🥖 Palette Cleanser

It was AWS security Christmas last week, and boy did Santa deliver.

In case my metaphors failed to land, Santa is AWS and Christmas is re:Inforce. I was absolutely giddy about the announcements like never before. The keynote from CISO Amy Herzog captures almost everything. For readers, there's an endless stream of highlight content. If you want to catch a session, this repo has a summary and links to all 163 talks.

If it wasn't clear before, it should be clear now: AWS is making a play for the $10B+ CNAPP market, launching or improving many of the features that have become table stakes in products like Wiz and my employer, Plerion. The building blocks are now pretty awesome, but I still can't see how they build the kind of user experience necessary to compete while being stuck in AWS Management Console hell.

My favorites:

• The new-look Security Hub that introduces toxic combinations as "exposures" and makes pretty attack path graphs.
• Amazon Inspector adding static application security testing (SAST), software composition analysis (SCA), and infrastructure as code (IaC) scanning.
• The crazy expensive but cool IAM Access Analyzer internal access findings, which identify who has access to data stores within your organization.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Revoking access to IAM Roles Anywhere using open-source private CA by Paul Schwarzenberger

  Paul walks through setting up IAM Roles Anywhere with Smallstep’s open-source CA, then shows how to shut it all down if something goes sideways. He demos certificate revocation via a custom CRL URL in the trust anchor, effectively killing access without waiting for cert expiration. If you’re rolling your own CA, you’d better also roll a plan to take access back fast.

• Getting Started with CloudTrail Security Queries by Rich Mogull

  How do you use Amazon Athena to find high-risk events in CloudTrail? Rich is glad you asked. He explains how to query tables, filter actions, resources and identities, and pivot on request and response fields to analyze an incident quickly.

🥗 AWS security blogs

• 📣 AWS expands resource control policies (RCPs) support to two additional services
• 📣 AWS Payment Cryptography is now available in AWS Asia Pacific (Mumbai) and Asia Pacific (Osaka)
• 📣 Amazon Inspector launches code security to shift security left in development
• 📣 AWS WAF reduces web application security configuration steps and provides expert-level protection
• 📣 Express.js developers can now add authorization in minutes with Amazon Verified Permissions
• 📣 Introducing AWS Security Hub for risk prioritization and response at scale (Preview)
• 📣 Amazon GuardDuty Extended Threat Detection now supports Amazon EKS
• 📣 AWS Shield introduces network security director (preview)
• 📣 AWS Network Firewall launches support for active threat defense
• 📣 IAM Access Analyzer now identifies who in your AWS organization can access your AWS resources
• 📣 AWS Certificate Manager introduces public certificates you can use anywhere
• 📣 Introducing the reimagined AWS MSSP Competency
• 📣 AWS IAM now enforces MFA for root users across all account types
• 📣 AWS Network Firewall now supports AWS Transit Gateway native integration
• Amazon GuardDuty expands Extended Threat Detection coverage to Amazon EKS clusters by Esra Kayabali
• Unify your security with the new AWS Security Hub for risk prioritization and response at scale (Preview) by Donnie Prakoso
• AWS Backup adds new Multi-party approval for logically air-gapped vaults by Veliswa Boya
• New AWS Shield feature discovers network security issues before they can be exploited (Preview) by Esra Kayabali
• AWS Certificate Manager introduces exportable public SSL/TLS certificates to use anywhere by Channy Yun (윤석찬)
• Verify internal access to critical AWS resources with new IAM Access Analyzer capabilities by Micah Walter
• Securing AI: AWS Marketplace and Partner Solutions from Adoption to Protection by Ella Gille
• Updates to the AWS MSSP Competency: Deliver Turnkey Security Solutions for Customers by Brian Mendenhall
• Amazon Linux 2023 achieves FIPS 140-3 validation by Mahak Arora
• Accelerate threat modeling with generative AI by Edvin Hallvaxhiu
• Enhance email authentication and deliverability with Amazon SES and Valimail by Tom Gilbert
• Secure your Express application APIs in 5 minutes with Cedar by Trevor Schiavone
• Introducing Cedar Analysis: Open Source Tools for Verifying Authorization Policies by Spencer Erickson
• Macquarie University accelerates cloud transformation with AWS by AWS Public Sector Blog Team
• How to prioritize security risks using AWS Security Hub exposure findings by Shahna Campbell
• Empower AI agents with user context using Amazon Cognito by Abrom Douglas
• Secure your Express application APIs in minutes with Amazon Verified Permissions by Trevor Schiavone
• Improve your security posture using Amazon threat intelligence on AWS Network Firewall by Amit Gaur
• How AWS is simplifying security at scale: Four keys to faster innovation from AWS re:Inforce 2025 by Amy Herzog
• Beyond compute: Shifting vulnerability detection left with Amazon Inspector code security capabilities by Nirali Desai
• Introducing the new console experience for AWS WAF by Harith Gaddamanugu
• How AWS improves active defense to empower customers by Stephen Goodman

🍛 Reddit threads on r/aws

• IAM Access Analyzer now identifies who in your AWS organization can access your AWS resources
• AWS IAM now enforces MFA for root users across all account types
• AWS expands resource control policies (RCPs) to support ECR and OpenSearch Serverless
• EC2 Hardening: CIS Benchmark Level 1 Compliance
• Open Source Automated Security Helper (ASH)

💸 Sponsor shoutout

Pleri is your AI-powered teammate built to boost your cloud security team — faster reactions, smarter actions, no extra headcount. Meet Pleri and see her in action.

