🥖 Palette Cleanser

Wassup amazing humans?! I can't promise you a $2,000 stimmy check (I mean cybersecurity dividend), but I hope the awesome AWS security content in this week's issue is enough to buy your votes on the socials.

December 1st is almost here, and you know what that means... The barrage of re:Invent announcements is about to start. Which security companies do you think AWS will crush this year? Or will it all be AI AI AI?

Google's acquisition of Wiz got one step closer to reality this week as it cleared US antitrust review. Now we just have to see what vision Europe has for cloud security. The deal is expected to close in 2026.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Weaponizing the AWS CLI for Persistence by Hector Ruiz Ruiz

  Once your workstation or server gets pwned, all bets are off. Still, there's something very pleasant, almost soothing, about a simple CLI alias change that keeps sending creds to an attacker forever. This one is mostly for red teamers, detection engineers, and paranoid ops people who enjoy spiking their paranoia.

• CloudFormation change set privilege escalation by Lucian Patian

  Once upon a time, the late Spencer Gietzen (I miss your work mate 😢) pointed out that you could escalate privileges in AWS by passing a role to CloudFormation. That's interesting, but of course that's why the PassRole permission exists and is often a barrier. Apparently that's not the case if you have the CreateChangeSet and ExecuteChangeSet permissions. Of course, no specific-sounding AWS-managed policy like SecretsManagerReadWrite would ever do such a thing, would it?!

• Hacking India’s largest automaker: Tata Motors by Eaton Zveare

  There are no new lessons here: Don't put AWS access keys and secrets in client-side scripts. Don't implement encryption just for show. Limit the scope of IAM policies, etc. However, it is instructive to see how quickly and easily someone like Eaton can find these things and tear an entire cloud environment apart. Luckily, he's a good guy.

🥗 AWS security blogs

• 📣 Amazon Cognito user pools now supports private connectivity with AWS PrivateLink
• 📣 Amazon DynamoDB Streams expands AWS PrivateLink support to FIPS endpoints
• 📣 AWS Service Reference Information now supports SDK Operation to Action mapping
• 📣 Amazon Cognito removes Machine-to-Machine app client price dimension
• Securing Generative AI: How Enterprises Can Govern Workforce Use of Generative AI with SurePath AI by Ameya Paldhikar
• Enhancing security with WebAuthn redirection in Amazon WorkSpaces by Chirag Mishra
• Configuring the AWS WAF Anti-DDoS managed rule group for your resources and clients by David MacDonald
• How to secure communications beyond encryption with AWS Wickr by Chris O’Rourke
• How Curtin University enhanced security compliance with AWS Managed Services Trusted Remediator by Jason Wei-Lun Hsia
• Reducing SAP Certificate Management Overhead with AWS Certificate Manager by João Bozelli
• Introducing the Overview of the AWS European Sovereign Cloud whitepaper by J.D. Bean
• Migrating from Open Policy Agent to Amazon Verified Permissions by Samuel Folkes
• New whitepaper available – AI for Security and Security for AI: Navigating Opportunities and Challenges by Debashis Das

🍛 Reddit threads on r/aws

• Secure Remote Access for AWS using OpenVPN - Sharing my thoughts
• New AWS Whitepaper with SANS: AI for Security and Security for AI: Navigating Opportunities and Challenges
• CloudFront + WAF with OAC/IP rules --> Lambda Function URL + S3

💸 Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

• support-console
• profile
• sts
• vpc-lattice
• user-subscriptions
• guardduty
• autoscaling
• batch
• s3tables
• iotmanagedintegrations
• redshift-serverless
• emr-containers
• kms
• support
• cloudfront
• bedrock
• kinesis
• lambda
• cognito-idp
• rtbfabric
• ec2
• autoscaling
• connect
• bedrock-agentcore
• aps
• mediaconnect
• elasticloadbalancingv2

🍪 API changes

• AWS Control Tower
• Amazon Elastic Compute Cloud
• AWS Key Management Service
• Amazon OpenSearch Service
• Amazon VPC Lattice
• Access Analyzer
• AWS Backup
• Amazon Connect Service
• Amazon Elastic Compute Cloud
• Amazon GameLift
• AWS SSO Identity Store
• Amazon QuickSight
• Amazon S3 Tables
• Amazon S3 Vectors
• Amazon SageMaker Service
• Amazon CloudFront
• Amazon DataZone
• Amazon Elastic Compute Cloud
• Amazon FSx
• AWS Ground Station
• Amazon SageMaker Service
• Amazon Pinpoint SMS Voice V2
• Amazon Bedrock AgentCore Control
• Amazon Elastic Compute Cloud
• Amazon Kinesis

🍹 IAM managed policy changes

• SageMakerStudioProjectUserRolePolicy
• CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy
• AmazonConnectServiceLinkedRolePolicy
• AWSSecretsManagerClientReadOnlyAccess
• AWSControlTowerCloudTrailRolePolicy
• AmazonFSxConsoleFullAccess
• AWSControlTowerServiceRolePolicy
• AWSControlTowerAccountServiceRolePolicy
• AmazonFSxConsoleFullAccess
• AWSQuickSetupManagedInstanceProfileExecutionPolicy
• AWSQuickSetupDeploymentRolePolicy
• AWSApplicationMigrationNetworkMigrationCustomResource
• AWSDMSServerlessServiceRolePolicy
• AmazonApplicationRecoveryControllerRegionSwitchPlanExecutionPolicy
• BedrockAgentCoreFullAccess
• AWSWAFConsoleReadOnlyAccess
• AWSWAFConsoleFullAccess

☕ CloudFormation resource changes

• AWS::CloudFront::VpcOrigin
• AWS::CloudFront::AnycastIpList
• AWS::BedrockAgentCore::WorkloadIdentity

🎮 Amazon Linux vulnerabilities

• CVE-2025-64329
• CVE-2024-25621
• CVE-2025-46404
• CVE-2025-52881
• CVE-2025-10966
• CVE-2025-11563
• CVE-2025-60753
• CVE-2025-46705
• CVE-2025-46784
• CVE-2025-47151
• CVE-2025-52565
• CVE-2025-31133
• CVE-2025-62507

📺 AWS security bulletins

• CVE-2025-12829 - Integer Overflow issue in Amazon Ion-C
• CVE-2025-12815 - RES web portal may display preview of Virtual Desktops that the user shouldn't have access to
• Improper authentication token handling in the Amazon WorkSpaces client for Linux
• CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 - runc container issues

🚬 Security documentation changes

• appstream2 Documentation Update
• bedrock Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cli Documentation Update
• cloudhsm Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• fsx Documentation Update
• glue Documentation Update
• govcloud-us Documentation Update
• govcloud-us Documentation Update
• guardduty Documentation Update
• guardduty Documentation Update
• inspector Documentation Update
• inspector Documentation Update
• keyspaces Documentation Update
• lake-formation Documentation Update
• marketplace Documentation Update
• marketplace Documentation Update
• mgn Documentation Update
• mgn Documentation Update
• quicksight Documentation Update
• wellarchitected Documentation Update
• workspaces-thin-client Documentation Update
• govcloud-us Documentation Update
• inspector Documentation Update
• marketplace Documentation Update
• marketplace Documentation Update