December 22, 2025
Palate Cleanser
I'm at the stage of life where friends are losing loved ones, so this week's issue will be brief. There's still some truly incredible content, but apologies, my usual verve is not. Merry Christmas and Happy New Year to all. <3
The zeroday.cloud competition came and went. Lots of cloudy software got pwnt. Full write-up here.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
Chef's selections
- Introducing Pathfinding.cloud by Seth Art
An extremely nondescriptive title for what may be the best piece of AWS security content released all year. For a long time, AWS privilege escalation has been hard to track and understand. Yes, there are lists, but they are brief and lack metadata. You can't build tooling or a comprehensive framework around them without a lot of work. That's all changing thanks to Seth.
- AWS Privilege Escalation Techniques by Ben Goodspeed
Speaking of AWS privesc, Ben is having some fun too. He walks through how AWS privilege escalation has evolved from classic IAM misconfigurations into service-driven and now AI-orchestrated attack paths, with modern services like Bedrock and AgentCore acting as new execution and delegation hubs. The key takeaway is that privilege today emerges from how services execute code and chain actions on your behalf, and while many of these paths remain exploitable by default, well-designed SCPs and service-level guardrails can still shut them down reliably.
- Goodbye to Static Credentials: Embrace Modern Identity Practices by Eyal Estrin
This is a refresher on why static credentials are dangerous and why temporary, identity-based access is the right default, but it largely covers well-established best practices rather than new research. It's most useful for cross-cloud environments (AWS, Azure, GCP), Kubernetes workloads, and teams migrating off legacy service accounts, and less useful for organizations that have already standardized on roles, workload identity, and short-lived credentials everywhere.
AWS security blogs
- AWS Private CA OCSP now available in China and AWS GovCloud (US) Regions
- Announcing 176 new AWS Security Hub controls in AWS Control Tower
- Amazon WorkSpaces Applications announces additional health and performance metrics
- AWS Payment Cryptography is now available in Asia Pacific (Hyderabad) and Europe (Paris)
- AWS Payment Cryptography reduces API pricing by up to 63% and introduces tiered key pricing
- AWS Payment Cryptography is now available in Sydney with AS2805 support
- AWS Artifact enables access to previous versions of compliance reports
- AWS Security Incident Response introduces integration with Slack
- Search and discover governance controls with Control Catalog in AWS Control Tower by Matej Macek
- Navigating the EU Data Act for IoT Solutions: Part 1 - Healthcare Industry lens by Shefali Emmanuel
- Cedar Joins CNCF as a Sandbox Project by Lara Langdon
- Security Hub CSPM automation rule migration to Security Hub by Joe Wagner
- GuardDuty Extended Threat Detection uncovers cryptomining campaign on Amazon EC2 and Amazon ECS by Kyle Koeller
- What AWS Security learned from responding to recent npm supply chain threat campaigns by Nikki Pahliney
- Amazon Threat Intelligence identifies Russian cyber threat group targeting Western critical infrastructure by CJ Moses
Reddit threads on r/aws
Sponsor shoutout
Meet Pleri: your AI-powered cloud security teammate. She's not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.
Learn more about Pleri and see her in action.
Dessert
Dessert is made by robots, for those that enjoy the industrial content.
IAM permission changes
API changes
- ARC
- Amazon Connect Service
- EMR Serverless
- AWS IoT
- AWS Wickr Admin API
- Amazon WorkSpaces Web
- Amazon AppStream
- ARC
- AWS Artifact
- Amazon Bedrock AgentCore Control
- Data Automation for Amazon Bedrock
- AWS Clean Rooms Service
- Amazon Elastic Compute Cloud
- Amazon Elastic Container Registry
- Amazon EC2 Container Service
