Monday, September 29, 2025

🥖 Palate Cleanser

Have you ever played with one of those Russian Matryoshka dolls? You know, the ones where you open one only to find another, smaller one inside. If you haven't, I have good news for you: AWS Billing View just introduced support for multiple organizations, so you can play virtual Matryoshka dolls with your billing. It's not a security highlight (yet), but it is a fun way to start the week.

Last week was all about the Shai-Hulud npm supply chain attack. It was epic but didn't last long, not least because GitHub took swift and decisive action. And the GitHub team is not letting that crisis go to waste. This week they published a plan to strengthen publishing authentication controls that will annoy a bunch of people but ultimately make the internet safer. Making these kinds of usability trade-offs is necessary but rarely possible without a crisis. So I guess we should be grateful to the crews running amok on software supply chains recently. <3 <3 <3

Have a great week, everyone.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • Using RCP in OpenSearch: Odd fit or a glimpse of the future? by Hafsa Hafeez

    As of September 1, 2025, Amazon OpenSearch Serverless is the first RCP-enabled AWS service that does not support direct cross-account access. The article shows how RCPs can still block calls like "aoss:GetAccountSettings," effectively treating the whole service as a resource in itself, and digs into quirks like wildcard data-access policies that can silently override those safeguards. It’s worth a full read if you design IAM or org-wide guardrails, because it highlights unexpected RCP behaviors you might miss when locking down critical services.

  • Adding Determinism and Safety to Uber IAM Policy Changes by Avinash Srivenkatesh, Zi Wen, Zakir Akram

    Uber built a Policy Simulator to stop IAM policy mistakes from breaking production, after a real incident where a bad policy blocked all order edits on Uber Eats. It grabs recent access logs (via Envoy secure proxy, M3, Hive → Pinot) and replays every actor–action–resource on twin authorization engines to show exactly what a proposed policy would break or over-grant, kind of like CI tests for IAM. It’s probably over-engineering for most teams, but maybe you can adapt some of the ideas with CloudTrail, Access Analyzer, or Step Functions to test and harden policy changes before they go live.

  • IMDS Abused: Hunting Rare Behaviors to Uncover Exploits by Hila Ramati, Gili Tikochinski

    I try to avoid sharing articles with obnoxious sales pitches. Luckily, most corporate blogs stick to a plug at the end, so it's usually not an issue. I do have to make an exception this time because the work presented in this article is really cool (practical and easy to apply). Hila and Gili show how powerful simple threat hunting can be if you have the right data. They used their logs of which binaries made which requests to IMDS to find 0-day(ish) exploits by filtering for rarely seen requests to rarely used endpoints.
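
Here is a toy version of the replay-and-diff idea from the Uber piece, using an OpenSearch-style RCP like the one in the first selection as the proposed change. It is an added example written for this digest, not Uber's simulator and not a faithful AWS policy evaluator: it understands only `*`/`?` wildcards and StringEquals/StringNotEquals conditions, RCPs are modeled as deny-only policies appended to every evaluation, and every ARN, role name and logged call below is made up.

```python
# Added example (not Uber's simulator, not an AWS service): a toy IAM-style
# evaluator that replays a constructed access log against a current and a
# proposed policy set and diffs the decisions. The RCP below is a hypothetical
# guardrail for aoss:GetAccountSettings; ARNs and role names are made up.
from fnmatch import fnmatchcase

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _matches(patterns, value):
    # IAM wildcards: "*" and "?" only, case-sensitive; ARNs contain no "[" so fnmatch is safe
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _conditions_hold(cond, ctx):
    # Minimal subset: StringEquals / StringNotEquals on single-valued context keys
    for op, pairs in (cond or {}).items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have not in _as_list(wanted):
                return False
            if op == "StringNotEquals" and have in _as_list(wanted):
                return False
    return True

def evaluate(policies, request):
    """'Allow' or 'Deny': an explicit Deny wins, no matching Allow is an implicit Deny."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(st["Action"], request["action"])
                    and _matches(st["Resource"], request["resource"])
                    and _conditions_hold(st.get("Condition"), request["context"])):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

def simulate(log, current, proposed):
    """Replay every logged request under both policy sets; return (breaks, over_grants)."""
    breaks, over_grants = [], []
    for ev in log:
        before = evaluate(current["identity"][ev["actor"]] + current["rcps"], ev)
        after = evaluate(proposed["identity"][ev["actor"]] + proposed["rcps"], ev)
        if (before, after) == ("Allow", "Deny"):
            breaks.append(ev)
        elif (before, after) == ("Deny", "Allow"):
            over_grants.append(ev)
    return breaks, over_grants

ADMIN = "arn:aws:iam::111111111111:role/aoss-admin"          # hypothetical
CI = "arn:aws:iam::111111111111:role/compliance-checker"     # hypothetical
COLLECTION = "arn:aws:aoss:us-east-1:111111111111:collection/abc123"  # hypothetical

def allow(actions):
    return {"Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

CURRENT = {
    "identity": {ADMIN: [allow("aoss:*")],
                 CI: [allow(["aoss:GetAccountSettings", "aoss:BatchGetCollection"])]},
    "rcps": [],
}

# Proposed change: (1) an RCP that treats account settings as a guarded resource and
# denies them to everyone but the admin role; (2) the CI role widened to aoss:*
GUARD_RCP = {"Statement": [{
    "Effect": "Deny",
    "Action": ["aoss:GetAccountSettings", "aoss:UpdateAccountSettings"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:PrincipalArn": ADMIN}},
}]}
PROPOSED = {
    "identity": {ADMIN: [allow("aoss:*")], CI: [allow("aoss:*")]},
    "rcps": [GUARD_RCP],
}

def request(actor, action, resource="*"):
    # account-level aoss calls carry no resource ARN, so "*" stands in for them
    return {"actor": actor, "action": action, "resource": resource,
            "context": {"aws:PrincipalArn": actor}}

# Constructed access log, including a call that was denied (CloudTrail records those too)
LOG = [
    request(ADMIN, "aoss:GetAccountSettings"),
    request(CI, "aoss:GetAccountSettings"),
    request(CI, "aoss:BatchGetCollection", COLLECTION),
    request(CI, "aoss:CreateCollection"),
]

if __name__ == "__main__":
    breaks, over_grants = simulate(LOG, CURRENT, PROPOSED)
    for ev in breaks:
        print("BREAKS:", ev["actor"], ev["action"])
    for ev in over_grants:
        print("OVER-GRANTS:", ev["actor"], ev["action"])
```

Running it reports the compliance-checker role's aoss:GetAccountSettings call as a break (the new RCP would deny it) and its previously denied aoss:CreateCollection as an over-grant (the widened identity policy would now allow it). Against real CloudTrail events you would swap the toy evaluator for something authoritative such as the iam:SimulatePrincipalPolicy API; the part worth copying is the replay-and-diff loop, not the evaluator.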

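And a small version of the IMDS hunt from the third selection. This is an added example, not the authors' code: it assumes you already have per-process attribution of IMDS requests (host, calling binary, path), which is the hard part, and then scores each (binary, path) pair by how many hosts it appears on and how rare the path is fleet-wide. The log is constructed, with two outliers planted to be found.

```python
# Added example (not the article's code): rarity-based hunting over a constructed
# IMDS request log. Each record is (host, binary, path) as an agent that attributes
# IMDS traffic to the calling process might emit; hosts, binaries and counts are made up.
from collections import Counter, defaultdict

CREDS = "/latest/meta-data/iam/security-credentials/"
INSTANCE_ID = "/latest/meta-data/instance-id"
USER_DATA = "/latest/user-data"

def constructed_log():
    """Fleet-wide baseline plus two outliers planted to be found."""
    log = []
    for i in range(50):
        host = f"i-{i:04d}"
        log += [(host, "amazon-ssm-agent", CREDS)] * 3   # agents refresh role creds
        log.append((host, "cloud-init", INSTANCE_ID))     # every boot
    log.append(("i-0017", "php-fpm", CREDS))      # web worker fetching role creds: classic SSRF/RCE follow-up
    log.append(("i-0023", "python3", USER_DATA))  # something reading user-data long after boot
    return log

def hunt(log, max_hosts=2, max_path_share=0.05):
    """Flag (binary, path) pairs seen on few hosts; rank higher when the path itself is rare fleet-wide."""
    path_hits = Counter(path for _, _, path in log)
    pair_hosts = defaultdict(set)
    for host, binary, path in log:
        pair_hosts[(binary, path)].add(host)
    findings = []
    for (binary, path), hosts in pair_hosts.items():
        if len(hosts) > max_hosts:
            continue  # common across the fleet: almost certainly legitimate tooling
        path_share = path_hits[path] / len(log)
        findings.append({
            "binary": binary, "path": path, "hosts": sorted(hosts),
            "path_share": round(path_share, 3),
            "severity": "high" if path_share <= max_path_share else "medium",
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["binary"]))

if __name__ == "__main__":
    for f in hunt(constructed_log()):
        print(f"{f['severity']:6} {f['binary']:10} {f['path']} hosts={f['hosts']} path_share={f['path_share']}")
```

Both planted outliers surface: python3 reading user-data is flagged high (rare caller and rare endpoint), php-fpm reading role credentials is flagged medium (rare caller, but the endpoint is one every agent hits). The thresholds are knobs to tune against your own baseline; the value is in having the attribution data at all.
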
Bonus: "Fantastic AWS Policies and Where to Find Them" and "The emerging use of malware invoking AI"

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout


Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those who enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

    No bulletins this week.

🚬 Security documentation changes
