Monday,
June 16, 2025

🥖 Palette Cleanser

What a week!? AWS be dropping releases like Netflix drops seasons.

AWS published their very own and very specific Threat Technique Catalog for AWS based on MITRE ATT&CK. It's very pretty and color-coded but still not as comprehensive as some of us nerds would like. "AWS does not claim that the catalog outlines every type of unauthorized action and behavior performed by threat actors within an AWS account or AWS Organization."

AWS now prevents OIDC misconfigurations with many popular third parties. And AWS Organizations now supports up to 10,000 service control policies (SCPs) per organization. This sounds like a challenge: be the first to 10,000 and win a year's worth of debugging authorization failures!

If you want to have some nerdy fun, check out Nick Frichette's RSA talk on Critiquing Cloud Criminals. Or, for some dark comedy, read how OneLogin returned AWS access keys and secrets in the responses of their API calls.

I hope we find peace soon. 🕊️☮️✌️

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • How to get rekt using AWS Neptune by Daniel Grzelak

    AWS has a cool, scalable graph database called Neptune. I got asked to see how it can be misconfigured, and it turned out to be a pretty wacky service. It feels a bit like RDS, but it has no auth by default. It can only be spun up in a private VPC, but somehow there's a bunch of instances waiting to get rekt on the internet.

  • Hey ARNold: A Guide to All the Amazon Resource Identifiers Formats in AWS by Jason Kao

    Can we get a welfare check on Jason? This post isn't about encryption, which is deeply out of character. This time, Jason programmatically investigated all the possible AWS ARN formats. He found 1,929 different ARNs supported by AWS IAM. If you want to hack something in AWS, you typically need its ARN, so all this variety suggests a lot of attack surface. The data has been published on GitHub.

  • Roles Here? Roles There? Roles Anywhere: Exploring the Security of AWS IAM Roles Anywhere by Itay Saraf

    AWS IAM Roles Anywhere lets off-AWS workloads swap long-term keys for shiny X.509 certs, but the out-of-the-box trust policy has zero conditions, leaving it open to abuse. An attacker who nabs a cert-and-key combo and the three magic ARNs (trust anchor, profile, role) can fire a CreateSession call and mint fresh creds to pivot across every role those profiles touch. The antidote is to add an ArnEquals on the trust policy to pin each role to a single anchor, map cert attributes like CN, and keep an eye on CloudTrail for surprise anchors or profiles so your “roles anywhere” stay exactly where you expect them.
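    The trust-policy hardening described in the Roles Anywhere item, as an added example that is not from Itay's post or from AWS: a constructed unconditioned trust policy next to its pinned form, plus a small audit function that flags statements lacking the `aws:SourceArn` anchor pin or an x509 certificate-attribute condition. The trust-anchor ARN, account id and CN value are placeholders.

```python
import json

# Constructed sample: the default Roles Anywhere trust policy with no Condition block.
WEAK_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "rolesanywhere.amazonaws.com"},
  "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]}]}
""")

# Hardened form: the same statement pinned to one trust anchor (ArnEquals on
# aws:SourceArn) and to one certificate CN via the x509Subject principal tag.
# Account id, trust-anchor id and CN are placeholders, not real resources.
HARDENED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "rolesanywhere.amazonaws.com"},
  "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
  "Condition": {
    "ArnEquals": {"aws:SourceArn":
      "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/PLACEHOLDER-ID"},
    "StringEquals": {"aws:PrincipalTag/x509Subject/CN": "build-runner-01"}}}]}
""")


def audit_rolesanywhere_trust(policy: dict) -> list[str]:
    """Return findings for Allow statements that let rolesanywhere.amazonaws.com
    assume the role without pinning the trust anchor or a certificate attribute."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        if "rolesanywhere.amazonaws.com" not in services:
            continue
        cond = stmt.get("Condition", {})
        anchor_ops = ("ArnEquals", "ArnLike", "StringEquals")
        if not any("aws:SourceArn" in cond.get(op, {}) for op in anchor_ops):
            findings.append(f"statement {i}: no aws:SourceArn condition; "
                            "any trust anchor in the account can use this role")
        if not any(k.startswith("aws:PrincipalTag/x509") for op in cond.values() for k in op):
            findings.append(f"statement {i}: no x509 principal-tag condition; "
                            "any cert issued under the anchor can use this role")
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_rolesanywhere_trust(pol) or ["ok"])
```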

Bonus: Terraform: using import, and some hidden pitfalls

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout

Pleri is your AI-powered teammate built to boost your cloud security team — faster reactions, smarter actions, no extra headcount. Meet Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

🚬 Security documentation changes
