AWS Security Digest

Monday,
March 02, 2026

🥖 Palette Cleanser

Sometimes we are reminded that the cloud is the real world, not some magical place in the sky. This week, an AWS availability zone in me-central-1 went offline after [weapon-shaped] "objects struck the datacenter," causing a fire and a power shutoff. EC2 APIs were impacted for several hours before recovery began.

A little off topic: I'm tired of vulnerability scanners telling me to fix thousands of CVEs when most of them aren't even exploitable in my cloud environment. Plerion (my ASD enablers and sponsors) let me work on this problem. The idea is to get AI to read everything about a CVE and extract the actual requirements for exploitation, then evaluate those requirements against real environments. This is one of the best AI use cases I've seen. Not because it's clever, but because it actually works. Reach out to the folks at Plerion if this sounds interesting.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

A Backdoor You Can Talk To: Persistence via Bedrock AgentCore by Adan Alvarez

My favorite topic returns - b4ckd00rz. Adan demonstrates how attackers can establish persistence by deploying a Bedrock AgentCore agent that exposes an endpoint authenticated via JWT through an external identity provider like Cognito. He's clearly been working in corporate environments too long. The attacker can literally have a conversation with it to execute actions in the compromised account. A creative twist on post-compromise techniques, showing how GenAI services make life more fun for the bad guys too.
AWS Incident Response: IAM Containment That Survives Eventual Consistency by Eduard Agavriloae

Eduard lives his life a quarter mile at a time: that ~4 second IAM propagation window where your containment policies haven't kicked in yet. Slap a deny-all policy on a compromised admin, and they can just detach it before it propagates?! The fix is to use SCPs to make your quarantine policies irremovable. Keep a break-glass IR role exempt from the SCP, and now you're racing physics instead of attackers.
Post-Exploitation at Scale: The Rise of AILM by Roi Nisimi

Roi has clearly been reading Gartner, as he coins "AI-Induced Lateral Movement" - attackers pivoting through an organization's AI layer instead of traditional network or identity paths. The idea is to stuff malicious prompts into data fields that AI agents blindly consume - EC2 tags, order comments, whatever gets ingested. Roi demos this using Prowler's AI assistant, showing how injected prompts make it talk like a pirate, spill its available tools, and recommend attacker-controlled URLs. LLMs can't tell data from instructions, and we're wiring them into everything.

🥗 AWS security blogs

🍛 Reddit threads on r/aws

AWS KMS best practices

💸 Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🥖 Palette Cleanser

📋 Chef's selections

🥗 AWS security blogs

🍛 Reddit threads on r/aws

💸 Sponsor shoutout

🤖 Dessert

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

🚬 Security documentation changes