🧁 IAM permission changes

• appsync
• aoss
• profile
• aiops
• connect-campaigns
• mpa
• acm
• backup
• support
• lexv2
• network-firewall
• braket
• datazone
• securityhub

🍪 API changes

• Amazon Bedrock
• Amazon EC2 Container Service
• Amazon Location Service Places V2
• AWS Glue
• AWS Elemental MediaConvert
• EMR Serverless
• AWS Lambda
• Payment Cryptography Data Plane
• Payment Cryptography Control Plane
• Amazon SageMaker Service
• AWS AI Ops
• Auto Scaling
• Amazon CloudWatch Logs
• Amazon Simple Storage Service
• Amazon SageMaker Service
• Access Analyzer
• AWS Certificate Manager
• AWS Backup
• AWS Database Migration Service
• Amazon GuardDuty
• Inspector2
• AWS Multi
• AWS Network Firewall
• AWS Organizations
• AWS SecurityHub
• AWS WAFV2
• Amazon Bedrock
• Amazon Elastic Container Registry
• AWS Network Firewall
• Amazon SageMaker Service

🍹 IAM managed policy changes

• KeyspacesCDCServiceRolePolicy
• AmazonEKSComputePolicy
• AmazonEKSServiceRolePolicy
• AWSConfigServiceRolePolicy
• AWS_ConfigRole
• AmazonDataZoneGlueManageAccessRolePolicy
• AmazonS3TablesLakeFormationServiceRole
• AmazonEKSDashboardConsoleReadOnly
• AWSSupportServiceRolePolicy
• MultiPartyApprovalFullAccess
• MultiPartyApprovalReadOnlyAccess
• SageMakerStudioDomainExecutionRolePolicy
• AWSSecurityHubFullAccess
• AmazonTimestreamConsoleFullAccess

☕ CloudFormation resource changes

• AWS::MPA::ApprovalTeam
• AWS::MPA::IdentitySource

🎮 Amazon Linux vulnerabilities

• CVE-2025-49014
• CVE-2025-50182
• CVE-2025-50181
• CVE-2025-20234
• CVE-2025-1088
• CVE-2025-6018
• CVE-2025-20260
• CVE-2025-49179
• CVE-2025-49175
• CVE-2025-6069
• CVE-2025-6019
• CVE-2025-6020
• CVE-2025-4404
• CVE-2025-49177
• CVE-2025-49180
• CVE-2025-49176
• CVE-2025-6199
• CVE-2025-6196
• CVE-2025-49178
• CVE-2025-27587
• CVE-2025-48988
• CVE-2025-49124
• CVE-2025-6141
• CVE-2025-6120
• CVE-2025-4565
• CVE-2025-4748
• CVE-2025-6119
• CVE-2025-6170
• CVE-2025-48976
• CVE-2025-49125

📺 AWS security bulletins

No bulletins this week.

🚬 Security documentation changes

• bedrock Documentation Update
• bedrock Documentation Update
• connect Documentation Update
• eks Documentation Update
• eks Documentation Update
• eks Documentation Update
• glue Documentation Update
• inspector Documentation Update
• ivs Documentation Update
• lambda Documentation Update
• network-firewall Documentation Update
• nova Documentation Update
• nova Documentation Update
• powershell Documentation Update
• powershell Documentation Update
• powershell Documentation Update
• securityhub Documentation Update
• securityhub Documentation Update
• serverless-application-model Documentation Update
• singlesignon Documentation Update
• verifiedpermissions Documentation Update
• vpn Documentation Update
• vpn Documentation Update
• vpn Documentation Update
• vpn Documentation Update
• vpn Documentation Update
• vpn Documentation Update
• vpn Documentation Update
• vpn Documentation Update
• AmazonECS Documentation Update
• IAM Documentation Update
• IAM Documentation Update
• acm Documentation Update
• acm Documentation Update
• acm Documentation Update
• amplify Documentation Update
• amplify Documentation Update
• athena Documentation Update
• aws-backup Documentation Update
• aws-backup Documentation Update
• aws-backup Documentation Update
• cognito Documentation Update
• config Documentation Update
• dcv Documentation Update
• dcv Documentation Update
• dcv Documentation Update
• dcv Documentation Update
• emr Documentation Update
• general Documentation Update
• guardduty Documentation Update