🥖 Palette Cleanser

The best cloud security conference of the year, fwd:cloudsec North America, kicks off today in Washington. If you are not in the room, the talks stream live across two rooms each day, June 1 Room 1, June 1 Room 2, June 2 Room 1, and June 2 Room 2. AWS security content has slowed to a trickle these last few weeks, so the timing could not be better. With this much fresh research about to land on stage, the next few issues should have a lot more to chew on.

Since issue 251 we have tracked the TeamPCP supply-chain campaign that hijacked the Trivy scanner and cascaded through KICS, LiteLLM, and Telnyx, but we never named one of its biggest victims. CERT-EU's April 2 post-mortem provides detail on how they got pwned. A single AWS API key, lifted through the poisoned Trivy build chain on March 19, was enough to breach the AWS account behind Europa's web hosting, and ShinyHunters dumped 350GB spanning 42 Commission entities and dozens of other EU bodies. CERT-EU notes the stolen key also carried management rights that could have reached other Commission AWS accounts, though there is no evidence the attackers went that far. We are circling back now because it is the clearest reminder yet of where these campaigns actually land. In a connected org, one leaked key from one trusted dev tool can turn a single account into an organization-sized blast radius.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Zapocalypse: The Attack Chain That Could Have Hijacked Zapier by Yair Balilti

  Yair started with nothing but a free Zapier account that lets you run Python, and chained it into a working path to code execution in every authenticated Zapier user's browser. The pivot that should scare you is he pulled leftover AWS session tokens straight out of the Lambda process's own memory via /proc/self/mem, used them to read ECR, and found an npm publish token buried inside a container image he pulled down. No zero-day anywhere, just five ordinary AWS misconfigurations stacked into a chain, and the writeup walks every step with the actual scripts.

• Adding Strands Security Agents to Shadow Asset Scanner by Sena Yakut

  Sena keeps shipping practical AWS security tooling in the open. Most scanners just dump a list of misconfigurations, but here she keeps the plain boto3 scanner and layers AWS's open-source Strands agents on top, so it correlates the raw findings into actual attack chains and explains which ones matter. This is a good hands-on look at what an AWS-native security agent looks like in practice.

🥗 AWS security blogs

• 📣 AWS Shield Advanced introduces DDoS attack flow logs
• 📣 AWS Organizations emits CloudTrail events for account membership changes
• 📣 AWS Backup adds OTP verification for Multi-party approval on logically air-gapped vaults
• 📣 Amazon GuardDuty Malware Protection for AWS Backup supports Amazon S3 continuous backups
• AWS Weekly Roundup: AWS Local Zones in Istanbul, open-source ExtendDB, Kiro Web, and more (May 25, 2026) by Daniel Abib
• How Zynga scaled multi-warehouse data governance with Amazon Redshift federated permissions by Johan Eklund, Matthew Wongkee, Noelia Tardón
• Why and how to migrate to a Transit Gateway-attached AWS Network Firewall by Frank Phillis
• Simplifying policy management with URL and Domain Category filtering on AWS Network Firewall by Lawton Pittenger
• Welcoming the AWS Customer Incident Response Team by Jason Hurst
• Well-architected best practices for software supply chain security by Trevor Schiavone

🍛 Reddit threads on r/aws

• Running mostly Lambda and I cannot find security scanning that fits how serverless works
• We migrated to AWS last year - our security posture didn't make the trip.
• I've been experimenting with a forking way about cloud security.

