🥖 Palette Cleanser

Copy Fail caught a CISA KEV listing last week. I guess it was worthy of branding because a tiny Python script gets you root on basically any Linux box from the last eight years and leaves nothing on disk for your file integrity tools to notice. AWS responded with bulletin 2026-026 plus five separate AL2023 livepatches. Kernel updates only take effect after restart, so livepatch is the option if you can't reboot, and reboot is the option if livepatch isn't trusted. Bottlerocket and EKS managed node groups get a clean update path but it's still customer-initiated. The exposure is everything else like self-managed nodes, ECS on EC2 with custom AMIs, and whatever long-tail Linux EC2 fleet you stopped looking at in 2024.

AWS doubled most IAM account-level limits this week. Roles, instance profiles, and customer managed policies all went from 5,000 to 10,000. The fun one is OIDC providers jumping 7x to 700. I wonder if there's a philosophical shift coming, with AWS leaning harder on OIDC over long-lived keys?

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• From Leaked AWS Key to Data Exfiltration in 60 Seconds: Are We Ready? by Adan Álvarez

  Adan gave Claude Sonnet and Claude Haiku a leaked AWS access key and a prompt framing them as a pentester in a capture-the-flag competition, then timed the run from key to exfiltrated S3 object. 7 of 12 attempts succeeded in around 60 seconds, Sonnet doing most of the work. Every successful run followed the same path: enumerate IAM, pull cross-account creds from a staging bucket, assume the bigger role, find a bucket, download. If you are interested in detection, there are some decent signals in the article.

• Credential isolation and least privilege for AWS agents by Alex Smolen

  Two weeks in a row from Alex. Maybe we need an ASD t-shirt for repeat offenders. Handing an AI agent real AWS keys is a bad time twice over because the agent can exfiltrate them, and you can't write a least-privilege policy in advance because you don't know yet what calls the agent will actually make. iam-agent-proxy sits between the two and solves both problems. The agent only ever sees fake keys (AKIAPROXY0000000001), so a leak is worthless to anyone who doesn't also have the proxy. The proxy validates the SigV4 on each request against those fakes, re-signs with the real creds, and forwards. Every call is logged as the resolved IAM action, so after a representative run you have a policy generated from observed behaviour rather than imagined behaviour.

• AWS Credential Isolation for Local AI Agents by Alex Smolen

  This is a companion to the iam-agent-proxy piece above. If you want a local AI agent to call AWS without inheriting your shell identity or holding a long-lived key, how do you actually get credentials in? Env vars need manual reinjection on expiry, the ~/.aws files leak every profile you have, and IMDS emulation is a dead end on macOS because the AWS SDK's allowlist excludes host.docker.internal and the feature request to add it got closed as "not planned". Alex lands on Unix sockets and points to an existing tool called elhaz (only 9 stars - careful) that already does the job. It's a background daemon that holds short-lived STS creds in memory and hands them out over a socket file you mount into each agent. Filesystem perms are the access control, creds never touch disk, refresh is automatic. A bit of setup once to get it running but might be worth it.

🥗 AWS security blogs

• 📣 Amazon Route 53 Global Resolver now lets you add and remove AWS Regions for anycast DNS resolution
• 📣 AWS Service Catalog is now available in the AWS Asia Pacific (New Zealand) and Canada West (Calgary) regions
• 📣 AWS India customers can now use UPI Scan and Pay for sign-up and payments
• 📣 Amazon ElastiCache now supports real-time aggregations
• 📣 Amazon ElastiCache now supports real-time hybrid search with vector and full-text
• 📣 Amazon ElastiCache now supports real-time full-text, exact-match, and numeric range search
• 📣 Amazon Bedrock AgentCore Memory announces metadata for long-term memory
• 📣 AWS Directory Service expands directory security settings with STIG-aligned controls for Managed AD
• 📣 AWS IoT Core for Device Location adds Confidence Level Configuration and Measurement Type support
• 📣 Amazon Bedrock AgentCore is now available in AWS GovCloud (US-West)
• 📣 4 new Qwen models for multimodal reasoning, agentic coding, and multilingual applications are now available in Amazon SageMaker JumpStart
• 📣 Amazon Quick introduces Dataset Q&A for conversational analytics against enterprise data
• 📣 Amazon Quick now supports S3 tables bucket as a data source
• 📣 Amazon SageMaker AI launches AI agent experience for model customization
• 📣 AWS Payment Cryptography announces support for cross account key sharing
• Import Historical data from AWS CloudTrail Lake to Amazon CloudWatch by Isaiah Salinas
• Secure AI agents with Amazon Bedrock AgentCore Identity on Amazon ECS by Julian Grüber
• CMMC implementation begins: A new era for defense contractors by Paul Keastead
• ICYMI: April 2026 @AWS Security by Rodolfo Brenes
• AWS achieves SNI 27017, SNI 27018, and SNI 9001 certifications for the AWS Asia Pacific (Jakarta) Region by Ignatius Lee
• New compliance guide available: ISO/IEC 42001:2023 on AWS by Abdul Javid
• Introducing AI traffic analysis dashboards for AWS WAF by Christopher Jen
• Five ways to use Kiro and Amazon Q to strengthen your security posture by Roger Nem
• Securing open proxies in your AWS environment by Dodd Mitchell

🍛 Reddit threads on r/aws

No threads this week.

