Issue #268

Monday · July 06, 2026

๐Ÿฅ– Palate Cleanser

Putting together a market survey used to be the domain of big marketing departments, but now someone like Chandrapal Badshah can create a decent cloud security hiring report solo. He grabbed 407 cloud security job postings from June 2026 and extracted some fun facts for us to ponder. If you want a cloud security job, AWS used to be a necessity, but now Azure is catching up fast and has halved AWS's lead in a month. If you're just starting out, you're out of luck, as entry jobs accounted for just 3%.

I'm just as hyped as anyone about AI, but every week I'm more convinced there's a 'f-around and find out' moment coming. Microsoft showed this week that a poisoned MCP tool description, just the text a model reads to decide how to use a tool, is enough to make an agent hand company data to an outsider while following every rule perfectly. No exploit, no broken policy, no alarm. Which sets up this issue nicely. As apps and agents start acting with your identity in AWS, knowing who's doing what, catching it, and reconstructing it afterward stops being optional.

๐Ÿ“‹ Chef's selections

Apps can now impersonate human access to AWS via IAM Identity Center

by Aidan Steele

AWS shipped the ability for server-side apps to assume roles on behalf of their own users through IAM Identity Center, and Aidan reverse-engineered it the same day. His field notes cover what the CloudTrail events actually look like, whether it's ready to turn on today, and the sharp edges the docs skip. If you've ever handed an internal tool a superset of everyone's permissions and then bolted your own authz on top, this is the feature you've been waiting for - along with the caveats to understand before you flip it on.

AWS Forensics: what you need to know

by Nathanael Ndong

Nathanael has written the AWS incident-response primer you wish every forensic analyst had before their first cloud breach. It walks through the account and identity model, then zeroes in on where the evidence actually lives - and where it doesn't, from CloudTrail's 90-day default retention to data events that stay off until you enable them. A grounded field guide to reconstructing what an attacker did, from recon and IAM backdoors to Lambda persistence.

Why I Keep Recommending Amazon GuardDuty

by Sena Yakut

I feature Sena's content pretty regularly because she writes from experience and doesn't overcomplicate things. In this post she makes the case for GuardDuty as the first detection service she reaches for on almost any AWS environment, tracing how it grew from crunching CloudTrail, VPC Flow Logs and DNS logs into today's much broader sensor. It's a practical, experience-driven tour of what the service catches for near-zero setup effort, and the gaps you still have to close yourself. I'm not a fan of the GuardDuty UX but the service works, has improved dramatically recently, and is infinitely better than no breach detection which is what most companies have.

๐Ÿฅ— AWS security blogs

๐Ÿ› Reddit threads on r/aws


๐Ÿค– Dessert

Every machine-tracked change this week. Nobody else assembles this.

๐Ÿง IAM permission changes

๐Ÿช API changes

๐Ÿน IAM managed policy changes

โ˜• CloudFormation resource changes

๐ŸŽฎ Amazon Linux vulnerabilities

๐Ÿ“บ AWS security bulletins

๐Ÿšฌ Security documentation changes

Get every AWS security change,
on a plate every Monday.

6,700+ engineers, builders and CISOs let us diff the AWS changelog every week.