
May 12, 2025
Palate Cleanser
Hello weary cloud warriors,
Now that all the conference excitement is definitely over for the year, we can all relax and play a nice round of The Cloud Hunting Games. The goal of this CTF is to identify the steps taken by the attacker and trace them back to the initial access point.
And if you still have time after that, I would really appreciate it if you could share this issue with one colleague who hasn't seen ASD before. AWS security is my passion, but I can't do it without your support.
<3
Your secret nerd crush, DG.
Chef's selections
- EKS vs. GKE: Security by Jason Umiker
Some people like to inflict pain on themselves by using Kubernetes. Jason likes a special kind of pain: doing it across multiple cloud providers' managed services. This post is great if you are trying to decide between AWS' Elastic Kubernetes Service (EKS) and GCP's Google Kubernetes Engine (GKE), but even better if you are trying to translate your existing security knowledge from one platform to the other.
- PEP and PDP for Secure Authorization with AVP and ABAC by Jimmy Dahlqvist
You may not know you need this post, and the previous two installments (parts 1 and 2), because there are too many damn acronyms. So allow me to translate from Jimmy to English.
- PEP = Policy Enforcement Point
- PDP = Policy Decision Point
- AVP = Amazon Verified Permissions
- ABAC = Attribute-Based Access Control
So basically, if you have a system with complex authorization requirements that you want to implement in a standard and repeatable way, this might be an option for you. Note: much brainpower is required.
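To make the acronym soup concrete, here is a minimal sketch of the PEP/PDP split with attribute-based decisions. It is an added illustration, not code from Jimmy's posts and not the Amazon Verified Permissions API: the `Policy` shape, the `is_authorized` method, the decorator-style PEP and the medical-record attributes are all assumptions constructed for the example. The decision rules (default deny, an explicit forbid beats any permit) follow the evaluation semantics of Cedar, the policy language AVP uses, but the evaluator itself is a toy.

```python
"""Toy PEP/PDP split with ABAC decisions (illustrative; not the AVP SDK)."""
from dataclasses import dataclass
from functools import wraps
from typing import Any, Callable, Dict, Iterable, List, Optional

Attrs = Dict[str, Any]
# A condition is a predicate over (principal attrs, resource attrs, context attrs).
Condition = Callable[[Attrs, Attrs, Attrs], bool]


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str          # "permit" or "forbid"
    actions: frozenset   # actions this policy applies to
    when: Condition      # attribute predicate (the ABAC part)


class PolicyDecisionPoint:
    """PDP: the only component that reads policies and decides. Default deny;
    any matching 'forbid' wins over any number of matching 'permit's."""

    def __init__(self, policies: Iterable[Policy]) -> None:
        self.policies: List[Policy] = list(policies)

    def is_authorized(self, principal: Attrs, action: str, resource: Attrs,
                      context: Optional[Attrs] = None) -> bool:
        context = context or {}
        permitted = False
        for policy in self.policies:
            if action not in policy.actions or not policy.when(principal, resource, context):
                continue
            if policy.effect == "forbid":
                return False          # explicit forbid overrides everything
            permitted = True
        return permitted              # nothing permitted it -> deny


class PolicyEnforcementPoint:
    """PEP: sits in the request path, asks the PDP, and enforces the answer.
    It contains no authorization logic of its own."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def guard(self, action: str):
        def decorator(handler):
            @wraps(handler)
            def wrapper(principal: Attrs, resource: Attrs, context: Optional[Attrs] = None):
                if not self.pdp.is_authorized(principal, action, resource, context):
                    raise PermissionError(f"{principal.get('id')} may not {action} {resource.get('id')}")
                return handler(principal, resource, context=context)
            return wrapper
        return decorator


# Constructed policy set (assumption for the example): a patient may view their own
# record; a clinician may view/edit records in their own department; nobody edits
# archived records; edits require an MFA-verified session (environment attribute).
POLICIES = [
    Policy("owner-can-view", "permit", frozenset({"view_record"}),
           lambda p, r, c: p.get("id") == r.get("owner")),
    Policy("clinician-same-department", "permit", frozenset({"view_record", "edit_record"}),
           lambda p, r, c: p.get("role") == "clinician" and p.get("department") == r.get("department")),
    Policy("no-edits-to-archived", "forbid", frozenset({"edit_record"}),
           lambda p, r, c: r.get("status") == "archived"),
    Policy("edits-require-mfa", "forbid", frozenset({"edit_record"}),
           lambda p, r, c: not c.get("mfa", False)),
]

# Constructed sample principals and resources.
ALICE = {"id": "alice", "role": "patient"}
DR_BOB = {"id": "bob", "role": "clinician", "department": "cardiology"}
DR_EVE = {"id": "eve", "role": "clinician", "department": "oncology"}
RECORD = {"id": "rec-1", "owner": "alice", "department": "cardiology", "status": "active"}
ARCHIVED = {"id": "rec-2", "owner": "alice", "department": "cardiology", "status": "archived"}

pdp = PolicyDecisionPoint(POLICIES)
pep = PolicyEnforcementPoint(pdp)


@pep.guard("view_record")
def view_record(principal: Attrs, resource: Attrs, context: Optional[Attrs] = None) -> str:
    return f"{resource['id']} shown to {principal['id']}"


@pep.guard("edit_record")
def edit_record(principal: Attrs, resource: Attrs, context: Optional[Attrs] = None) -> str:
    return f"{resource['id']} edited by {principal['id']}"


if __name__ == "__main__":
    print(view_record(ALICE, RECORD))
    print(edit_record(DR_BOB, RECORD, context={"mfa": True}))
    for who, rec, ctx in ((DR_EVE, RECORD, {"mfa": True}), (DR_BOB, ARCHIVED, {"mfa": True}), (DR_BOB, RECORD, None)):
        try:
            edit_record(who, rec, context=ctx)
        except PermissionError as exc:
            print("denied:", exc)
```

The point of the split is that the handlers (the PEP side) never grow `if role == ...` branches; every rule lives in the PDP's policy set, so changing who may do what means editing policies, not application code, which is what "standard and repeatable" buys you.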
- What Analyzing Hundreds of Thousands of Cloud Environments Taught Us About Data Exposure by Wiz
Some light reading to finish. It isn't Wiz's best or most comprehensive work, but it still has some interesting nuggets. For example, "72% of cloud environments have publicly exposed PaaS databases that lack sufficient access controls." I wonder if buckets that host websites are included in that list and blow out the numbers? [Wiz has reached out and said they aren't] Anyway, enjoy the stats if you want to show your boss that your cloud environment isn't THAT bad, relatively speaking.
Bonusii:
AWS security blogs
- AWS Security Incident Response is now available in three additional AWS Regions
- AWS Shield Advanced is now available in AWS Asia Pacific (Thailand) and AWS Mexico (Central) regions
- Amazon Verified Permissions now supports policy store tagging
- AWS WAF is expanding the availability of its enhanced rate-based rules feature across multiple regions
- Prevent Secret Sprawl with HCP Vault Radar by ngumina
- Ingest and Enrich Security Findings Delivered by Amazon EventBridge with Dynatrace by Shashiraj Jeripotula
- Building your first AWS WAF web ACL to protect against evolving threats by Jonathan Woods
- Security best practices that accelerate nonprofit mission impact by David Marsh
- How to manage migration of hsm1.medium CloudHSM clusters to hsm2m.medium by Roshith Alankandy
- AWS expands Spain's ENS High certification across 174 services by Daniel Fuertes
- AWS renews its AAA Pinakes rating for the Spanish financial sector by Daniel Fuertes
- Introducing the AWS User Guide to Governance, Risk and Compliance for Responsible AI Adoption within Financial Services Industries by Krish De
- Introducing the AWS Zero Trust Accelerator for Government by Derek Doerr
Reddit threads on r/aws
- How would you ensure AWS CloudShell was only used on network isolated laptop?
- Security Hub finding "S3 general purpose buckets should block public access"...false positive?
- AWS Guard Duty Explanation
- How do you keep track of which AWS Network Firewall rules are being used and what is your workflow to update them?
Sponsor shoutout
Pleri is your AI-powered teammate built to boost your cloud security team: faster reactions, smarter actions, no extra headcount. Meet Pleri and see her in action.
Dessert
Dessert is made by robots, for those who enjoy the industrial content.
IAM permission changes
API changes
IAM managed policy changes
- AuroraDsqlServiceLinkedRolePolicy
- AmazonEKSDashboardServiceRolePolicy
- AWSMarketplaceFullAccess
- AWSMarketplaceRead-only
- AWSDataSyncFullAccess
- AWSWAFConsoleFullAccess
- AWSWAFConsoleReadOnlyAccess
- AWSWAFFullAccess
- AWSWAFReadOnlyAccess
- SecurityAudit
- ROSANodePoolManagementPolicy
- AWSQuickSetupSSMDeploymentRolePolicy