Monday,
July 21, 2025

🥖 Palate Cleanser

Booyakasha,

As predicted by security research into non-public APIs cited in last week's issue, vector storage is coming to S3. It's all in support of AI - think RAG, semantic search, or AI agents that need huge context windows.

Next week, we will have over 2,500 new friends joining us as subscribers of AWS Security Digest. AWS Cloud Security Weekly will be sending out its last issue tomorrow and will soon merge into ASD. Thank you to all of you for continuing to support me and the newsletter. I love you all and hope I can keep you entertained and informed for a long time to come.

Speaking of keeping things running, if you want to know how well you're doing at cloud security, our sponsor Plerion is offering free no-commitment cloud security assessments until the end of July.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • Exploring Delegated Admin Risks in AWS Organizations by Ben Zamir

    This is a must-read for folks using delegated admin for Organizations. The premise of the post is a previously mis-scoped (now-fixed) policy that allowed abuse, but it turned into a great overview of the risks of delegated admin in general. Ben focuses on three services that, when delegated, could be abused for persistence or privilege escalation: Identity Center, CloudFormation StackSets, and Service Catalog.

  • API Keys for Bedrock: A Brief Security Overview by Adan Álvarez

    My first instinct was not to include this post because it felt too simple, but it feels too fundamentally important not to. Everyone is all in on AI, so it's nice to know that creating a Bedrock long-term API key actually creates an IAM user (WAT?). Also, creating a short-term API key can be done offline and without CloudTrail traces. Not to give it all away, but look out for fake "BedrockAPIKey-xxxx" users in an account near you.

  • Deep Dive and Nuances of AWS's Programmatic IAM Action List and Service Authorization References (SAR) by Jason Kao

    In late 2024, AWS released programmatic service reference information in JSON format. Previously, if you wanted to understand IAM, you had to scrape Service Authorization Reference (SAR) web pages. You'd think (hope?) that these sources had the same data, but alas, Jason and his team of cyber sleuths found heaps of differences. If you're building tooling on top of either, it's best to know what you're dealing with.

Bonusii:

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

🍧 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

    No bulletins this week.

🚬 Security documentation changes