ANNOUNCEMENT: This newsletter is moving to AWS Security Digest

We are merging into AWS Security Digest (ASD). It’s awesome and I think you’ll love it.

After today, all AWS Cloud Security Weekly subscribers will be automatically subscribed to ASD. Please allowlist the official email address:

Daniel Grzelak <hello@awssecuritydigest.com>

And look out for for “AWS Security Digest #220” in your inbox (or junk) next Monday at 8am ET.

This week TLDR i.e. 1 minute version (For executives):

1. AWS API MCP Server now available Link

2. Improved security and isolation for AI agent operations Link

3. Centralized logging for EventBridge event bus enhances observability Link

4. AWS Private CA increases certificate limits for improved PKI management Link

5. AWS Firewall Manager supports AWS PrivateLink for secure management Link

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Secure authentication beyond IAM access keys Link

   • AWS completes audit with European financial institutions for compliance Link

   • Enhance FSx for Windows security with AI anomaly detection Link

   • Secure multi-tenant agent cost management with Amazon Bedrock Link

   • Secure Amazon Bedrock agent deployment and operations at scale Link

2. General security blogs, articles, reports & trending news/advisories:

   • Exploring Delegated Admin Risks in AWS Organizations Link

   • Code Execution Through Email: How I Used Claude to Hack Itself Link

   • Brewing Trouble — Dissecting a macOS Malware Campaign Link

   • Deep Dive and Nuances of AWS's Programmatic IAM Action List and Service Authorization References (SAR) Link

   • API Keys for Bedrock: A Brief Security Overview Link

   • Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication Link

Subscribe now

Share

ANNOUNCEMENT: AWS Cloud Security Weekly is moving!

This is the second-last issue of AWS Cloud Security Weekly. Next week’s issue 105 will be the last, although the content archive will remain.

We are merging into AWS Security Digest (ASD), maintained by Daniel Grzelak. It’s awesome and I think you’ll love it. It covers much of the same content but includes a lot more detail, like API changes, IAM permission changes, managed policy updates, CloudFormation updates, Amazon Linux CVEs, and more.

If you haven’t seen it yet, check out this week’s issue to compare the content and see if it’s your vibe. After next week’s issue, all AWS Cloud Security Weekly subscribers will be automatically subscribed to ASD. So if it’s not for you, please unsubscribe over the next week.

Thank you for all of your support over the last couple of years. ♥️

This week TLDR i.e. 1 minute version (For executives):

There were no new security announcements this week from AWS but free tier did get a make over.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Blocking DDoS attacks with AWS WAF Link

   • Assessing application resilience across multiple AWS accounts Link

   • New SOC compliance reports covering 184 AWS services Link

   • Establishing a European trust service provider for the AWS European Sovereign Cloud Link

   • PCI DSS compliance package for Spring 2025 Link

2. General security blogs, articles, reports & trending news/advisories:

   • Exploiting Public APP_KEY Leaks to Achieve RCE in Hundreds of Laravel Applications Link

   • Shift-Left Security with Amazon Inspector Code Security Link

   • Career Longevity & The Don't Fire Me Chart Link

   • Unmasking Lambda's Hidden Threat - When Your Bootstrap Becomes a Backdoor Link

   • Would you like an IDOR with that? Leaking 64 million McDonald’s job applications Link

   • Investigate Your Own AWS Attack with Athena Link

   • CVE-2025-48384: Git vulnerable to arbitrary file write on non-Windows systems Link Link

   • Bypassing Meta’s Llama Firewall: A Case Study in Prompt Injection Vulnerabilities Link

Subscribe now

Share

This week TLDR i.e. 1 minute version (For executives):

1. Amazon Inspector expands security vulnerability scanning to more AWS Regions Link

2. Amazon CloudFront supports HTTPS DNS records for enhanced security and performance Link

3. AWS Site-to-Site VPN integrates with AWS Secrets Manager and improves security configurations Link

4. AWS Fargate supports SOCI Index Manifest v2 for improved deployment consistency and integrity Link

5. Amazon CloudWatch PutMetricData API supports CloudTrail logging for security and compliance Link

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Monitor AWS cloud resources for resilience across multiple accounts Link

   • Strengthen security for AWS cloud storage with Superna Defender Link

   • Enhance remote secure access to AWS for hybrid workforces Link

   • CyberVadis report for third-party supplier risk assessment Link

   • Improve backup and recovery resilience with multi-party approval Link

2. General security blogs, articles, reports & trending news/advisories:

   • Building a cloud security roadmap: Tools by layer and when you need them (pt.1) Link

   • How Google Cloud is securing open-source credentials at scale Link

   • Instagram uses expiring certificates as single day TLS certificates Link

   • How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets Link

   • Hijacking Amazon EventBridge for launching Cross-Account attacks Link

   • Marketplace Takeover: How We Could’ve Taken Over Every Developer Using a VSCode Fork; Putting Millions at Risk Link

   • How to get rekt using AWS Neptune Link

Subscribe now

Share

1. AWS WAF now supports automatic application layer distributed denial of service (DDoS) protection.

2. AWS Control Tower now supports seven new compliance frameworks.

3. AWS KMS adds support for post-quantum ML-DSA digital signatures.

4. Amazon Verified Permissions reduces authorization request price by up to 97%.

5. Amazon EKS Pod Identity simplifies the experience for cross-account access.

6. AWS CloudTrail enhances logging for Amazon S3 DeleteObjects API.

7. Amazon S3 extends additional context for HTTP 403 Access Denied error messages to AWS Organizations.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Bulletin: CVE-2025-6031 - Insecure device pairing in end-of-life Amazon Cloud Cam. Link.

   • How to create post-quantum signatures using AWS KMS and ML-DSA. Link.

   • AWS CIRT announces the launch of the Threat Technique Catalog for AWS. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • Amazon to launch second Secret Cloud Region in 2025. Link.

   • AWS Temporary Sandbox environment. GitHub Link.

   • Revoking access to IAM Roles Anywhere using open-source private CA by Paul Schwarzenberger. Link.

   • OneLogin, Many Issues: How I Pivoted from a Trial Tenant to Compromising Customer Signing Keys by Julian Catrambone. Link.

   • Hey ARNold: A Guide to All the Amazon Resource Identifiers Formats in AWS by Jason Kao. Link.

   • The Evolution of Linux Binaries in Targeted Cloud Operations by Nathaniel Quist, Bill Batchelor. Link.

   • Attackers Unleash TeamFiltration: Account Takeover Campaign (UNK_SneakyStrike) Leverages Popular Pentesting Tool. Link.

   • First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted by Bill Marczak and John Scott-Railton. Link.