💸 Sponsor shoutout

Meet Pleri: your AI security engineer. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

• aws-external-anthropic
• bedrock-agentcore
• bedrock-agentcore
• braket
• aws-marketplace-catalog
• odb
• bedrock-agentcore
• networkmonitor
• aidevops
• researchstudio
• wisdom
• access-analyzer
• aws-mcp
• securityhub
• redshift

🍪 API changes

• AWS Billing and Cost Management Data Exports
• Amazon Bedrock AgentCore Control
• Amazon Bedrock AgentCore
• Amazon Elastic Compute Cloud
• AWS Invoicing
• Amazon Route 53 Resolver
• Amazon Bedrock AgentCore Control
• AWS Glue
• Amazon Lex Model Building V2
• AmazonMWAA
• Amazon SageMaker Service
• AWS SecurityHub
• Amazon CloudFront
• AWS Marketplace Agreement Service
• AWS MediaTailor
• AWS Health Imaging
• Amazon OpenSearch Service
• Amazon SageMaker Service
• Amazon Bedrock AgentCore Control
• Amazon Elastic Compute Cloud
• Amazon Location Service Routes V2
• Amazon CloudWatch Logs
• AWS Elemental MediaLive
• AWS Security Agent
• Amazon VPC Lattice

🍹 IAM managed policy changes

• AnthropicLimitedAccess
• AWSAppConfigServiceRolePolicy
• AWSSecurityAgentWebAppPolicy
• CloudWatchAPIKeyAccess
• CloudWatchAPIKeyAccess
• AccountManagementFromVercel
• AWSMarketplaceSellerFullAccess
• AWSMarketplaceRead-only
• AWSMarketplaceDiscoveryFullAccess
• SecurityAudit
• ReadOnlyAccess
• AWSMarketplaceManageSubscriptions
• SageMakerStudioProjectProvisioningRolePolicy
• AIDevOpsOperatorAppAccessPolicy
• AIDevOpsAgentAccessPolicy
• AWS_ConfigRole
• AWSConfigServiceRolePolicy
• ReadOnlyAccess
• AWSSecurityHubV2ServiceRolePolicy
• AWSServiceRoleForAWSTransformCustom
• SageMakerStudioProjectProvisioningRolePolicy

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

• CVE-2026-42268: mod_security verifySSN/CPF/SVNR underflow
• CVE-2026-8091: Firefox/Thunderbird audio/video bounds, CVSS 8.8
• CVE-2026-42217: OpenEXR readVariableLengthInteger shift UB
• CVE-2026-8090: Firefox/Thunderbird DOM networking UAF, CVSS 8.8
• CVE-2026-8084: gdal HDF-EOS Grid memmove OOB read
• CVE-2026-42216: OpenEXR IDManifest prefix-length OOB read
• CVE-2026-39836: Go net.Dial/LookupPort panic on Windows NUL
• CVE-2026-8092: Firefox/Thunderbird memory safety bugs
• CVE-2026-6502: qemu/qemu-kvm DoS
• CVE-2026-33814: Go HTTP/2 SETTINGS infinite CONTINUATION loop
• CVE-2026-41142: OpenEXR ImageChannel::resize int overflow heap OOB write
• CVE-2026-8093: Firefox memory safety bugs
• CVE-2026-39825: Go ReverseProxy hides query param from Rewrite
• CVE-2026-4430: LibreOffice security advisory
• CVE-2026-8088: gdal HDF-EOS GDfieldinfo OOB read
• CVE-2026-33079: python-mistune LINK_TITLE_RE ReDoS
• CVE-2026-29168: httpd mod_md OCSP resource-limit DoS
• CVE-2026-30923: mod_security hexDecode single-char segfault DoS
• CVE-2026-28780: httpd mod_proxy_ajp heap buffer overflow

📺 AWS security bulletins

• Dirty Frag and other issues in Amazon Linux kernels
• CVE-2026-31431
• CVE-2026-7791 - Local Privilege Escalation via TOCTOU Race Condition in Amazon WorkSpaces Skylight Agent
• CVE-2026-8178 - Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver

🚬 Security documentation changes

• API Gateway: mode=overwrite import resets the security policy
• AppStream 2.0: S3 file deletion takes up to 60s during active sessions
• CloudHSM: Client SDK 5 connections fail when CA cert keys are too weak
• Connect screen recording impacted by browser Local Network Access restrictions
• Direct Connect: BGP session route limits documented with overrun consequences
• Lightsail clarifies customer responsibilities for snapshot security
• SageMaker processing/training jobs require kms:DescribeKey for volume KMS keys
• Security IR: API/CLI enablement and delegated admin guidance updated
• Security IR adds iam:CreateServiceLinkedRole and iam:GetPolicy to enablement
• Storage Gateway 3.2.5 / 2.14.4 release notes call out security improvements
• SSM Parameter Store now recommends Secrets Manager for sensitive creds
• SSM Parameter Store strips the path-based access control security note
• IAM SAML "Valid until" date is set by IAM, not the SAML metadata
• Aurora DSQL: root user bypasses resource-based policy restrictions
• CLI: MCP gateway session timeout and response streaming added
• CLI: VPC Lattice endpoint config + TOKEN_EXCHANGE grant params updated
• CLI: VPC Lattice endpoint config description updated
• CLI create-agent-space: VPC config for pentesting + IAM/encryption context
• CLI target-domain verification adds PRIVATE_VPC method
• CLI target-domain verification adds verificationStatusReason field
• CloudHSM auto-sync covers keys only; users/policies need manual resolution
• EKS IAM Authenticator session-name risks in role mappings called out
• ELB max RSA key size raised from 2048-bit to 3072-bit
• EventBridge: CloudTrail data event delivery for cross-account documented
• Marketplace adds a SaaS security policies section
• MediaTailor adds auto-auth for Google Ad Manager / Campaign Manager / DV360
• MemoryDB adds 5 new CVEs to the vulnerability tracking table
• Redshift ODBC 1.x deprecated; migrate to ODBC 2.x
• VPC Resource Config DNS Resolution adds PUBLIC and IN_VPC modes