
June 30, 2025
Palate Cleanser
Welcome to fwd:cloudsec North America week - the week of the best cloud security conference there is. I'm not there in person, but I am in spirit. I'll let you all know when the talks are published.
It appears everyone decided to publish their content this week. Sometimes it's a grind to find three high-quality articles; this week it's impossible to choose just three. So I've gone with five instead.
And here's all the stuff that isn't a blog post but is still kick-ass:
- The Cloud Village DEF CON 33 schedule is out
- Free AWS Extreme Red Team Lab
- Presentation on Cloud Security Flaws We Keep Repeating
- Agentic Security Hub - Comprehensive resource for building secure agents
- Video on Declarative Policies for EC2
- ARIA-gv - Access Rights Graph Visualization
Good luck eating all these AWS goodies without gaining weight. <3
Chef's selections
- AWS Account ID Enumeration Through Root User MFA by Michael Magyar
If you know the email associated with any AWS root user, and it has a single registered U2F key, you can politely ask it for the account ID and it will tell you. No auth. No CAPTCHA. Brilliant.
- Hijacking Amazon EventBridge for launching Cross-Account attacks by Ramesh Ramani
What kind of fun can an attacker have with access to one of your EventBridge buses? Ramesh explains it all. None of it is really exploiting EventBridge - more like abusing legitimate functionality for command and control, exfiltrating data, and so on. There's lots of code, policies, and practical advice for protection and detection.
- Sign in with your eID: Using AWS IAM Roles Anywhere with a SmartCard Reader by Ben Bridts
In Belgium, every citizen gets an identity card. Since 2005, the cards have contained a chip with a digital certificate signed by the "Citizens CA." Ben shows us how to set up AWS IAM Roles Anywhere to let everyone in Belgium access an S3 bucket. It's a really fun example of combining the real world with AWS.
- The Future of Threat Emulation: Building AI Agents that Hunt Like Cloud Adversaries by Eduard Agavriloae
Let's make AI agents do AWS lateral movement and privilege escalation. Surely it won't work!? Well, it kind of does - at least in some constrained scenarios that I reckon half of all professional penetration testers would fail at. Eduard reckons AI agents could be weaponized to perform cloud attacks at scale and even shows how it could be done with S3 ransomware. Prompts to replicate the work are included in the post.
- Profiling TradeTraitor: Tactics, History & Defenses by Invictus
TradeTraitor is a DPRK hacking crew that phishes developers, swipes their AWS keys, and then rummages through CloudTrail, IAM, and S3 to plant malicious JavaScript and drain crypto wallets. The post goes through all the incident response steps you might want to take if you get hit by TradeTraitor, or want to avoid getting hit in the first place.
Bonus: Stealthy Persistence in AWS - A Practical Simulation for Defenders
AWS security blogs
- AWS Firewall Manager provides support for AWS WAF L7 DDoS managed rules
- AWS WAF announces general availability of Resource-level DDoS protection for Application Load Balancers (ALB)
- Amazon Cognito introduces AWS WAF support for Managed Login
- AWS Directory Service for Microsoft AD and AD Connector available in Asia Pacific (Taipei) Region
- AWS Security Incident Response adds integration with Amazon EventBridge
- AWS Service Reference Information now supports annotations for service actions
- AWS Private CA now supports Internet Protocol Version 6 (IPv6)
- Amazon Bedrock baseline architecture in an AWS landing zone by Abdel-Rahman Awad
- Implement secure hybrid and multicloud log ingestion with Amazon OpenSearch Ingestion by Xiaoxue Xu
- Responsible AI: From Principles to Production by Helena Yin Koeppl
- Secure collaboration and file sharing with AWS Wickr by Anne Grahn
- Introducing security group referencing and enhanced DNS support for AWS Cloud WAN by Nicola Arnoldi
- CISPE Data Protection Code of Conduct Public Register now certifies 122 AWS services as adherent by Gokhan Akyuz
Reddit threads on r/aws
Sponsor shoutout
Pleri is an AI cloud security teammate - faster reactions, smarter actions, no extra headcount. Meet Pleri and see her in action.
