🥖 Palette Cleanser

If you've been following this newsletter for a while, you'll know MAMIP (Monitor AWS Managed IAM Policies). Victor Grenu, the original founder of this newsletter, has been tracking every silent change AWS makes to managed policies since 2019. This week, MAMIP got a major upgrade and a new name: IAMTrail. Same mission, now with a proper interface, visualizations, diffs, and email notifications. Over 1,500 active policies tracked, 4,473 commits of history, and enough data to spot that ReadOnlyAccess has been through 178 versions. Give Victor some love.

Someone turned AWS CloudShell's free persistent storage into a distributed file system spanning multiple regions, complete with UDP hole-punching, and AES-256 encryption. Fun hack, but it's also a reminder that CloudShell's free 1GB of persistent storage per region could serve as attacker infrastructure or a staging area in a compromised AWS environment.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Pwning AI Code Interpreters in AWS Bedrock AgentCore by Kinnaird McQuade

  AWS Bedrock AgentCore Code Interpreter's "Sandbox" mode promises complete network isolation, but Kinnaird found that DNS queries slip right through. To prove the impact, he built a full DNS C2 protocol. The attacker delivers commands inbound via DNS A record responses with each IP octet encoding an ASCII character of base64 data, and the sandbox phones home by embedding output in outbound DNS subdomain queries. The result is a full interactive reverse shell. AWS acknowledged the issue, decided not to fix it, and updated the docs to say "sandbox mode allows DNS resolution." The PoC is open-sourced. If your Code Interpreter's IAM role can touch S3, so can an attacker with a malicious CSV and a DNS server.

• Pentesting a Pentest Agent: Here's What I've Found in AWS Security Agent by Richard Fan

  Richard turned the tables and pentested AWS Security Agent, AWS's own autonomous AI pentesting tool. The most alarming find: a multi-stage chain starting with debug message injection, bypassing guardrails by wrapping malicious requests in emotional narratives, then escalating privileges and escaping the container, and pulling instance credentials straight from IMDS. AWS classified it within their "documented threat model." He also found the agent happily runs DROP TABLE during SQL injection probes and dumps discovered credentials into reports unredacted. As AI agents get more autonomy in your AWS environment, this is the kind of research worth sitting with.

• UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours by Ravie Lakshmanan

  I missed this a few weeks back. UNC6426 is a threat actor tracked by Mandiant. They compromised the nx npm package with a malicious postinstall script that harvested GitHub tokens from developer machines. Those tokens were enough to abuse an overly permissive GitHub Actions-to-AWS OIDC trust relationship and create a brand new admin IAM role in the victim's AWS account. Once in, they used Nord Stream, an open-source tool designed to extract secrets stored in CI/CD pipelines, to hoover up credentials across the environment. The whole environment was cooked in 72 hours. S3 buckets exfiltrated and production intances terminated. OIDC is great but it just outsources your security to Github (or whatever CI/CD platform).

🥗 AWS security blogs

• 📣 AWS Firewall Manager launches in AWS Asia Pacific (New Zealand) Region
• 📣 Amazon Inspector expands agentless EC2 scanning and introduces Windows KB-based findings
• 📣 AWS Elemental MediaConnect adds support for NDI® inputs
• 📣 AWS Security Agent now supports downloading penetration testing reports
• 📣 Amazon Bedrock is now available in Asia Pacific (New Zealand)
• Essential security controls to prevent unauthorized account removal in AWS Organizations by Nivedita Tripathi
• Scale fine-grained permissions across warehouses with Amazon Redshift and AWS IAM Identity Center by Raghu Kuppala
• AWS and Others Invest $12.5M to Defend the Open Source Ecosystem from AI Threats by Mark Ryland
• Amazon threat intelligence teams identify Interlock ransomware campaign targeting enterprise firewalls by CJ Moses
• AWS completes the second GDV community audit with participant insurers in Germany by Flamur Abdyli

🍛 Reddit threads on r/aws

• Help understanding purpose of STS Session Token
• Insecurities about SSO VS IAM.
• looking for suggestion
• I built a AWS security tool after noticing how common basic misconfigs are
• I built a free security scanner for your cloud infra & code — connect GitHub/AWS and get a full report in minutes

💸 Sponsor shoutout

Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

• aidevops
• batch
• securityhub
• medical-imaging
• aws-marketplace-catalog
• es
• bedrock-agentcore
• interconnect
• vpc-lattice
• uxc
• ecs

