🥖 Palette Cleanser

fwd:cloudsec North America wrapped up last week in Washington State. A recurring theme was Bedrock AgentCore turning into a real attack surface, with cloud identity and the data perimeter close behind. The full set of talk videos is up; the AWS ones worth your time:

• No Way Out? C2 Through AWS Data Perimeter via Bedrock-AgentCore by Dan Gansel - a working command-and-control channel punched straight through the data perimeter.
• Sub:jugation: Hijacking Cloud Identities by Recycling Namespaces in Global OIDC Issuers by Tal Skverer - reclaim a dead OIDC namespace and assume someone else's IAM roles.
• Discovering New AWS Privilege Escalation Paths with an AI-Driven Workflow by Seth Art - new IAM privesc paths, found and validated by an agent.
• Data Perimeters: Beyond the Marketing by Matt Luttrell - first-party AWS guidance on actually building a data perimeter, the defensive counterweight to Gansel.
• Paying More for Worse Security: An AWS Marketplace Horror Story by Corey Quinn - Marketplace AMIs that cost more and secure less.
• Transforming Security Incident Metadata to Security Outcomes by Cydney Stude and Steve de Vera - a threat-technique catalog built from real AWS incidents.
• Schrödinger's Detection: Finding the "Zombie" Rules in Your SIEM by Gowthamaraj Rajendran - the dead detection rule that silently matches nothing, opening on an AWS IAM privesc Sigma rule.
• I made AI agents apply for my Security Team. Then I gave the agents access to AWS. by Cole Horsman - autonomous AI agents given scoped machine identities and set loose to remediate hundreds of AWS IAM identities.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Sub:jugation: Hijacking Cloud Identities by Recycling Namespaces in Global OIDC Issuers by Tal Skverer

  The advice everyone gives is to ditch static CI/CD keys for OIDC federation, and Tal's fwd:cloudsec talk is the writeup of why that swap has a sharp edge. Issuers like GitHub Actions, GitLab CI, and HCP Terraform are global and shared, and the trust policy you write keys off a subject built from a namespace path like an org or repo name. Delete that org and someone else can register it, mint a token whose subject matches your forgotten IAM role trust policy, and assume the role, with no creds and no phishing. Tal found 14% of the AWS namespaces he checked were unregistered and takeable. If you federate into AWS from anything, this is the one to read.

• No Way Out? Bypassing the AWS Data Perimeter with Bedrock AgentCore by Dan Gansel

  The data perimeter is sold as the boundary that stops your credentials from talking to anything outside your org, and Dan built a working C2 channel right through it using nothing but legitimate AgentCore API calls. Exfil rides the server-side discovery-URL validation requests that originate from AWS's own infrastructure, and the inbound channel rides a Protected Resource Metadata API that answers from inside the VPC even when the endpoint policy denies everything, and never shows up in CloudTrail. AWS patched the inbound half and waved off the exfil half as "standard for OIDC client behavior," which is the part worth arguing about.

• The HazyBeacon Protocol: How Malware Weaponizes AWS Lambda Function URLs by Aniket Harne

  HazyBeacon is a real-world espionage campaign that turns the victim's own AWS account into its command-and-control. With stolen IAM creds it deploys Lambda functions fronted by Function URLs set to AuthType NONE, then proxies its traffic through trusted *.lambda-url.*.on.aws domains so IP and domain reputation never fire. First caught hitting Southeast Asian government networks, it is a clean example of an attacker borrowing AWS infrastructure instead of standing up their own. Aniket's writeup maps the campaign to ATT&CK and gives the high-signal controls that catch it.

🥗 AWS security blogs

• 📣 Amazon Cognito now supports multi-Region replication
• 📣 ARC Region switch adds Amazon Aurora scaling and Amazon Neptune global database failover
• 📣 Amazon ElastiCache for Valkey now supports durability
• 📣 Amazon Location Service announces public transit and intermodal routing
• 📣 Quick Research now supports customer managed keys
• 📣 Amazon Bedrock AgentCore Identity now allows you to bring your own secrets with AWS Secrets Manager
• Automating contract intelligence with Doczy.ai™ on AWS by Sanket Nasre
• Improve your application resilience with Amazon Cognito multi-Region replication by Sébastien Stormacq
• Achieve least-privilege access for Amazon Route 53 Profiles by Aanchal Agrawal
• Building secure B2C applications with fine-grained access control using Amazon Cognito and Amazon Verified Permissions by Sowmya Vemuri
• Amazon Cognito unlocks advanced capabilities with next-generation infrastructure by Howie Li
• Gain visibility into DDoS attacks with flow logs in AWS Shield Advanced by Ken Kitts
• Customize federated sign-in with new Amazon Cognito Lambda trigger by Abrom Douglas
• Identify unused AWS KMS keys and prevent accidental key deletions by Andrea Rossi
• Secure multi-tenant AI agents with Amazon Bedrock AgentCore resource-based policies by Satyen Verma
• Spring 2026 SOC 1, 2, and 3 reports are now available with 188 services in scope by Baj Bajwa

