🥖 Palette Cleanser

AWS made an oopsie this week by pushing a test IAM managed policy to production. Was it a human or an agent? Regardless, it was caught by IAM Trail. A new policy slipping through is relatively harmless, but it raises an uncomfortable question. What happens if an unattended change hits an existing, actively-used AWS managed policy?

It's time to keep an eye on AWS security bulletins for this line: "We thank Anthropic for reporting this concern to the AWS Vulnerability Disclosure Program." It appeared for the first time in bulletin 2026-015, and it's probably a Mythos find. All your security friends are likely headless chickening the Claude Mythos reveal and what it's found. It has already turned up thousands of vulnerabilities across major systems, including a 27-year-old flaw in OpenBSD and a 16-year-old FFmpeg bug that automated testing tools had hit five million times without ever catching. Through Project Glasswing, AWS is one of the launch partners with access to Mythos for scanning their own code, backed by $100M in usage credits and structured 90-day disclosure timelines. This may be the first Mythos-reported vulnerability to land in an AWS security bulletin. It won't be the last.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Escaping the AWS AgentCore Sandbox by Ori Hadad

  AgentCore's Code Interpreter sandbox mode promises "complete isolation with no external access." Ori found that arbitrary DNS lookups sail right through network restrictions, opening a covert bidirectional channel for data exfiltration and C2. The microVM Metadata Service (MMDS) makes it worse: no session token enforcement (think IMDSv1 but for microVMs), so credentials are accessible directly from within the sandbox. In part two, Ori turns to the identity side and finds the AgentCore starter toolkit auto-creates IAM roles with wildcard permissions across every agent in the account - memory, runtimes, ECR repos, code interpreters. The toolkit is meant for dev and testing but one compromised agent can pull every other agent's container image, read their conversation history, and poison their memory. Ori calls it Agent God Mode.

• notyet: AWS IAM Credential Revocation Gaps by Eduard Agavriloae

  When you disable an access key during incident response, IAM takes roughly 4 seconds to propagate that change globally. Given admin-level starting permissions, notyet is a cheeky tool that polls every 0.5 seconds for identity state changes, detects a containment action, and responds before propagation completes - creating new roles, assuming them, provisioning new users with random names you can't pre-target, and rewriting any policies you tamper with. AWS has fixed it so a deactivated key can no longer create a new access key, but it can still perform other IAM actions during the window, so notyet pivots through a temporary role to mint a fresh identity instead. Nigel Sood collaborated on the red-blue testing, throwing nearly a dozen IR containment methods at it: inline policies, managed policies, permission boundaries, group membership, access key deactivation, role deletion, SSM runbooks - none stuck. The most reliable kill switch is an SCP, because a compromised identity in a member account simply cannot detach an Organizations-level policy.

🥗 AWS security blogs

• 📣 AWS Private CA now supports customer managed permissions for cross-account sharing
• 📣 Amazon EC2 Capacity Manager now supports tag-based dimensions
• 📣 Amazon IVS Real-Time Streaming now supports redundant ingest
• 📣 AWS Certificate Manager now supports native certificate search
• 📣 Amazon Verified Permissions now supports policy store aliases and named policies and policy templates
• 📣 Amazon WorkSpaces Personal now supports unique DNS names for PrivateLink
• 📣 AWS announces general availability of Smithy-Java client framework
• AWS Weekly Roundup: AWS DevOps Agent & Security Agent GA, Product Lifecycle updates, and more (April 6, 2026) by Channy Yun (윤석찬)
• A framework for securely collecting forensic artifacts into S3 buckets by Jason Garman
• Building AI defenses at scale: Before the threats emerge by Amy Herzog

🍛 Reddit threads on r/aws

No threads this week.

💸 Sponsor shoutout

Meet Pleri: your AI security engineer. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

• es
• bcm-dashboards
• omics
• verifiedpermissions
• observabilityadmin
• bedrock-agentcore
• securitylake
• aws-marketplace-discovery
• workspaces
• deadline
• glue
• bedrock
• ses
• transform
• s3files
• lightsail

🍪 API changes

• Amazon Connect Service
• AWS DevOps Agent Service
• EC2 Image Builder
• AWS Elemental MediaConvert
• CloudWatch Observability Admin Service
• RTBFabric
• Amazon SageMaker Service
• AWS Billing and Cost Management Dashboards
• Amazon Bedrock AgentCore Control
• Amazon Bedrock AgentCore
• AWS MediaConnect
• Redshift Data API Service
• Amazon SageMaker Service
• AWS Backup
• Elastic Disaster Recovery Service
• Amazon Interactive Video Service RealTime
• AWS Marketplace Discovery
• AWS Elemental MediaLive
• AWS Outposts
• Amazon Bedrock AgentCore
• Braket
• Amazon Connect Service
• Amazon DataZone
• Amazon Elastic Compute Cloud
• Amazon EC2 Container Service
• Amazon Elastic Kubernetes Service
• AWS Outposts
• RTBFabric
• Amazon Simple Storage Service
• Amazon S3 Files
• Access Analyzer
• AWSDeadlineCloud
• Amazon Data Lifecycle Manager
• Amazon Lightsail
• AWS MediaTailor
• Amazon Q Connect
• AWS Transfer Family