🍪 API changes

• Amazon DynamoDB
• Amazon OpenSearch Service
• Amazon Verified Permissions
• AWS Batch
• Amazon Bedrock AgentCore Control
• Amazon Bedrock AgentCore
• Amazon Elastic Compute Cloud
• CloudWatch Observability Admin Service
• Amazon Polly
• Amazon Elastic Compute Cloud
• AWS Elemental MediaConvert
• Amazon Bedrock AgentCore Control
• Amazon EMR
• AWS Glue
• Amazon Bedrock AgentCore
• Amazon Bedrock
• Amazon EC2 Container Service

🍹 IAM managed policy changes

• AWSCompromisedKeyQuarantineV3
• AWSCompromisedKeyQuarantineV3
• AWSCompromisedKeyQuarantineV3

☕ CloudFormation resource changes

• AWS::Glue::Catalog

🎮 Amazon Linux vulnerabilities

• CVE-2026-3842: QEMU hyperv/syndbg out-of-bounds memory access
• CVE-2026-2046: GIMP LBM file parsing heap buffer overflow RCE
• CVE-2006-10003: perl-XML-Parser off-by-one heap overflow on deep element nesting
• CVE-2026-4426: libarchive zisofs decompression undefined behavior DoS
• CVE-2026-4424: libarchive RAR LZSS heap out-of-bounds read, info disclosure
• CVE-2026-4428: AWS-LC CRL validation logic error allows revoked cert bypass
• CVE-2006-10002: perl-XML-Parser UTF-8 buffer overflow DoS
• CVE-2026-23249: kernel XFS missing cursor validation on btree revalidation, DoS
• CVE-2026-23242: kernel RDMA/siw NULL pointer dereference in header processing
• CVE-2026-26740: giflib EGifGCBToExtension buffer overflow DoS
• CVE-2026-23262: kernel GVE driver stats corruption on queue count change
• CVE-2026-23257: kernel liquidio off-by-one in PF setup_nic_devices cleanup, DoS
• CVE-2026-23267: kernel f2fs checkpoint flag inconsistency, DoS
• CVE-2025-71266: kernel NTFS3 indx_find infinite loop on inconsistent metadata, DoS
• CVE-2026-32829: Rust LZ4 decompression leaks uninitialized memory
• CVE-2026-23258: kernel liquidio uninitialized netdev pointer before queue setup, DoS
• CVE-2026-23256: kernel liquidio VF off-by-one in setup_nic_devices cleanup, DoS
• CVE-2026-23255: kernel /proc/net/ptype missing RCU protection
• CVE-2026-23247: kernel TCP timestamp offset flaw in secure_seq, DoS
• CVE-2025-71269: kernel btrfs data reservation leak on inline extent -ENOSPC fallback
• CVE-2026-23250: kernel XFS missing return value check in xchk_scrub_create_subord
• CVE-2026-23259: kernel io_uring iovec not freed on cache put failure, DoS
• CVE-2025-71265: kernel NTFS3 attr_load_runs_range infinite loop on corrupt metadata, DoS
• CVE-2026-23265: kernel f2fs missing sanity check on node footer
• CVE-2026-23254: kernel GRO outer network offset handling issue, DoS
• CVE-2026-23248: kernel perf_mmap refcount bug and potential use-after-free
• CVE-2026-3479: Python pkgutil.get_data() path traversal
• CVE-2026-23270: kernel net/sched act_ct can bind to clsact/ingress qdiscs
• CVE-2026-23244: kernel NVMe memory allocation bug in nvme_pr_read_keys, DoS
• CVE-2026-30922: python-pyasn1 uncontrolled recursion on deeply nested ASN.1 DoS
• CVE-2026-23243: kernel RDMA/umad negative data_len not rejected in ib_umad_write
• CVE-2025-71270: kernel LoongArch exception fixup for ADE subcode, DoS
• CVE-2026-23261: kernel NVMe-FC admin tagset not released on init failure, DoS
• CVE-2026-23245: kernel net/sched act_gate RCU race on snapshot replace
• CVE-2026-23266: kernel fbdev rivafb divide error in nv3_arb, DoS
• CVE-2026-23252: kernel XFS xchk_xfile descriptor cleanup issue, DoS
• CVE-2026-27135: nghttp2 assertion failure on malformed frames after session close, DoS
• CVE-2026-27459: pyOpenSSL buffer overflow when cookie callback returns >256 bytes
• CVE-2026-23253: kernel DVB-core wrong ringbuffer reinitialization on reopen, DoS
• CVE-2026-23260: kernel regmap maple tree free on mas_store_gfp failure, DoS
• CVE-2026-23269: kernel AppArmor DFA start state bounds not validated in unpack_pdb
• CVE-2026-23268: kernel AppArmor unprivileged user can perform privileged policy management
• CVE-2026-27448: pyOpenSSL TLS callback unhandled exceptions may allow connection bypass
• CVE-2025-71268: kernel btrfs inline extent reservation leak on error path, DoS
• CVE-2026-23264: kernel AMD DRM ASPM check revert, DoS
• CVE-2025-71267: kernel NTFS3 zero-sized ATTR_LIST infinite loop, DoS
• CVE-2026-32636: ImageMagick NewXMLTree out-of-bounds write
• CVE-2026-23246: kernel WiFi mac80211 missing bounds check on link_id in ML reconfig
• CVE-2026-23251: kernel XFS xfarray/xfblob destroy called on invalid pointer, DoS
• CVE-2026-23241: kernel audit subsystem missing syscalls for read class, DoS
• CVE-2025-71239: kernel audit missing fchmodat2 in change attributes class, DoS
• CVE-2026-4271: libsoup3 HTTP/2 use-after-free on crafted auth request