🍛 Reddit threads on r/aws

• QuickSight Chatbot Bypasses Data Download Restriction

💸 Sponsor shoutout

Meet Pleri: your AI security engineer. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

• aws-marketplace-catalog
• bedrock-agentcore
• transform-custom
• ivs
• glue
• cognito-idp
• quicksight
• health-agent
• finops-agent
• aidevops
• iot
• securityagent
• sagemaker
• transform
• elasticache
• quicksight
• mgn

🍪 API changes

• EMR Serverless
• AWS Elemental MediaConvert
• Amazon QuickSight
• Amazon SageMaker Service
• AWS Config
• Amazon EMR
• AWS Glue
• Amazon Interactive Video Service
• Amazon SageMaker Service
• AWS Wickr Admin API
• ARC
• AWS Cost Explorer Service
• AWS Compute Optimizer
• Amazon Connect Service
• Inspector2
• AWS End User Messaging Social
• Amazon Elastic Compute Cloud
• Amazon ElastiCache
• Amazon Location Service Routes V2
• Amazon GuardDuty
• Amazon Keyspaces Streams
• AWS Lambda
• Amazon SageMaker Service
• Sagemaker Job Runtime Service
• Amazon Transcribe Service
• Amazon Cognito Identity Provider
• AWS Marketplace Agreement Service
• Amazon QuickSight

🍹 IAM managed policy changes

• AWSMarketplaceSellerFullAccess
• SageMakerStudioUserIAMPermissiveExecutionPolicy
• SageMakerStudioUserIAMDefaultExecutionPolicy
• SageMakerStudioProjectUserRolePolicy
• SageMakerStudioProjectProvisioningRolePolicy
• SageMakerStudioAdminIAMPermissiveExecutionPolicy
• SageMakerStudioAdminIAMDefaultExecutionPolicy
• CloudWatchAPIKeyAccess
• EC2ImageBuilderExecutionPolicy
• AmazonEKSLoadBalancingPolicy
• FinOpsAgentOperatorPolicy
• FinOpsAgentAgentPolicy
• AWSQuickSetupPatchPolicyTagManagementExecutionPolicy
• AWSQuickSetupPatchPolicyLambdaExecutionPolicy
• AWSQuickSetupManagedInstanceProfileExecutionPolicy
• AmazonSageMakerJobRuntimeAccess
• AmazonSageMakerJobFullAccess
• AWSSecretsManagerClientReadOnlyAccess
• AWSAuditManagerServiceRolePolicy
• SageMakerStudioEMRInstanceRolePolicy
• AIDevOpsOperatorAppAccessPolicy
• AIDevOpsAgentAccessPolicy
• AWSNetworkFirewallServiceRolePolicy
• AWSApplicationMigrationReplicationServerPolicy
• AWSApplicationMigrationFullAccess
• AWSApplicationMigrationFSxProxyVPCPolicy
• AWSApplicationMigrationFSxProxyPolicy

