Monday,
September 01, 2025

🥖 Palette Cleanser

Hello e-citizens of a-mazon,

It's been a minute since the internet was on fire, so the software supply chain attack crews decided it was time to intervene. The fine folks at Wiz reported that on August 26, multiple malicious versions of the widely used Nx build system package were published to the npm registry. They included post-installation malware for harvesting cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more. Apparently, 90% of over a thousand leaked GitHub tokens are still valid.

On the bright side (not a fire pun), people got really excited about the new network access control policy conditions AWS released. The request origin keys—aws:VpceAccount, aws:VpceOrgPaths, and aws:VpceOrgID—make it much easier to define where requests can come from when accessing S3 buckets. Prior to this, some folks were forced to include long lists of VPC IDs in IAM policies, which seems like an... ambitious practice.
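As an added illustration (not from the newsletter, and not an AWS-published policy): a bucket policy that swaps a long aws:SourceVpc allow-list for the new aws:VpceOrgID key, so every VPC endpoint owned by the organization is covered by one value. The bucket name, organization ID, account ID and break-glass role ARN are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessViaOrgOwnedVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-data-bucket",
        "arn:aws:s3:::example-data-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:VpceOrgID": "o-exampleorgid"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/BreakGlassAdmin"
        }
      }
    }
  ]
}
```

aws:VpceOrgID is only populated when the request arrives through a VPC endpoint, so this Deny also blocks console and internet-origin calls (the classic S3 lockout); the ArnNotLike carve-out is what keeps a recovery path, and any AWS service principal that must write to the bucket needs its own exception.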

If you happen to like building AI stuff on AWS, you might enjoy my new newsletter, Bedrock Brief. Sign up and let me know what you think.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • AWS CDK and SaaS Provider Takeover by Ryan Gerstenkorn

    You cheeky trickster, Ryan! He shows how CDK bootstrap roles, which by default trust their own account’s root principal and lack an "sts:ExternalId" check, can become a takeover risk in a SaaS environment. If a SaaS platform lets users supply arbitrary role ARNs during onboarding, an attacker can simply point it back at one of those internal CDK roles, and the assume-role call succeeds because it’s the same account. The result is the SaaS platform effectively onboarding its own account and exposing provider infrastructure to the attacker.

  • AWS Detection Engineering — Architecting Security Logging at Scale in AWS by Muh. Fani Akbar

    The author recounts investigating a fintech breach where the AWS logging architecture let attackers operate for 127 days undetected, despite CloudTrail, VPC Flow Logs, and GuardDuty being in place. He reckons the problem wasn’t lack of logs but lack of architecture, and shows how to design for scale: prioritize high-value events (like AssumeRole or PutBucketPolicy), enrich logs with context via Kinesis + Lambda before storage, and tier retention across S3 Standard, IA, and Glacier to balance cost against investigative needs. The key lesson is to log for specific detection use cases, not volume, and continuously test pipelines so visibility never silently degrades.

  • Build a Real Time Threat Detector with IaC by Rich Mogull

    This lab shows how to build a real-time EventBridge threat detector that fires on IAM CreateUser events and centralizes alerts through a SecurityAudit account’s SNS topic. Unlike the earlier log-focused Athena detector, this narrower approach relies on forwarding only the specific CloudTrail events of interest across accounts and regions with StackSets.

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout


Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

    No bulletins this week.

🚬 Security documentation changes
