP) Controls on AWS S3 Buckets
• AWS without a phone number

💸 Sponsor shoutout

Pleri is your AI-powered teammate built to boost your cloud security team — faster reactions, smarter actions, no extra headcount. Meet Pleri and see her in action.

🧁 IAM permission changes

• sts
• route53resolver
• deadline
• ssm-guiconnect
• ssm
• kinesis
• ec2
• dsql
• payment-cryptography
• dms
• q
• imagebuilder
• s3express
• opensearch
• cloudfront
• bedrock

🍪 API changes

• Data Automation for Amazon Bedrock
• Amazon Connect Service
• Amazon SageMaker Service
• Amazon Verified Permissions
• Agents for Amazon Bedrock Runtime
• Agents for Amazon Bedrock
• Amazon Bedrock
• AWS Clean Rooms Service
• AWSDeadlineCloud
• Amazon Elastic Compute Cloud
• Amazon CloudWatch Logs
• MailManager
• Amazon Connect Cases
• Amazon Kinesis
• Amazon Pinpoint SMS Voice V2
• QBusiness
• Amazon SageMaker Service
• AWS SSM
• Amazon Simple Systems Manager (SSM)
• AWS Certificate Manager
• Amazon CloudFront
• EC2 Image Builder

🍹 IAM managed policy changes

• AmazonQFullAccess
• AmazonCloudWatchRUMReadOnlyAccess
• AWSDeadlineCloud-WorkerHost
• PowerUserAccess
• AmazonInspector2ServiceRolePolicy
• CloudWatchNetworkFlowMonitorServiceRolePolicy
• SageMakerStudioProjectUserRolePolicy
• CloudFrontReadOnlyAccess
• CloudFrontFullAccess

☕ CloudFormation resource changes

• AWS::Kinesis::StreamConsumer
• AWS::SSMGuiConnect::Preferences
• AWS::CloudFront::Distribution
• AWS::CloudFront::ConnectionGroup
• AWS::CloudFront::DistributionTenant

🎮 Amazon Linux vulnerabilities

• CVE-2025-4056
• CVE-2025-47153
• CVE-2025-23244
• CVE-2025-4086
• CVE-2025-4092
• CVE-2025-4084
• CVE-2025-4093
• CVE-2025-4082
• CVE-2025-4083
• CVE-2025-4090
• CVE-2025-3891
• CVE-2025-4085
• CVE-2025-2817
• CVE-2025-4088
• CVE-2025-4087
• CVE-2025-4089
• CVE-2025-4091
• CVE-2025-4035
• CVE-2025-22235
• CVE-2025-31650
• CVE-2025-31651
• CVE-2025-43857

📺 AWS security bulletins

No bulletins this week.