Monday, October 13, 2025

🥖 Palate Cleanser

Compliance teams rejoice! This week's Ruby Central drama / insider incident is something we can all bring up forever and ever when someone asks why shared root credentials are bad and why root MFA is important. The Ruby Central root creds were "stored in a shared enterprise password manager in a shared vault to which only three individuals had access," and one of those three appears to have been a naughty boy after being terminated. The actor changed the password and then messed around a little until their access was shut off. The incident timeline is unusually detailed and full of fun times you can quote in PowerPoint decks.

This year's DEF CON Cloud Village videos were published this week, and there's lots of AWS goodness among them.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • How One Project Made AWS Policy Changes Visible to Everyone by Victor Grenu

    Victor, who also happens to be the OG founder of AWS Security Digest, has been running the MAMIP (Monitor AWS Managed IAM Policies) unofficial archive for over 5 years now. He recently put a new coat of paint on all that tooling with a new website, complete with dashboard and search. It's crazy to see just how much managed policies change, given how reliant all of us are on them.

  • Crimson Collective: A New Threat Group Observed Operating in the Cloud by Jakub Zvarik

    A new crew calling themselves Crimson Collective has been ripping through AWS environments using leaked long-term access keys they find with TruffleHog. Once in, they create new IAM users, slap AdministratorAccess on them, and go to town enumerating EC2, RDS, S3, and more before pulling data out. Their go-to move seems to be snapshotting RDS databases, exporting the snapshots to S3, and exfiltrating the loot, followed by a nice little extortion note.
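    The whole chain lands in CloudTrail, so it is worth having a detection that ties the steps together rather than alerting on each one in isolation. The script below is an added example written for this issue; it is not code from the Rapid7 write-up or from any AWS tool. It groups CloudTrail-shaped events by actor, attributes activity by a freshly created user back to whoever created it, and raises an alert when one actor hits several stages of the pattern (new user, AdministratorAccess, new key, recon, snapshot staging, export) inside a 24-hour window. The events are constructed to look like CloudTrail records; the account ID, user names, bucket and timestamps are made up.

```python
"""Spot the new-IAM-user -> AdministratorAccess -> RDS snapshot export chain in CloudTrail.

Added example, not code from the Rapid7 write-up or from AWS. The events are
constructed to look like CloudTrail records (field names follow CloudTrail's
schema); the account ID, user names, bucket and timestamps are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ACCOUNT = "111122223333"                       # made-up account ID
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
WINDOW = timedelta(hours=24)
# Each stage of the chain and the CloudTrail eventNames that reveal it.
STAGES = {
    "new_user": {"CreateUser"},
    "admin":    {"AttachUserPolicy", "PutUserPolicy"},
    "new_key":  {"CreateAccessKey"},
    "recon":    {"GetCallerIdentity", "DescribeInstances", "DescribeDBInstances", "ListBuckets"},
    "staging":  {"CreateDBSnapshot", "ModifyDBSnapshotAttribute"},
    "export":   {"StartExportTask"},
}

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _stage(ev):
    """Map an event to a chain stage, or None if it is not part of the pattern."""
    name, params = ev["eventName"], ev.get("requestParameters") or {}
    for stage, names in STAGES.items():
        if name in names:
            # A managed-policy attach only counts when it grants AdministratorAccess;
            # PutUserPolicy always counts because its inline document is not inspected here.
            if name == "AttachUserPolicy" and params.get("policyArn") != ADMIN_POLICY:
                return None
            return stage
    return None

def detect_chain(events, window=WINDOW, min_stages=3):
    """Alert on actors reaching >= min_stages distinct stages (incl. 'admin') inside `window`.
    Activity by a user an actor created is attributed back to that actor, so a chain
    that switches to the freshly minted user's key still shows up as one actor."""
    created_by = {}  # IAM user ARN -> ARN of the principal that created it

    def root(arn):
        seen = set()
        while arn in created_by and arn not in seen:
            seen.add(arn)
            arn = created_by[arn]
        return arn

    hits = defaultdict(list)  # root actor ARN -> [(time, stage, eventName)]
    for ev in sorted(events, key=_ts):
        actor = ev["userIdentity"]["arn"]
        if ev["eventName"] == "CreateUser":
            new_user = ev["requestParameters"]["userName"]
            created_by[f"arn:aws:iam::{ev['recipientAccountId']}:user/{new_user}"] = actor
        stage = _stage(ev)
        if stage:
            hits[root(actor)].append((_ts(ev), stage, ev["eventName"]))

    alerts = []
    for actor, seq in hits.items():
        best = None  # the window with the most distinct stages for this actor
        for i, (t0, _, _) in enumerate(seq):
            inside = [h for h in seq[i:] if h[0] - t0 <= window]
            stages = {s for _, s, _ in inside}
            if "admin" in stages and len(stages) >= min_stages and (best is None or len(stages) > len(best[0])):
                best = (stages, inside)
        if best:
            stages, inside = best
            alerts.append({"actor": actor, "stages": sorted(stages),
                           "first": inside[0][0].isoformat(), "last": inside[-1][0].isoformat(),
                           "events": [name for _, _, name in inside]})
    return alerts

def _ev(time, source, name, actor, params=None):
    """Build a constructed, CloudTrail-shaped event for an IAM user principal."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "recipientAccountId": ACCOUNT,
            "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/{actor}"},
            "requestParameters": params or {}}

# Constructed sample: a leaked ci-deploy key mints backup-svc, makes it admin, then
# backup-svc snapshots and exports a database. alice's activity is benign noise.
SAMPLE_EVENTS = [
    _ev("2025-10-10T02:11:05Z", "sts.amazonaws.com", "GetCallerIdentity", "ci-deploy"),
    _ev("2025-10-10T02:12:10Z", "iam.amazonaws.com", "CreateUser", "ci-deploy", {"userName": "backup-svc"}),
    _ev("2025-10-10T02:12:31Z", "iam.amazonaws.com", "AttachUserPolicy", "ci-deploy",
        {"userName": "backup-svc", "policyArn": ADMIN_POLICY}),
    _ev("2025-10-10T02:13:02Z", "iam.amazonaws.com", "CreateAccessKey", "ci-deploy", {"userName": "backup-svc"}),
    _ev("2025-10-10T02:20:44Z", "rds.amazonaws.com", "DescribeDBInstances", "backup-svc"),
    _ev("2025-10-10T02:25:19Z", "rds.amazonaws.com", "CreateDBSnapshot", "backup-svc",
        {"dBInstanceIdentifier": "prod-db", "dBSnapshotIdentifier": "prod-db-bk"}),
    _ev("2025-10-10T03:40:57Z", "rds.amazonaws.com", "StartExportTask", "backup-svc",
        {"exportTaskIdentifier": "prod-db-bk-export", "s3BucketName": "attacker-staging-bucket"}),
    _ev("2025-10-10T09:15:00Z", "iam.amazonaws.com", "AttachUserPolicy", "alice",
        {"userName": "intern", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _ev("2025-10-10T09:16:00Z", "ec2.amazonaws.com", "DescribeInstances", "alice"),
]

if __name__ == "__main__":
    for a in detect_chain(SAMPLE_EVENTS):
        print(f"{a['actor']}: {a['stages']} between {a['first']} and {a['last']}")
```

    Run against the constructed sample, ci-deploy is flagged with all six stages even though the last three actions were taken with backup-svc's new key, while alice's ReadOnlyAccess attach and one DescribeInstances never reach the threshold. Feeding it real data is a matter of pointing it at CloudTrail Lake or Athena output; the thing to tune is the window and `min_stages`, since a legitimate admin onboarding a service user will trip new_user, admin and new_key on its own.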

  • State of Cloud Security Report October 2025 Update by Datadog

    The 2025 update to Datadog's cloud security report shows solid progress in some areas, but much still does not spark joy. Data perimeters are catching on (about 40% adoption), but most are still applied piecemeal at the resource level instead of org-wide. IMDSv2 enforcement climbed to 49% of EC2 instances and jumps to 95%+ where the account-level "IMDSv2 by default" setting is enabled, but fewer than 3% of orgs actually use it. Long-lived creds remain a mess (59% of IAM users have access keys older than a year), and 12.2% of third-party roles are still dangerously over-privileged.
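    Two of the numbers above, the year-old access keys here and the root MFA lesson from the Ruby Central story at the top of the issue, can be checked in your own accounts from a single IAM credential report. The script below is an added example for this issue, not Datadog's or AWS's code: it reads a credential report CSV, lists every active access key older than 365 days, computes the share of users carrying one (the same metric the report quotes), and flags a root account without MFA. The CSV is constructed to follow the column layout of a real credential report, trimmed to the columns used; the users, dates and account ID are made up.

```python
"""Audit an IAM credential report for stale access keys and a root account without MFA.

Added example; not Datadog's or AWS's code. SAMPLE_REPORT is constructed to match
the column layout of `aws iam get-credential-report` (trimmed to the columns used);
the users, dates and account ID are made up.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 10, 13, tzinfo=timezone.utc)  # pinned so results are reproducible
MAX_KEY_AGE = timedelta(days=365)

# Constructed report. Real reports carry more columns; "N/A" and "not_supported"
# appear exactly as AWS emits them for missing values and for the root row.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-03-02T10:00:00+00:00,not_supported,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-14T00:00:00+00:00,false,false,true,2022-06-14T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-01-08T15:30:00+00:00,true,true,true,2025-08-20T08:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-11-30T11:00:00+00:00,true,true,false,2021-11-30T11:05:00+00:00,true,2024-09-01T00:00:00+00:00
"""

def _parse_ts(value):
    """Credential-report timestamps are ISO 8601; placeholders mean 'no value'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)

def audit(report_csv, now=NOW, max_age=MAX_KEY_AGE):
    """Return stale active keys, the share of users holding one, and the root MFA state."""
    findings = {"root_mfa_missing": False, "stale_keys": [], "users": 0}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            # The root row is the only place mfa_active for root shows up in the report.
            findings["root_mfa_missing"] = row["mfa_active"] != "true"
            continue
        findings["users"] += 1
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # an inactive key cannot be used; its age is irrelevant
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = now - rotated
            if age > max_age:
                findings["stale_keys"].append({"user": row["user"], "key": slot, "age_days": age.days})
    affected = {f["user"] for f in findings["stale_keys"]}
    findings["stale_key_user_pct"] = (
        round(100 * len(affected) / findings["users"], 1) if findings["users"] else 0.0
    )
    return findings

if __name__ == "__main__":
    result = audit(SAMPLE_REPORT)
    print(f"root MFA missing: {result['root_mfa_missing']}")
    print(f"{result['stale_key_user_pct']}% of users have an active key older than a year")
    for f in result["stale_keys"]:
        print(f"  {f['user']} key {f['key']}: {f['age_days']} days since rotation")
```

    For a real account, `aws iam generate-credential-report` then `aws iam get-credential-report --query Content --output text | base64 -d` gives the CSV to feed into `audit`. Note that bob's key 1 is old but inactive and is deliberately skipped; the report's 59% figure, like this script, is about keys that can still be used.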

Bonus: The Secure Way to Integrate Cloudsec Tools using External IDs

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout


Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those who enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

    No resource updates this week.

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

🚬 Security documentation changes