   • AWS Data Perimeter policy examples. Github Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS has enhanced WAF application layer (L7) DDoS protection with faster automatic detection and mitigation, responding within seconds, leveraging AWS WAF Managed Rule group, which now detects and blocks DDoS attacks in real time across services like CloudFront and ALB, helping security and reliability teams reduce manual effort while keeping apps available. Link. Here’s my ruleset:

   

2. AWS Control Tower now supports seven additional compliance frameworks in Control Catalog, which include CIS v8.0, FedRAMP r4, ISO/IEC 27001:2013 Annex A, NIST CSF v1.1, NIST SP 800-171 r2, PCI DSS v4.0, and SSAE 18 SOC 2 (Oct 2023). Link.

3. AWS Key Management Service (KMS) now supports the FIPS 203 ML-DSA, a quantum-resistant digital signature algorithm standardized by NIST. Designed to protect sensitive data against future quantum threats, ML-DSA is ideal for use cases like firmware and code signing, where signatures must remain secure and valid for years. Link. Here’s my key:

   

4. Amazon Verified Permissions has reduced pricing for single authorization requests by up to 97%, now costing $5 per million API calls. Link. Updated pricing:

   

5. Amazon EKS Pod Identity now simplifies cross-account access to AWS resources. With updated APIs, you can configure permissions by specifying IAM details from the target account when creating a Pod Identity association. Applications in your EKS cluster receive the required credentials at runtime—no code changes needed. Using IAM role chaining, EKS Pod Identity lets your pods access resources like S3 or DynamoDB in other accounts by assuming a local role and then a target role in the resource account, automatically handling credential delivery. Link. Here’s an example for external access:

   

6. AWS has enhanced Amazon S3 DeleteObjects API logging in AWS CloudTrail to provide deeper visibility into bulk delete operations, helping you better protect and monitor your S3 buckets. Previously, CloudTrail recorded a single event for DeleteObjects API calls, showing who made the request and which bucket was affected, but not which specific objects were deleted. With this update, CloudTrail now also logs individual DeleteObject events for each object in the bulk request, offering detailed insights into exactly what was deleted. Link. For example, here’s my CloudTrail for DeleteObject event, with the details:

   

7. Amazon S3 now provides enhanced context in HTTP 403 Access Denied responses for requests targeting resources in accounts within the same AWS Organization. These responses include details such as the type of policy that blocked the request, the reason for the denial, and information about the IAM user or role that attempted access. This added context helps you diagnose permission issues more effectively, pinpoint the cause of access denials, and correct misconfigured policies. The same detailed information is also captured in AWS CloudTrail logs. Link. Here are my sample errors:

   

   Subscribe now

   Share

1. Amazon VPC Route Server announces logging enhancements.

2. AWS Site-to-Site VPN introduces three new capabilities for enhanced security.

3. AWS KMS launches on-demand key rotation for imported keys.

4. AWS Network Firewall launches new monitoring dashboard.

5. Announcing ASN match support for AWS WAF.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Bulletin: CVE-2025-5688 - Out of Bounds Write in FreeRTOS-Plus-TCP. Link.

   • Building secure foundations: A guide to network and infrastructure security at AWS re:Inforce 2025. Link.

   • Implementing just-in-time privileged access to AWS with Microsoft Entra and AWS IAM Identity Center. Link.

   • How to use on-demand rotation for AWS KMS imported keys. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • Bruteforcing the phone number of any Google user. Link.

   • Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine by Jacob Finn, Dmytro Korzhevin, Asheer Malhotra. Link.

   • Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets. Link.

   • Official Root Cause Analysis (RCA) for SentinelOne Global Service Interruption. Link.

   • BladedFeline: Whispering in the dark. Link.

   • Lumma Infostealer – Down but Not Out? Link.

   • Malicious Ruby Gems Exfiltrate Telegram Tokens and Messages Following Vietnam Ban by Kirill Boychenko. Link.

   • AMOS Variant Distributed Via Clickfix In Spectrum-Themed Dynamic Delivery Campaign By Russian Speaking Hackers by Koushik Pal. Link.

   • Orca 2025 State of Cloud Security Report: Cloud Risks Surge Amid Expanding AI Adoption. Link.

   • FBI Advisory: Alert Number: I-060325-PSA on NFT Airdrop Defrauding Techniques. Link.

   • The Cost of a Call: From Voice Phishing to Data Extortion. Link.

   • Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data. Link.

   • Victoria’s Secret & Co. Security Incident Involving Information Technology Systems. Link.

   • Microsoft & Crowdstrike partner on threat actor naming. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. Amazon VPC Route Server has added new network metrics to monitor BGP and BFD sessions, troubleshoot connectivity, and view network health in real-time. This update enables faster, independent diagnosis of network issues, with flexible log delivery to CloudWatch, S3, and more. Link. For example, here are my log delivery options:

   

2. AWS Site-to-Site VPN is introducing three new features: a) Secrets Manager integration hides pre-shared keys in API responses. b) A new API tracks VPN encryption details and c) A "recommended" config option promotes best-practice security settings. Link. CLI references HERE and here are my configs:

   

   

3. AWS Key Management Service (KMS) now supports on-demand rotation of symmetric encryption keys with imported key material (BYOK), enabling periodic key rotation, without changing the key identifier. Link. Well explained in THIS blog. For example, here is my on-demand rotation option and remaining rotation counts:

   

4. AWS Network Firewall launched a new monitoring dashboard, providing enhanced visibility into network traffic patterns and activities for better management and troubleshooting. The dashboard offers insights into:

   Top traffic flows, TLS Server Name Indication (SNI), HTTP Host headers,Long- lived TCP flows and Failed TCP handshakes. Link. For example, here is my config:

   

5. AWS WAF has added support for matching incoming requests against Autonomous System Numbers (ASNs), allowing you to mitigate risks from malicious actors Comply with regulatory requirements Optimize web application performance and availability. The new ASN Match Statement integrates with existing WAF rules. Link. For example, here’s my config:

   

   Subscribe now

   Share

1. AWS Security Hub now supports NIST SP 800-171 Revision 2.

2. CloudTrail Lake now supports event enrichment and expanded event size.

3. Announcing Red Hat Enterprise Linux for AWS.

4. Amazon S3 Express One Zone now supports granular access controls with S3 Access Points.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • N/A this week.

2. General security blogs, articles, reports & trending news/advisories:

   • CloudTrail Logging Evasion: Where Policy Size Matters by Abian Morina. Link.

   • PumaBot: Novel Botnet Targeting IoT Surveillance Devices. Link.

   • Mark Your Calendar: APT41 Innovative Tactics. Link.

   • Safari Vulnerability Enables Attackers to Steal Credentials with Fullscreen BitM Attacks. Link.

   • Sublime Email Threat Research Report. Link.

   • CloudRec: open source multi-cloud security posture management (CSPM) platform. GitHub Link. (Important note: Ant Group is a company based in China).