- AWS IoT
- Amazon OpenSearch Service
- Amazon Simple Email Service
- AWS Systems Manager for SAP
- Amazon GameLift Streams
- Amazon GuardDuty
- Inspector Scan
- Managed Streaming for Kafka Connect
- AWS Elemental MediaConvert
- AWS Elemental MediaPackage v2
- Payment Cryptography Data Plane
- Payment Cryptography Control Plane
- Amazon SageMaker Service
- AWS IoT
- Timestream InfluxDB
- Amazon Connect Service
- Amazon Elastic Compute Cloud
- AWS EntityResolution
- Amazon CloudWatch Logs
- AWS MediaTailor
- Amazon Route 53 Resolver
- Amazon Simple Storage Service
- Service Quotas
IAM managed policy changes
- AIOpsAssistantPolicy
- AWSQuickSetupDeploymentRolePolicy
- AIOpsAssistantPolicy
- AmazonTimestreamInfluxDBFullAccessWithoutMarketplaceAccess
- AmazonTimestreamInfluxDBFullAccess
- AWSResourceExplorerServiceRolePolicy
- AmazonTimestreamInfluxDBFullAccessWithoutMarketplaceAccess
- AmazonTimestreamInfluxDBFullAccess
- AWSResourceExplorerServiceRolePolicy
- AWSArtifactReportsReadOnlyAccess
- ReadOnlyAccess
- AmazonECSInfrastructureRolePolicyForManagedInstances
- AWSEntityResolutionConsoleFullAccess
- AWSUserAttributeCostAllocationPolicy
- AWSCleanRoomsServiceRolePolicy
- CloudWatchNetworkMonitorServiceRolePolicy
CloudFormation resource changes
Amazon Linux vulnerabilities
- CVE-2025-14177
- CVE-2025-14180
- CVE-2025-14178
- CVE-2025-14946
- CVE-2025-14876
- CVE-2025-68161
- CVE-2025-68469
- CVE-2025-68324
- CVE-2025-14861
- CVE-2025-14744
- CVE-2025-59529
- CVE-2025-14860
- CVE-2025-43536
- CVE-2025-68118
- CVE-2025-43531
- CVE-2024-29370
- CVE-2025-43541
- CVE-2025-43529
- CVE-2025-43535
- CVE-2025-43501
- CVE-2025-68310
- CVE-2025-40346
- CVE-2025-40362
- CVE-2025-68304
- CVE-2025-68251
- CVE-2025-68223
- CVE-2025-68321
- CVE-2025-68295
- CVE-2025-68265
- CVE-2025-68208
- CVE-2025-68305
- CVE-2025-40349
- CVE-2025-68228
- CVE-2025-68244
- CVE-2025-68245
- CVE-2025-68198
- CVE-2025-68185
- CVE-2025-68308
- CVE-2025-68294
- CVE-2025-68243
- CVE-2025-68212
- CVE-2025-68264
- CVE-2025-68146
- CVE-2025-68171
- CVE-2025-68233
- CVE-2025-68199
- CVE-2025-40353
- CVE-2025-68283
- CVE-2025-68231
- CVE-2025-68186
- CVE-2025-68194
- CVE-2025-68285
- CVE-2025-68219
- CVE-2025-68237
- CVE-2025-68222
- CVE-2025-68306
- CVE-2025-68221
- CVE-2025-68299
- CVE-2025-68259
- CVE-2025-68250
- CVE-2025-68300
- CVE-2025-68200
- CVE-2025-68213
- CVE-2025-68173
- CVE-2025-68188
- CVE-2025-68176
- CVE-2025-68182
- CVE-2025-68207
- CVE-2025-68229
- CVE-2025-68214
- CVE-2025-40350
- CVE-2025-68178
- CVE-2025-68170
- CVE-2025-40359
- CVE-2025-68183
- CVE-2025-68218
- CVE-2025-68215
- CVE-2025-68209
- CVE-2025-68156
- CVE-2025-68307
- CVE-2025-68227
- CVE-2025-40347
- CVE-2025-68206
- CVE-2025-68297
- CVE-2025-68317
- CVE-2025-40360
- CVE-2025-68226
- CVE-2025-68179
- CVE-2025-68169
- CVE-2025-40361
- CVE-2025-40351
- CVE-2025-68167
- CVE-2025-68291
- CVE-2025-40348
- CVE-2025-40357
- CVE-2025-68312
- CVE-2025-68242
- CVE-2025-68301
- CVE-2025-68284
- CVE-2025-68296
- CVE-2025-68168
- CVE-2025-68309
- CVE-2025-68253
- CVE-2025-68193
- CVE-2025-68239
- CVE-2025-68236
- CVE-2025-68288
- CVE-2025-68319
- CVE-2025-68292
- CVE-2025-68204
- CVE-2025-68224
- CVE-2025-68197
- CVE-2025-68293
- CVE-2025-68191
- CVE-2025-68241
- CVE-2025-68281
- CVE-2025-68181
- CVE-2025-40363
- CVE-2025-68287
- CVE-2025-68282
- CVE-2025-68313
- CVE-2025-68298
- CVE-2025-40355
- CVE-2025-68192
- CVE-2025-68232
- CVE-2025-68261
- CVE-2025-68211
AWS security bulletins
Security documentation changes
- bedrock Documentation Update
- cli Documentation Update
- cli Documentation Update
- cli Documentation Update
- cli Documentation Update
- ec2 Documentation Update
- eks Documentation Update
- eks Documentation Update
- mgn Documentation Update
- nova Documentation Update
- nova Documentation Update
- nova Documentation Update
- nova Documentation Update
- opensearch-service Documentation Update
- securityhub Documentation Update
- vpc-lattice Documentation Update