Dessert
Dessert is made by robots, for those who enjoy the industrial content.
IAM permission changes
API changes
- Amazon Connect Service
- AWS Glue
- Amazon Simple Email Service
- AWSDeadlineCloud
- Amazon Elastic Compute Cloud
- Managed integrations for AWS IoT Device Management
- Amazon Keyspaces
- Amazon Keyspaces Streams
- QBusiness
- Amazon WorkSpaces
- Amazon FSx
- Amazon Simple Storage Service
- AWS S3 Control
- Amazon Textract
- AWS AI Ops
- AWS Batch
- Amazon Bedrock
- Amazon Elastic Compute Cloud
- Amazon GameLift
- AWS License Manager
- Amazon Relational Database Service
- Amazon Route 53 Resolver
- Amazon Transcribe Service
- AWS Glue
- Amazon S3 Tables
- Amazon Workspaces Instances
IAM managed policy changes
- AmazonKeyspacesReadOnlyAccess_v2
- AmazonEKSLocalOutpostServiceRolePolicy
- AmazonFSxConsoleFullAccess
- AmazonFSxFullAccess
- AWSFaultInjectionSimulatorSSMAccess
- SageMakerStudioProjectUserRolePolicy
- AmazonODBServiceRolePolicy
- AWSSecurityHubOrganizationsAccess
- AmazonECSServiceRolePolicy
- AmazonLexReplicationPolicy
- AIOpsConsoleAdminPolicy
- AIOpsOperatorAccess
- AIOpsReadOnlyAccess
- AWSPCSComputeNodePolicy
- AWSResourceExplorerServiceRolePolicy
CloudFormation resource changes
Amazon Linux vulnerabilities
- CVE-2025-5449
- CVE-2025-5372
- CVE-2025-4878
- CVE-2025-5987
- CVE-2025-4877
- CVE-2024-11584
- CVE-2024-6174
- CVE-2025-6703
- CVE-2025-52555
- CVE-2025-5351
- CVE-2025-52999
- CVE-2025-6442
- CVE-2025-6434
- CVE-2025-6426
- CVE-2025-6429
- CVE-2025-6427
- CVE-2025-6433
- CVE-2025-6430
- CVE-2025-5318
- CVE-2025-6428
- CVE-2025-6432
- CVE-2025-6424
- CVE-2025-6436
- CVE-2025-6431
- CVE-2025-6425
- CVE-2025-6435
- CVE-2025-6496
- CVE-2025-6497
- CVE-2025-6547
- CVE-2025-6545
- CVE-2025-52968
- CVE-2025-6498
AWS security bulletins
- No bulletins this week.
Security documentation changes
- amazonq Documentation Update
- amazonq Documentation Update
- amazonq Documentation Update
- amazonq Documentation Update
- amazonq Documentation Update
- amazonq Documentation Update
- amazonq Documentation Update
- amazonq Documentation Update
- appsync Documentation Update
- bedrock Documentation Update
- clean-rooms Documentation Update
- cli Documentation Update
- cli Documentation Update
- cloudhsm Documentation Update
- dms Documentation Update
- ec2 Documentation Update
- ec2 Documentation Update
- eks Documentation Update
- eks Documentation Update
- eks Documentation Update
- fsx Documentation Update
- managedservices Documentation Update
- managedservices Documentation Update
- managedservices Documentation Update
- managedservices Documentation Update
- mediaconvert Documentation Update
- msk Documentation Update
- odb Documentation Update
- res Documentation Update
- res Documentation Update
- secretsmanager Documentation Update
- vpc-lattice Documentation Update
- workspaces Documentation Update
- IAM Documentation Update
- IAM Documentation Update
- IAM Documentation Update
- IAM Documentation Update
- IAM Documentation Update
- Route53 Documentation Update
- amazonq Documentation Update
- bedrock Documentation Update
- bedrock Documentation Update
- bedrock Documentation Update
- bedrock Documentation Update
- cognito Documentation Update
- config Documentation Update
- config Documentation Update
- config Documentation Update
- dms Documentation Update
- emr Documentation Update