
September 15, 2025
🥖 Palate Cleanser
It's been a slow week for AWS security content. I assume that's because everyone is at fwd:cloudsec in Berlin, hoarding material to unleash all at once for next week's issue. If you aren't there, make sure to catch the live stream (Day 1, Day 2).
I do have a fun little Twitter mystery for you from Aidan Steele. Back in 2022, Aidan posted about an eight-year-old access key that was active but he didn't know what it was doing. This week, that same access key got compromised. Sounds like a fun adventure to follow.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
📋 Chef's selections
- Comparing CSP-Managed Machine Identities by Kat Traxler
Ever wonder how different cloud providers handle non-human identities? You're a bit weird if you did, but then again, so is Kat. She did a great job breaking it down in this white paper. In AWS, these take the form of Service Principals and Service-Linked Roles, creating a hybrid model where identities span both AWS-controlled and customer accounts. This design makes AWS especially exposed to multi-tenant “confused deputy” attacks unless customers manually implement IAM condition keys like aws:SourceArn, a safeguard that research suggests is dangerously underused.
- Profiling Sea Turtle: Tactics, History & Defenses by Invictus
Sea Turtle is a Türkiye-linked espionage group that started with DNS hijacking and now focuses on breaking into cloud accounts. In AWS, they have been caught using stolen credentials to modify security groups through the CLI for raw SSH access, then targeting cloud storage like S3. The entire play depends on weak IAM controls and unmonitored API activity.
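For the confused-deputy point in Kat's paper, here is a small added check (our own example, not code from the paper or from AWS) that flags role trust policies letting a service principal assume the role without any aws:SourceArn/aws:SourceAccount scoping. The account id, service and ARNs in the two sample policies are constructed placeholders.

```python
import json

# Constructed sample trust policies (placeholder account id 111122223333).
# WEAK: any SNS topic in any account can make SNS assume this role.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# HARDENED: only SNS acting on behalf of our own account's topics may assume it.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:*"},
        },
    }],
})

# Condition keys that scope which caller a service acts on behalf of.
GUARD_KEYS = {"aws:sourcearn", "aws:sourceaccount",
              "aws:sourceorgid", "aws:sourceorgpaths"}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unguarded_service_principals(policy_json):
    """Return service principals allowed to assume the role with no
    source-scoping condition, i.e. statements open to a confused deputy."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Service" not in principal:
            continue  # IAM/account principals are scoped differently
        condition = stmt.get("Condition", {})
        cond_keys = {k.lower() for op in condition.values() for k in op}
        if cond_keys & GUARD_KEYS:
            continue  # at least one source-scoping key is present
        findings.extend(_as_list(principal["Service"]))
    return findings
```

Run it over the output of `aws iam get-role` for each role to find trust policies that rely on the service alone to keep other tenants out.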
🥗 AWS security blogs
- 📣 Malware Protection for S3 Expands File Size and Archive Scanning Limits
- 📣 Amazon Athena launches single sign-on support for drivers
- 📣 Amazon Redshift Serverless is now available in the AWS Europe (Milan) and Africa (Cape Town) regions
- 📣 AWS WAF is now available in the AWS Asia Pacific (Taipei) Region
- From Tools to Teammates: CTO’s Guide to Evolving Architecture for Agentic AI by Ishit Vachhrajani
- Overview of security services available in AWS Dedicated Local Zones by Lakshmi VP
🍛 Reddit threads on r/aws
💸 Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.
Learn more about Pleri and see her in action.
🤖 Dessert
Dessert is made by robots, for those that enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
- No changes this week.
🍹 IAM managed policy changes
- ReadOnlyAccess
- AWSQuickSetupStartStopInstancesExecutionPolicy
- AWSQuickSetupStartSSMAssociationsExecutionPolicy
- AWSQuickSetupSSMLifecycleManagementExecutionPolicy
- AWSQuickSetupPatchPolicyPermissionsBoundary
- AWSQuickSetupManagedInstanceProfileExecutionPolicy
- AWSBillingServiceRolePolicy
- SageMakerStudioProjectUserRolePolicy
- AmazonSSMAutomationRole
- AWSPCSServiceRolePolicy
- ROSANodePoolManagementPolicy
- AWSBackupServiceLinkedRolePolicyForBackup
- SageMakerStudioProjectRoleMachineLearningPolicy
- MultiPartyApprovalReadOnlyAccess
- MultiPartyApprovalFullAccess
☕ CloudFormation resource changes
- No resource updates this week.
🎮 Amazon Linux vulnerabilities
📺 AWS security bulletins
- No bulletins this week.
🚬 Security documentation changes
- amazonq Documentation Update
- amazonq Documentation Update
- cli Documentation Update
- cli Documentation Update
- cli Documentation Update
- cli Documentation Update
- connect Documentation Update
- connect Documentation Update
- datasync Documentation Update
- datasync Documentation Update
- eks Documentation Update