Monday, December 15, 2025

🥖 Palate Cleanser

There is so much tragedy in the world; sometimes it feels like focusing on any single incident is itself an injustice. Long-time readers know I'm based in Sydney, so it feels important to acknowledge what happened at Bondi Beach yesterday. Violence directed at a community leaves wounds far beyond those immediately affected. I hope that, in moments like this, we choose care, solidarity, and looking after one another, and that our response (all of us) is to come together rather than pull apart.

It does put the limits of what we worry about day to day, in cybersecurity, in perspective, though. After last week's zero-day chaos, two additional vulnerabilities have been identified in the React Server Components (RSC) protocol. Luckily, neither of these new issues allows for remote code execution, but it yet again shows that not all bugs are shallow, given enough eyeballs. It takes some very specific, determined eyeballs focused in the right area at times. Regardless, all the usual suspects are taking full advantage.


📋 Chef's selections

  • Exploiting AWS IAM Eventual Consistency for Persistence by Eduard Agavriloae

    This is super cool. A defender deletes a compromised IAM user’s access key, assumes the account is safe, and moves on, but within the next 3 to 4 seconds the attacker uses that same “deleted” key to call CreateAccessKey and mint a fresh set of credentials. Eduard walks through this exact race using real IAM APIs like DeleteAccessKey, ListAccessKeys, and CreateAccessKey, and then shows the same pattern applied to other IAM changes, such as attaching deny-all policies or creating new roles, which can likewise be raced in the window before they actually take effect.

  • Hands On with AWS Bottlerocket: Evaluating the Security of Amazon's Hardened OS by Terry Franklin

    AWS Bottlerocket is Amazon’s minimal, hardened Linux OS for running containers, and this article puts it side by side with a standard Ubuntu node using real container escape techniques. Terry demonstrates that the attacks still work at the container level, but repeatedly fail to turn into host compromise because of Bottlerocket’s design choices, like an immutable root filesystem, enforced SELinux, and kernel lockdown. It’s worth reading because it shows exactly where Bottlerocket draws the line between “container is compromised” and “the node is compromised,” using concrete attacks instead of assumptions.

  • Test S3 ABAC locally with iam-lens by David Kerber

    AWS recently added attribute-based access control (ABAC) support to S3 buckets, but turning it on can change access in ways that are hard to reason about from policies alone. David shows how his open source iam-lens tool lets you locally simulate and diff access before and after ABAC is enabled, using a simple override flag to see exactly which principals gain or lose S3 permissions. It turns a risky, account-wide IAM change into something you can test, review, and understand before you touch a production bucket.
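The eventual-consistency race above leaves a tell in CloudTrail: the call that mints new credentials is signed with the key that was just deleted. As an added example (not from Eduard's post or any AWS tool), this Python snippet correlates DeleteAccessKey events with later calls made using the same accessKeyId; the events are constructed samples that follow the CloudTrail record field names.

```python
"""Flag CloudTrail events signed with an IAM access key after it was deleted."""
from datetime import datetime

# Constructed sample records (not real logs). Field names follow CloudTrail:
# userIdentity.accessKeyId is the key that signed the call, and for
# DeleteAccessKey requestParameters.accessKeyId is the key being removed.
SAMPLE_EVENTS = [
    {"eventTime": "2025-12-15T01:00:00Z", "eventName": "DeleteAccessKey",
     "userIdentity": {"userName": "admin", "accessKeyId": "AKIAADMINKEY00000000"},
     "requestParameters": {"userName": "svc-build",
                           "accessKeyId": "AKIADELETEDKEY000000"}},
    {"eventTime": "2025-12-15T01:00:03Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "svc-build", "accessKeyId": "AKIADELETEDKEY000000"},
     "requestParameters": {"userName": "svc-build"}},
    {"eventTime": "2025-12-15T01:02:00Z", "eventName": "ListBuckets",
     "userIdentity": {"userName": "svc-build", "accessKeyId": "AKIAOTHERKEY00000000"},
     "requestParameters": None},
]


def _ts(value):
    """Parse the CloudTrail eventTime format (UTC, second resolution)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_use_after_delete(events):
    """Return (eventName, accessKeyId, seconds_after_delete) for every call
    signed with a key that an earlier DeleteAccessKey had already removed.
    Any hit is suspicious; a CreateAccessKey hit is the race described above."""
    deleted = {}   # accessKeyId -> time the DeleteAccessKey call was logged
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        when = _ts(ev["eventTime"])
        signing_key = (ev.get("userIdentity") or {}).get("accessKeyId")
        if signing_key in deleted:
            delay = (when - deleted[signing_key]).total_seconds()
            findings.append((ev["eventName"], signing_key, delay))
        if ev["eventName"] == "DeleteAccessKey":
            params = ev.get("requestParameters") or {}
            if "accessKeyId" in params:
                deleted[params["accessKeyId"]] = when
    return findings


if __name__ == "__main__":
    for name, key, delay in find_use_after_delete(SAMPLE_EVENTS):
        print(f"{name} signed with deleted key {key} {delay:.0f}s after deletion")
```

Run it over a real CloudTrail export and the same logic applies unchanged; the delay also tells you whether the hit fits the seconds-wide consistency window or points at something else, such as a stale log or a key re-created with the same ID.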

Bonusii: Abusing AWS Systems Manager as a Covert C2 Channel and AWS re:Invent 2025 Shows What "Shift Left" Can Mean for AI Security

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout


Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

    No resource updates this week.

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

    No bulletins this week.

🚬 Security documentation changes
