🥖 Palette Cleanser

A working guest-to-host QEMU escape exploit dropped this week, chaining bugs in an experimental memory-device emulation feature to pop a shell on the hypervisor. QEMU is the open-source virtualization stack behind a lot of non-hyperscaler clouds and on-prem KVM, so the headline reads scary, but the buggy feature is off by default and no cloud provider exposes it to tenants (I think?). AWS shops get a free pass on this one, but it's one more entry in a pretty wild fortnight of public exploit drops.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Authorization Bypass in Amazon Quick: Unauthorized AI Chat Agent Usage by Jason Kao

  Jason found a missing server-side authorization check in Amazon Quick's (formerly QuickSight) Chat Agent API. Custom permissions could deny AI Chat Agent access in the UI, but direct API requests still worked, bypassing the admin restriction entirely. It was reported March 4, fixed silently March 11-12, with no AWS advisory or customer notification. I really don't like when AWS pretends like nothing happened when it comes to security bugs. The Register took them to task.

• The AWS AI Security Framework: Securing AI with the right controls, at the right layers, at the right phases by Riggs Goodman III and Christopher Rae

  Most AWS content these days reads like it was written by AI. This isn't any different but the framework they present is actaully useful if you're trying to understand how you should think about security of AI. The defense-in-depth walkthrough stacks 10 separate controls on a single prompt injection scenario, capped by Bedrock's Automated Reasoning Checks which they claim deliver up to 99% verification accuracy against hallucinations. Buy that number or not, the idea that formal methods verify responses are logically derivable from approved knowledge bases is pretty neat.

• Malicious Coding Agent Skills and the Risk of Dynamic Context by Nick Frichette and Ryan Simon

  This is fun. Claude Code skills support dynamic context with the ! syntax which runs shell commands before the rendered skill content reaches the model. That means model-level prompt injection defenses never get a chance to intervene. A cloned repo can carry skills into a trusted Claude Code session even if the developer never installed one from a marketplace. Skills load from managed policy, the user directory, the project .claude/skills/, plugins, nested project folders, or added directories. Anyone running Claude Code with AWS keys should read this.

🥗 AWS security blogs

• 📣 ARC Region switch adds Lambda event source mapping execution block for event handling during failover
• 📣 Reference stack outputs across accounts and Regions with AWS CloudFormation and CDK
• 📣 AWS Security Agent now supports full repository code reviews
• 📣 AWS WAF introduces dynamic label interpolation for custom request and response handling
• Transforming federal IT with Datadog’s FedRAMP Class D (High) solution by Gina McFarland
• The AWS AI Security Framework: Securing AI with the right controls, at the right layers, at the right phases by Riggs Goodman III
• Regional routing for AWS access portals: Implementing custom vanity domains for IAM Identity Center by Georgi Baghdasaryan
• Automating post-quantum cryptography readiness using AWS Config by Pravin Nair
• Detecting and preventing crypto mining in your AWS environment by Jason Palmer
• Introducing the updated AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption by Krish De
• PCI PIN and P2PE compliance packages for AWS Payment Cryptography are now available by Will Black
• AWS Security Agent full repository code scanning feature now available in preview by Ayush Singh
• Enabling AI sovereignty on AWS by Stéphane Israël
• Complimentary virtual training: Get hands-on with AWS Security Services by Ashley Nelson

🍛 Reddit threads on r/aws

No threads this week.

💸 Sponsor shoutout

Meet Pleri: your AI security engineer. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

• cloudfront
• bedrock-agentcore
• sagemaker
• rtbfabric
• dsql
• inspector2-telemetry
• sts
• billing
• odb
• datazone
• logs
• aws-external-anthropic

🍪 API changes

• AWS Elemental MediaPackage v2
• Partner Central Selling API
• Amazon Bedrock
• Amazon CloudFront
• Amazon DataZone
• AWS Glue
• Amazon Managed Grafana
• Application Migration Service
• Amazon Q Connect
• ARC
• Amazon Bedrock AgentCore Control
• Amazon Connect Service
• AmazonConnectCampaignServiceV2
• Amazon Aurora DSQL
• Amazon Elasticsearch Service
• Amazon Lightsail
• Amazon OpenSearch Service
• AWS Parallel Computing Service
• Amazon QuickSight
• RTBFabric
• Amazon SageMaker Service
• AWS Security Agent
• AWS End User Messaging Social

