
July 07, 2025
Palate Cleanser
The internet ghosted us this week.
After giving us content overload last issue, there's been barely a whisper since. The good news is fwd:cloudsec USA talks are live, so there's plenty of interesting content to consume nonetheless.
Apparently, edge network devices have been trying to catch the internet on fire again. This time it's Citrix NetScaler ADC and NetScaler Gateway. I don't know how bad this is, but ReliaQuest has reported "indications of exploitation" in the wild. Maybe these kinds of devices just need a rethink.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
Chef's selections
Building a cloud security roadmap: Tools by layer and when you need them (pt.1) by Ethan Chen
If you've ever wondered what all the security things are that you might need to implement in your cloud environment, this is a decent place to start. It's more of a taxonomy of tools than a guide; I assume the guide will come in part 2? I'll confess I didn't know people still used/referred to what was once called intrusion detection systems (IDS) and intrusion prevention systems (IPS), especially in the cloud.
fwd:cloudsec USA 2025 Conference Talk Summaries by Christophe Limpalair
Christophe used AI to elegantly summarize every talk from this year's con, and I picked out the AWS ones for you to enjoy:
- Exploiting Managed Prompt Templates to Take Over Amazon Bedrock Agents
- ECS-cape: Hijacking IAM Privileges in Amazon ECS
- Data Perimeter Implementation Strategies: Lessons Learned Rolling Out SCPs/RCPs
- The Duplicitous Nature of AWS Identity and Access Management (IAM)
- What would you ask a crystal ball for AWS IAM?
- Challenges implementing egress controls in a large AWS environment
- Introducing GRC Engineering: A New Era of AWS Compliance
- Building a production-ready AWS environment from scratch
AWS security blogs
- Amazon Inspector now available in additional AWS Regions
- AWS Config rules add classifications from AWS Control Tower Control Catalog
- Elevate User Experience and Security of Application Load Balancer for SAP workloads on AWS by Ferry Mulyadi
- Remote access to AWS: A guide for hybrid workforces by Itay Meller
- AWS Certificate Manager now supports exporting public certificates by Pravin Nair
Reddit threads on r/aws
Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She's not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.
Learn more about Pleri and see her in action.
Dessert
Dessert is made by robots, for those who enjoy the industrial content.
IAM permission changes
API changes
- Amazon Connect Customer Profiles
- AWSDeadlineCloud
- Amazon Elastic Compute Cloud
- AWS Elemental MediaPackage v2
- Amazon Route 53
- Amazon SageMaker Service
- Amazon Connect Cases
- Amazon Simple Storage Service
- AWS Clean Rooms ML
- Amazon DataZone
- Amazon Elastic Compute Cloud
- odb
- QBusiness
- AWS ARC
- AWS B2B Data Interchange
- Amazon Bedrock Runtime
- Amazon Bedrock
- AWS CloudFormation
- AWS Config
- Amazon Connect Service
- Amazon DynamoDB
- AWS Glue
- AWS Identity and Access Management
- AWS Health Imaging
- Amazon QuickSight
- Amazon Simple Systems Manager (SSM)
- AWS Transfer Family
IAM managed policy changes
- SageMakerStudioProjectProvisioningRolePolicy
- AmazonODBServiceRolePolicy
- AmazonInspector2FullAccess_v2
- AWSApplicationMigrationSSMAccess
- SecurityAudit
- AWSApplicationMigrationFullAccess
- AWSElasticDisasterRecoveryConsoleFullAccess_v2
- AWSElasticDisasterRecoveryLaunchActionsPolicy
- AWSZoneGroupAccessManagementServiceRolePolicy
- AmazonConnectServiceLinkedRolePolicy
- AWSZonalAutoshiftPracticeRunSLRPolicy
- AmazonKeyspacesFullAccess
- AmazonKeyspacesReadOnlyAccess
- AmazonBedrockFullAccess
- AmazonBedrockLimitedAccess
- AmazonBedrockMarketplaceAccess
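A policy name in the list above only tells you that a managed policy gained a new version, not what changed. The script below is an added example (written for this digest, not code from AWS or from the newsletter's own tooling): it flattens two versions of a policy document into (Effect, Action, Resource) triples, reports what was added and removed, and separately flags newly granted wildcard actions such as `service:*`, which are the changes worth reading first. The two sample documents are constructed for illustration and do not reproduce any real AWS managed policy. The `latest_two_versions` helper shows how to pull real versions with boto3 (it needs credentials and `iam:ListPolicyVersions` / `iam:GetPolicyVersion`); everything else runs offline. One caveat the code comments repeat: Condition blocks are ignored, so a statement that only gained or lost a Condition will not show up in the diff.

```python
"""Diff two versions of an AWS managed policy document.

Added example for the AWS Security Digest "IAM managed policy changes"
list; not AWS code. OLD_POLICY and NEW_POLICY are constructed samples.
"""
import json

# Constructed sample: stands in for an older policy version (not a real AWS policy).
OLD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["bedrock:ListFoundationModels", "bedrock:GetFoundationModel"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "bedrock:InvokeModel",
         "Resource": "arn:aws:bedrock:*::foundation-model/*"},
    ],
}

# Constructed sample: stands in for the newer version (not a real AWS policy).
NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["bedrock:ListFoundationModels",
                    "bedrock:ListMarketplaceModelEndpoints"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "bedrock:InvokeModel",
         "Resource": "arn:aws:bedrock:*::foundation-model/*"},
        {"Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"},
    ],
}


def _listify(value):
    """IAM allows a string, a list, or (for Statement) a single object."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def grants(policy):
    """Flatten a policy document into a set of (effect, action, resource) triples.

    NotAction / NotResource entries are kept but prefixed so they are not
    confused with positive grants. Condition blocks are deliberately ignored,
    so this is a coarse diff: a statement that only changed its Condition
    produces no difference here.
    """
    out = set()
    for stmt in _listify(policy.get("Statement")):
        effect = stmt.get("Effect")
        actions = _listify(stmt.get("Action")) or [
            "NotAction:" + a for a in _listify(stmt.get("NotAction"))]
        resources = _listify(stmt.get("Resource")) or [
            "NotResource:" + r for r in _listify(stmt.get("NotResource"))]
        for action in actions:
            for resource in resources:
                out.add((effect, action, resource))
    return out


def diff_policies(old, new):
    """Return added/removed triples plus any newly granted wildcard actions."""
    before, after = grants(old), grants(new)
    added = sorted(after - before)
    removed = sorted(before - after)
    # A new Allow on "service:*" or "*" widens the policy far more than a
    # single new action, so surface those separately for review.
    new_wildcard_actions = [
        g for g in added if g[0] == "Allow" and g[1].endswith("*")]
    return {"added": added, "removed": removed,
            "new_wildcard_actions": new_wildcard_actions}


def latest_two_versions(policy_arn):
    """Fetch the two most recent versions of a managed policy via the IAM API.

    Requires boto3 and AWS credentials; not exercised by the offline demo.
    Example ARN: arn:aws:iam::aws:policy/SecurityAudit
    """
    import boto3  # imported lazily so the offline demo runs without it
    iam = boto3.client("iam")
    versions = sorted(
        iam.list_policy_versions(PolicyArn=policy_arn)["Versions"],
        key=lambda v: v["CreateDate"])
    docs = [iam.get_policy_version(PolicyArn=policy_arn,
                                   VersionId=v["VersionId"])
            ["PolicyVersion"]["Document"] for v in versions[-2:]]
    return docs[0], docs[1]


if __name__ == "__main__":
    print(json.dumps(diff_policies(OLD_POLICY, NEW_POLICY), indent=2))
```

Run it as-is for the constructed samples; to compare a real policy, replace the two sample documents with `latest_two_versions("arn:aws:iam::aws:policy/<PolicyName>")`. AWS-managed policies retain only a handful of versions, so diff soon after a change lands if you want the previous document.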
CloudFormation resource changes
Amazon Linux vulnerabilities
AWS security bulletins
No bulletins this week.
Security documentation changes
- AmazonECS Documentation Update
- amazonq Documentation Update
- amazonq Documentation Update
- apigateway Documentation Update
- apigateway Documentation Update
- artifact Documentation Update
- audit-manager Documentation Update
- audit-manager Documentation Update
- audit-manager Documentation Update
- clean-rooms Documentation Update
- cli Documentation Update
- cli Documentation Update
- cli Documentation Update
- cognito Documentation Update
- config Documentation Update
- connect Documentation Update
- controltower Documentation Update
- datasync Documentation Update
- datasync Documentation Update
- efs Documentation Update
- efs Documentation Update
- eks Documentation Update
- emr Documentation Update
- emr Documentation Update
- kms Documentation Update
- lake-formation Documentation Update
- macie Documentation Update
- managedservices Documentation Update
- managedservices Documentation Update
- managedservices Documentation Update
- managedservices Documentation Update
- marketplace Documentation Update
- marketplace Documentation Update
- odb Documentation Update
- odb Documentation Update
- powershell Documentation Update
- rekognition Documentation Update
- rekognition Documentation Update
- sms-voice Documentation Update
- transfer Documentation Update
- transfer Documentation Update
- transfer Documentation Update
- transfer Documentation Update
- verifiedpermissions Documentation Update
- vpn Documentation Update
- wellarchitected Documentation Update
- wellarchitected Documentation Update
- wellarchitected Documentation Update
- wellarchitected Documentation Update
- wellarchitected Documentation Update