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS Security Hub now supports NIST SP 800-171 Rev. 2, a U.S. cybersecurity framework for protecting sensitive information in non-federal systems. Link. Here is the option in my console:

   

2. AWS CloudTrail Lake now offers event enrichment for easier activity categorization and analysis, and expanded event size (up to 1 MB, from the 256 KB limit) for more detailed API action visibility. Link. For example, here’s my query for a specific principal tag:

   

3. Red Hat Enterprise Linux (RHEL) for AWS is now generally available, starting with RHEL 10. This offering combines Red Hat's enterprise Linux with native AWS integration. Key features include pre-tuned images, Amazon CloudWatch telemetry, integrated AWS CLI, container-native tooling, enhanced security, and optimized networking with ENA support. Link. For example, here are my options in the EC2 launch console:

   

4. Amazon S3 Express One Zone now supports granular access control via S3 Access Points which allows refined access based on prefixes or API actions, enabling tailored policies for teams, applications, or individuals. Each access point offers a unique hostname, customizable permissions, and VPC restrictions, facilitating use cases like write-only data ingestion, read-only analytics, and restricted cross-account sharing. Link. For example, here’s my permission boundary using prefix:

   

   Subscribe now

   Share

1. AWS Secrets Manager announces support for cost allocation tags for secrets.

2. AWS Organizations now supports Internet Protocol Version 6 (IPv6).

3. Amazon EC2 Mac instances now support configurable System Integrity Protection (SIP) settings.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Bulletin: CVE-2025-5279 - Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin. Link.

   • Navigating the threat detection and incident response track at re:Inforce 2025. Link.

   • Elevate your AI security: Must-see re:Inforce 2025 sessions. Link.

   • How to use the new AWS Secrets Manager Cost Allocation Tags feature. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • AWS Built a Security Tool. It Introduced a Security Risk by Eliav Livneh. Link.

   • Cloudy with a Chance of Hijacking Forgotten DNS Records Enable Scam Actor by Jacques Portal, Renée Burton. Link.

   • CISA Advisory: Russian GRU Targeting Western Logistics Entities and Technology Companies. Link.

   • Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation. Link.

   • Cloudflare participates in global operation to disrupt Lumma Stealer. Link.

   • Cloud CISO Perspectives: How Google Cloud’s security team helps build securely. Link.

   • A python in disguise: unpacking PyInstaller malware on macOS. Link.

   • Remote Prompt Injection in GitLab Duo Leads to Source Code Theft by Omer Mayraz. Link.

   • Adidas data breach. Link.

   • Matlab disclosed ransomware attack. Link.

   • Zscaler announced Acquisition of Red Canary. Link.

   • Mandiant: BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique. Link.

   • Worcester College Student to Plead Guilty to Cyber Extortions. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS Secrets Manager now allows you to allocate and monitor costs associated with their secret usage. Link. Well explained in THIS blog. For example, here’s my tag:

   

   

2. AWS Organizations now supports Internet Protocol version 6 (IPv6) through new dual-stack endpoints, allowing you to connect over the public internet using IPv6, IPv4, or dual-stack clients. Existing IPv4-only endpoints will continue to be available to ensure backward compatibility. Link. Here’s my endpoint:

   

3. You can now configure System Integrity Protection (SIP) on EC2 Mac instances which allows temporary SIP disablement for testing, installing system extensions, managing drivers, and optimizing development while maintaining security. Link. Well explained in THIS blog.

   Subscribe now

   Share

1. Amazon Elastic Container Registry (ECR) supports image replication between the AWS GovCloud (US) Region.

2. AWS CodeBuild adds support for new IAM condition keys.

3. DynamoDB local is now accessible on AWS CloudShell.

4. Amazon Inspector enhances container security by mapping ECR images to running containers.

5. Amazon Cognito now supports OIDC prompt parameter.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Introducing the AWS User Guide to Governance, Risk and Compliance for Responsible AI Adoption within Financial Services Industries. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • Threat modeling Cloud Service providers in 2025 by Chris Farris. Link.

   • Root in prod: The most important security analysis you will never do on your AWS accounts by Daniel Grzelak. Link.

   • KeePass trojanised in advanced malware campaign. Full report HERE.

   • Introducing Docker Hardened Images. Link.

   • Coinbase security incident details. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. Amazon Elastic Container Registry (ECR) now supports replicating images from private ECR repositories across accounts and/or regions within the AWS GovCloud (US) Regions. This capability reduces startup time for applications by enabling faster, in-region image pulls, minimizing latency & supports backup and disaster recovery objectives. Link. Here’s my sample replication configuration:

   

2. AWS CodeBuild added support for new IAM condition keys for more precise access control over resource-modifying APIs. These keys let you enforce policies on VPC settings, buildspecs, and compute types—helping align CodeBuild usage with organizational security and compliance standards. Link. Here’s my sample policy:

   

3. Amazon DynamoDB local is now generally available in AWS CloudShell. This lets you develop and test DynamoDB apps locally, at no cost, without affecting production. Just use the dynamodb-local alias in CloudShell; no downloads or setup needed. To run CLI commands, use --endpoint-url http://localhost:8000. Link. For example, I created a DynamoDB table locally in my cloudshell using:

   

4. Amazon Inspector now links Amazon ECR images to running ECS tasks and EKS pods, helping you identify which images are actively used and to prioritize patching the most critical, in-use images. You can view image usage, last used time, and associated clusters via the Inspector console or API. Findings are updated automatically and sent to EventBridge. You can also adjust how long images are monitored after last use by setting the ECR re-scan duration. Link. For example, here’s one of my ECR images that hasn’t been used recently and has findings:

   

5. Amazon Cognito now supports the OpenID Connect (OIDC) prompt parameter in Managed Login, allowing finer control over authentication flows. Apps can use login to force re-authentication or none for silent checks. Cognito also supports select_account and consent prompts for federated sign-ins. The login prompt lets apps require users to re-authenticate for sensitive actions without ending their session. The none prompt enables silent session checks, ideal for seamless single sign-on across apps using the same Cognito user pool. Link.

   Subscribe now

   Share

1. Amazon GuardDuty Malware Protection for EC2 now available in AWS GovCloud (US) Regions.

2. Amazon VPC adds CloudTrail logging for VPC resources created by default.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Protect against advanced DNS threats with Amazon Route 53 Resolver DNS Firewall. Link.

   • How to manage migration of hsm1.medium CloudHSM clusters to hsm2m.medium. Link.

   • Implementing safety guardrails for applications using Amazon SageMaker. Link.

   • Monitoring and optimizing the cost of the unused access analyzer in IAM Access Analyzer. Link.

   • Mapping AWS security services to MITRE frameworks for threat detection and mitigation. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • Amazon S3 Bucket Name Squatting by Costas Kourmpoglou. Link.

   • The Russian Open Source Project That We Can’t Live Without. Link.

   • Schedule Security Scanning with a Serverless Fanout Pattern by Rich Mogull. Link.

   • Tales from the cloud trenches: The Attacker doth persist too much, methinks by Martin McCloskey. Link.

   • China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures by Arda Büyükkaya. Link.