🍹 IAM managed policy changes

• AWSServiceRoleForLogDeliveryPolicy
• AWSTrustedAdvisorServiceRolePolicy
• SageMakerStudioProjectRoleMachineLearningPolicy
• AmazonAuroraDSQLReadOnlyAccess
• AmazonAuroraDSQLFullAccess
• AmazonAuroraDSQLConsoleFullAccess
• AmazonEBSCSIDriverPolicy
• AWSECRPullThroughCache_ServiceRolePolicy
• SageMakerStudioUserIAMPermissiveExecutionPolicy
• AIDevOpsAgentFullAccess
• AIDevOpsAgentAccessPolicy
• SageMakerStudioUserIAMDefaultExecutionPolicy
• SageMakerStudioProjectUserRolePolicy
• SageMakerStudioAdminIAMPermissiveExecutionPolicy
• SageMakerStudioAdminIAMDefaultExecutionPolicy
• AmazonEKSBlockStoragePolicyV2
• AWSVPCFlowLogsServiceRolePolicy

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

• CVE-2026-46483: Vim tar.vim command injection via crafted .tgz filenames
• CVE-2026-45793: Composer/GitHub Actions GITHUB_TOKEN log disclosure
• CVE-2026-43961: Vim netrw Vimscript injection via crafted filename
• CVE-2026-6473: PostgreSQL integer wraparound, possible RCE (8.8)
• CVE-2026-6475: PostgreSQL pg_basebackup symlink follow, file overwrite
• CVE-2026-45205: Apache Commons Configuration YAML-cycle DoS
• CVE-2026-6472: PostgreSQL CREATE TYPE search_path hijack
• CVE-2026-6638: PostgreSQL ALTER SUBSCRIPTION REFRESH SQL injection
• CVE-2026-6479: PostgreSQL SSL/GSS negotiation DoS
• CVE-2026-6474: PostgreSQL timeofday() format string memory leak
• CVE-2026-46469: GStreamer gst-plugins-good MP4 div-by-zero DoS
• CVE-2026-6476: PostgreSQL pg_createsubscriber SQL injection
• CVE-2026-6477: PostgreSQL libpq lo_export buffer overflow (8.8)
• CVE-2026-6637: PostgreSQL refint stack buffer overflow, RCE (8.8)
• CVE-2026-6575: PostgreSQL pg_restore_attribute_stats buffer over-read
• CVE-2026-6478: PostgreSQL MD5 password timing-channel leak
• CVE-2026-46470: GStreamer gst-plugins-good MP4 div-by-zero DoS
• CVE-2026-44431: urllib3 cross-origin redirect leaks auth headers
• CVE-2026-40701: NGINX ssl_verify_client heap UAF
• CVE-2026-44471: gitoxide malicious tree writes symlinks outside checkout
• CVE-2026-42304: Twisted DNS name decompression DoS
• CVE-2026-44432: urllib3 Brotli decompression resource exhaustion
• CVE-2026-42945: NGINX rewrite module heap overflow, RCE if no ASLR (8.1)
• CVE-2026-40460: NGINX HTTP/3 QUIC source IP spoof bypasses authz
• CVE-2026-42946: NGINX scgi/uwsgi MITM memory read or restart
• CVE-2026-42926: NGINX HTTP/2 proxy frame injection
• CVE-2026-8328: Python ftplib ftpcp() PASV port spoof
• CVE-2026-42934: NGINX charset module heap over-read
• CVE-2026-33603: Dovecot SCRAM channel binding MITM
• CVE-2026-8390: Firefox WebAssembly UAF
• CVE-2026-8389: Firefox JS engine JIT miscompilation (8.8)
• CVE-2026-27851: Dovecot safe-filter SQL/LDAP injection in auth
• CVE-2026-8368: Perl LWP redirect leaks Authorization headers
• CVE-2026-44307: Python Mako Windows backslash dir traversal
• CVE-2026-40020: Dovecot IMAP SETACL injects anyone permission (spam)
• CVE-2026-43513: Tomcat LockOutRealm case-sensitivity issue
• CVE-2026-42498: Tomcat WebSocket leaks auth header to wrong host
• CVE-2026-5089: Perl YAML::Syck base60 parse OOB read
• CVE-2026-43512: Tomcat digest auth bypass
• CVE-2026-8391: Firefox JS engine issue (8.8)
• CVE-2026-41293: Tomcat improper input validation
• CVE-2026-43515: Tomcat method-constraint improper authz
• CVE-2026-8388: Firefox JIT boundary conditions
• CVE-2026-8401: Firefox Profile Backup sandbox escape (8.3)
• CVE-2026-40016: Dovecot Sieve CPU time-limit bypass
• CVE-2026-41284: Tomcat resource-exhaustion DoS
• CVE-2026-42006: Dovecot IMAP brace memory exhaustion
• CVE-2025-35979: Intel microcode transient-exec info leak in VMX guest
• CVE-2026-43514: Tomcat AJP secret timing attack

