This week's TLDR, i.e. the 1-minute version (for executives):
Automated HTTP-validated public certificates with Amazon CloudFront.
Amazon Cognito now supports refresh token rotation.
Amazon EBS now supports additional resource-level permissions for copying EBS snapshots.
AWS Account Management now supports IAM-based account name updates.
Trending in Cloud & Cyber Security:
AWS Security Blogs & Bulletins:
How to import existing AWS Organizations SCPs and RCPs to CloudFormation. Link.
General security blogs, articles, reports & trending news/advisories:
Top Tier Target: What it takes to defend a cybersecurity company from today’s adversaries by Tom Hegel, Aleksandar Milenkoski & Jim Walter. Link.
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows by Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, Tom Lancaster. Link.
FBI Releases Annual Internet Crime Report. Link.
How the April 28, 2025, power outage in Portugal and Spain impacted Internet traffic and connectivity by David Belson. Link.
WhatsApp advanced chat privacy feature. Link.
Mandiant M-Trends 2025 report. Link.
Operation SyncHole: Lazarus APT goes back to the well by Sojun Ryu, Vasily Berdnikov. Link.
Palo Alto Networks Announces Intent to Acquire Protect AI, a Game-Changing Security for AI Company. Link.
Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis by Google Threat Intelligence Group. Link.
Phantom DNS Query to GCP VM Metadata Service in My AWS Workload Revealed by Route 53 Resolver Logging by Gabriel Ko. Link.
Datadog: State of DevSecOps report. Link.
An open letter to third-party suppliers by Patrick Opet, Chief Information Security Officer. Link.
Shadow Roles: AWS Defaults Can Open the Door to Service Takeover (Security Threat) by Yakir Kadkoda & Ofek Itach. Link.
This week's long version, i.e. the 3-5 minute version (for architects & engineers):
AWS Certificate Manager (ACM) now offers automated public TLS certificates for Amazon CloudFront. Customers can simply check a box to have ACM automatically request, issue, associate, and renew certificates for their CloudFront distributions, streamlining the setup of secure applications. Manual certificate management remains an option. Link.
Amazon Cognito now supports OAuth 2.0 refresh token rotation for user pool clients. This feature enhances security by automatically replacing refresh tokens at regular intervals, limiting the risk of token compromise, while maintaining access without requiring re-authentication for users. Link. Here’s my config:
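As an added example (not the newsletter author's configuration and not AWS sample code), the Python below shows the two halves of refresh token rotation that matter in practice: the update_user_pool_client parameters that switch it on, and the client-side token store that must persist the new refresh token every refresh hands back, since the old one stops working once the grace period passes. The parameter names RefreshTokenRotation, Feature and RetryGracePeriodSeconds, and the 0..60 second range, are assumptions to verify against the current Cognito API reference; boto3 is imported lazily so the pure parts run without the SDK.

```python
"""Added example, not the newsletter author's configuration nor AWS sample
code. (1) update_user_pool_client parameters enabling refresh token
rotation; (2) a client-side token store that keeps the rotated token.
Assumed names (verify against the Cognito API reference):
RefreshTokenRotation.Feature and RefreshTokenRotation.RetryGracePeriodSeconds."""


def rotation_params(user_pool_id: str, client_id: str, grace_seconds: int = 30) -> dict:
    """Parameters for cognito-idp update_user_pool_client enabling rotation.
    The grace period lets a client that lost the response retry once with
    the previous refresh token instead of being forced to re-authenticate."""
    if not 0 <= grace_seconds <= 60:
        raise ValueError("grace period is assumed to be 0..60 seconds")
    return {
        "UserPoolId": user_pool_id,
        "ClientId": client_id,
        "RefreshTokenRotation": {
            "Feature": "ENABLED",
            "RetryGracePeriodSeconds": grace_seconds,
        },
    }


class TokenStore:
    """Minimal in-memory store standing in for a secure keychain."""

    def __init__(self, refresh_token: str):
        self.refresh_token = refresh_token
        self.access_token = None
        self.id_token = None
        self.rotations = 0

    def apply_auth_result(self, auth_result: dict) -> bool:
        """Store the tokens from an InitiateAuth AuthenticationResult.
        Returns True when a rotated refresh token replaced the old one.
        Skipping this step is the classic bug: the next refresh after the
        grace period is rejected and the user is logged out."""
        self.access_token = auth_result.get("AccessToken")
        self.id_token = auth_result.get("IdToken")
        new_refresh = auth_result.get("RefreshToken")
        if new_refresh and new_refresh != self.refresh_token:
            self.refresh_token = new_refresh
            self.rotations += 1
            return True
        return False


def refresh_session(store: TokenStore, client_id: str, *, client=None) -> dict:
    """Run REFRESH_TOKEN_AUTH against Cognito and persist the rotated token.
    boto3 is imported lazily so the pure parts above run without the SDK."""
    if client is None:
        import boto3
        client = boto3.client("cognito-idp")
    response = client.initiate_auth(
        AuthFlow="REFRESH_TOKEN_AUTH",
        ClientId=client_id,
        AuthParameters={"REFRESH_TOKEN": store.refresh_token},
    )
    store.apply_auth_result(response["AuthenticationResult"])
    return response["AuthenticationResult"]
```

Enable rotation with `boto3.client("cognito-idp").update_user_pool_client(**rotation_params(pool, client))`, then make sure every code path that calls `refresh_session` writes the store back to durable storage; a grace period of zero is the strictest setting but turns any dropped response into a forced re-login.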
Amazon EBS now supports additional resource-level permissions for copying snapshots, giving more granular control over who can perform copy operations. You can also apply six EC2-specific condition keys, such as ec2:Encrypted and ec2:VolumeSize, plus global condition keys to fine-tune access permissions for the CopySnapshot action. Link. Well explained in THIS blog. You can use the script in the git to analyze your existing IAM policies. GitHub Link.

AWS launched a new Account Management API that allows you to update account names using authorized IAM principals, with no root access required. AWS Organizations customers can now centrally manage account names across their organization using the management or delegated admin accounts. The API is also available through the AWS CLI and SDK. Link. Please note that the management account can only be managed using the standalone context from the management account. Here is my sample CLI:
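As an added example for the EBS item (not the linked blog's script and not AWS sample code), the Python below builds a least-privilege CopySnapshot policy using the ec2:Encrypted and ec2:VolumeSize condition keys named above, and runs a simplified static audit over existing policy documents to find Allow statements that can grant ec2:CopySnapshot with no encryption condition. The 500 GiB limit and the LEGACY_POLICY document are constructed sample values; the audit handles wildcard actions but ignores NotAction, so it complements rather than replaces the IAM policy simulator.

```python
"""Added example, not the newsletter author's nor AWS's own code: a
least-privilege CopySnapshot policy using the ec2:Encrypted and
ec2:VolumeSize condition keys, plus a static audit for Allow statements
that grant ec2:CopySnapshot without an encryption condition."""
import fnmatch
import json


def copy_snapshot_policy(max_volume_gib: int = 500) -> dict:
    """Allow ec2:CopySnapshot only for encrypted snapshots whose volume size
    is at most max_volume_gib GiB (the default limit is a sample value)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CopyEncryptedSnapshotsOnly",
                "Effect": "Allow",
                "Action": "ec2:CopySnapshot",
                # Snapshot ARNs carry no account-id field.
                "Resource": "arn:aws:ec2:*::snapshot/*",
                "Condition": {
                    "Bool": {"ec2:Encrypted": "true"},
                    "NumericLessThanEquals": {"ec2:VolumeSize": str(max_volume_gib)},
                },
            }
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _grants_copy_snapshot(action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' wildcards,
    so 'ec2:*', 'EC2:Copy*' and '*' all cover CopySnapshot."""
    return fnmatch.fnmatchcase("ec2:copysnapshot", action.lower())


def unconditioned_copy_snapshot_grants(policy: dict) -> list:
    """Return the Sid (or index) of each Allow statement that can grant
    ec2:CopySnapshot but carries no ec2:Encrypted condition key.
    NotAction statements are not analysed; review those by hand."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_copy_snapshot(a) for a in _as_list(stmt.get("Action", []))):
            continue
        condition_keys = {
            key.lower()
            for block in stmt.get("Condition", {}).values()
            for key in block
        }
        if "ec2:encrypted" not in condition_keys:
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


# Constructed sample: a pre-existing policy whose ec2:* grant lets any
# snapshot, encrypted or not, be copied.
LEGACY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Sid": "BroadEc2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    print(json.dumps(copy_snapshot_policy(), indent=2))
    print("statements needing review:", unconditioned_copy_snapshot_grants(LEGACY_POLICY))
```

Feed `unconditioned_copy_snapshot_grants` the policy documents returned by `iam get-policy-version` to get a first cut of where the new resource-level permissions will not help until the grant is narrowed.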
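As an added example for the account-name item (not the newsletter author's sample CLI and not AWS's own code), the Python below encodes the rule just stated: a member account is renamed by passing its AccountId from the management or delegated-admin account, while the management account itself is renamed in standalone context, i.e. with no AccountId, from that same account. The boto3 `account` client method `put_account_name(AccountName=..., AccountId=...)` is assumed from the PutAccountName API name and should be checked against the current SDK reference; the account ids are constructed placeholders.

```python
"""Added example, not the newsletter author's sample CLI nor AWS's own code.
Assumed (verify against the SDK reference): boto3 'account' client method
put_account_name(AccountName=..., AccountId=...)."""


def put_account_name_params(new_name: str, target_account_id: str, caller_account_id: str) -> dict:
    """Build the PutAccountName request. The management account cannot target
    itself with AccountId, so when target and caller are the same account
    the parameter is dropped and the call runs in standalone context."""
    if not new_name.strip():
        raise ValueError("account name must not be blank")
    params = {"AccountName": new_name}
    if target_account_id != caller_account_id:
        params["AccountId"] = target_account_id
    return params


def rename_account(new_name: str, target_account_id: str, *, session=None) -> dict:
    """Resolve the caller's account via STS, build the request and send it.
    Returns the parameters sent so the caller can log them for audit.
    boto3 is imported lazily so the builder above runs without the SDK."""
    if session is None:
        import boto3
        session = boto3.Session()
    caller = session.client("sts").get_caller_identity()["Account"]
    params = put_account_name_params(new_name, target_account_id, caller)
    session.client("account").put_account_name(**params)
    return params


if __name__ == "__main__":
    # Constructed placeholder ids; a member rename carries AccountId,
    # a self-rename from the management account does not.
    print(put_account_name_params("Prod-Payments", "111111111111", "999999999999"))
    print(put_account_name_params("Org-Management", "999999999999", "999999999999"))
```

Grant the operator only the account:PutAccountName action for this workflow; because the call is IAM-authorised, CloudTrail records which principal renamed which account, which the root-only path never gave you.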