   • Google Threat Intelligence: COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs. Link.

   • FBI PSA: Cyber Criminal Proxy Services Exploiting End of Life Routers. Link.

   • Wiz: Cloud Hunting Games. Link.

   • Microsoft: Top MSRC 2025 Q1 Security Researchers. Link.

   • TA406 Pivots to the Front by Greg Lesnewich, Saher Naumaan, Mark Kelly. Link.

   • Orca Security Acquires Opus to Bring Agentic AI to CNAPP. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS now offers Amazon GuardDuty Malware Protection for EC2 in AWS GovCloud (US) Regions, allowing you to to detect potential malware by scanning EBS volumes attached to EC2 instances and container workloads. Link. Here’s my gov console.

   

2. Amazon VPC adds CloudTrail logging for VPC resources created by default. Previously, CloudTrail logs only captured resources explicitly created by customers, requiring manual tracking of default resources for audit purposes. With this update, CloudTrail now logs events related to the automatic creation or deletion of default resources—such as Security Groups, Network ACLs, and Route Tables—when a VPC is created or deleted. Link. Here’s my CloudTrail for a default VPC creation:

   

   Subscribe now

   Share

1. Amazon Verified Permissions now supports policy store tagging. Link.

2. Amazon Cognito adds enhanced context support for machine-to-machine (M2M) authorization flows. Link.

3. Resource control policies (RCPs) are now available in the AWS GovCloud (US) Regions. Link.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Bulletin: CVE-2025-4318 - Input validation issue in AWS Amplify Studio UI component properties. Link.

   • Use an Amazon Bedrock powered chatbot with Amazon Security Lake to help investigate incidents. Link.

   • How to use AWS Transfer Family and GuardDuty for malware protection. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • Why Recreating an IAM Role Doesn't Restore Trust: A Gotcha in Role ARN by Nick Frichette. Link.

   • CloudWatch Dashboard (Over)Sharing: How bugs in Amazon CloudWatch and Cognito allowed attackers to see beyond Dashboards by Leonidas Tsaousis. Link.

   • TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks by Facundo Muñoz. Link.

   • FBI: Phishing Domains Associated with LabHost PhaaS Platform Users. PDF Link.

   • Pushing passkeys forward: Microsoft’s latest updates for simpler, safer sign-ins. Link.

   • Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption. Link.

   • Shifty Business: Encryption in Amazon Redshift, Secure Defaults, and How to Shiftily Create Unencrypted Redshift Clusters by Jason Kao. Link.

   • Cloud Incident Readiness: Critical infrastructure for cloud incident response. Link.

   • TrailAlerts: Take Control of Cloud Detection in AWS by Adan. Link.

   • Presentation: Cloud Attack Emulation: Leveraging the Attacker’s Advantage for Effective Defense. Link.

   • Datadog acquires Eppo. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. Amazon Verified Permissions now supports tagging of Policy Stores, enabling tag-based IAM access control and cost allocation. You can restrict access using tags (e.g., by tenant) and leverage cost allocation tags for chargeback. Tagging also improves policy store discoverability in the console. Link. Here’s my sample CLI for tagging:

   

2. Amazon Cognito now supports passing custom context in OAuth 2.0 client credentials flow, letting you tailor M2M access tokens based on details like environment or app name. Use ClientMetadata with Lambda triggers to adjust scopes and claims for better access control and rate limiting. Link.

3. Resource control policies (RCPs) are now available in the AWS GovCloud (US) Regions. Link. I see that option in my Gov AWS console now:

   

   Subscribe now

   Share

1. Automated HTTP validated public certificates with Amazon CloudFront.

2. Amazon Cognito now supports refresh token rotation.

3. Amazon EBS now supports additional resource-level permissions for copying EBS snapshots.

4. AWS Account Management now supports IAM-based account name updates.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • How to import existing AWS Organizations SCPs and RCPs to CloudFormation. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • Top Tier Target: What it takes to defend a cybersecurity company from today’s adversaries by Tom Hegel, Aleksandar Milenkoski & Jim Walter. Link.

   • Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows by Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, Tom Lancaster. Link.

   • FBI Releases Annual Internet Crime Report. Link.

   • How the April 28, 2025, power outage in Portugal and Spain impacted Internet traffic and connectivity by David Belson. Link.

   • WhatsApp advanced chat privacy feature. Link.

   • Mandiant M-Trends 2025 report. Link.

   • Operation SyncHole: Lazarus APT goes back to the well by Sojun Ryu,

     Vasily Berdnikov. Link.

   • Palo Alto Networks Announces Intent to Acquire Protect AI, a Game-Changing Security for AI Company. Link.

   • Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis by Google Threat Intelligence Group. Link.

   • Phantom DNS Query to GCP VM Metadata Service in My AWS Workload Revealed by Route 53 Resolver Logging by Gabriel Ko. Link.

   • Datadog: State of DevSecOps report. Link.

   • An open letter to third-party suppliers by Patrick Opet, Chief Information Security Officer. Link.

   • Shadow Roles: AWS Defaults Can Open the Door to Service Takeover

     Security Threat, Yakir KadkodaOfek Itach. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS Certificate Manager (ACM) now offers automated public TLS certificates for Amazon CloudFront. Customers can simply check a box to have ACM automatically request, issue, associate, and renew certificates for their CloudFront distributions, streamlining the setup of secure applications. Manual certificate management remains an option. Link.

2. Amazon Cognito now supports OAuth 2.0 refresh token rotation for user pool clients. This feature enhances security by automatically replacing refresh tokens at regular intervals, limiting the risk of token compromise, while maintaining access without requiring re-authentication for users. Link. Here’s my config:

   

3. Amazon EBS now supports additional resource-level permissions for copying snapshots with more granular control over who can perform copy operations. You can also apply six EC2-specific condition keys—such as ec2:Encrypted and ec2:VolumeSize—plus global condition keys to fine-tune access permissions for the CopySnapshot actions. Link. Well explained in THIS blog. You can use the script in the git to analyze your existing IAM policies. GitHub Link.

4. AWS launched a new account management API that allows you to update account names using authorized IAM principals—no root access required. AWS Organizations customers can now centrally manage account names across their organization using the management or delegated admin accounts. The API is also available through the AWS CLI and SDK. Link. Please note that management account can only be managed using the standalone context from the management account. Here is my sample CLI:

   

   Subscribe now

   Share

1. AWS STS global endpoint now serves requests locally in regions enabled by default.

2. Amazon Verified Permissions now supports policy store deletion protection.

3. AWS Security Incident Response now supports integration with AWS PrivateLink.

4. Amazon SES now supports logging email sending events through AWS CloudTrail.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Bulletin: CVE-2025-3857 - Infinite loop condition in Amazon.IonDotnet. Link.

   • How to help prevent hotlinking using referer checking, AWS WAF, and Amazon CloudFront. Link.

   • How to support OpenID AuthZEN requests with Amazon Verified Permissions. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • How to measure Well-Architected maturity? Link.