📺 AWS security bulletins

• Arbitrary code execution via crafted project files in Kiro IDE
• CVE-2026-4270 - AWS API MCP File Access Restriction Bypass
• CVE-2026-4269 - Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit
• CVE-2026-4428: Issues with AWS-LC - CRL Distribution Point Scope Check Logic Error

🚬 Security documentation changes

• Bedrock: deleting an API key does not delete the associated IAM user
• CLI: cross-account management options (backup, multi-party approval, delegated admin) added
• CLI: enterprise policies and cert management via Secrets Manager; proxy config ARN pattern updated
• CLI: certificate management via Secrets Manager added
• DocumentDB: release notes reorganized by engine version; TLS, client-side encryption, audit logging updates
• EKS: new platform versions with security fixes
• Payment Cryptography: CreateKey required in replica regions for Multi-Region key replication
• ECS: Copilot CLI end-of-support notice added
• ECS: security guidance for bind mounts and privileged containers
• IAM: prefer temporary credentials over service-specific credentials for new development
• IAM: centralized root access requires sts:AssumeRoot; root credentials cannot call sts:AssumeRoot
• Backup: rds:DeleteTenantDatabase added to AWSServiceRolePolicyForBackupRestoreTesting
• CLI: session timeout enforces termination after TTL regardless of activity
• CLI: session timeout enforces termination after TTL regardless of activity
• DMS: four new premigration validation checks added
• DRS: temporary credentials and instance profiles preferred over long-term keys
• DRS: Replication Agent IAM policy must not be attached to IAM users or roles
• EKS: new platform versions for Kubernetes 1.29-1.35 with security fixes
• GuardDuty: overly permissive IAM policy deprecated, scoped-down replacement
• HealthImaging: confused deputy prevention page removed
• HealthImaging: infrastructure security page removed
• IVS: security headers (CORS, CSP, HSTS, X-Content-Type-Options, X-Frame-Options) removed
• IVS: security headers (CORS, HSTS, X-Content-Type-Options) removed
• IVS: security headers (CORS, CSP, HSTS) removed
• IVS: security headers (CORS, HSTS, X-Frame-Options) removed
• IVS: security headers (CSP, HSTS, X-Frame-Options) removed
• IVS: security headers (HSTS, X-Content-Type-Options) removed
• IVS: security headers (CSP, X-Frame-Options) removed
• IVS: security headers (CSP, HSTS, X-Frame-Options) removed
• IVS: security headers (CSP, HSTS) removed
• IVS: security headers removed
• KMS: kms:RequestAlias in Deny policies can be bypassed; use kms:ResourceAliases instead
• Lake Formation: IAM role steps and CLI commands expanded for S3 Tables catalog registration
• Lake Formation: access controls section retitled for S3 Tables integration
• Marketplace: avoid root user for daily ops; KYC requirements clarified for secondary users
• OpenSearch: IAM policy requirements added for direct query data sources
• WorkSpaces Thin Client: v2.20.3 fixes Chromium CVE-2026-3909 and CVE-2026-3910