AWS Security Digest

Monday,
August 18, 2025

🥖 Palette Cleanser

Ain't nobody, loves AWS security better. Makes me happy. Makes me feel this way.

Are you in Europe this September? There are still tickets to the #1 cloud security conference in the world (EU edition). fwd:cloudsec Europe 2025 is on September 15-16 in Berlin, Germany. Check out the awesome schedule and get yourself a ticket.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

A tag to rule them all: Using AWS tags to enumerate cloud resources by Bleon Proko

Did you know you could just list all the tag keys used in an AWS account? I thought the fact you could use the aws:ResourceTag policy condition to enumerate tag values was wild. The AWS resource tagging API and service-based tag APIs are straight up unhinged. This is a brilliant write-up of how those APIs can be abused within an account to identify tags, their values, and identifiers associated with them. It even comes with an open-source tool that makes the work trivial.
Bedrock’s New API Keys: Convenience at a Hidden Security Cost by Sergio Garcia

Sergio's write-up is very similar to Adan's post highlighted in issue 219. The difference is that Sergio digs deeper into the hidden risks of long-term API keys creating their own IAM identities, while Adan focuses more on explaining how the feature works. Sergio also points out that short-term keys can inherit overly broad permissions from the creator, which makes them harder to spot in normal IAM reviews.
Datadog threat roundup: Top insights for Q2 2025 by Greg Foss, Andy Giron, Matt Muir

I love a good threat roundup. It's obviously marketing, but the DD ones don't read like marketing. The details about actors using Amazon API Gateway and AWS Lambda functions to maintain stealthy access are fun. Here's a dead-simple example from 2016 of the AWS CLI running in Lambda as a backdoor.

🥗 AWS security blogs

🍛 Reddit threads on r/aws

💸 Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

CVE-2025-7039
CVE-2025-54409
CVE-2025-8961
CVE-2025-50817
CVE-2025-54389
CVE-2025-8715
CVE-2025-55160
CVE-2025-55005
CVE-2025-8916
CVE-2025-8671
CVE-2025-55154
CVE-2025-55004
CVE-2025-53859
CVE-2025-22839
CVE-2025-26403
CVE-2025-21090
CVE-2025-32086
CVE-2025-8885
CVE-2025-20109
CVE-2025-20053
CVE-2025-22889
CVE-2025-24305
CVE-2025-22840
CVE-2025-8672
CVE-2025-55158
CVE-2025-8843
CVE-2025-55157
CVE-2025-8844
CVE-2025-8846
CVE-2025-8842
CVE-2025-8851
CVE-2025-8845