Monday,
November 24, 2025

🥖 Palette Cleanser

Salutations, friends,

It looks like someone unleashed the pre:Invent security announcement cannon this week. There's flat-rate pricing for CloudFront. STS can issue JWTs to IAM roles and users for authenticating to services outside AWS. Developers can get temporary local creds with 'aws login'. Of course, AI agents are helping with incident response. And you can pay to enforce encryption in transit within VPCs, which feels kind of icky but in practice probably makes sense.

I'm not sure yet who is being put out of business this re:Invent, but it has to be someone. In case you are attending, AWS has written a guide for security enjoyers. I'll make sure to get you the YouTube playlist once it's all done and dusted.

Finally, thank you for all the feedback recently. A few of you have called me out for letting a few lower-quality articles slip into a recent issue. I'm sorry. Others have also asked for more chef's selections. I'll do my best to eliminate the former, but I rely on the internet content machine to produce enough of the good stuff for y'all to consume. Sometimes there just isn't enough. Please keep making cool content, and if you do create or find something worthy, send it my way at ilovecontent@awssecuritydigest.com.


📋 Chef's selections

  • Phishing for AWS Credentials via the New ‘aws login’ Flow by Adan Álvarez Vilchez

    Adan didn't even let this feature fall out of his LinkedIn feed before finding a way to abuse it, and I like the simplicity of it. The feature is meant to make it easy for developers to get CLI creds in their local environment, which it does. But in an effort to support an edge case, AWS made it susceptible to phishing. The "--remote" flag was added to login for when a browser isn't available on the local system, so by definition the browser session has to be on a different system, meaning the authentication flow can be intermediated.

  • All Paths Lead to Your Cloud: A Mapping of Initial Access Vectors to Your AWS Environment by Golan Myers, Ofir Balassiano

    I think putting "all paths" and "a mapping" in the title maybe overstates what's in this article. Yes, the resource types mentioned can be exposed, and yes, the descriptions are mostly good background reading and worth understanding for newer folks. However, there are many more resources that can be exposed and more ways to expose the ones mentioned. NLB, anyone? Cool tidbit though: "97% of [Palo] customers have AWS users in their cloud accounts." Yet Datadog claims, "two in five (39%) organizations still use IAM users." What does that say about each customer base? I'll let you pontificate.

  • Enable Whichever Version of Security Hub AWS is Supporting These Days by Rich Mogull

    When there's a free spot in chef's selections, we can always rely on Rich to make a solid tutorial. Be careful you don't accidentally spend all your money on this one though. This piece walks you through the chaos of “new Security Hub vs Security Hub CSPM,” including how AWS split the product in half and stapled the non-CSPM bits back together under a new name. Rich even shows you how to enable delegated admin and org-wide Config (the part that quietly lights your wallet on fire) so you can see exactly how findings flow into the new aggregation layer.

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout


Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

🚬 Security documentation changes