🍹 IAM managed policy changes

• ROSAKubeControllerPolicy
• ROSAControlPlaneOperatorPolicy
• ConsoleViewOnlyAccessFromVercel
• ConsoleFullAccessFromVercel
• AWSServiceRoleForCodeWhispererPolicy
• AWSBillingReadOnlyAccess
• AWSBudgetsActions_RolePolicyForResourceAdministrationWithSSM
• AWSConfigServiceRolePolicy
• AWSDeadlineCloud-UserAccessFarms
• AWSServiceRolePolicyForWorkspacesInstances
• AWSTransformCustomFullAccess
• AWSWAFConsoleFullAccess
• AWSWAFConsoleReadOnlyAccess
• AWSWAFFullAccess
• AWSWAFReadOnlyAccess
• AWS_ConfigRole
• AmazonBedrockLimitedAccess
• AmazonBedrockMantleFullAccess
• AmazonBedrockMantleInferenceAccess
• AmazonElasticFileSystemsUtils
• AmazonS3FilesCSIDriverPolicy
• AmazonS3FilesClientFullAccess
• AmazonS3FilesClientReadOnlyAccess
• AmazonS3FilesClientReadWriteAccess
• AmazonS3FilesFullAccess
• AmazonS3FilesReadOnlyAccess
• AmazonSageMakerCapacityReservationServiceRolePolicy
• Billing
• FMSServiceRolePolicy
• NAPSPropagatorIntegTestManagedPolicy07
• SageMakerStudioProjectUserRolePolicy
• NAPSPropagatorIntegTestManagedPolicy07
• AmazonBedrockMantleInferenceAccess
• AmazonBedrockMantleFullAccess
• AmazonBedrockLimitedAccess
• AmazonSageMakerCapacityReservationServiceRolePolicy
• AWSWAFReadOnlyAccess
• AWSWAFFullAccess
• AWSWAFConsoleReadOnlyAccess
• AWSWAFConsoleFullAccess
• Billing
• AWSBillingReadOnlyAccess
• AWSDeadlineCloud-UserAccessFarms
• SageMakerStudioProjectUserRolePolicy
• AWS_ConfigRole
• AWSTransformCustomFullAccess
• AWSConfigServiceRolePolicy
• AWSBudgetsActions_RolePolicyForResourceAdministrationWithSSM
• AWSServiceRolePolicyForWorkspacesInstances
• AmazonS3FilesCSIDriverPolicy
• AmazonElasticFileSystemsUtils
• AmazonS3FilesReadOnlyAccess
• AmazonS3FilesFullAccess
• AmazonS3FilesClientReadWriteAccess
• AmazonS3FilesClientReadOnlyAccess
• AmazonS3FilesClientFullAccess
• FMSServiceRolePolicy

☕ CloudFormation resource changes

• AWS::S3Files::FileSystem
• AWS::S3Files::FileSystemPolicy
• AWS::S3Files::MountTarget
• AWS::S3Files::AccessPoint

