AWS Updates - 2025-12-15
AWS News Blog
AWS Weekly Roundup: Amazon ECS, Amazon CloudWatch, Amazon Cognito and more (December 15, 2025)
- Link: https://aws.amazon.com/blogs/aws/aws-weekly-roundup-amazon-ecs-amazon-cloudwatch-amazon-cognito-and-more-december-15-2025/
- Published: 2025-12-15
Can you believe it? We’re nearly at the end of 2025. And what a year it’s been! From re:Invent recap events to AWS Summits, AWS Innovate, AWS re:Inforce, Community Days, and DevDays and, recently, adding that cherry on the cake, re:Invent 2025, we have lived through a year filled with exciting moments and technology advancements […]
AWS Security Blog
What AWS Security learned from responding to recent npm supply chain threat campaigns
- Link: https://aws.amazon.com/blogs/security/what-aws-security-learned-from-responding-to-recent-npm-supply-chain-threat-campaigns/
- Published: 2025-12-15
AWS incident response operates around the clock to protect our customers, the AWS Cloud, and the AWS global infrastructure. Through that work, we learn from a variety of issues and spot unique trends. Over the past few months, high-profile software supply chain threat campaigns involving third-party software repositories have highlighted the importance of protecting […]
Amazon Threat Intelligence identifies Russian cyber threat group targeting Western critical infrastructure
- Link: https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/
- Published: 2025-12-15
As we conclude 2025, Amazon Threat Intelligence is sharing insights about a years-long Russian state-sponsored campaign that represents a significant evolution in critical infrastructure targeting: a tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined. This tactical adaptation enables the same […]
AWS Security Bulletins
Overly Permissive Trust Policy in Harmonix on AWS EKS
- Link: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-031/
- Published: 2025-12-15
Bulletin ID: AWS-2025-031
Scope: AWS
Content Type: Informational
Publication Date: 2025/12/15 11:45 AM PST
Description:
Harmonix on AWS is an open source reference architecture and implementation of a Developer Platform that extends the CNCF Backstage project. We identified CVE-2025-14503, where an overly permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any account principal with sts:AssumeRole permissions to assume the role with administrative privileges.
Resolution:
v0.3.0 through v0.4.1
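The misconfiguration the bulletin describes, a privileged role whose trust policy names the account root as its principal, is a pattern worth checking for across an account rather than only in this one project. The following is an added example, not code from AWS or from the Harmonix project: a small Python check that parses an IAM trust policy document and flags Allow statements granting sts:AssumeRole to an account root or wildcard principal with no Condition, run against a constructed weak policy and a constructed hardened variant that trusts one named role. The account ID, role name and function names are placeholders.

```python
import json
import re

# Constructed example of the weak pattern the bulletin describes: the role's
# trust policy names the account root as principal, so any principal in that
# account holding sts:AssumeRole on this role may assume it. The account ID
# is a placeholder, not a value from the bulletin.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed hardened variant: trust only the specific role that is meant
# to provision EKS environments (hypothetical role name).
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::111122223333:role/harmonix-platform-provisioner"
        },
        "Action": "sts:AssumeRole",
    }],
})

# An account root principal ARN: 12-digit account ID followed by ":root".
ROOT_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:root$")

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows scalars or lists in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_root_trust(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that grants sts:AssumeRole to an
    account root principal (or to "*") without any Condition narrowing it."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        else:
            aws_principals = _as_list(principal.get("AWS"))
        broad = [p for p in aws_principals
                 if p == "*" or ROOT_PRINCIPAL.match(p)]
        if broad and not stmt.get("Condition"):
            findings.append({"statement": idx, "principals": broad})
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY),
                      ("hardened", HARDENED_TRUST_POLICY)):
        print(name, find_root_trust(doc))
```

The check is deliberately narrow: trusting the account root is a legitimate way to delegate to the account's own IAM policies, so a finding only says that the role's effective access is "whoever in this account can call sts:AssumeRole on it", and the reviewer must still ask whether that is acceptable for a role carrying administrative permissions, as the bulletin's EKS provisioning role does.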