🥖 Palette Cleanser

Welcome back to another edition of your favorite free AWS security newsletter. We all need it to stay free because AWS just changed how its free tier works for new accounts, moving some services away from a 12-month free period to a $100 credit model.

It looks like some form of vector database support is probably coming to S3. We get this sweet gossip thanks to Nick Frichette's ongoing work enumerating undocumented AWS APIs.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Shift-Left Security with Amazon Inspector Code Security by Sena Yakut

  I love this post because you can copy and paste the enclosed code, follow the instructions, and have a working infrastructure-as-code scanning pipeline up and running in under 30 minutes. It's something every company eventually needs to do, but it often causes much wasted effort and heartache. Sena did what AWS should have done and made the process trivial.

• Investigate Your Own AWS Attack with Athena by Rich Mogull

  We love Rich. His newest SLAW lab spins up a booby-trapped CloudFormation stack that deliberately leaks an IAM key and triggers a simulated attack from his account. Your job is to investigate the incident using CloudTrail and Athena, gauge the blast radius, and tidy up the lab before heading back to reality.

• Unmasking Lambda's Hidden Threat - When Your Bootstrap Becomes a Backdoor by Guillermo Fernandez Cano and Sergio Jimenez

  This is a cool variation of existing persistence techniques for Lambda that abuse language-specific bootstrap code. If the target is using a custom runtime, the authors claim modifying the bootstrap file can survive legitimate code deployments. Pretty sweet, if true.

🥗 AWS security blogs

• Strengthen Your AWS Cloud Storage Security with Superna Defender by Andrew Peng
• Introducing: Guidance for a media lake on AWS by Robert Raver
• Proactive strategies for cyber resilience and business continuity on AWS by Devin Gordon
• Macquarie University accelerates cloud transformation with AWS by AWS Public Sector Blog Team
• Spring 2025 SOC 1/2/3 reports are now available with 184 services in scope by Paul Hong
• Establishing a European trust service provider for the AWS European Sovereign Cloud by Colm MacCárthaigh
• Spring 2025 PCI DSS compliance package available now by Will Black
• 2025 CyberVadis report now available for due diligence on third-party suppliers by Tea Jioshvili

🍛 Reddit threads on r/aws

• How many MFA devices do you register on a root account to be sure to have access at all times?
• Api Gateway restrict IP Range
• Best practice for handling user claims from ALB/Cognito in Fargate-deployed apps?

💸 Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

No changes this week.

🍪 API changes

• Amazon Elastic Compute Cloud
• AWS Free Tier

🍹 IAM managed policy changes

• AmazonBraketServiceRolePolicy
• SageMakerStudioProjectUserRolePolicy
• AWSDirectoryServiceServiceRolePolicy
• SageMakerStudioAdminProjectUserRolePolicy
• AWSBillingReadOnlyAccess
• SupportUser
• AmazonSageMakerHyperPodObservabilityAdminAccess
• AmazonS3TablesLakeFormationServiceRole
• SageMakerStudioAdminProjectUserRolePolicy
• AWSSSMForSAPServiceLinkedRolePolicy

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

• CVE-2025-4674
• CVE-2025-46835
• CVE-2025-27614
• CVE-2025-27613
• CVE-2025-46334
• CVE-2025-7345
• CVE-2025-1220
• CVE-2025-48385
• CVE-2025-48384
• CVE-2025-48386
• CVE-2025-6491
• CVE-2025-1735
• CVE-2024-25178
• CVE-2024-25176
• CVE-2024-25177
• CVE-2025-48367
• CVE-2025-32023

📺 AWS security bulletins

No bulletins this week.

🚬 Security documentation changes

• dlami Documentation Update
• eks Documentation Update
• eks Documentation Update
• eks Documentation Update
• managedservices Documentation Update
• managedservices Documentation Update
• sagemaker Documentation Update
• IAM Documentation Update
• govcloud-us Documentation Update
• odb Documentation Update
• opsworks Documentation Update
• appsync Documentation Update
• athena Documentation Update
• connect Documentation Update
• connect Documentation Update
• greengrass Documentation Update
• sagemaker Documentation Update
• sagemaker Documentation Update
• sagemaker Documentation Update
• sagemaker Documentation Update
• sagemaker Documentation Update