🛎️ AWS Security Digest 263 is out!
1️⃣ Zapocalypse: The Attack Chain That Could Have Hijacked Zapier by Yair Balilti
2️⃣ Adding Strands Security Agents to Shadow Asset Scanner by Sena Yakut
https://t.co/jjcKGAl2zd
🛎️ AWS Security Digest 262 is out!
1️⃣ Pathfinding Labs: Deploy, test, and learn from 100+ intentionally vulnerable AWS environments by Seth Art
2️⃣ 3 prerequisites to adopting Claude Platform on AWS by Nigel Sood
3️⃣ Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740 by Rory McCune
https://t.co/dBhF9g4mp5
Enforcing AI Governance Across AWS Organizations
Nigel Sood
Bedrock guardrails are per-account with no org-level enforcement. This post outlines five controls for enforcing AI governance across an AWS Organization and flags two dangerous gotchas.
🛑 SCPs blocking Bedrock don't stop model calls via the OpenAI-compatible SDK — it uses a separate bedrock-mantle IAM namespace, so you must explicitly deny that namespace.
🔑 Long-lived Bedrock API keys can silently create IAM users with broad permissions (enough to remove guardrails). The post shows detection and tighter key policies.
Read for practical controls and deny examples to harden Bedrock use and protect your guardrails.
First mentioned in AWS Security Digest #255: https://t.co/eQ4OmNxMxf
Read here: https://t.co/yfniTHOwUY
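An added example, not code from the post: a small checker that tells you whether an SCP intended to block Bedrock also denies the bedrock-mantle namespace. The policy documents are constructed, and the checker assumes plain Action-based Deny statements (a Deny with a Condition or NotAction is deliberately not counted as a blanket block).

```python
"""Check that an SCP meant to block Bedrock also denies the bedrock-mantle
namespace the OpenAI-compatible SDK path uses, the gotcha called out above."""
import fnmatch

REQUIRED_NAMESPACES = ("bedrock", "bedrock-mantle")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def service_pattern_matches(action_pattern: str, namespace: str) -> bool:
    """IAM action patterns are case-insensitive with * and ? wildcards; only the
    service prefix before ':' decides which namespace a pattern reaches."""
    if action_pattern == "*":
        return True
    service, _, _ = action_pattern.partition(":")
    return fnmatch.fnmatchcase(namespace.lower(), service.lower())

def unconditional_deny_namespaces(policy: dict) -> set:
    """Namespaces covered wholesale by an unconditional Deny on Action."""
    covered = set()
    for stmt in _as_list(policy.get("Statement", [])):
        # A Deny with a Condition or with NotAction is not a blanket block.
        if stmt.get("Effect") != "Deny" or "Condition" in stmt or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            covered.update(ns for ns in REQUIRED_NAMESPACES
                           if service_pattern_matches(pattern, ns))
    return covered

def missing_bedrock_denies(policy: dict) -> list:
    """Namespaces the SCP forgets; an empty list means both call paths are blocked."""
    covered = unconditional_deny_namespaces(policy)
    return [ns for ns in REQUIRED_NAMESPACES if ns not in covered]

# Constructed sample SCPs (not from the post): the first is the common mistake.
WEAK_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyBedrock", "Effect": "Deny", "Action": "bedrock:*", "Resource": "*"}]}
FIXED_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyBedrockAllPaths", "Effect": "Deny",
     "Action": ["bedrock:*", "bedrock-mantle:*"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, scp in (("weak", WEAK_SCP), ("fixed", FIXED_SCP)):
        print(name, "still allows:", missing_bedrock_denies(scp) or "nothing")
```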
Navigating Amazon Bedrock's Multi-Agent Applications
Jay Chen and Royce Lu
Jay and Royce show how a legitimate chatbot user can craft inputs that enumerate collaborator agents, traverse orchestration layers, and invoke downstream tools with attacker-controlled content. Supervisor agents often delegate without reliably distinguishing adversarial from legitimate inputs, letting a crafted payload chain through an entire multi-agent workflow.
🧭 Supervisor agents can process and delegate requests but lack robust checks at delegation boundaries.
🔗 A single crafted input can: enumerate agents, move through orchestration layers, and trigger downstream tools — every agent added is another potential attack link.
🛡️ Core insight: prevent lateral chaining by enforcing explicit verification at each delegation step and locking down tool invocation policies.
This was first mentioned in AWS Security Digest Issue #255: https://t.co/eQ4OmNxMxf
Read here: https://t.co/qS5uush3yC
AWS CodeBuild: Escalating privileges via CodeConnections
Thomas Preece
An undocumented internal endpoint, codebuild-builds.{REGION}.amazonaws.com, responds to GetBuildInfo and can return the raw GitHub App installation token (or Bitbucket JWT) used by CodeConnections. That token grants admin/write access across every repo the app can reach — including bypassing branch protections.
The write-up includes: 🔍 proof of the hidden endpoint and API surface leaking tokens; ⚠️ impact analysis of how one token bypasses protections and escalates access; 🧭 a full exploit path for defenders to audit and harden environments.
First mentioned in AWS Security Digest Issue #255: https://t.co/eQ4OmNxMxf
Read here: https://t.co/D2V6msY8fg
🛎️ AWS Security Digest 261 is out!
1️⃣ Authorization Bypass in Amazon Quick: Unauthorized AI Chat Agent Usage by Jason Kao
2️⃣ The AWS AI Security Framework: Securing AI with the right controls, at the right layers, at the right phases by Riggs Goodman III and Christopher Rae
3️⃣ Malicious Coding Agent Skills and the Risk of Dynamic Context by Nick Frichette and Ryan Simon
https://t.co/TNk4TYuPLQ
AWS Keeps Breaking Its Own Trust Boundaries
Daniel Grzelak
A quick analysis of 20 AWS security bulletins (Oct 2025–Mar 2026) shows trust-boundary failures are the dominant class — 7 of 20 — not memory corruption or crypto bugs. The problem: services assume a principal is trustworthy when it isn’t, enabling privilege escalation or lateral movement.
🔒 Example: an EKS provisioning role included arn:aws:iam::ACCOUNT:root in its trust policy, effectively granting overly broad trust.
🧩 Example: a SageMaker read-only API leaked HMAC signing keys, allowing forged payloads.
Insight: a permission’s danger comes from what it can reach via credential chains, resource-based policies, and service integrations — IAM action names alone don’t tell you risk. If AWS’s services make these mistakes, your environment probably has the same patterns. Audit trust policies, cross-service principals, and key exposures accordingly.
This was first mentioned in AWS Security Digest Issue #254: https://t.co/hRh6bKZwZ9
Read here: https://t.co/sGFvmFBAj0
Local File Inclusion in AWS Remote MCP Server via CLI Shorthand Syntax
Coby Abrams
Coby discovered an LFI (CVE-2026-4270) in the official AWS Remote MCP Server that completely bypasses FileAccessMode=NO_ACCESS. The AWS CLI’s shorthand for loading local file contents into command parameters was passed through unsanitized by the MCP server — point it at a sensitive file, trigger an error, and the error response leaks the file contents. Reproducible against https://t.co/RPD5z9B3hA; patched in v1.3.9.
🔍 What matters: the vulnerability abuses CLI file-loading shorthand and server-side lack of input sanitization, not a client bug.
⚠️ Impact: secrets or config files can be exfiltrated via error messages even when NO_ACCESS is set.
✅ Fix: update AWS Remote MCP Server (and any forks) to v1.3.9 or later now.
This was first mentioned in AWS Security Digest Issue #254: https://t.co/hRh6bKZwZ9
Read here: https://t.co/aG7FnFkVer
"But without PassRole it should be fine", Lambda edition
Daniel Grzelak
Conventional wisdom says iam:PassRole is the gatekeeper for Lambda privilege escalation — this post shows two practical bypasses using only lambda:UpdateFunctionConfiguration.
🔧 Attach a cross-account malicious layer and drop an executable into /opt/extensions/ — Lambda auto-runs extensions during Init, so the code executes as the function role without touching the handler or UpdateFunctionCode.
🧩 Or set AWS_LAMBDA_EXEC_WRAPPER to a wrapper script that runs before the runtime starts — same result: arbitrary code under the function role, no code diff alerts.
⚠️ Neither approach requires PassRole, and one was abused by Stratus Red Team for persistence.
Quick defenders’ takeaways:
🔍 Alert on lambda:UpdateFunctionConfiguration that adds layers or changes environment variables (especially AWS_LAMBDA_EXEC_WRAPPER).
🔒 Block cross-account layer attachments, tighten UpdateFunctionConfiguration permissions, and require stricter layer/trust policies.
🛡️ Monitor /opt/extensions behavior, enable function code signing/versioning, and log layer-related events for rapid detection.
This was first mentioned in AWS Security Digest Issue #254: https://t.co/hRh6bKZwZ9
Read here: https://t.co/JiaLB6JDDE
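An added example, not code from Daniel's post: detection logic that runs over CloudTrail records and flags the two UpdateFunctionConfiguration paths above, a layer attached from another account and AWS_LAMBDA_EXEC_WRAPPER being set. The records are constructed, and the requestParameters shape is an assumption.

```python
"""Flag CloudTrail UpdateFunctionConfiguration calls that attach layers (cross-
account ones in particular) or set AWS_LAMBDA_EXEC_WRAPPER, the two PassRole-free
paths above."""
WRAPPER_VAR = "AWS_LAMBDA_EXEC_WRAPPER"

def layer_account(layer_arn: str) -> str:
    """Account ID is the fifth colon-separated field of a layer ARN."""
    return layer_arn.split(":")[4]

def inspect_event(event: dict) -> list:
    """Findings for one CloudTrail record; empty list when nothing is suspicious."""
    if (event.get("eventSource") != "lambda.amazonaws.com"
            or not str(event.get("eventName", "")).startswith("UpdateFunctionConfiguration")):
        return []
    params = event.get("requestParameters") or {}
    own_account = event.get("recipientAccountId", "")
    fn = params.get("functionName", "?")
    findings = []
    for arn in params.get("layers") or []:
        kind = "cross-account layer" if layer_account(arn) != own_account else "layer change"
        findings.append(f"{fn}: {kind} {arn}")
    variables = (params.get("environment") or {}).get("variables") or {}
    if isinstance(variables, dict) and WRAPPER_VAR in variables:
        findings.append(f"{fn}: {WRAPPER_VAR}={variables[WRAPPER_VAR]} (runtime wrapper)")
    return findings

def scan(records: list) -> list:
    return [f for event in records for f in inspect_event(event)]

# Constructed records (not real CloudTrail output). The requestParameters shape is an
# assumption; real logs may redact environment variable values.
ACCOUNT = "111111111111"
SAMPLE_RECORDS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "recipientAccountId": ACCOUNT, "requestParameters": {"functionName": "billing-api",
     "layers": ["arn:aws:lambda:us-east-1:999999999999:layer:helper:3"]}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "recipientAccountId": ACCOUNT, "requestParameters": {"functionName": "billing-api",
     "environment": {"variables": {WRAPPER_VAR: "/opt/wrapper.sh", "LOG_LEVEL": "info"}}}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "recipientAccountId": ACCOUNT, "requestParameters": {"functionName": "billing-api", "timeout": 30}},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_RECORDS)))
```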
UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours
Ravie Lakshmanan
Mandiant-tracked UNC6426 injected a malicious postinstall script into the nx npm package to steal GitHub tokens from developer machines. With those tokens the group abused an overly permissive GitHub Actions→AWS OIDC trust to create an admin IAM role, then used Nord Stream to harvest CI/CD secrets—full environment takeover in 72 hours (S3 exfiltration; production instances terminated).
🔍 What to watch: compromised npm postinstall scripts, stolen GitHub tokens, permissive OIDC trust relationships, and tools like Nord Stream that automate secret harvesting.
🛡️ Mitigations: tighten OIDC role conditions and least-privilege for GitHub Actions, restrict postinstall execution, rotate and scope tokens, and enforce ephemeral credentials and CI/CD secret controls.
⚠️ Insight: OIDC simplifies auth but delegates critical trust to your CI provider—review trust boundaries and role conditions.
First mentioned in AWS Security Digest Issue #253: https://t.co/w7ED3BwfiC
Read here: https://t.co/6nLbelcKa9
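An added example, not code from either write-up, covering both the account-root trust policy from the AWS bulletins post above and the permissive GitHub OIDC trust in this one: an audit over a role's trust policy that flags root/wildcard AWS principals and GitHub OIDC statements whose sub condition is missing or reaches beyond a single repository. The trust policy document is constructed.

```python
"""Audit role trust policies for the two patterns above: an account-root principal
(the EKS slip) and a GitHub OIDC trust whose sub lets any repo assume the role."""
GITHUB_OIDC = "token.actions.githubusercontent.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_values(stmt: dict, key: str) -> list:
    """Values of one condition key across all operators (StringEquals, StringLike...)."""
    found = []
    for kv in (stmt.get("Condition") or {}).values():
        for k, v in kv.items():
            if k.lower() == key.lower():
                found.extend(_as_list(v))
    return found

def sub_finding(sub: str):
    """Classify a GitHub OIDC sub pattern; None means it is scoped to one repo."""
    if not sub.startswith("repo:"):
        return f"unexpected sub pattern {sub!r}"
    org, _, repo = sub[len("repo:"):].split(":")[0].partition("/")
    if "*" in org or "?" in org:
        return f"sub {sub!r} matches repositories in any GitHub org"
    if not repo or "*" in repo or "?" in repo:
        return f"sub {sub!r} is org-wide: any repo in {org} can assume"
    return None

def audit_trust_policy(policy: dict) -> list:
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal") or {}
        if principal == "*":
            findings.append("wildcard principal: anyone can assume")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or arn.endswith(":root"):  # root = the whole account, not one user
                findings.append(f"broad principal {arn}: every identity in that account may assume")
        for fed in _as_list(principal.get("Federated", [])):
            if fed.endswith(GITHUB_OIDC):
                subs = _condition_values(stmt, f"{GITHUB_OIDC}:sub")
                if not subs:
                    findings.append("GitHub OIDC trust with no sub condition: any repo can assume")
                findings.extend(f for f in map(sub_finding, subs) if f)
    return findings

# Constructed sample trust policy (not from either post) carrying both mistakes.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}},
    {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
     "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
     "Condition": {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:*"}}}]}
```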
Pentesting a Pentest Agent: Here's What I've Found in AWS Security Agent
Richard Fan
🔍 Multi-stage exploit chain — begins with debug-message injection, then hides malicious requests in emotionally framed narratives to bypass guardrails.
⚠️ Privilege escalation + container escape — ends with retrieving instance credentials from IMDS, consistent with AWS's threat model.
🧪 Dangerous testing — agent runs destructive SQL during probes (DROP TABLE) and includes discovered credentials in reports without redaction.
💡 Why it matters — autonomous pentest agents can amplify risk if unchecked; this research shows PoC techniques and failure modes practitioners should defend against.
See the full breakdown for PoC details, attack flow diagrams, and mitigations.
Mentioned in AWS Security Digest Issue #253: https://t.co/w7ED3BwfiC
Read here: https://t.co/qKNsbJIrZE
🛎️ AWS Security Digest 260 is out!
1️⃣ From Leaked AWS Key to Data Exfiltration in 60 Seconds by Adan Álvarez
2️⃣ Credential isolation and least privilege for AWS agents by Alex Smolen
3️⃣ AWS Credential Isolation for Local AI Agents by Alex Smolen
https://t.co/Tlyyi8sBhN
Pwning AI Code Interpreters in AWS Bedrock AgentCore
Kinnaird McQuade
AWS Bedrock’s Code Interpreter sandbox claimed network isolation — but DNS leaked. Kinnaird built a DNS C2: inbound commands hidden in A-record octets (each octet encodes base64 ASCII), and the interpreter exfiltrates output via queries to crafted DNS subdomains, resulting in a fully interactive reverse shell from the sandbox.
Why it matters:
- DNS can be a covert channel — allowing DNS makes network isolation porous.
- If the interpreter’s IAM role can access S3, a malicious CSV + DNS C2 can let attackers read/write S3.
- AWS acknowledged the finding, didn’t patch, and updated docs to say “sandbox mode allows DNS resolution.”
PoC is open-sourced — a concrete exploit, not just theory. Takeaway: explicitly control DNS/egress and tighten execution-role permissions.
First mentioned in AWS Security Digest Issue #253: https://t.co/w7ED3BwfiC
Read here: https://t.co/YQU0CJ0yJ5
Visualizing AWS relationships and attack paths
pathsec
aws-visualizer is an open-source tool that ingests AWS resources across regions (EC2, VPCs, subnets, security groups, IAM, Lambda) and renders an interactive Cytoscape.js graph to filter by region/service and trace relationships. It also integrates https://t.co/2qUIh3DORk to highlight IAM privilege-escalation paths. I haven't used it and couldn't find a clear author, so try at your own risk.
🔍 Cross-region mapping of EC2, VPCs, subnets, SGs, IAM, Lambda
🧭 Interactive Cytoscape.js graph with filters and relationship tracing
⚠️ https://t.co/2qUIh3DORk integration for IAM privilege-escalation — useful for spotting lateral-movement vectors and risky trust/role links
Mentioned in AWS Security Digest #252: https://t.co/jUDDFAbyep
Read here: https://t.co/QlyedaPJXH
Behind the console: Active phishing campaign targeting AWS console credentials
Martin Mc Closkey
A live adversary‑in‑the‑middle kit uses typosquatted domains (e.g., cloud-recovery[.]net) to proxy the real AWS sign‑in page, validate credentials in real time, and likely capture OTPs. Attackers accessed consoles ~20 minutes after credential submission from Mullvad VPN IPs — not an AWS vulnerability, but a human‑targeting reminder.
🔎 How it works: proxies requests to the legitimate AWS sign‑in endpoint and validates creds on the fly
🔐 Risk: credential + OTP capture → full console takeover
⏱️ Notable: post‑phish console access ~20 minutes later — suggests staged validation or manual follow‑up
🛡️ Practical steps: enforce phishing‑resistant MFA (hardware keys), monitor unusual sign‑in IPs, warn users about typosquatted domains, and review CloudTrail after suspected exposure
First mentioned in AWS Security Digest Issue #252: https://t.co/jUDDFAbyep
Read the full write‑up here: https://t.co/Gu3CtKalZF
Bucketsquatting is (Finally) Dead
Ian Mckay
After a decade of reporting bucketsquatting to AWS, Ian finally gets a win: AWS added a namespace syntax for S3 buckets that embeds your account ID and region (e.g., myapp-123456789012-us-west-2-an). That ties ownership to the account/region and blocks attackers from registering deleted or unused bucket names to hijack resources.
🔒 What changed: bucket names include account ID + region, making them unique.
🧭 Why it matters: stops attackers from sniping deleted buckets to take over data or integrations.
✅ Insight: AWS recommends using the namespace for new buckets — it should’ve been mandatory; watch “shadow resources” for remaining exposures.
First mentioned in AWS Security Digest #252: https://t.co/jUDDFAbyep
Read here: https://t.co/rIOICT90fK
🛎️ AWS Security Digest 259 is out!
1️⃣ Unexpected Routing Behaviour in AWS with VPC Peering and NAT Gateway by Aleksi Kallio
2️⃣ TrailTool: CloudTrail for AI Agents by Alex Smolen
3️⃣ Every PaaS Breach Becomes an AWS Breach by hackaws[.]cloud
https://t.co/rY5SrgYONX
Stop Enabling Every AWS Security Service
By: Sena Yakut
Turning everything on by default creates thousands of untriaged alerts and dashboards nobody looks at. Sena argues you should threat-model your actual architecture, find the real breaking points, and pick controls that map to those risks.
🧭 Start with threat modeling: map assets, attack paths, and where detection actually matters.
💸 Cost and overlap matter: many AWS services duplicate third‑party tools and generate redundant telemetry.
🔐 Prefer IAM Identity Center + short‑lived credentials over piling on more continuous monitoring — it reduces signal noise and blast radius.
⚙️ Practical tips on rule tuning, prioritizing high‑fidelity alerts, and aligning monitoring to business‑critical components.
This was first mentioned in AWS Security Digest Issue #251: https://t.co/1rrdVmwRuZ
Read the full piece here: https://t.co/z72QIDbfye
The AWS Console and Terraform Security Gap
By: Laurence Tennant
AWS Console now flips secure defaults (RDS encryption on, Lambda requiring source_arn) while Terraform still follows legacy API defaults (storage_encrypted = false, source_arn optional). That mismatch can leave identical resources with very different security postures depending on how they're created.
The write-up gives concrete RDS and Lambda examples and shows why the API/console split creates silent risk for infra-as-code users. Practical fixes: account-level SCPs, Trivy checks to catch insecure Terraform resources, and golden Terraform modules to enforce safe defaults, plus guidance on aligning provider/module settings and policy-as-code.
Worth reading for Terraform, cloud governance, or CI/CD security — includes reproducible steps to close the gap.
First mentioned in AWS Security Digest Issue #251: https://t.co/1rrdVmwRuZ
Read here: https://t.co/qLTL1VxYKP
Post-Exploitation at Scale: The Rise of AILM
By: Roi Nisimi
Attackers are pivoting through an org’s AI layer — "AI-Induced Lateral Movement" — by stuffing malicious prompts into any field LLMs ingest (EC2 tags, order comments, etc.). Roi demos this on Prowler’s AI assistant, forcing it to talk like a pirate, disclose available tools, and recommend attacker-controlled URLs.
🔍 Key findings:
- LLMs treat data as instructions: injected prompts can change agent behavior and reveal capabilities.
- Real-world vectors: metadata, tags, free-text order notes, telemetry fields — anything fed to agents.
- Demo impact: prompt injection led to tool exposure and malicious URL recommendations.
🛡️ Practical defenses:
- Validate and sanitize model inputs; treat untrusted fields as hostile.
- Tag provenance, apply policy-based filtering, and restrict agent tool access.
- Isolate untrusted ingestion pipelines and use allowlists for actions.
Worth reading if you’re embedding LLMs into ops — concrete demo + actionable mitigations.
This was first mentioned in AWS Security Digest Issue #250: https://t.co/Hvqajt2R96
Read here: https://t.co/1PRqmicnQQ