This week TLDR i.e. 1 minute version (For executives):

1. Amazon Verified Permissions now supports policy store tagging. Link.

2. Amazon Cognito adds enhanced context support for machine-to-machine (M2M) authorization flows. Link.

3. Resource control policies (RCPs) are now available in the AWS GovCloud (US) Regions. Link.

Trending in Cloud & Cyber Security:

1. AWS Security Blogs & Bulletins:

   • Bulletin: CVE-2025-4318 - Input validation issue in AWS Amplify Studio UI component properties. Link.

   • Use an Amazon Bedrock powered chatbot with Amazon Security Lake to help investigate incidents. Link.

   • How to use AWS Transfer Family and GuardDuty for malware protection. Link.

2. General security blogs, articles, reports & trending news/advisories:

   • Why Recreating an IAM Role Doesn't Restore Trust: A Gotcha in Role ARN by Nick Frichette. Link.

   • CloudWatch Dashboard (Over)Sharing: How bugs in Amazon CloudWatch and Cognito allowed attackers to see beyond Dashboards by Leonidas Tsaousis. Link.

   • TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks by Facundo Muñoz. Link.

   • FBI: Phishing Domains Associated with LabHost PhaaS Platform Users. PDF Link.

   • Pushing passkeys forward: Microsoft’s latest updates for simpler, safer sign-ins. Link.

   • Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption. Link.

   • Shifty Business: Encryption in Amazon Redshift, Secure Defaults, and How to Shiftily Create Unencrypted Redshift Clusters by Jason Kao. Link.

   • Cloud Incident Readiness: Critical infrastructure for cloud incident response. Link.

   • TrailAlerts: Take Control of Cloud Detection in AWS by Adan. Link.

   • Presentation: Cloud Attack Emulation: Leveraging the Attacker’s Advantage for Effective Defense. Link.

   • Datadog acquires Eppo. Link.

This week Long i.e. 3-5 minutes version (For architects & engineers):

1. Amazon Verified Permissions now supports tagging of Policy Stores, enabling tag-based IAM access control and cost allocation. You can restrict access using tags (e.g., by tenant) and leverage cost allocation tags for chargeback. Tagging also improves policy store discoverability in the console. Link. Here’s my sample CLI for tagging:

   

2. Amazon Cognito now supports passing custom context in OAuth 2.0 client credentials flow, letting you tailor M2M access tokens based on details like environment or app name. Use ClientMetadata with Lambda triggers to adjust scopes and claims for better access control and rate limiting. Link.

3. Resource control policies (RCPs) are now available in the AWS GovCloud (US) Regions. Link. I see that option in my Gov AWS console now:

   

   Subscribe

   Share