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

• CVE-2026-49261: MariaDB/Galera wsrep_notify_cmd parameter injection (9.0)
• CVE-2026-11332: ansible-galaxy role-install argument injection RCE
• CVE-2026-50265: libinput udev property injection to root code exec
• CVE-2026-49975: mod_http2 HTTP/2 cookie-header counting DoS
• CVE-2026-50219: libexpat use-after-free in nested handlers
• CVE-2026-8829: Perl HTML::Entities heap over-read info leak
• CVE-2026-10805: NetworkManager dhclient MUD-URL local privesc (non-default)
• CVE-2026-50292: libinput device-group udev injection to root code exec
• CVE-2026-7774: Python tarfile.data_filter bypass enables path traversal
• CVE-2026-3276: Python unicodedata.normalize CPU-exhaustion DoS
• CVE-2026-50031: FreeIPMI ipmi-oem response buffer overflows
• CVE-2026-10701: Firefox Graphics text boundary-condition bug
• CVE-2026-10702: Firefox JavaScript JIT miscompilation
• CVE-2026-42507: Go net/textproto error-message log injection
• CVE-2026-27145: Go x509 VerifyHostname quadratic-blowup DoS
• CVE-2026-42504: Go MIME header decode CPU-exhaustion DoS
• CVE-2026-41436: QEMU UEFI pio_xfer_offset validation flaw
• CVE-2026-10294: PackageKit frontend-socket improper authorization
• CVE-2026-10532: logback restricted object-injection via deserialization
• CVE-2026-41439: QEMU UEFI wrap_pkcs7 data-size validation flaw
• CVE-2026-44740: go-billy filesystem DoS on malformed input
• CVE-2026-41437: QEMU UEFI out-of-bounds read
• CVE-2026-10230: Assimp (Qt3D) Half-Life MDL heap overflow
• CVE-2026-41435: QEMU UEFI buffer overrun (7.3)
• CVE-2026-43958: rrdtool rrdcached stack overflow, DoS/RCE (7.8)
• CVE-2026-10232: Assimp (Qt3D) ASE parser use-after-free
• CVE-2026-10275: OpenSC pkcs11-tool buffer overflow
• CVE-2026-49390: Netatalk afp.conf unvalidated server-quantum option
• CVE-2026-10229: Assimp (Qt3D) Half-Life MDL heap overflow
• CVE-2026-10201: Assimp (Qt3D) FBX exporter divide-by-zero
• CVE-2026-10118: Poppler PDF integer overflow, OOB write RCE (7.8)
• CVE-2026-10233: Assimp (Qt3D) Half-Life MDL out-of-bounds read
• CVE-2026-8341: QEMU UEFI integer underflow
• CVE-2026-10231: Assimp (Qt3D) Half-Life MDL heap overflow
• CVE-2026-41438: QEMU UEFI 16-bit integer wrap, memory corruption
• CVE-2026-41440: QEMU UEFI var-service-auth flaw
• CVE-2026-9334: Perl Cpanel::JSON::XS type confusion
• CVE-2026-9516: Perl Cpanel::JSON::XS BOM-shift memory corruption

📺 AWS security bulletins

• Ongoing updates on Copy.fail and variants
• Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)
• Issues with AWS Research and Engineering Studio (RES)
• Issue with FreeRTOS-Plus-TCP - MAC Address Validation Bypass and ICMP Echo Reply Integer Underflow
• Security Findings in SageMaker Python SDK
• Issue with Amazon SageMaker Python SDK - Model artifact integrity verification issues (CVE-2026-8596 & CVE-2026-8597)
• CVE-2026-7424 - Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP
• Issues with Amazon Athena ODBC Driver
• CVE-2026-11400 and CVE-2026-11401
• Fragnesia Local Privilege Escalation report via ESP-in-TCP in the Linux Kernel
• CVE-2026-6437 - Mount Option Injection in Amazon EFS CSI Driver
• CVE-2026-1386 - Arbitrary Host File Overwrite via Symlink in Firecracker Jailer
• CVE-2026-8686 - Heap out-of-bounds read in coreMQTT MQTT5 property parsing
• CVE-2026-8178 - Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver
• [Redirected] Memory Dump Issue in AWS CodeBuild
• Unanchored ACCOUNT_ID webhook filters for CodeBuild
• [Redirected] Security Update for Amazon Q Developer Extension for Visual Studio Code (Version #1.84)
• CVE-2026-8838 - Remote Code Execution in amazon-redshift-python-driver
• CVE-2025-8069 - AWS Client VPN Windows Client Local Privilege Escalation
• CVE-2026-7191- Arbitrary Code Execution via Sandbox Bypass in QnABot on AWS
• CVE-2025-6031 - Insecure device pairing in end-of-life Amazon Cloud Cam
• CVE-2026-5747 - Out-of-bounds Write in Firecracker virtio-pci Transport
• Amazon Q Developer and Kiro – Prompt Injection Issues in Kiro and Q IDE plugins
• CVE-2025-9039 - Issue with Amazon ECS agent introspection server
• CVE-2025-8904 - Issue with Amazon EMR Secret Agent component
• CVE-2026-9255 - Tool Execution Without Authorization via Piped Stdin in Kiro CLI
• Buffer Over-read when receiving improperly sized ICMPv6 packets
• CVE-2025-11573 - Denial of Service issue in Amazon.IonDotnet
• Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912
• IMDS impersonation
• CVE-2025-11462 AWS ClientVPN macOS Client Local Privilege Escalation
• CVE-2026-0830 - Command Injection in Kiro GitLab Merge Request Helper
• Dirty Frag and other issues in Amazon Linux kernels
• CVE-2026-6550 - Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python
• Arbitrary code execution via crafted project files in Kiro IDE
• CVE-2026-9133 - Arbitrary file read in rabbitmq-aws plugin
• CVE-2025-12829 - Integer Overflow issue in Amazon Ion-C
• CVE-2026-31431
• CVE-2025-12815 - RES web portal may display preview of Virtual Desktops that the user shouldn't have access to
• Improper authentication token handling in the Amazon WorkSpaces client for Linux
• CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 - runc container issues
• Privilege Escalation in Aurora PostgreSQL using AWS JDBC Wrapper, AWS Go Wrapper, AWS NodeJS Wrapper, AWS Python Wrapper, AWS PGSQL ODBC driver
• CVE-2025-66478: RCE in React Server Components
• Key Commitment Issues in S3 Encryption Clients
• CVE-2026-4270 - AWS API MCP File Access Restriction Bypass
• Overly Permissive Trust Policy in Harmonix on AWS EKS
• CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer
• CVE-2026-4269 - Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit
• CVE-2026-4428: Issues with AWS-LC - CRL Distribution Point Scope Check Logic Error
• CVE-2026-5429 - Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme
• CVE-2026-7791 - Local Privilege Escalation via TOCTOU Race Condition in Amazon WorkSpaces Skylight Agent
• Issue with FreeRTOS-Plus-TCP - IPv6 Router Advertisement Memory Safety Issues
• CVE-2026-9291 - Insecure Deserialization in Amazon Braket SDK Job Results Processing
• Issues in tough library and tuftool CLI utility
• MariaDB Server Audit Plugin Comment Handling Bypass
• CVE-2026-10591 - Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths
• CVE-2026-7461 - OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials
• CVE-2026-5190 - AWS C Event Stream Streaming Decoder Stack Buffer Overflow