💸 Sponsor shoutout

Meet Pleri: your AI security engineer. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

• mgn
• route53resolver
• sesv2
• deadline
• iot
• resiliencehub
• elemental-inference
• backup
• connect
• pi

🍪 API changes

• Amazon Bedrock AgentCore Control
• Amazon Bedrock
• Amazon Omics
• Amazon QuickSight
• Amazon Route 53 Resolver
• Amazon Simple Email Service
• Amazon AppStream
• Amazon Bedrock AgentCore Control
• Amazon Bedrock AgentCore
• Amazon Bedrock Runtime
• Amazon Bedrock
• AWS Control Catalog
• Amazon Connect Customer Profiles
• AWSDeadlineCloud
• AWS IoT Data Plane
• AWS IoT
• OpenSearch Service Serverless
• AWS Parallel Computing Service
• AWS Resilience Hub V2
• Data Automation for Amazon Bedrock
• Amazon EC2 Container Service
• AWS Elemental Inference
• AWS Elemental MediaLive
• Amazon SageMaker Service
• AWS Backup
• Amazon DataZone
• Amazon GuardDuty
• AWS Resource Groups Tagging API

🍹 IAM managed policy changes

• AWSApplicationMigrationReplicationServerPolicy
• AWSApplicationMigrationFullAccess
• AWSApplicationMigrationFSxProxyVPCPolicy
• AWSApplicationMigrationFSxProxyPolicy
• AWSDeadlineCloud-UserAccessFleets
• SageMakerStudioUserIAMPermissiveExecutionPolicy
• AWSDeadlineCloud-UserAccessFarms
• AmazonEBSCSIDriverEKSClusterScopedPolicy
• AWSResilienceHubServiceRolePolicy
• SageMakerStudioProjectUserRolePolicy
• AmazonConnectServiceLinkedRolePolicy
• ComputeOptimizerServiceRolePolicy
• AmazonConnectCampaignsServiceLinkedRolePolicy
• AmazonSageMakerModelCustomizationCoreAccess
• SageMakerStudioUserIAMPermissiveExecutionPolicy
• SageMakerStudioUserIAMDefaultExecutionPolicy

