Monday,
October 27, 2025

🥖 Palate Cleanser

Earlier this week, I was worried y'all wouldn't get this issue on time because DynamoDB in us-east-1 took too many downers and couldn't balance it out with uppers fast enough. Whoever wrote the post-outage summary at AWS might want to consider using paragraphs next time. Luckily, Gergely Orosz wrote a fantastic, readable summary of the incident.

Whenever there's a big cloud outage, the hot takes come thick and fast. One in particular always comes up: no matter the root cause, it's evidence and impetus to go multi-cloud or move back on-prem. Each organization has to figure that out for itself, but here's my warning: you already struggle to understand, hire for, and do security in AWS. On its own, AWS has roughly 430 services, 17,000+ API methods, and 19,000+ IAM permissions. Adding another cloud provider to the mix isn't going to make it twice as hard; it's going to make it virtually impossible.

But you don't have to listen to me. I'm just a super serious internet guy.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • My AWS Account Got Hacked - Here Is What Happened by Zvi Wexlstein

    Zvi's story is interesting because it shows how fast and methodical attackers are, and how a single hardcoded key can cascade into organizational control and financial damage. An exposed AWS key in a personal Next.js project led to a full account compromise. The attacker first flooded the victim's inbox with spam to bury AWS's notification emails, then used the leaked key to create IAM users, launch EC2 instances (likely for crypto mining), and set up SES DKIM records to prepare a phishing campaign from the victim's own domains.
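    The chain Zvi describes (one key creating IAM principals, launching compute in several regions and preparing SES, all within minutes) is easy to spot in CloudTrail if you group by access key rather than by event. The script below is an added example, not code from Zvi's post: the six CloudTrail records are constructed to mirror the real schema, and the account ID, key IDs, IPs and domain are placeholders.

```python
"""Triage CloudTrail records for the leaked-key pattern in the write-up above.

Added example, not code from Zvi's post. The records are constructed to
mirror the real CloudTrail schema; account, key and IP values are placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime

# Real CloudTrail eventName values, grouped by what each step buys an attacker.
PERSISTENCE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}
COMPUTE = {"RunInstances"}
MAIL = {"VerifyDomainDkim", "VerifyDomainIdentity", "CreateEmailIdentity"}
STAGES = (("persistence", PERSISTENCE), ("compute", COMPUTE), ("mail", MAIL))

LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"   # the key from the Next.js repo (placeholder)
DEV_KEY = "AKIAI44QH8DHBEXAMPLE"      # a legitimate key, for contrast (placeholder)


def _record(time, key, name, source, ip, region="us-east-1", **extra):
    """Build one CloudTrail record as the JSON string you would read from S3."""
    rec = {
        "eventTime": time, "eventName": name, "eventSource": source,
        "awsRegion": region, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/zvi-dev",
                         "accessKeyId": key},
    }
    rec.update(extra)
    return json.dumps(rec)


# Constructed sample: five attacker events over ~16 minutes, one benign event.
SAMPLE_RECORDS = [
    _record("2025-10-20T03:14:07Z", LEAKED_KEY, "CreateUser", "iam.amazonaws.com",
            "198.51.100.23", requestParameters={"userName": "backup-svc"}),
    _record("2025-10-20T03:14:09Z", LEAKED_KEY, "CreateAccessKey", "iam.amazonaws.com",
            "198.51.100.23", requestParameters={"userName": "backup-svc"}),
    _record("2025-10-20T03:21:40Z", LEAKED_KEY, "RunInstances", "ec2.amazonaws.com",
            "198.51.100.23", region="us-east-2"),
    _record("2025-10-20T03:22:05Z", LEAKED_KEY, "RunInstances", "ec2.amazonaws.com",
            "198.51.100.23", region="eu-west-1"),
    _record("2025-10-20T03:30:11Z", LEAKED_KEY, "VerifyDomainDkim", "ses.amazonaws.com",
            "198.51.100.23", requestParameters={"domain": "example.com"}),
    _record("2025-10-20T03:31:00Z", DEV_KEY, "ListBuckets", "s3.amazonaws.com", "203.0.113.8"),
]


def parse(raw):
    """Pull out the fields the triage needs from one CloudTrail record."""
    rec = json.loads(raw)
    return {
        "time": datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00")),
        "key": rec["userIdentity"].get("accessKeyId"),
        "name": rec["eventName"],
        "ip": rec["sourceIPAddress"],
        "region": rec["awsRegion"],
    }


def triage(raw_records, window_minutes=60, min_stages=2):
    """Group events by access key; flag keys that hit several stages quickly.

    A single key that creates IAM principals, launches compute and sets up
    SES inside one window is the chain the write-up describes. Returns one
    finding per key, most stages first.
    """
    by_key = defaultdict(list)
    for raw in raw_records:
        ev = parse(raw)
        if ev["key"]:
            by_key[ev["key"]].append(ev)

    findings = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        names = {e["name"] for e in evs}
        stages = [label for label, actions in STAGES if names & actions]
        span_min = (evs[-1]["time"] - evs[0]["time"]).total_seconds() / 60
        if len(stages) >= min_stages and span_min <= window_minutes:
            findings.append({
                "access_key": key,
                "stages": stages,
                "minutes": round(span_min, 1),
                "regions": sorted({e["region"] for e in evs}),
                "source_ips": sorted({e["ip"] for e in evs}),
                "actions": sorted(names),
            })
    return sorted(findings, key=lambda f: -len(f["stages"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding, indent=2))
```

    Keying on the access key rather than the user ARN matters here: the leaked key and the developer's day-to-day key may belong to the same IAM user, and it is the key that was leaked. Feed it the decompressed CloudTrail objects from your log bucket, one record per element of the `Records` array.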

  • ECS on EC2: Covering Gaps in IMDS Hardening by Latacora

    Sorry I missed this one in early October. When you run ECS tasks on EC2 instead of Fargate, containers share the host, and any container that can reach the EC2 instance metadata service (IMDS) gets the instance role's credentials, not just its own task role's. IMDSv2 with a hop limit of 1 only stops containers behind the Docker bridge; tasks in host or awsvpc network mode can still get through, so you have to block metadata access explicitly (the agent's ECS_AWSVPC_BLOCK_IMDS setting for awsvpc, a firewall rule for the bridge). Otherwise a compromised container can steal the instance role and use it to move laterally. More hardening deets inside.
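    The gap is easiest to see as an audit: for each container instance, combine the EC2 metadata options, the network modes of the tasks it runs and the agent config. The following is an added example, not Latacora's code. It runs offline on constructed inputs shaped like ec2:DescribeInstances output and /etc/ecs/ecs.config; the instance IDs are placeholders, and the remediation commands are the EC2 CLI flags and the DOCKER-USER iptables rule the ECS developer guide gives for bridge mode.

```python
"""Assess one ECS container instance's IMDS exposure.

Added example, not Latacora's code. Inputs are constructed: a dict in the
shape of ec2:DescribeInstances output and the text of /etc/ecs/ecs.config.
"""

IMDS = "169.254.169.254"

# Constructed inputs (instance IDs are placeholders).
WEAK_INSTANCE = {"InstanceId": "i-0123456789abcdef0",
                 "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2}}
HARDENED_INSTANCE = {"InstanceId": "i-0fedcba9876543210",
                     "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}}
WEAK_AGENT_CONFIG = "ECS_CLUSTER=prod\nECS_ENABLE_TASK_IAM_ROLE=true\n"
HARDENED_AGENT_CONFIG = WEAK_AGENT_CONFIG + "ECS_AWSVPC_BLOCK_IMDS=true\n"


def parse_agent_config(text):
    """Parse /etc/ecs/ecs.config: KEY=VALUE lines, '#' comments, blanks ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def assess(instance, network_modes, agent_config_text):
    """Return (code, message) findings for one container instance.

    network_modes is the set of task network modes scheduled on it. Each
    mode has its own gap:
      bridge - the Docker bridge adds a hop, so hop limit 1 stops the
               IMDSv2 token PUT; a DOCKER-USER DROP rule is defense in depth.
      host   - shares the instance network namespace; the hop limit is
               irrelevant, only host-level filtering or avoiding host mode helps.
      awsvpc - the task ENI reaches IMDS directly; the agent's
               ECS_AWSVPC_BLOCK_IMDS setting is the documented block.
    """
    opts = instance["MetadataOptions"]
    cfg = parse_agent_config(agent_config_text)
    findings = []
    if opts.get("HttpTokens") != "required":
        findings.append(("IMDSV1_ALLOWED",
                         "HttpTokens is not 'required': containers can GET credentials with no token"))
    hop = opts.get("HttpPutResponseHopLimit", 1)
    if "bridge" in network_modes and hop > 1:
        findings.append(("HOP_LIMIT",
                         f"hop limit {hop} lets bridge-mode containers complete the IMDSv2 token PUT"))
    if "awsvpc" in network_modes and cfg.get("ECS_AWSVPC_BLOCK_IMDS", "false").lower() != "true":
        findings.append(("AWSVPC_BLOCK_IMDS",
                         "ECS_AWSVPC_BLOCK_IMDS is not true: awsvpc tasks can reach IMDS"))
    if "host" in network_modes:
        findings.append(("HOST_MODE",
                         "host-mode tasks share the instance network namespace; hop limit does not apply"))
    return findings


def remediation(instance_id):
    """Commands that close the findings above."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
        "--http-tokens required --http-put-response-hop-limit 1",
        "echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config   # then restart the ecs agent",
        f"iptables --insert DOCKER-USER 1 --in-interface docker+ --destination {IMDS}/32 --jump DROP",
    ]


if __name__ == "__main__":
    for code, msg in assess(WEAK_INSTANCE, {"bridge", "awsvpc"}, WEAK_AGENT_CONFIG):
        print(f"[{code}] {msg}")
    print("\n".join(remediation(WEAK_INSTANCE["InstanceId"])))
```

    To run it against a real cluster, feed `assess` the `MetadataOptions` from `describe_instances`, the `networkMode` of each task's definition from `describe_task_definition`, and the agent config read off the host; none of that is wired in here so the block stays offline.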

  • Querying Terraform state with AWS Athena by Aidan Steele

    There are some credibility challenges to claiming this is a security post, but it's certainly interesting, and if you squint you might be able to find a security use case. Turns out Athena can treat Terraform state in S3 as a queryable dataset: the Amazon Ion SerDe parses the pretty-printed JSON, and cross joins unnest the resource arrays into one row per resource instance. It's a clever trick (Aidan has many) for auditing infrastructure at scale.
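    The security use case is the unnested rows themselves: once every resource instance is a row with its attributes, you can ask which security groups open admin ports to the world and which resources have plaintext secrets sitting in state. The block below is an added example and not Aidan's Athena approach: it does the same flattening (resources to instances to attributes) locally in Python over a constructed format-version-4 state document, so it runs without S3 or Athena. The resource names, IDs and the secret value are made up.

```python
"""Query a Terraform state file for the security use case hinted at above.

Added example, not Aidan's Athena code: the same unnesting his cross joins
do, done locally over a constructed state document.
"""
import json

# Constructed Terraform state (format version 4) with three resources.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.9.5",
    "resources": [
        {"mode": "managed", "type": "aws_security_group", "name": "web",
         "instances": [{"schema_version": 1, "attributes": {
             "id": "sg-0a1b2c3d4e5f67890",
             "ingress": [
                 {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
                 {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             ]}}]},
        {"module": "module.ci", "mode": "managed", "type": "aws_iam_access_key", "name": "runner",
         "instances": [{"schema_version": 0, "attributes": {
             "id": "AKIAIOSFODNN7EXAMPLE", "user": "ci-runner",
             "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}]},
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "instances": [{"schema_version": 0, "index_key": "eu",
                        "attributes": {"id": "logs-eu-example", "bucket": "logs-eu-example"}}]},
    ],
})

# Attributes Terraform stores in plaintext in state for these resource types.
SECRET_ATTRIBUTES = {
    "aws_iam_access_key": ["secret"],
    "aws_db_instance": ["password"],
    "aws_secretsmanager_secret_version": ["secret_string"],
}
ADMIN_PORTS = {22, 3389}


def flatten(state_json):
    """The UNNEST step: one row per resource instance, as the cross joins produce."""
    state = json.loads(state_json)
    for res in state.get("resources", []):
        address = ".".join(filter(None, [res.get("module"), res["type"], res["name"]]))
        for inst in res.get("instances", []):
            idx = inst.get("index_key")
            yield {
                "address": address if idx is None else f'{address}["{idx}"]',
                "type": res["type"],
                "attributes": inst.get("attributes", {}),
            }


def open_admin_ports(row):
    """Security group rows whose ingress opens an admin port to the whole Internet."""
    if row["type"] != "aws_security_group":
        return []
    hits = []
    for rule in row["attributes"].get("ingress", []):
        world = ("0.0.0.0/0" in rule.get("cidr_blocks", [])
                 or "::/0" in rule.get("ipv6_cidr_blocks", []))
        if not world:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        if any(lo <= port <= hi for port in ADMIN_PORTS):
            hits.append(f"{row['address']}: {rule.get('protocol')}/{lo}-{hi} open to the world")
    return hits


def secrets_in_state(row):
    """Rows whose attributes carry a plaintext secret."""
    return [f"{row['address']}: attribute '{attr}' is stored in state"
            for attr in SECRET_ATTRIBUTES.get(row["type"], [])
            if row["attributes"].get(attr)]


def audit(state_json):
    """Run every check over every flattened row and return the findings."""
    findings = []
    for row in flatten(state_json):
        findings.extend(open_admin_ports(row))
        findings.extend(secrets_in_state(row))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_STATE):
        print(line)
```

    The second check is the one worth remembering: a state bucket that is readable by more principals than the IAM access keys and database passwords it contains is itself a finding, whichever tool you query it with.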

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout


Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those who enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

    No bulletins this week.

🚬 Security documentation changes