   • CheatSheet: Amazon S3 Ransomware attack. Link.

   • Secure Cross-Account Access is Tricky. Four Common Dangerous Misconceptions by Eliav Livneh. Link.

   • CVE Foundation Launched to Secure the Future of the CVE Program. Link.

   • BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets by Fernando Mercês. Link.

   • Google: update on use of country code top-level domains. Link.

   • CISA Releases Guidance on Credential Risks Associated with Potential Legacy Oracle Cloud Compromise. Link.

   • Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak by Sudeep Singh. Link.

   • 30+ hidden browser extensions put 4million users at risk of cookie theft by

     John Tuckner. Link.

   • Cisco Webex App Client-Side Remote Code Execution Vulnerability. Link.

   • Tool: Know Your Enemies: Identify third-party vendors with access to your resources. GitHub Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS Security Token Service (STS) now routes all requests to the global endpoint (sts.amazonaws.com) through the same AWS Region as your workloads, improving both latency and fault isolation. Previously served exclusively from US East (N. Virginia), requests are now handled locally—for example, applications in US West (Oregon) will have their STS calls processed within that Region. Link. More details @ HERE. For example, this is my CloudTrail logs for my STS request with the details:

   

2. You can now enable deletion protection for Amazon Verified Permissions policy stores to prevent them from being deleted by any user. Deletion protection is enabled by default for new policy stores created via the AWS Console. You can turn it on or off using the AWS Console, CLI, or API. To delete a protected policy store, you must first explicitly disable deletion protection. Link. Here’s my option on the Verified Permissions console:

   

3. AWS introduced AWS Security Incident Response integration with AWS PrivateLink, allowing managing service access directly from within their Amazon VPC, without exposing traffic to the public internet, enhancing security during the handling and recovery of sensitive incidents. Link.

   

4. Amazon Simple Email Service (SES) now supports logging email sending events directly to AWS CloudTrail (data events). You can track actions taken via the SES APIs by users, roles, or AWS services. This eliminates the need for custom-built solutions to store and manage event data, offering a built-in, searchable, and downloadable event history for easier integration into existing workflows. Link. Here’s my CloudTrail for an event, although a lot of details are hidden. (Please Note: Email sending activity via SES SMTP Interface is not logged to CloudTrail events).

   

   Subscribe now

   Share

1. AWS Control Tower now has 223 new AWS Config rules.

2. IAM Identity Center releases new SDK plugin to streamline token exchange with an external Identity Provider.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Enhanced Network Security Control: Flow Management with AWS Network Firewall. Link.

   • Automating AWS Private CA audit reports and certificate expiration alerts. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • IAM Role Trust Policies: Misconfigurations Hiding in Plain Sight by Eliav Livneh. Link.

   • Campaign Targets Amazon EC2 Instance Metadata via SSRF by Merlyn Albery-Speyer. Link.

   • Gaining Long-Term AWS Access with CodeBuild and GitHub by Adan. Link.

   • The Future of Cloud & Security Operations: Analyzing PANW’s Cortex Cloud Bet by Francis Odum. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS Control Tower now supports 223 additional managed Config rules in the Control Catalog, covering use cases such as security, cost optimization, durability, and operations. This update allows you to search, discover, enable, and manage these new rules directly within AWS Control Tower, enabling broader governance across your multi-account environment. Link.

2. IAM Identity Center has introduced a new SDK plugin that streamlines AWS resource authorization for applications using external identity providers (IdPs) like Microsoft EntraID, Okta, and others. Supporting trusted identity propagation (TIP), the plugin simplifies the process of exchanging external IdP tokens for IAM Identity Center tokens. These tokens enable fine-grained access to AWS resources—such as Amazon S3—based on user and group memberships defined in the external IdP. Link.

   Subscribe now

   Share

1. Amazon Security Lake now supports Internet Protocol Version 6 (IPv6).

2. AWS CDK L2 Construct for Amazon Cognito Identity Pools now generally available.

3. IAM Identity Center extends sessions and TIP management capabilities for customers with Microsoft AD.

4. Amazon Security Lake achieves FedRamp High and Moderate authorization.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • ML-KEM post-quantum TLS now supported in AWS KMS, ACM, and Secrets Manager. Link.

   • Planning for your IAM Roles Anywhere deployment. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • Path Traversal Vulnerability in AWS SSM Agent's Plugin ID Validation by Elad Beber. Link.

   • Tool: The STS OIDC Driver: request temporary AWS security credentials for an IAM role, using ID tokens, from your OpenID Connect(OIDC) provider. GitHub Link.

   • OH-MY-DC: OIDC Misconfigurations in CI/CD by Aviad Hahami. Link.

   • The Complexity of Detecting Amazon S3 and KMS Ransomware by Jason Kao. Link.

   • Google Threat Intelligence: DPRK IT Workers Expanding in Scope and Scale. Link.

   • Verizon: Hacking call records of million of Americans by Evan Connelly. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. Amazon Security Lake now supports Internet Protocol version 6 (IPv6) through new dual-stack endpoints. Link. For example, here’s my option:

   

2. AWS has announced the general availability of the AWS Cloud Development Kit (AWS CDK) Level 2 (L2) construct for Amazon Cognito Identity Pools. This new library allows developers to define and deploy Identity Pool resources programmatically using familiar programming languages, simplifying the process of providing users with secure access to AWS services within applications. Link. You can find the details HERE.

3. AWS IAM Identity Center (aka AWS SSO) has enhanced session management and trusted identity propagation (TIP) features for Microsoft Active Directory (AD) as identity source. With this release, if you are integrating Microsoft AD with IAM Identity Center, you can now: (a) set session durations for AWS applications and the AWS access portal, ranging from 15 minutes up to 90 days; (b) view and terminate active user sessions; (c) configure an extended 90-day session specifically for Amazon Q Developer Pro while maintaining shorter durations for other AWS applications; and (d) enable trusted identity propagation (TIP) from business intelligence tools that authenticate users through third-party identity providers to AWS services like Amazon Redshift and Amazon Q Business. Link. (Note: I did not have an active AD to demo this feature)

4. Amazon Security Lake has achieved FedRAMP High authorization in AWS GovCloud (US) Region and FedRAMP Moderate in the US East and US West Regions. Link.

   Subscribe now

   Share

1. AWS Network Firewall introduces new flow management feature.

2. AWS Amplify Hosting announces Web Application Firewall Protection in general availability.

3. AWS Network Firewall adds pass action rule alerts and JA4 filtering.

4. AWS Identity and Access Management now supports dual-stack (IPv4 and IPv6) environments and AWS Resource Access Manager (RAM) now supports Internet Protocol Version 6 (IPv6).

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Bulletin1: Issue with the AWS CDK CLI and custom credential plugins (CVE-2025-2598). Link.

   • Bulletin2: Issue with tough, versions prior to 0.20.0 (Multiple CVEs). Link.