🚬 Security documentation changes

• Athena docs update OAuth 2.0 callback endpoint URL
• CLI renames Security Hub control to Security Hub CSPM control
• CLI warns untrusted package templates risk arbitrary file uploads
• CLI adds applicationLevelDigestResolution for image digest timing
• CLI adds applicationLevelDigestResolution to application output
• CLI adds image digest verification fields to imageConfiguration
• CLI clarifies authToken expiration and refresh behavior
• CLI adds applicationLevelDigestResolution for image digest timing
• CLI removes several finding filter-criteria fields
• CLI documents MediaTailor integration and playback token generation
• CLI documents MediaTailor integration and playback token generation
• CLI updates MediaConvert DRM ClearLeadSegments and trick play
• CLI updates MediaConvert DRM ClearLeadSegments and trick play
• CLI updates MediaConvert DRM ClearLeadSegments and trick play
• CLI adds --included-data for metadata-only access without KMS decrypt
• CLI adds --included-data for metadata-only access without KMS decrypt
• CLI adds maxNonSsoSessionMinutes session-limit parameter
• CLI adds maxNonSsoSessionMinutes session-limit parameter
• CLI adds maxNonSsoSessionMinutes session-limit parameter
• CLI adds maxNonSsoSessionMinutes session-limit parameter
• Direct Connect adds MACsec key distribution with TLS 1.3 + ML-KEM
• EKS documents controller log delivery for Capabilities
• EKS updates GPU XID error-code table and repair actions
• Marketplace adds IAM permissions for seller verification evidence
• Payment Cryptography clarifies KP field KBPK validation
• Redshift Serverless adds events for Secrets Manager + admin-cred failures
• SageMaker AutoML now needs kms:GenerateDataKey for KMS encryption
• SageMaker updates VolumeKmsKey condition key to VolumeKmsKeyArn
• Security Hub expands EFS mount-target public-IP risk guidance
• ACM deprecates certificate-transparency opt-out (all public certs logged)
• Athena adds SageMaker Browser IDC and SageMaker IAM auth
• Athena replaces Ping auth reference with SageMaker IAM
• Athena adds SageMaker endpoint override option
• Athena ODBC 2.2.0.0 adds SageMaker auth and STS ExternalId support
• CLI documents Aurora/Neptune scaling execution block types
• CLI documents Aurora/Neptune scaling execution block types
• CLI updates Nitro v6 TCP idle-timeout defaults
• CLI updates Nitro v6 TCP idle-timeout defaults
• CLI updates Nitro v6 TCP idle-timeout defaults
• CLI adds StorageEncryptionType and durability encryption fields
• CLI adds StorageEncryptionType and durability encryption fields
• CLI adds file-path fields to findings
• CLI removes IAM policy requirements section
• CodeBuild notes secret masking needs exact-value match
• CodeBuild notes secret masking needs exact-value match
• EKS adds bind to Kubernetes RBAC verbs list
• EKS bumps default Kubernetes version
• ELB adds WAF HTTP/2 traffic inspection behavior section
• FSx documents Lustre client install from Amazon FSx repo
• Inspector flags false-positive findings for three CVEs