Monday,
December 08, 2025

🥖 Palette Cleanser

Every week the internet gods roll a d20, and sometimes it lands on 20, like it did this week. There was a bit of everything for everyone. re:Invent concluded, and all the security talks are live. There's a nice written recap in Chef's selections.

The internet also caught on fire in a big way as a remote code execution (RCE) vulnerability was identified in React Server Components (CVE-2025-55182) and given a fancy name, "React2Shell". The Next.js framework happens to use the vulnerable components and so it is also vulnerable, pre-auth (CVE-2025-66478). Almost immediately several proof-of-concept exploits popped up, quickly leading to mass exploitation and AWS issuing an advisory about "China-nexus cyber threat groups." There was even some social media drama as researchers bypassed Vercel's WAF, only to have Vercel's CEO cry BS and then walk it all back. More deets on the bugs from Datadog here.

Canary tokens are near and dear to my heart. In 2017 I published the first AWS canary token framework. I thought that was cool, but it is child's play compared to what Tracebit launched this week: a 100% free version of their security canary platform. Once you sign up, you can deploy canaries for AWS sessions, SSH keys, browser cookies, password manager credentials, and emails in under 60 seconds. The beauty of canaries is their asymmetry, because for a tiny amount of effort they give you high-fidelity, real-time breach detection. Props to our sponsor Tracebit.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • re:Invent 2025 recap by Chris Farris

    I absolutely love this recap, even if the announcements are largely pre:Invent. Chris has elite snark and too much AWS experience for his own good. I feel like I learned more nuance from this one collection of stuff than from many deep technical posts. For example, "you can now explicitly disable SSE-C - a technique ransomware syndicates use to encrypt your data when you leak an access key."

  • AWS Lambda Managed Instances: A Security Overview by Eduard Agavriloae

    This post provides an early security look at AWS Lambda Managed Instances, a new model where Lambda functions run on Bottlerocket-based EC2 instances controlled by AWS. Eduard found the environment far more locked down than ECS, EKS, or SageMaker nodes, with strict role-modification denials, no direct access paths, and a set of new "Elevator" components orchestrating networking, isolation, and execution. The result is both a hardened design and a rare window into how Lambda likely works under the hood.

  • Amazon CloudFront mTLS with open-source serverless CA by Paul Schwarzenberger

    This guide shows how to set up mutual TLS for Amazon CloudFront using an open source serverless private CA, including how to deploy the CA, create a CloudFront trust store, and validate access with a client certificate. CloudFront mTLS is brand new, and Paul highlights some important early lessons, such as the fact that the CA bundle must be stored in an S3 bucket in us-east-1 with a text/plain content type or CloudFront will not accept it. He is also salty that many services still have their own separate and inconsistent trust store systems, which creates real challenges for anyone trying to run mTLS at scale.
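The us-east-1 and text/plain requirements above are exactly the kind of thing that is easy to get wrong on the first deploy. Below is an added pre-flight check, written for this digest and not taken from Paul's guide or from the CloudFront documentation, that validates a trust-store object before you point CloudFront at it. It takes the bucket location and a head-object style response as plain dicts (constructed inline here instead of calling the AWS API) and checks the PEM framing of the bundle; the exact-match comparison on the content type is this example's conservative choice, and the certificate bodies are placeholder bytes rather than real DER.

```python
import base64
import re
from typing import List, Optional

# A PEM certificate block: header, base64 body (possibly line-wrapped), footer.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _pem_block(der_bytes: bytes) -> str:
    """Wrap raw bytes in PEM framing, 64 characters per line like real tools do."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample bundle (root + intermediate). The bodies are placeholder
# bytes, not real certificates, so only the framing and base64 are validated.
SAMPLE_BUNDLE = _pem_block(b"placeholder-root-ca-der-bytes-" * 3) + _pem_block(
    b"placeholder-intermediate-ca-der-bytes-" * 3
)


def count_certificates(bundle: str) -> int:
    """Number of well-formed CERTIFICATE blocks in the bundle text."""
    return len(PEM_BLOCK.findall(bundle))


def check_trust_store_object(
    bucket_location: Optional[str], head: dict, body: str
) -> List[str]:
    """Return a list of problems; an empty list means the object looks usable.

    bucket_location: LocationConstraint as returned by get-bucket-location.
        S3 reports None (no constraint) for buckets in us-east-1, so None is
        accepted alongside the explicit region name.
    head: a head-object style response dict with a ContentType key.
    body: the decoded object content (the CA bundle).
    """
    problems: List[str] = []

    # Requirement from the guide: the bucket must live in us-east-1.
    if bucket_location not in (None, "", "us-east-1"):
        problems.append(
            f"bucket is in {bucket_location!r}; CloudFront expects us-east-1"
        )

    # Requirement from the guide: the object must be served as text/plain.
    # Exact match is this example's choice; a charset parameter would be flagged.
    ctype = head.get("ContentType", "")
    if ctype != "text/plain":
        problems.append(f"content type is {ctype!r}; expected 'text/plain'")

    # Sanity-check the bundle itself so an empty or corrupted upload is caught early.
    blocks = PEM_BLOCK.findall(body)
    if not blocks:
        problems.append("no PEM CERTIFICATE blocks found in bundle")
    for index, wrapped in enumerate(blocks):
        compact = "".join(wrapped.split())  # drop the 64-column line breaks
        try:
            base64.b64decode(compact, validate=True)
        except ValueError:
            problems.append(f"certificate block {index} is not valid base64")

    return problems


if __name__ == "__main__":
    # Good configuration: us-east-1 (reported as None), text/plain, valid bundle.
    print(check_trust_store_object(None, {"ContentType": "text/plain"}, SAMPLE_BUNDLE))
    # Misconfigured: wrong region, wrong type, garbage body.
    print(check_trust_store_object("eu-west-1", {"ContentType": "application/x-pem-file"}, "junk"))
```

In practice you would feed it the output of `aws s3api get-bucket-location` and `aws s3api head-object` for the bundle object; the function deliberately takes plain dicts so it can be unit-tested without credentials.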

🥗 AWS security blogs

๐Ÿ› Reddit threads on r/aws


💸 Sponsor shoutout


Meet Pleri: your AI-powered cloud security teammate. She's not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those who enjoy the industrial content.

๐Ÿง IAM permission changes

๐Ÿช API changes

๐Ÿน IAM managed policy changes

☕ CloudFormation resource changes

    No resource updates this week.

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

🚬 Security documentation changes