   • Bulletin3: Issue with AWS SAM CLI (CVE-2025-3047, CVE-2025-3048). Link.

   • Bulletin4: Issues with Kubernetes ingress-nginx controller (Multiple CVEs). Link.

   • Effectively implementing resource control policies in a multi-account environment. Link.

   • Enhancing cloud security in AI/ML: The little pickle story. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • How I Fell in Love With Cloud Security (And Why You Should Care) by Sena Yakut. Link.

   • Cloud Threats on the Rise: Alert Trends Show Intensified Attacker Focus on IAM, Exfiltration by Nathaniel Quist. Link.

   • Cloud Incident Readiness: Key logs for cloud incidents. Link.

   • Cyber chiefs unveil new roadmap for post-quantum cryptography migration

     New guidance from the NCSC. Link.

   • Operation FishMedley: ESET researchers detail a global espionage operation by FishMonger. Link.

   • Shedding light on the ABYSSWORKER driver: MEDUSA ransomware attack-chain to disable anti-malware tools. Link.

   • Protecting Remote Desktops at Scale with Cloudflare Access by Mike Borkenstein. Link.

   • GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files by Omer Gil, Aviad Hahami, Asi Greenholts and Yaron Avital. Link.

   • New Phishing Campaign Uses Browser-in-the-Browser Attacks to Target Video Gamers/Counter-Strike 2 Players. Link.

   • VMware Tools for Windows update addresses an authentication bypass vulnerability (CVE-2025-22230). Link.

   • Creating immutable users through a bug in Entra ID restricted administrative units by Katie Knowles. Link.

   • Qualys TRU Discovers Three Bypasses of Ubuntu Unprivileged User Namespace Restrictions by Saeed Abbasi. Link.

   • OpenAI: Security on the Path to AGI, increases reward. Link.

   • New in Gmail: Making end-to-end encrypted emails easy to use for all organizations. Link. Please note the date of the release.

   • Hacking AWS Lambda Functions - S3 File Upload Injection by Teemu. Link.

   • The 'IngressNightmare' vulnerabilities in the Kubernetes Ingress NGINX Controller: Overview, detection, and remediation by Christophe Tafani-Dereeper, Matt Muir, Frederic Baguelin, Frederic Baguelin, Andy Giron and Adrian Korn. Link.

   • How to use the new CloudTrail network activity events for AWS VPC Endpoints by Rami McCarthy, Scott Piper. Link.

   • Uncovering Hidden Threats: Hunting Non-Human Identities in GitHub by

     Idan Cohen , Ariel Szarf. Link.

     Setting Up AWS Firewall Manager Used For Auditing Security Groups in AWS Organization accounts by Joseph Ndambombi Honpah. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS introduced a new flow management feature for AWS Network Firewall, enabling you to monitor and control active network flows. This feature includes two key functions: Flow Capture, which provides point-in-time snapshots of active flows, and Flow Flush, which allows selective termination of specific connections. With these capabilities, you can now analyze and manage network flows based on parameters such as source/destination IP addresses, ports, and protocols, offering greater control over their network traffic. Link. Here’s my StartFlow Capture sample config:

   

2. AWS Amplify Hosting now offers Web Application Firewall (WAF) Protection in general availability. The integration provides full access to AWS WAF’s capabilities, including managed rules to defend against common web threats like SQL injection and cross-site scripting (XSS). You can also create custom rules, set up rate-based protections against DDoS attacks, and implement geo-blocking to restrict traffic from specific regions. Link. For example, here’s my WAF config:

   

3. AWS introduced new features for AWS Network Firewall, including alert generation for traffic matching pass action rules and JA4 fingerprinting support in firewall rules. The ability to generate alert log events for traffic matching pass action rules enhances network visibility without requiring an additional alert action rule before the pass rule. This helps detect anomalies or potential security threats in traffic that would otherwise be allowed without further inspection. Additionally, JA4 filtering rules enable AWS Network Firewall to analyze traffic using JA4 fingerprints, which identify client and server applications. Link. For example, here’s my config:

   

4. AWS Identity and Access Management now supports dual-stack (IPv4 and IPv6) environments and AWS Resource Access Manager (RAM) now supports Internet Protocol Version 6 (IPv6). Link1 and Link2.

   Subscribe now

   Share

1. Amazon EC2 Allowed AMIs now integrates with AWS Config.

2. AWS WAF now supports URI fragment field matching.

3. Amazon Inspector expands ECR support for minimal container base images and enhanced detections.

4. Amazon GuardDuty Malware Protection for S3 now available in AWS GovCloud (US) Regions.

5. AWS Service Reference Information now supports resources and condition keys.

6. AWS Verified Access achieves FedRAMP High and Moderate authorization.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Manage authorization within a containerized workload using Amazon Verified Permissions. Link.

   • Secure cloud innovation starts at re:Inforce 2025. Link.

   • AWS KMS CloudWatch metrics help you better track and understand how your KMS keys are being used. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • GitLab critical security patch. Link.

   • Inside BRUTED: Black Basta (RaaS) Members Used Automated Brute Forcing Framework to Target Edge Network Devices by Arda Büyükkaya. Link.

   • Harden-Runner detection: tj-actions/changed-files action is compromised by Varun Sharma. Link.

   • Wiz to Join Google Cloud. Link.

   • NEW: Open Cloud Security Conference. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. ‘Allowed AMIs’, an AWS account-wide EC2 setting that restricts AMI usage, now integrates with AWS Config, which allows you to automatically track and detect instances launched with unapproved AMIs using a new AWS Config rule. Link. For example, this is my rule:

   

2. AWS WAF now supports URI fragment field matching, allowing you to inspect and match content within the URI fragment alongside the existing URI path support. This feature enhances security by enabling more precise rule creation based on the portion of the URL after the "#" symbol. For instance, if your login page includes a dynamic fragment like "foo://login.aspx#myFragment," you can create a rule that permits only requests containing the "myFragment" fragment while blocking others. This allows for targeted security measures, such as restricting access to sensitive areas, identifying unauthorized attempts, and improving bot detection by analyzing fragment patterns used by malicious actors. Link. For example, here’s my rule:

   

3. Amazon Inspector now supports scanning for scratch, distroless (Debian/Ubuntu-based), and Chainguard images, expanding security coverage for minimal and security-focused container bases. Additionally, ECR scanning now includes ecosystems like Go toolchain, Oracle JDK & JRE, Apache Tomcat, WordPress, and more, helping you detect vulnerabilities in third-party software. These enhancements are also available via the Amazon Inspector SBOM Scan API.Link.