🎮 Amazon Linux vulnerabilities

• CVE-2026-31412: Linux kernel - integer overflow in USB gadget mass storage driver
• CVE-2026-39977: flatpak-builder - arbitrary host file read via symlink in license-files
• CVE-2026-24880: Tomcat - HTTP request smuggling via invalid chunk extensions
• CVE-2026-34757: libpng - use-after-free in palette/transparency setters
• CVE-2026-32288: Go - unbounded memory allocation parsing GNU sparse tar archives
• CVE-2026-32289: Go html/template - incorrect escaping of JS template literals enables XSS
• CVE-2026-32282: Go os.Root - Chmod follows symlinks outside root via TOCTOU race
• CVE-2026-27140: Go toolchain - SWIG code smuggling enables arbitrary code execution at build time
• CVE-2026-32283: Go crypto/tls - TLS 1.3 key update flooding causes connection deadlock
• CVE-2026-32280: Go crypto/x509 - DoS via excessive intermediate certificates in chain building
• CVE-2026-27144: Go compiler - incorrect no-op interface conversion causes memory corruption
• CVE-2026-5795: Jetty - ThreadLocal leak in JASPI auth leads to privilege escalation
• CVE-2026-4878: libcap - local privilege escalation via TOCTOU race in cap_set_file()
• CVE-2026-33810: Go crypto/x509 - DNS constraints not applied to wildcard SANs with different case
• CVE-2026-31411: Linux kernel - DoS via unvalidated vcc pointer in ATM send path
• CVE-2026-39881: Vim - ex command injection via NetBeans integration
• CVE-2026-32281: Go crypto/x509 - DoS via large policy mappings in certificate chains
• CVE-2026-27143: Go compiler - arithmetic overflow on loop induction variables
• CVE-2026-39892: python-cryptography - buffer overflow with non-contiguous buffers
• CVE-2026-28387: OpenSSL - use-after-free in DANE client code
• CVE-2026-20911: LibRaw - heap buffer overflow in HuffTable::initval
• CVE-2026-34080: xdg-dbus-proxy - D-Bus filter bypass via whitespace in match rules
• CVE-2026-28388: OpenSSL - NULL dereference processing delta CRLs
• CVE-2026-5735: Firefox/Thunderbird - memory safety bugs enabling potential RCE
• CVE-2026-20884: LibRaw - integer overflow in deflate_dng_load_raw (CVSS 9.8 NVD)
• CVE-2026-31790: OpenSSL - incorrect failure handling in RSA KEM encapsulation
• CVE-2026-21413: LibRaw - heap buffer overflow in lossless JPEG loader
• CVE-2026-20889: LibRaw - heap buffer overflow in x3f_thumb_loader
• CVE-2026-31789: OpenSSL - heap buffer overflow in hex conversion
• CVE-2026-5732: Firefox/Thunderbird - integer overflow in Graphics: Text (CVSS 8.8)
• CVE-2026-5733: Firefox/Thunderbird - boundary error in WebGPU (CVSS 8.8)
• CVE-2026-28389: OpenSSL - NULL dereference processing CMS KeyAgreeRecipientInfo
• CVE-2026-34079: Flatpak - arbitrary host file deletion via cache manipulation
• CVE-2026-24660: LibRaw - heap buffer overflow in x3f_load_huffman (CVSS 9.8 NVD)
• CVE-2026-24450: LibRaw - integer overflow in uncompressed DNG loader (CVSS 9.8 NVD)
• CVE-2026-39373: python-jwcrypto - memory exhaustion via compressed JWE tokens (250KB to 100MB)
• CVE-2026-28386: OpenSSL - out-of-bounds read in AES-CFB-128 on AVX-512
• CVE-2026-5731: Firefox/Thunderbird - memory safety bugs enabling potential RCE
• CVE-2026-5745: libarchive - NULL dereference in ACL parsing causes DoS
• CVE-2026-34078: Flatpak - sandbox escape via symlink in portal options (CVSS 8.2)
• CVE-2026-5734: Firefox/Thunderbird - memory safety bugs enabling potential RCE
• CVE-2026-39316: CUPS - use-after-free when deleting temporary printers
• CVE-2026-39314: CUPS - integer underflow via negative job-password-supported crashes cupsd
• CVE-2026-28390: OpenSSL - NULL dereference processing CMS KeyTransportRecipientInfo

📺 AWS security bulletins

No bulletins this week.

🚬 Security documentation changes

• Bedrock Marketplace: child subscribers now lose model access when parent subscription expires
• AWS CLI: added MediaLive router input encryption config, SRT minimum port raised to 1024
• AWS CLI: MediaLive router input type with encryption config and SRT port floor change
• AWS CLI: added MediaConnect Router output encryption and container settings docs
• AWS CLI: added MediaConnect Router encryption, availability zone, and container config docs
• EKS Auto: removed custom AWS tags section including IAM policy example for tag propagation
• Inspector SBOM Generator: CVE-2026-32280 fix and updated malicious package detection stats
• Inspector SBOM Generator: new release for Linux AMD64 and ARM64
• Amazon Linux 2023: new release with package updates
• Amazon Linux 2023: new packages including kernel, MariaDB, Python, Ruby
• Amazon Linux 2023: kernel updates plus security packages for libssh, PHP, Node.js, PostgreSQL
• Amazon Linux 2023: version comparison with bumps across security-sensitive components
• Amazon Linux 2023: updated aide, container-selinux, libssh, selinux-policy
• Neptune: replaced insecure curl -k examples with proper authenticated CLI/SDK calls
• Neptune: replaced insecure query plan cache examples with authenticated calls
• Security Hub: new EC2.183 control requiring VPN use IKEv2, updated EC2.1 and EC2.182
• Security Hub: new EKS.9 control requiring node groups run supported Kubernetes versions
• Security Hub: added post-quantum TLS policies and removed older SSL/TLS policies
• WorkSpaces: Office/Visio/Project 2021 end-of-support October 2026, migrate to LTSC