🥖 Palette Cleanser

This week in AWS security has been dominated by two major events and not a lot of content otherwise, so I had to take things into my own hands.

First, re:Invent is about to begin. You can live stream the various keynotes if you are into that kind of thing. However, most of the big security announcements have already dropped, and there's a nice summary in chef's selections.

Second, phase 2 of Sha1-Hulud supply chain campaign kicked off, and every security vendor is covering it. There's even a pretty dashboard and search tool, but it seems to cover ~50% of affected repos. Something like 800 GitHub access tokens and 400 AWS credentials were compromised.

See you on the flip side.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Privilege escalation with SageMaker and there's more hiding in execution roles by Daniel Grzelak

  I don't understand SageMaker at all, but I did manage to make it spit out extra privileges by updating a notebook instance config, and it did help me understand a particular category of privilege escalation in AWS. Any time an AWS service executes a code-like thing with an execution role, and the code can be modified after initial creation, that results in an opportunity for privilege escalation. Can you spot that pattern in other services?

• AWS pre:Invent security highlights: what changed and why it matters by Adan Alvarez

  Instead of reading three AWS announcement posts and guessing at the security impact, Adan breaks each update down into the risks, benefits, and detection signals that matter. It’s the version you need if you care about real-world attacker paths, not product announcements.

🥗 AWS security blogs

• 📣 Amazon S3 Block Public Access now supports organization-level enforcement
• 📣 Introducing AWS Network Firewall Proxy in preview
• Announcing AWS CloudTrail Event Aggregation and Insights for Data Events by Isaiah Salinas
• Deploy CrowdStrike Falcon Next-Gen SIEM for AWS through AWS Marketplace by Jenn Reed
• Securing Egress Architectures with Network Firewall Proxy by Tom Adamski
• AWS Private Certificate Authority now supports partitioned CRLs by Kartik Bhatnagar
• How to use the Secrets Store CSI Driver provider Amazon EKS add-on with Secrets Manager by Angad Misra
• AWS Secrets Manager launches Managed External Secrets for Third-Party Credentials by Rohit Panjala
• Introducing guidelines for network scanning by Stephen Goodman

🍛 Reddit threads on r/aws

• Amazon S3 Now Supports Organization Level Block Public Access
• Need help on security standards

💸 Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

• omics
• apigateway
• security-ir
• cloudwatch
• ecr
• logs
• cloudfront
• omics
• apigateway
• security-ir
• cloudwatch
• ecr
• logs
• cloudfront

🍪 API changes

• Amazon Bedrock Runtime
• AWS Compute Optimizer
• Cost Optimization Hub
• Amazon Elastic Compute Cloud
• AWS Network Firewall
• AWS Organizations
• Amazon Route 53
• Amazon CloudFront
• Amazon CloudWatch Logs

🍹 IAM managed policy changes

• NovaActServiceRolePolicy
• AWSBillingConductorFullAccess
• AmazonS3TablesFullAccess
• AmazonRedshiftFederatedAuthorization
• AWSMcpServiceActionsFullAccess
• AWSIdentityCenterExternalManagementPolicy
• DynamoDBGlobalTableSettingsManagementServiceRolePolicy
• AmazonS3TablesFullAccess
• AmazonConnectSynchronizationServiceRolePolicy
• AWSTransformApplicationECSDeploymentPolicy
• AWSTransformApplicationDeploymentPolicy
• AWSSecurityHubOrganizationsAccess
• AWSSecurityHubFullAccess

☕ CloudFormation resource changes

• AWS::PCS::Cluster
• AWS::CloudFront::ConnectionFunction

🎮 Amazon Linux vulnerabilities

• CVE-2025-66382
• CVE-2025-61915
• CVE-2025-58436
• CVE-2025-13699
• CVE-2025-13674
• CVE-2025-2486
• CVE-2025-13601
• CVE-2025-64505
• CVE-2025-13502
• CVE-2025-65018
• CVE-2025-64720
• CVE-2025-64506

📺 AWS security bulletins

No bulletins this week.

🚬 Security documentation changes

• sagemaker Documentation Update
• sagemaker Documentation Update
• sagemaker Documentation Update
• sagemaker Documentation Update
• sagemaker Documentation Update
• sagemaker Documentation Update
• vpc Documentation Update
• waf Documentation Update
• AmazonECS Documentation Update
• glue Documentation Update
• glue Documentation Update
• glue Documentation Update
• glue Documentation Update
• glue Documentation Update
• glue Documentation Update
• glue Documentation Update
• glue Documentation Update
• glue Documentation Update
• glue Documentation Update
• opensearch-service Documentation Update
• opensearch-service Documentation Update
• redshift Documentation Update
• securityhub Documentation Update
• securityhub Documentation Update
• securityhub Documentation Update
• securityhub Documentation Update