4. AWS announced the availability of Amazon GuardDuty Malware Protection for Amazon S3 in AWS GovCloud (US) regions. This expansion enables scanning of newly uploaded S3 objects for malware, viruses, and other threats, allowing you to detect and isolate suspicious files. Link. Here’s my Gov console:

   

5. AWS now includes resources and condition keys in service reference information, offering a more comprehensive view of service permissions. This enhancement simplifies policy management automation by allowing you to retrieve available actions across AWS services from machine-readable files. Link. For example, this is the reference for Cloudtrail:

   

6. AWS Verified Access achieved FedRAMP High and Moderate authorization. Link.

   

   Subscribe now

   Share

1. AWS Network Firewall simplifies policy management with enhanced console features.

2. Amazon RDS now provides visibility into IAM DB Authentication metrics and logs.

3. AWS WAF now supports PCI DSS4.0 compliance protection with partner solutions.

4. AWS WAF adds JA4 fingerprinting and aggregation on JA3 and JA4 fingerprints for rate-based rules.

5. Amazon EKS now envelope encrypts all Kubernetes API data by default.

6. IAM Access Analyzer now supports Internet Protocol Version 6 (IPv6).

7. Amazon Cognito now supports access token customization for machine-to-machine (M2M) authorization flows.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Bulletin: Issue with Temporary elevated access management (TEAM) CVE-2025-1969. Link.

   • NEW AWS Heroes 2025. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • Securing Datadog’s cloud infrastructure: Our playbook and methodology by Tim Ginda. Link.

   • Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data by Joe Leon. Link.

   • JavaGhost’s Persistent Phishing Attacks From the Cloud by Margaret Kelley. Link.

   • Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware by Joshua Miller and Kyle Cucci. Link.

   • Camera off: Akira deploys ransomware via webcam by Gavin Hull, Cameron Trivella and Jon Seland. Link.

   • Shrinking the haystack: The six phases of cloud threat detection by Brian Davis. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS Network Firewall introduced enhanced console capabilities to streamline rule management and policy configuration. Notable improvements include the ability to adjust rule priority directly from the console without requiring deletion and recreation, pre-filled fields for adding descriptions and signature IDs in rules, a default "Alert Established" selection for comprehensive connection logging, and automatic "Reject" action selection in the Stream Exception Policy configuration. Link. For example, I was able to adjust priority from the console:

   

2. Amazon RDS IAM Database Authentication (IAM DB Auth) now offers enhanced observability with metrics and logs, helping diagnose authentication issues. Users can track errors related to IAM policies, expired tokens, throttling, and more. Metrics are available in Amazon CloudWatch, and error logs can be exported via the RDS Export to CloudWatch Logs feature for deeper insights into connection failures. Link. For example, here’s my configuration for the log:

   

3. AWS WAF's new partner solutions page now simplifies discovering and implementing PCI DSS v4.0 compliance solutions. Link. For example, here’s one such solution with the filter in my AWS marketplace console:

   

4. AWS WAF now supports JA4 fingerprinting for incoming requests, allowing you to permit trusted clients or block malicious ones. Additionally, both JA4 and JA3 fingerprints can now be used as aggregation keys in WAF's rate-based rules, enabling better monitoring and control of request rates based on client fingerprints. Link. For example, here are my options for JA4 and JA3 fingerprints as aggregation keys within my WAF's rate-based rule:

   

5. Amazon Elastic Kubernetes Service (EKS) now enables default envelope encryption for all Kubernetes API data in clusters running Kubernetes version 1.28 or later. Previously, Amazon EKS offered optional envelope encryption using the Kubernetes KMS provider v1. Now, this encryption is enabled by default for all objects in the Kubernetes API. By default, AWS owns the encryption keys, but you also have the option to create or import externally generated keys into AWS KMS for use in your cluster’s managed Kubernetes control plane. Link. For example, this is my option:

   

6. AWS Identity and Access Manager (IAM) Access Analyzer now supports IPv6 through new dual-stack endpoints. Existing IPv4-only endpoints will remain available for backward compatibility. The new dual-stack domains can be accessed from the internet or within an Amazon Virtual Private Cloud (VPC) via AWS PrivateLink. Link. For example, here’s my option:

   

7. Amazon Cognito now allows you to customize access tokens for machine-to-machine (M2M) flows, enabling fine-grained authorization for applications, APIs, and workloads. Now, you can define custom claims and scopes in access tokens, providing better control over how automated systems interact with resources. Link. Please note: Access token customization for M2M authorization is available to Essentials or Plus tiers. For example, here is my configuration:

   

   Subscribe now

   Share

This week TLDR i.e. 1 minute version (For executives):

1. AWS WAF enhances Data Protection and logging experience.

2. AWS Network Firewall introduces automated domain lists and insights.

3. Announcing fine-grained access control via AWS Lake Formation with EMR on EKS.

4. Certificate-Based Authentication is now available on Amazon AppStream 2.0 multi-session fleets.

5. Amazon Verified Permissions now supports the Cedar JSON entity format.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Four ways to grant cross-account access in AWS. Link.

   • From log analysis to rule creation: How AWS Network Firewall automates domain-based security for outbound traffic. Link.

   • Connect your on-premises Kubernetes cluster to AWS APIs using IAM Roles Anywhere. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • State of cloud remediation by Idan Perez, Michael St.Onge and Joseph Barringhaus. Link.

   • Locked Out, Dropboxed In: When BEC threats innovate. Link.

   • Removing Jeff Bezos From My Bed by Dylan Ayrey and Jake King. Link.

   • Abusing AWS Serverless Image Handler by Karim El-Melhaoui. Link.

   • Secure RDS authentication using SSO and ephemeral login token. Link.

   • Seeing what your Resource Control Policies (RCPs) are going to break by Michael Kirchner. Link.

   • Processing 23 Billion Rows of ALIEN TXTBASE Stealer Logs by Tory Hunt. Link.

   • An inside look at NSA (Equation Group) TTPs from China’s lense. Link.

   • Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger. Link.

   • FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant by Kevin Su. Link.

   • Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors by Marine Pichon, Alexis Bonnefoi. Link.

   • DMARC for PCI DSS 4.0 mandatory from 2025 by Ahona Rudra. Link.

   • Deceptive Development targets freelance developers by Matěj Harvánek. Link.

   • Weathering the storm: In the midst of a Typhoon by Cisco Talos. Link.

   • Apple pulls iCloud end-to-end encryption feature in the UK. Link.

   • Google announced quantum-safe digital signatures in Cloud KMS. Link.

   • North Korean Unauthorized Activity Involving ETH Cold Wallet $1.5 billion ByBit crypto heist. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS WAF enhanced its Data Protection features with new controls for sensitive data in logs, which allow you to implement customized safeguards for sensitive information, such as passwords, API keys, authentication tokens, and other confidential data, across specific fields like headers, parameters, and body content. You can configure data protection at the web ACL level to apply across all output destinations or limit it to logging, affecting only the data AWS WAF sends to the designated logging destination. Protection can be enforced through substitution, which replaces content with "REDACTED," or hashing for enhanced security. Link. Here’s my sample data protection rule set at WebACL’s page “logging and metrics” section.

