Monday, June 30, 2025

🥖 Palate Cleanser

Welcome to fwd:cloudsec North America week - the week of the best cloud security conference there is. I'm not there in person, but I am in spirit. I'll let you all know when the talks are published.

It appears everyone decided to publish their content this week. Sometimes it's a grind to find three high-quality articles; this week it's impossible to choose just three. So I've gone with five instead.

And here's all the stuff that isn't a blog post but is still kick-ass:

Good luck eating all these AWS goodies without gaining weight. <3

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • AWS Account ID Enumeration Through Root User MFA by Michael Magyar

    If you know the email associated with any AWS root user, and it has a single registered U2F key, you can politely ask it for the account ID and it will tell you. No auth. No CAPTCHA. Brilliant.

  • Hijacking Amazon EventBridge for launching Cross-Account attacks by Ramesh Ramani

    What kind of fun can an attacker have with access to one of your EventBridge buses? Ramesh explains it all. None of it is really exploiting EventBridge - more like abusing legitimate functionality for command and control, exfiltrating data, and so on. There's lots of code, policies, and practical advice for protection and detection.

  • Sign in with your eID: Using AWS IAM Roles Anywhere with a SmartCard Reader by Ben Bridts

    In Belgium, every citizen gets an identity card. Since 2005, the cards have contained a chip with a digital certificate signed by the "Citizens CA." Ben shows us how to set up AWS IAM Roles Anywhere to let everyone in Belgium access an S3 bucket. It's a really fun example of combining the real world with AWS.

  • The Future of Threat Emulation: Building AI Agents that Hunt Like Cloud Adversaries by Eduard Agavriloae

    Let's make AI agents do AWS lateral movement and privilege escalation. Surely it won't work!? Well, it kind of does - at least in some constrained scenarios that I reckon half of all professional penetration testers would fail at. Eduard reckons AI agents could be weaponized to perform cloud attacks at scale and even shows how it could be done with S3 ransomware. Prompts to replicate the work are included in the post.

  • Profiling TradeTraitor: Tactics, History & Defenses by Invictus

    TradeTraitor is a DPRK hacking crew that phishes developers, swipes their AWS keys, and then rummages through CloudTrail, IAM, and S3 to plant malicious JavaScript and drain crypto wallets. The post goes through all the incident response steps you might want to take if you get hit by TradeTraitor, or want to avoid getting hit in the first place.

Bonus: Stealthy Persistence in AWS - A Practical Simulation for Defenders

🥗 AWS security blogs

๐Ÿ› Reddit threads on r/aws


💸 Sponsor shoutout

Pleri is an AI cloud security teammate - faster reactions, smarter actions, no extra headcount. Meet Pleri and see her in action.

Watch the video

🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

๐Ÿง IAM permission changes

๐Ÿช API changes

๐Ÿน IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

    No bulletins this week.

🚬 Security documentation changes
