AWS Security Digest

Monday,
October 20, 2025

🥖 Palette Cleanser

Hello lovelies,

Since it was quiet on AWS security island this week, we're doing something a little different. fwd:cloudsec Europe 2025 videos were published this week, and Chef's selection includes all the AWS-relevant videos instead of the usual blog posts. If this upsets you, please publish a blog post this week so I have something to feed my subscribers. Remember to submit your content via email.

This caught my eye this week. For years, if you wanted to rewrite URLs or host headers on AWS, you had to bolt on something like Cloudflare, NGINX, or custom Lambda@Edge hacks. Now ALB just does it natively with regex matching and transforms. I'm excited because this is useful but also because I can't wait for the open redirect chains, host header injection, and sneaky path rewrites that bypass naive WAF rules or origin-based allowlists.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

Ransomware protection with immutable AWS Backup - it's complicated ... by Paul Schwarzenberger & Kurtis Mash

This talk walks through implementing immutable backups with AWS Backup across an AWS Organization and explains the subtle KMS, vault, and policy choices defenders must get right to protect against ransomware in AWS.
Mistrusted Advisor: When AWS Tooling Leaves Public S3 Buckets Undetected by Jason Kao

Research showing how AWS Trusted Advisor and other tooling can miss real S3 public exposures, with concrete AWS-specific techniques and telemetry for detecting and exploiting those blind spots.
Sweet Deception: Mastering AWS Honey Tokens to Detect and Outsmart Attackers by Nick Frichette

A deep dive into advanced AWS honey token strategies and the internals of the AWS API that explain how defenders can reliably detect leaked AWS credentials and avoid common evasion techniques.
Lurking in the (documentation) shadows: Why We Built the AWS Security Changes Project by Liad Eliyahu

This presentation recounts the ALBeast discovery and describes an AWS-focused monitoring project that tracks undocumented AWS service and documentation changes which can silently alter security posture.
From One to Hundreds: Reflections on a Decade of Building the Trenches by Joel Thompson

Operational lessons from growing an AWS account fleet that highlight real-world AWS account organization, governance, and security trade-offs teams face at scale.
Connecting the Cloud-Dots: Constructing a Knowledge Layer from Autonomous Attack Simulation by Itay Gabbay

Describes Cloudots, a system that runs real API-based attack simulations across AWS (and other clouds) to map which AWS telemetry signals actually trigger during attacks for better detection engineering.
Dealing with Storage Data Logs in the Cloud: A Hidden Challenge by Maayan Bentor & Zoe Rabi

Compares AWS S3 DataEvents and logging semantics across clouds and explains the AWS-specific logging gaps and scale problems that complicate incident detection and investigation.
The Cloud is a Spider Web: But with Broken Threads by Nitesh Surana & Nelson William Gamazo Sanchez

Explores CSP design decisions (including AWS scenarios) that enable resource takeovers and URL or credential abuse, highlighting AWS-relevant patterns like universal DNS zones and misused URL tokens.
The File That Contained the Keys Has Been Removed: An Analysis of Secret Leaks in Cloud Buckets and Responsible Disclosure Outcomes by Soufian El Yadmani

Large-scale empirical analysis of secrets found in public cloud storage (including AWS S3), focusing on the types of leaked AWS credentials observed and the outcomes of responsible disclosure to affected organizations.

🥗 AWS security blogs

🍛 Reddit threads on r/aws

AWS Blocked

💸 Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

CVE-2025-62168
CVE-2025-11683
CVE-2025-39972
CVE-2025-9640
CVE-2025-39973
CVE-2025-39998
CVE-2025-39994
CVE-2025-39999
CVE-2025-40000
CVE-2025-11687
CVE-2025-39966
CVE-2025-10230
CVE-2025-39997
CVE-2025-39968
CVE-2025-39970
CVE-2025-11568
CVE-2025-39996
CVE-2025-39992
CVE-2025-39991
CVE-2025-39993
CVE-2025-39995
CVE-2025-11714
CVE-2025-55248
CVE-2025-11720
CVE-2025-11715
CVE-2025-11711
CVE-2025-11721
CVE-2025-11708
CVE-2025-55247
CVE-2025-11718
CVE-2025-55315
CVE-2025-11712
CVE-2025-11713
CVE-2025-11716
CVE-2025-11719
CVE-2025-11717
CVE-2025-11731
CVE-2025-11710
CVE-2025-11709
CVE-2025-58185
CVE-2025-39965
CVE-2025-47912
CVE-2025-58187
CVE-2025-61725
CVE-2025-23332
CVE-2025-58183
CVE-2025-23330
CVE-2025-39964
CVE-2025-23345
CVE-2025-23300
CVE-2025-58189
CVE-2025-58186
CVE-2025-61724
CVE-2025-61723
CVE-2025-58188

📺 AWS security bulletins

No bulletins this week.