Monday,
October 06, 2025

🥖 Palate Cleanser

I always feel uneasy when the internet isn't on fire after it's been burning for a while. Just me?

It's good to see Wiz spending the big bucks on preventing more fires in the clouds, even after agreeing to be acquired by the Big G. This week they announced zeroday.cloud, a cloud and AI hacking competition that will run at Black Hat Europe on December 10 and 11. If you like hacking AI, Kubernetes, containers, virtualization, web servers, databases, or DevOps software, you might want to claim your share of the $4.5 million in bounties on offer. This will be fun to watch from the mean streets of my couch.

I hope you enjoy this week's issue.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • Weaponizing AWS X-Ray for Command & Control by Dhiraj Mishra

    Dhiraj shows how attackers can repurpose AWS X-Ray, the distributed tracing service, as a covert bidirectional C2 channel by stuffing commands and results into X-Ray trace annotations and polling TraceSummaries. Implants can use normal SigV4-signed PutTraceSegments and GetTraceSummaries calls, which look like legit tracing traffic in network logs, and the technique relies on tiny details like annotation fields and beacon intervals to encode commands and exfil. You don't need to build it yourself: the post includes an open-source version, XRayC2.

  • Analysis of AWS CloudControl API as an attack tool by Bleon Proko

    CloudControl is AWS's unified API for create, read, update, delete, and list (CRUD-L) operations on AWS resources, which also makes it handy for attackers to enumerate and tweak resources using ListResources and GetResource, brute-force identifiers based on error types, and even persist changes. The cool trick Bleon shows is a policy that allows all actions only when aws:CalledVia equals "cloudformation.amazonaws.com" and aws:ViaAWSService is true, so the identity appears non-admin while proxying admin privileges through CloudControl.

  • Introducing tokenex: an open source Go library for fetching and refreshing cloud credentials by Toader Sebastian

    tokenex is a Go library that gives workloads secretless, short-lived access across AWS, GCP, Azure, and OCI (that's Oracle something or other) by exchanging an ID token for provider creds and streaming updates over a channel so apps never juggle cloud-specific refresh logic. It uses a consistent option pattern (WithClientID, WithScope, etc.), supports K8s secret watching, and implements OAuth2. You may also want to check out Riptides' AWS SigV4 Signatures in Portable C with Kernel Compatibility library.
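The CloudControl write-up above hinges on an IAM pattern that a naive "who is admin" scan misses: a statement that allows every action, but only when the call is proxied through an AWS service (aws:CalledVia / aws:ViaAWSService). The scanner below is an example added for this digest, not code from Bleon's post or from AWS. It walks a policy document and reports any Allow statement that grants `*` or `*:*` and whose Condition references one of the "called via a service" keys. The sample policy is constructed to mirror the described trick; `find_via_service_escalations` and the sample Sids are my own names.

```python
"""Flag IAM statements that hide admin-equivalent permissions behind
aws:CalledVia / aws:ViaAWSService conditions.

Added example for this digest (not from the referenced post). Input is a
parsed IAM policy document; output is a list of findings.
"""
import json

# Global condition keys that only assert "this request came through an AWS
# service on the principal's behalf". They do not restrict what is allowed.
VIA_KEYS = {
    "aws:calledvia",
    "aws:calledviafirst",
    "aws:calledvialast",
    "aws:viaawsservice",
}

# Action wildcards that amount to "everything".
BROAD_ACTIONS = {"*", "*:*"}


def _as_list(value):
    """IAM allows a bare string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(condition):
    """Collect the condition keys (lower-cased) across all operators."""
    keys = set()
    for operator_values in condition.values():  # e.g. {"StringEquals": {...}}
        for key in operator_values:
            keys.add(key.lower())
    return keys


def find_via_service_escalations(policy):
    """Return Allow statements that grant broad actions and are gated on a
    "called via service" condition key. Other condition keys present on the
    same statement are reported so a reviewer can judge how narrow it is."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in BROAD_ACTIONS for a in actions):
            continue
        keys = _condition_keys(stmt.get("Condition", {}))
        via = keys & VIA_KEYS
        if not via:
            continue  # an unconditional Allow * is plain admin; other scanners catch it
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "via_keys": sorted(via),
            "other_keys": sorted(keys - VIA_KEYS),
        })
    return findings


# Constructed sample: the first statement looks like a harmless deployment role,
# the second is the proxied-admin statement described in the write-up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployTooling", "Effect": "Allow",
         "Action": ["cloudformation:*", "cloudcontrol:*"], "Resource": "*"},
        {"Sid": "ProxiedAdmin", "Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {
             "StringEquals": {"aws:CalledVia": "cloudformation.amazonaws.com"},
             "Bool": {"aws:ViaAWSService": "true"},
         }},
        {"Sid": "ReadObjects", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "*"},
    ],
}


if __name__ == "__main__":
    print(json.dumps(find_via_service_escalations(SAMPLE_POLICY), indent=2))
```

Run against the sample, only `ProxiedAdmin` is reported, with both via keys listed and no other restricting keys. To use it on real data, feed it the output of `aws iam get-policy-version` (the `PolicyVersion.Document` field) and treat any finding whose `other_keys` is empty as effectively unconditional admin for any principal that can also invoke the named service.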

Bonus: Three different LLM Guardrails, and integration with Strands Agents (AWS)

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She's not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

๐Ÿง IAM permission changes

๐Ÿช API changes

๐Ÿน IAM managed policy changes

โ˜• CloudFormation resource changes

๐ŸŽฎ Amazon Linux vulnerabilities

๐Ÿ“บ AWS security bulletins

    No bulletins this week.

🚬 Security documentation changes