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

• CVE-2026-48092: 7-Zip memory access violations / OOB read
• CVE-2026-42563: Dulwich merge-driver command injection via malicious branch
• CVE-2026-48111: 7-Zip OOB read
• CVE-2026-48104: 7-Zip OOB read
• CVE-2026-48101: 7-Zip memory access violation
• CVE-2026-48112: 7-Zip OOB read
• CVE-2026-48095: 7-Zip NTFS stream heap overflow
• CVE-2026-48103: 7-Zip OOB read
• CVE-2026-48102: 7-Zip uninitialized memory
• CVE-2024-13745: edk2 TPM partition-table measurement spoof
• CVE-2026-47734: Dulwich memory-exhaustion DoS via pushed tree
• CVE-2026-6324: libsoup chunked-read signed conversion error
• CVE-2026-47712: Dulwich format_patch path traversal via commit subject
• CVE-2026-42305: Dulwich malicious-repo file write to RCE (Windows)
• CVE-2026-9878: Firefox/Thunderbird ANGLE use-after-free RCE (8.8)
• CVE-2026-9969: Firefox/Thunderbird ANGLE input-validation RCE (8.8)
• CVE-2026-9908: Firefox/Thunderbird ANGLE OOB read info leak
• CVE-2026-44604: rpm rpmuncompress command injection
• CVE-2026-10012: Firefox/Thunderbird Skia use-after-free
• CVE-2026-48523: PyJWT algorithm allow-list bypass
• CVE-2026-41565: Perl CryptX AEAD-decrypt stack overflow (8.2)
• CVE-2026-9796: Keycloak manage-clients TOCTOU
• CVE-2026-10028: glib-networking crafted cert-chain flaw
• CVE-2026-9981: Firefox/Thunderbird Skia info leak
• CVE-2026-8643: pip malicious-package install flaw (7.8)
• CVE-2026-9944: Firefox ANGLE uninitialized use, cross-origin leak
• CVE-2026-9879: Firefox/Thunderbird ANGLE OOB write RCE (8.8)
• CVE-2026-9968: Node.js V8 integer overflow RCE (8.1)
• CVE-2026-10020: Firefox/Thunderbird Skia input validation, Android (8.3)
• CVE-2026-9996: Firefox/Thunderbird WebRTC OOB read (Mac)
• CVE-2026-9940: Firefox/Thunderbird ANGLE heap overflow (8.8)
• CVE-2026-9928: Firefox/Thunderbird ANGLE OOB read RCE, Windows (8.8)
• CVE-2026-9892: Firefox/Thunderbird Skia info leak (Android)
• CVE-2026-9877: Firefox/Thunderbird ANGLE use-after-free (8.3)
• CVE-2026-9900: Firefox/Thunderbird ANGLE OOB write (8.3)
• CVE-2026-9791: Keycloak org-membership API access flaw
• CVE-2026-9793: Keycloak JWE unsigned-claims processing
• CVE-2026-48525: PyJWT detached-JWS b64 verification flaw
• CVE-2026-10009: Firefox/Thunderbird Skia integer overflow RCE
• CVE-2026-9893: Firefox/Thunderbird Skia use-after-free
• CVE-2026-9942: Firefox ANGLE uninit use, site-isolation bypass (8.0)
• CVE-2026-10011: Firefox/Thunderbird Skia info leak
• CVE-2026-9909: Firefox/Thunderbird Skia integer overflow RCE
• CVE-2026-9983: Firefox/Thunderbird Skia type confusion RCE (8.8)
• CVE-2026-9801: Keycloak malicious-LDAP config flaw
• CVE-2026-9938: Node.js V8 RCE (8.8)
• CVE-2026-9923: Firefox/Thunderbird Skia use-after-free heap corruption (8.8)
• CVE-2026-9911: Firefox/Thunderbird ANGLE integer overflow OOB read
• CVE-2026-48522: PyJWT PyJWKClient SSRF via uri
• CVE-2026-9998: Firefox/Thunderbird Skia integer overflow (8.2)
• CVE-2026-9973: Node.js V8 OOB write RCE (8.1)
• CVE-2026-48524: PyJWT JWKS signing-key request flaw
• CVE-2026-48526: PyJWT asymmetric/symmetric key confusion (7.4)
• CVE-2026-47770: jq unbounded recursion stack overflow
• CVE-2026-10019: Firefox/Thunderbird ANGLE cross-origin leak
• CVE-2026-9792: Keycloak client-policy condition bypass
• CVE-2026-10022: Node.js V8 type confusion via malicious extension
• CVE-2026-48959: Perl IO::Compress unzip CPU exhaustion DoS
• CVE-2026-44988: LibVNCClient Tight decoder buffer overflow (8.8)
• CVE-2025-15649: Perl IO::Compress unzip malformed-date exception
• CVE-2026-9759: Wireshark dissector crash DoS
• CVE-2026-49014: GDAL crafted-input flaw (7.4)
• CVE-2026-48961: Perl IO::Compress unzip DoS
• CVE-2026-42306: Docker vulnerability (7.2)
• CVE-2026-8450: Perl HTTP::Daemon send_file OS command injection (8.1)
• CVE-2026-48962: Perl IO::Compress glob eval RCE (7.8)
• CVE-2026-4480: Samba print-command %J shell injection RCE (8.1)
• CVE-2026-24187: NVIDIA driver use-after-free, privesc/RCE (8.8)
• CVE-2026-42497: Perl Archive::Tar hardlink path traversal
• CVE-2026-24195: NVIDIA driver UVM input-validation DoS
• CVE-2026-48715: radvd route-info option stack overflow
• CVE-2026-42496: Perl Archive::Tar symlink path traversal
• CVE-2026-24194: NVIDIA driver permission-handling privesc
• CVE-2026-24190: NVIDIA driver GPU-resource access privesc (7.8)
• CVE-2026-24199: NVIDIA driver race-condition DoS
• CVE-2026-1933: Samba reparse-point read-only bypass
• CVE-2026-3238: Samba AD DC nbt unauth UDP crash DoS
• CVE-2026-24197: NVIDIA driver MIG partition DoS
• CVE-2026-24192: NVIDIA driver heap overflow, privesc/RCE (7.8)
• CVE-2026-2340: Samba vfs_worm rename immutability bypass
• CVE-2026-24191: NVIDIA driver TOCTOU privesc (7.8)
• CVE-2026-3012: Samba cert auto-enroll plain-HTTP MITM (8.0)
• CVE-2025-33221: NVIDIA driver permission-assignment flaw
• CVE-2026-48864: libsolv .solv decompress heap overflow (7.8)
• CVE-2026-24193: NVIDIA driver OOB write, privesc/RCE (7.8)
• CVE-2026-48863: libsolv PGP EdDSA stack overflow DoS
• CVE-2026-4408: Samba SAMR check-password-script command injection (8.1)
• CVE-2026-24182: NVIDIA driver lock leak DoS
• CVE-2026-9538: Perl Archive::Tar memory exhaustion DoS
• CVE-2026-24198: NVIDIA driver race-condition memory leak
• CVE-2026-24196: NVIDIA driver OOB read info leak