   

2. AWS Network Firewall now supports automated domain lists and insights, improving network traffic visibility and streamlining firewall rule configuration. This feature analyzes HTTP and HTTPS traffic logs from the past 30 days, identifying frequently accessed domains. With these insights, you can quickly create rules based on observed network traffic patterns. Link. Here is the setting for my network firewall.

   

3. AWS announced the general availability of fine-grained data access control (FGAC) in AWS Lake Formation for Apache Spark on Amazon EMR on EKS which allows enforcing comprehensive FGAC policies—including database, table, column, row, and cell-level controls—on data lake tables from EMR on EKS Spark jobs. Link.

4. Amazon AppStream 2.0 introduced certificate-based authentication (CBA) support for multi-session fleets running Microsoft Windows and joined to an Active Directory. This feature enables administrators to maximize the cost benefits of the multi-session model while improving user access and security. Link.

5. Amazon Verified Permissions now supports the same JSON format for entity and context data as the Cedar SDK, making authorization requests easier for developers. This update brings the Amazon Verified Permissions API in closer alignment with the open-source Cedar SDK. As a result, transitioning between the SDK and Amazon Verified Permissions is now more seamless. Link. Find JSON entity HERE.

   

   Subscribe now

   Share

1. Amazon Inspector enhances the security engine for container images scanning.

2. AWS CloudTrail network activity events for VPC endpoints now generally available.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • How to restrict Amazon S3 bucket access to a specific IAM role? Link.

   • Introducing the AWS Trust Center. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • whoAMI: A cloud image name confusion attack by Seth Art. Link.

   • Uncovering a Hidden CloudTrail Bug by Tracing AWS AssumeRole Chains in a Graph Database by Or Aspir. Link.

   • Tool: Cloud Trail Discover cheat sheet. Link.

   • Find Hidden AWS Resources With Effective Wordlists by Daniel Grzelak. Link.

   • Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector by Aleksandar Milenkoski. Link.

   • North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks by Den Iuzvyk, Tim Peck. Link.

   • New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs by Jan Michael Alcantara. Link.

   • CyberArk snaps up Zilla Security for up to $175M. Link.

   • Storm-2372 conducts device code phishing campaign by Microsoft Threat Intelligence. Link.

   • Oh, Auth 2.0! Device Code Phishing in Google Cloud and Azure by Matt Kiely. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. Amazon Inspector has upgraded the engine that powers container image scanning for Amazon Elastic Container Registry (ECR), which now offers a more comprehensive view of vulnerabilities in third-party dependencies within container images. Note: The new engine reassesses all existing resources, so you may notice some findings being closed while new vulnerabilities are identified based on the updated dependency collection. Link.

2. AWS announced general availability of network activity events for Amazon Virtual Private Cloud (Amazon VPC) endpoints in AWS CloudTrail, which enables you to log and monitor AWS API activity passing through your VPC endpoints. Previously, VPC endpoint policies could restrict access from external accounts, there was no built-in capability to log denied actions or identify when external credentials were used at a VPC endpoint. Link. For example, this is my config:

   

   

   Subscribe now

   Share

1. AWS IAM announces support for encrypted SAML assertions.

2. AWS Verified Access launches Zero Trust access to resources over non-HTTP(S) protocols.

3. Amazon GuardDuty Malware Protection for S3 announces price reduction.

4. AWS IAM Identity Center now offers improved error messages and AWS CloudTrail logging for provisioning issues.

5. AWS WAF Console adds new top insights visualizations in additional regions.

6. AWS Secrets and Configuration Provider now integrates with Pod Identity for Amazon EKS.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Implementing least privilege access for Amazon Bedrock. Link.

   • Enhancing telecom security with AWS. Link.

   • Announcing ASCP integration with Pod Identity: Enhanced security for secrets management in Amazon EKS. Link.

   • How AWS Network Firewall session state replication maximizes high availability for your application traffic. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • Tool: STS SAML Driver: SAML authentication handler for AWS STS that allows you to get temporary credentials using SAML to the AWS CLI. Link.

   • GitHub: AWS Resource control policy examples. Link.

   • AWS IAM User Enumeration by Nate Wilson. Link.

   • How Adversaries Exploit Unmonitored Cloud Regions to Evade Detection by Permiso Team. Link.

   • The Complete Guide to Cloud-Native Ransomware Protection in Amazon S3 and KMS by Jason Kao. Link.

   • Take my money: OCR crypto stealers in Google Play and App Store. Link.

   • Bitcoin to the moon: Trump endorsing, scammers exploiting. Link.

   • Persistent Threats from the Kimsuky Group Using RDP Wrapper. Link.

   • Wiz: The State of AI in the Cloud 2025. Link.

   • Brave Browser: Using custom scriptlets to make the Web work the way you want. Link.

   • 20 AWS influencers to follow right now by Danny Aspinall. Link.

   • Apple patch for “extremely sophisticated attack”. Link.

   • Securing the Identity Attack Surface: A Deep Dive into the New Battlefield of Identity Security by Francis. Link.

   • Drata Acquires SafeBase. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. AWS IAM now supports encrypted SAML assertions, enhancing security for federated single sign-on (SSO). SAML, a widely used open standard, allows identity providers (IdPs) to authenticate users and applications for AWS access. With this update, you can configure your IdP to encrypt SAML assertions before they are sent to IAM, ensuring protection against exposure when transmitted through intermediaries, like a web browsers. Link. For example, here’s the option for my identify provider.

   

2. AWS Verified Access now supports secure access to resources using protocols like TCP, SSH, and RDP. This update enables VPN-less access to corporate applications and resources by leveraging AWS zero trust principles. It simplifies security operations by eliminating the need for separate access and connectivity solutions for non-HTTP(S) resources on AWS. Link. For example, this is an example for a connection for RDS.

   

3. Amazon GuardDuty Malware Protection for S3 is reducing the price for the data scanned dimension by 85%, lowering the cost in US East (N. Virginia) from $0.60 to $0.09 per GB. The pricing for objects evaluated remains unchanged. Link. You can find pricing details HERE.

4. AWS IAM Identity Center now offers enhanced error messages to simplify troubleshooting during user and group synchronization using SCIM or configurable AD sync. This is helpful in automated monitoring and auditing errors. Link. I don’t have a sync app but you can find CloudTrial logs examples HERE.

5. AWS WAF’s console dashboard in the AWS GovCloud (US) Regions now features enhanced visualizations, providing deeper insights into top traffic sources. If you have CloudWatch logging destinations, you can access a new top insights section within the all traffic dashboard, offering richer visibility. Link.

6. AWS Secrets Manager now supports AWS Secrets and Configuration Provider (ASCP) integration with Amazon EKS Pod Identity, simplifying IAM authentication for retrieving secrets and parameters. This enhancement enables more efficient and secure IAM permission management for Kubernetes applications, allowing granular access control using role session tags. Link. Well explained in THIS blog.

   

   Subscribe now

   Share