Monday, June 09, 2025

🥖 Palette Cleanser

Let's make tonight the weekend, I don't wanna wait.

Alibaba Cloud had a weird week. It looks like their "core" domain aliyuncs.com had its name server set to a Shadowserver sinkhole for just over 6 hours. It impacted their object storage, content delivery network, and other cloud services. Yet, I can't find any more information anywhere about how and why this might have happened.

It seems EU citizens are feeling a bit uneasy about having their cloud data controlled by American entities amidst political/policy weirdness. This week AWS announced it is forming a new European Sovereign Cloud (ESC) organization with a locally controlled parent company, and other controls it hopes will put EU companies at ease. Oh, by the way, it's re:Inforce next week in Philly!

Since everyone is vibe coding now, AWS or not, it's a perfect time to share these rules for safer vibe coding by Rami-licious. And if you like fixing stuff after you've vibe coded it in the real world, check out Scotty P's Getting Things Fixed keynote.

Finally, I just have to include this dumpster fire at an Indian startup, which includes GitHub data being wiped and AWS access being lost. It might be the worst breach response I've ever seen. The quotes are magnificent. A taste: “Employee offboarding was not being handled properly because there was no full-time HR.” I recommend reading it in one of two ways: 1) as a comedy, with an alcoholic beverage, or 2) as a what-not-to-do-or-say tutorial.


📋 Chef's selections

  • Phishing Cloud Credentials (AccessKeys) via MCP by CatGG

    Fake MCP servers are going to spread. As CatGG shows, a malicious server can phish AWS credentials as soon as a user points their assistant at it. If you trust an MCP server to act on your behalf, you’ll hand it whatever token it needs. The attacker’s only job is making the MCP URL look legit. OAuth itself isn’t flawed; MCP’s trust model is. Bind tokens to a vetted server or verify the server first, and the phishing angle disappears.

  • 2025 State of Cloud Security Report by Bar Kaduri, Shir Sadon, Todd Stansfield

    We see a lot of cloud security reports pass through ASD each year. Like the others, this one has its pros and cons. It tries to put AI front and center, but there's not much meat on that bone. There's lots of hype about the number of vulnerabilities per asset being bad, but we all know most of those are unreachable and irrelevant. Where the report shines is neglected assets, identity & access, and application security. One fun stat: 32% of assets run unsupported operating systems or have gone unpatched for over 180 days.

  • Cross Account AWS Athena for SecOps (Security Operations/Incident Response) by Rich Mogull

    In this lab, Rich walks you through wiring up Athena in your security account so it can crunch CloudTrail logs from your AWS org. It's not a perfect solution, but it is a quick, cost-aware path to incident-response queries without shelling out for a real SIEM.


💸 Sponsor shoutout

Pleri is your AI-powered teammate built to boost your cloud security team — faster reactions, smarter actions, no extra headcount. Meet Pleri and see her in action.

