
May 19, 2025
🥖 Palette Cleanser
Hello there, gossip enjoyer. It's been another eventful week in the clouds.
AWS itself had some ups and downs. 👍 Law enforcement seized nine DDoS-for-hire websites, with assistance from Akamai, Amazon Web Services, Cloudflare and DigitalOcean, among others. 👎 AWS sent a batch of account-suspension warning emails claiming accounts “may have been inappropriately accessed by a third-party”, then followed through and suspended accounts, taking some businesses offline. It’s not clear why this happened, but there were many flustered Reddit posters, some of whom got responses like “the service team confirmed that your account is not at risk of compromise (i.e., this was a false positive trigger)”. If anyone from AWS wants to comment, hit me up.
Also this week, Coinbase filed a disclosure with the SEC about a breach in which some customer data was accessed by their own support personnel. The video announcement by the CEO is a masterpiece in incident comms. The reason I include this story is that most of us work for businesses, we have to provide support to our users, and that is hard to do securely, even if you are Coinbase. Kane Narraway posted a short list of things you can do to reduce the risk of this happening to your business, and it should be mandatory reading.
Finally, if you’re tired of fixing vulnerabilities in Go container images, you might enjoy the near-zero-CVE base images Wiz published this week. If you are looking for other options, or want to compare them to official distribution images, take a look at the base-image vulnerability comparison site from James Berthoty.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
📋 Chef's selections
- Tales from the cloud trenches: The Attacker doth persist too much, methinks by Martin McCloskey
Another great AWS incident write-up from the threaty folks at Datadog. It's the usual start: an exposed AWS access key. But there's an unusual persistence method—an API Gateway and Lambda function with some SSO manipulation thrown in.
- Building Uber’s Multi-Cloud Secrets Management Platform to Enhance Security by Matt Mathew, Ludi Li, Chen Xi, Yiting Fan
Uber shared how they built a multi-cloud secrets platform to wrangle 150,000+ secrets across AWS, GCP, and more. It’s a great read for platform engineers or security folks struggling with scattered secrets and leaky tokens. They walk through the various requirements they had, and the challenges they faced. AWS users will especially appreciate the integration ideas with Secrets Manager and Kubernetes that keep everything tidy and automated.
- Cloud Pentesting or Just Scanning? Let’s Talk. by Sena Yakut
I've heard some pretty awful stories about people claiming to do cloud-penetration tests but instead just running network scans. So I made this video to bring a bit of awareness to the issue. Sena takes it a few steps further by sharing her thoughts on the difference, and some advice on how to do it right.
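The Datadog write-up in the first selection describes persistence through an API Gateway fronting a Lambda function, both created with an exposed access key. As an added example, not code from that write-up or from Datadog, here is a small CloudTrail triage script that pairs Lambda-creation and API Gateway-creation calls made by the same access key within a time window, which is the shape you would hunt for after a key leak. The sample records are constructed for this example (the function and API names, key IDs and addresses are made up); the eventName values (CreateFunction20150331, CreateRestApi and the others listed) are real CloudTrail names, and the loader accepts either a delivered log-file object or newline-delimited JSON as exported by many SIEM pipelines.

```python
import json
from datetime import datetime

# Constructed sample CloudTrail records for this example (not real logs).
# Key ...0001 creates a Lambda function and then an API Gateway REST API
# within two minutes; key ...0002 only deploys a Lambda, which is routine.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-12T03:14:07Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2025-05-12T03:16:41Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"functionName": "health-handler"}},
    {"eventTime": "2025-05-12T03:18:02Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "CreateRestApi", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"name": "health"}},
    {"eventTime": "2025-05-12T09:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunction20150331", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "userName": "release-bot",
                      "accessKeyId": "AKIAEXAMPLE000000002"},
     "requestParameters": {"functionName": "nightly-report"}},
]

# CloudTrail eventName values that stand up or rewire the two halves of the backdoor.
LAMBDA_CREATE = {"CreateFunction20150331", "UpdateFunctionCode20150331v2"}
APIGW_CREATE = {"CreateRestApi", "CreateApi", "CreateDeployment"}


def load_records(raw):
    """Accept a CloudTrail log-file object ({"Records": [...]}) or NDJSON text."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return [json.loads(line) for line in raw.splitlines() if line.strip()]
    if isinstance(doc, dict) and "Records" in doc:
        return doc["Records"]
    return doc if isinstance(doc, list) else [doc]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_lambda_apigw_persistence(events, window_seconds=3600):
    """One finding per access key that created both a Lambda function and an
    API Gateway API within window_seconds of each other.

    Grouping on accessKeyId rather than userName matters: a leaked long-lived
    key keeps working regardless of the user's other sessions, and the key is
    the exact credential you have to disable and rotate."""
    by_key = {}
    for ev in events:
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId")
        if not key:
            continue
        b = by_key.setdefault(key, {"user": ident.get("userName"), "ips": set(),
                                    "lambda": [], "apigw": []})
        b["ips"].add(ev.get("sourceIPAddress"))
        src, name = ev.get("eventSource"), ev.get("eventName")
        if src == "lambda.amazonaws.com" and name in LAMBDA_CREATE:
            b["lambda"].append(ev)
        elif src == "apigateway.amazonaws.com" and name in APIGW_CREATE:
            b["apigw"].append(ev)

    findings = []
    for key, b in by_key.items():
        pairs = [(lam, api) for lam in b["lambda"] for api in b["apigw"]
                 if abs((_ts(api) - _ts(lam)).total_seconds()) <= window_seconds]
        if pairs:
            lam, api = pairs[0]
            findings.append({
                "accessKeyId": key,
                "userName": b["user"],
                "sourceIPs": sorted(ip for ip in b["ips"] if ip),
                "lambdaEvent": f'{lam["eventName"]} {lam["eventTime"]}',
                "apigwEvent": f'{api["eventName"]} {api["eventTime"]}',
            })
    return findings


if __name__ == "__main__":
    for f in find_lambda_apigw_persistence(SAMPLE_EVENTS):
        print(json.dumps(f, indent=2))
```

Run it against a day of CloudTrail for the account and treat each finding as a key to disable first and investigate second; legitimate deploy pipelines will also trip it, so the useful next filter is whether the key's sourceIPAddress and userAgent match that pipeline's usual values, which is exactly the kind of context the write-up leans on.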
🥗 AWS security blogs
- 📣 AWS Config rules now available in additional AWS Regions
- 📣 Amazon Cognito now supports OIDC prompt parameter
- 📣 Amazon GuardDuty Malware Protection for EC2 now available in AWS GovCloud (US) Regions
- Key Governance, Risk, and Compliance Sessions at re:Inforce 2025 by Nereida Woo
- Securing Amazon S3 presigned URLs for serverless applications by Raaga N.G
- Audi & Reply: Scaling a GenAI multi-agent devbot from Pilot to Production-Ready by Michael Pawelke
- AWS machine learning supports Scuderia Ferrari HP pit stop analysis by Alessio Ludovici
- Securing Amazon Bedrock Agents: A guide to safeguarding against indirect prompt injections by Hina Chaudhry
- Build an intelligent community agent to revolutionize IT support with Amazon Q Business by Dylan Martin
- Introducing the AWS User Guide to Governance, Risk and Compliance for Responsible AI Adoption within Financial Services Industries by Krish De
- Protect against advanced DNS threats with Amazon Route 53 Resolver DNS Firewall by Lawton Pittenger
- AI lifecycle risk management: ISO/IEC 42001:2023 for AI governance by Abdul Javid
- Mapping AWS security services to MITRE frameworks for threat detection and mitigation by Pratima Singh
- Monitoring and optimizing the cost of the unused access analyzer in IAM Access Analyzer by Oscar Diaz
- Implementing safety guardrails for applications using Amazon SageMaker by Laura Verghote
- Understanding Amazon S3 client-side encryption options by Lior Sadan
🍛 Reddit threads on r/aws
- Is it dangerous to use presigned URLs for an image upload?
- FYI - It appears that Cloudfront (Viewer Request) Functions Execute Prior to WAF execution
- New startup, go with Cognito?
- The user should upload/see the objects, but can not download/get them from S3 bucket
- How to Easily Connect to AWS CodeCommit with Only Federated ADFS Access (No Access Keys)
- Do Nitro Enclaves still allow Python to be used?
- Account suspended no DNS so no email
- AWS hacked TWICE. Had remove card details after recovering the account the first time
- Hacked
💸 Sponsor shoutout
Pleri is your AI-powered teammate built to boost your cloud security team — faster reactions, smarter actions, no extra headcount. Meet Pleri and see her in action.
🤖 Dessert
Dessert is made by robots, for those who enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
- Runtime for Amazon Bedrock Data Automation
- Data Automation for Amazon Bedrock
- AWS CodePipeline
- Amazon EMR
- AWS Glue
- Amazon Neptune
- Service Quotas
- Agents for Amazon Bedrock
- AWS CodeBuild
- AWS Database Migration Service
- AWS Parallel Computing Service
- Amazon WorkSpaces
- Amazon CloudWatch Logs
- AWS Elemental MediaConvert
- Agents for Amazon Bedrock Runtime
- Amazon Bedrock
- AWS Control Tower
- Amazon Aurora DSQL
- Amazon EC2 Container Service
- AWS License Manager
- AWSDeadlineCloud
- Amazon Elastic Compute Cloud
- AWS Elemental MediaLive
- AWS Supply Chain
🍹 IAM managed policy changes
- AmazonEVSServiceRolePolicy
- AmazonEventBridgeSchedulerFullAccess
- AmazonEventBridgeSchedulerReadOnlyAccess
- AmazonRoute53FullAccess
- AWSVPCS2SVpnServiceRolePolicy
- AWSServiceRoleForAWSTransform
- CloudTrailEventContext
- AmazonAuroraDSQLConsoleFullAccess
- AmazonAuroraDSQLFullAccess
- AmazonAuroraDSQLReadOnlyAccess
- EC2FastLaunchServiceRolePolicy
- EC2FastLaunchFullAccess
- AmazonDataZoneBedrockModelConsumptionPolicy
- AmazonQDeveloperAccess
- AmazonQFullAccess
- ViewOnlyAccess
- AWSQuickSightSecretsManagerWritePolicy
- AccessAnalyzerServiceRolePolicy
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities
- CVE-2025-4476
- CVE-2025-23165
- CVE-2025-23166
- CVE-2025-4516
- CVE-2025-47287
- CVE-2025-47712
- CVE-2025-23167
- CVE-2025-47711
- CVE-2025-47279
- CVE-2025-4638
- CVE-2025-3877
- CVE-2025-3932
- CVE-2025-3909
- CVE-2025-46836
- CVE-2025-3875
- CVE-2025-26646
- CVE-2025-47905
- CVE-2025-46805
- CVE-2024-45332
- CVE-2025-46803
- CVE-2025-46804
- CVE-2025-24495
- CVE-2025-20103
- CVE-2025-46802
- CVE-2025-4574
- CVE-2024-43420
- CVE-2024-28956
- CVE-2025-47278
- CVE-2025-20054
- CVE-2025-20012
- CVE-2025-23395
- CVE-2025-20623
- CVE-2025-22873
- CVE-2025-22247
- CVE-2025-31215
📺 AWS security bulletins
- No bulletins this week.
🚬 Security documentation changes
- AmazonECS Documentation Update
- IAM Documentation Update
- IAM Documentation Update
- IAM Documentation Update
- amazonq Documentation Update
- amazonq Documentation Update
- amazonq Documentation Update
- aurora-dsql Documentation Update
- aws-backup Documentation Update
- bedrock Documentation Update
- bedrock Documentation Update
- cli Documentation Update
- codebuild Documentation Update
- cognito Documentation Update
- cognito Documentation Update
- controltower Documentation Update
- datasync Documentation Update
- datasync Documentation Update
- ebs Documentation Update
- ebs Documentation Update
- ebs Documentation Update
- efs Documentation Update
- eks Documentation Update
- glue Documentation Update
- glue Documentation Update
- guardduty Documentation Update
- m2 Documentation Update
- marketplace Documentation Update
- network-firewall Documentation Update
- sagemaker Documentation Update
- transfer Documentation Update
- aws-backup Documentation Update
- deadline-cloud Documentation Update
- deadline-cloud Documentation Update
- deadline-cloud Documentation Update
- glue Documentation Update
- glue Documentation Update
- linux Documentation Update
- linux Documentation Update
- mgn Documentation Update
- transfer Documentation Update