📺 AWS security bulletins

• Ongoing updates on Copy.fail and variants
• Issue with Amazon SageMaker Python SDK - Model artifact integrity verification issues (CVE-2026-8596 & CVE-2026-8597)
• Fragnesia Local Privilege Escalation report via ESP-in-TCP in the Linux Kernel
• CVE-2026-8686 - Heap out-of-bounds read in coreMQTT MQTT5 property parsing
• Dirty Frag and other issues in Amazon Linux kernels

🚬 Security documentation changes

• Amazon MQ docs drop internal-user auth-test recommendation
• Amazon MQ docs drop Access validation troubleshooting
• Amazon MQ docs drop internal-user auth-test recommendation
• Amazon MQ docs drop internal-user auth-test recommendation
• Athena release notes: library updates, auth protocol changes
• Bedrock CLI gains deactivate/delete API key commands
• Bedrock writes to SSE-KMS buckets now need kms:GenerateDataKey
• Clean Rooms troubleshooting now covers AWS MCP
• CLI region-switch plans gain Lambda ESM config
• CLI region-switch Lambda ESM with cross-account params
• CLI adds TOKEN_EXCHANGE auth and requireServiceS3Endpoint
• CLI adds TOKEN_EXCHANGE auth and requireServiceS3Endpoint
• CLI adds TOKEN_EXCHANGE auth method
• CLI adds TOKEN_EXCHANGE auth and requireServiceS3Endpoint
• CLI adds automated-snapshot pause option (max 3 days)
• CLI tag pattern regex now allows 'aws:' prefix
• CLI tag pattern regex now allows 'aws:' prefix
• CLI tag pattern regex now allows 'aws:' prefix
• Cognito warns on priv-esc via attribute-to-principal-tag mapping
• EC2 adds guide for updating Windows Secure Boot certs
• EKS IAM policy example gains resource-tag condition
• EKS docs drop IAM policy warning section
• EMR IAM permission changes coming May 2026, new condition keys
• Lightsail firewall note emphasizes SSH port restrictions
• Lightsail migration adds SSL/TLS cert regeneration step
• AL2023 kernel notice for DirtyFrag (CVE-2026-43284)
• OpenSearch pipeline VPC requires /24 CIDR
• OpenSearch pipeline VPC requires /24 CIDR
• OpenSearch pipeline VPC requires /24 CIDR
• OpenSearch pipeline VPC requires /24 CIDR
• PCS agent release, AL2023 support added
• PCS agent release, AL2023 support added
• SageMaker AL2 notebooks: EoS, CVE notice, AL2023 migration
• SageMaker HyperPod spaces docs added
• AWS VPN Client release notes, ARM64 support added
• Wickr Docker image moved to AWS public ECR
• Wickr Docker setup: drop --network=host, rotation timer, image
• Wickr Docker setup: drop --network=host, rotation timer, image
• Wickr Docker setup: drop --network=host, 10-min rotation, image
• Wickr Docker image and 10-min rotation interval updated
• Wickr Docker setup: drop --network=host, rotation timer, image
• Wickr Docker image moved to AWS public ECR
• Wickr Docker setup: drop --network=host, rotation timer, image
• Wickr Docker setup: drop --network=host, rotation timer, image
• Wickr Docker setup: drop --network=host, 10-min rotation, image
• Wickr Docker setup: drop --network=host, rotation timer, image
• Bedrock invalidate-session docs generalize role to identity
• Bedrock API key docs rewritten with short-term key guidance
• Bedrock cross-account S3 custom model import clarified
• Bedrock API key restrictions section removed