📺 AWS security bulletins

No bulletins this week.

🚬 Security documentation changes

• IAM adds GitLab.com OIDC condition keys with security guidance
• Amazon MQ docs drop credential management section
• API Gateway drops mTLS client-cert logging limitation note
• AppConfig docs drop programmatic-access setup, link out
• AppFabric docs drop admin-user requirement, fix broken link
• AppFabric docs drop admin-user creation requirement
• App Studio docs drop account/admin-user setup, link out
• Bedrock Computer Use docs restructured with new risk warnings
• Blockchain Templates docs drop signup/IAM setup, link out
• CLI payment cred provider adds Secrets Manager support
• CLI adds required-permission and URL-encoding notes
• CLI adds Linux shell-escaping note for secret ARNs
• Cloud Map docs drop programmatic-access/access-key setup
• CodeGuru docs drop root-user best-practices section
• CodePipeline adds required codestar-connections:UseConnection perm
• DataZone tightens add-member permission to project owner only
• Deadline Cloud adds license-limit automation via submission hooks
• Deadline Cloud rewrites Unreal Engine integration (Perforce creds)
• DocumentDB perms reference renamed to confused-deputy prevention
• DocumentDB adds confused-deputy link, drops GovCloud TLS link
• EKS adds new platform versions with security fixes
• ELB adds low-reputation-packet and sticky-session metrics
• New service quotas for connection and messaging APIs
• GuardDuty doc history updated (filter criteria, retired findings)
• GuardDuty drops two retired Kubernetes findings + remediation
• GuardDuty removes two retired Kubernetes findings from table
• GuardDuty adds two retired K8s finding types (privesc, sensitive mount)
• HealthLake documents bulk-member-match consent validation
• Inspector adds VM Scanner feature and SBOM false-positive note
• IoT expands MQTT connection management docs
• Payment Cryptography warns of alias-update consistency risk
• Payment Cryptography adds HMAC key verification to KCV docs
• Redshift updates ODBC driver config and logging docs
• SageMaker May 27 AMI release (kernel/OpenSSL/NVIDIA bumps)
• SageMaker drops kms:Encrypt from training/processing IAM examples
• SAM docs drop IAM user/access-key setup, link out
• SMS Voice adds business-name verification matching requirement
• Systems Manager adds OS support policy ending at vendor EOL
• Route53 DNSSEC transfer now requires DS removal + 24h wait
• AWS Backup fixes service-linked role name in KMS key policy
• AWS Backup adds KMS key policy example for confused-deputy prevention
• AWS Backup explains building customer managed policies from managed ones
• CLI adds malware-scan time-range params (ContinuousScanDetails)
• EMR adds S3 Bucket Keys tip to cut KMS costs
• SageMaker adds task governance for inference workloads (Kueue)
• SageMaker documents built-in vs default lifecycle config scripts
• Snowball Edge deprecation notice plus IAM/KMS ARN fixes
• Client VPN adds IdpCertDaysToExpiry SAML cert-expiry metric
• VPN Windows client 5.3.5 security improvements + hashes
• WAF adds kms:GenerateDataKey/Decrypt for KMS encryption