Issue #231

Monday · October 13, 2025

Palate Cleanser

Compliance teams rejoice! This week's Ruby Central drama / insider incident is something we can all bring up forever and ever when someone asks why root credentials are bad and why root MFA is important. The Ruby Central root creds were, "stored in a shared enterprise password manager in a shared vault to which only three individuals had access," and one of them appears to have been a naughty boy after being terminated. The actor changed the password and then messed around a little until their access was shut off. The incident timeline is unusually detailed and full of fun times you can quote in PowerPoint decks.

This year's Defcon Cloud Village videos were published this week, and there's lots of AWS goodness among them:

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

Chef's selections

  • How One Project Made AWS Policy Changes Visible to Everyone by Victor Grenu

    Victor, who also happens to be the OG founder of AWS Security Digest, has been running the MAMIP (Monitor AWS Managed IAM Policies) unofficial archive for over 5 years now. He recently put a new coat of paint on all that tooling with a new website, complete with dashboard and search. It's crazy to see just how much managed policies change, given how reliant all of us are on them.

  • Crimson Collective: A New Threat Group Observed Operating in the Cloud by Jakub Zvarik

    A new crew calling themselves Crimson Collective has been ripping through AWS environments using leaked long-term access keys they find with TruffleHog. Once in, they create new IAM users, slap AdministratorAccess on them, and go to town mapping EC2, RDS, S3, and more before pulling data out. Their go-to move seems to be exporting RDS snapshots to S3 and exfiltrating the loot, followed by a nice little extortion note.

  • State of Cloud Security Report October 2025 Update by Datadog

    The 2025 update to Datadog's cloud security report shows solid progress in some areas, but much still does not spark joy. Data perimeters are catching on (about 40% adoption), but most are still applied piecemeal at the resource level instead of org-wide. IMDSv2 enforcement climbed to 49% of EC2s and jumps to 95%+ when "IMDSv2-by-default" is enabled, but fewer than 3% of orgs actually use it. Long-lived creds remain a mess (59% of IAM users have keys older than a year), and 12.2% of third-party roles are still dangerously over-privileged.

Bonus: The Secure Way to Integrate Cloudsec Tools using External IDs
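The Crimson Collective summary above describes a recognisable sequence in CloudTrail: an IAM user created and given AdministratorAccess, Describe/List calls across EC2, RDS and S3, then an RDS snapshot export to S3. The detector below is an added example, not code from the newsletter or the linked write-up; it correlates those stages per access key over constructed sample records (the field names are the real CloudTrail ones, the account id and key ids are placeholders).

```python
# Correlate CloudTrail records into the chain IAM backdoor -> recon -> RDS export.
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
RECON_SOURCES = {"ec2.amazonaws.com", "rds.amazonaws.com", "s3.amazonaws.com"}

def _ev(time, src, name, key, arn, **params):
    """Minimal constructed CloudTrail record; real records use the same field names."""
    return {"eventTime": time, "eventSource": src, "eventName": name,
            "userIdentity": {"accessKeyId": key, "arn": arn}, "requestParameters": params}

LEAKED = "AKIAEXAMPLE000000001"   # constructed id; AKIA prefix = long-term access key
ADMIN = "ASIAEXAMPLE000000002"    # constructed id; ASIA prefix = temporary STS credential
CI_ARN = "arn:aws:iam::111122223333:user/ci-deploy"
ADM_ARN = "arn:aws:sts::111122223333:assumed-role/Admin/alice"
SAMPLE_EVENTS = [  # constructed sample data, not captured telemetry
    _ev("2025-10-08T10:01:00Z", "iam.amazonaws.com", "CreateUser", LEAKED, CI_ARN, userName="backup-svc"),
    _ev("2025-10-08T10:01:20Z", "iam.amazonaws.com", "AttachUserPolicy", LEAKED, CI_ARN,
        userName="backup-svc", policyArn=ADMIN_POLICY),
    _ev("2025-10-08T10:05:00Z", "rds.amazonaws.com", "DescribeDBInstances", LEAKED, CI_ARN),
    _ev("2025-10-08T10:06:00Z", "s3.amazonaws.com", "ListBuckets", LEAKED, CI_ARN),
    _ev("2025-10-08T10:40:00Z", "rds.amazonaws.com", "StartExportTask", LEAKED, CI_ARN,
        sourceArn="arn:aws:rds:us-east-1:111122223333:snapshot:prod-final", s3BucketName="external-bucket"),
    _ev("2025-10-08T11:00:00Z", "ec2.amazonaws.com", "DescribeInstances", ADMIN, ADM_ARN),  # benign recon
]

def stage_of(ev):
    """Map one record to a stage of the chain, or None if it is not part of it."""
    name, src = ev["eventName"], ev["eventSource"]
    params = ev.get("requestParameters") or {}
    if name == "CreateUser":
        return "create_user"
    if name in ("AttachUserPolicy", "AttachRolePolicy") and params.get("policyArn") == ADMIN_POLICY:
        return "attach_admin"
    if src in RECON_SOURCES and name.startswith(("Describe", "List")):
        return "recon"
    if name == "StartExportTask" and params.get("s3BucketName"):
        return "export_to_s3"
    return None

def correlate(events, min_stages=3):
    """Collect stage hits per access key; a key touching >= min_stages distinct stages is a finding."""
    hits, arns = defaultdict(set), {}
    for ev in events:
        ident = ev.get("userIdentity", {})
        key = ident.get("accessKeyId", "unknown")
        arns[key] = ident.get("arn", "")
        stage = stage_of(ev)
        if stage:
            hits[key].add(stage)
    return [{"accessKeyId": k, "arn": arns[k], "long_term_key": k.startswith("AKIA"),
             "stages": sorted(s)} for k, s in hits.items() if len(s) >= min_stages]
```

Keying on `accessKeyId` rather than the ARN is deliberate: it separates a leaked long-term key from the same user's other credentials, and the `long_term_key` flag points straight at the credential to rotate.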

AWS security blogs

๐Ÿ› Reddit threads on r/aws

Dessert

Every machine-tracked change this week. Nobody else assembles this.

๐Ÿง IAM permission changes

๐Ÿช API changes

๐Ÿน IAM managed policy changes

CloudFormation resource changes

    No resource updates this week.

Amazon Linux vulnerabilities

AWS security bulletins

Security documentation changes

Get every AWS security change,
on a plate every Monday.

6,700+ engineers, builders and CISOs let us diff the AWS changelog every week.