AWS announces S3 SSE-C encryption will be disabled by default starting April 2026, closing a known ransomware vector. Security Hub and Security Agent updates from re:Invent 2025 continue rolling out.
AWS published advance notice that starting April 6, 2026, SSE-C (Server-Side Encryption with Customer-Provided Keys) will be disabled by default on all new S3 buckets and existing buckets without SSE-C data. The Cloud Security Alliance noted this also closes a ransomware attack vector where attackers re-encrypt objects with their own keys.
AWS Control Tower now supports 176 additional Security Hub controls in the Control Catalog, covering security, cost, durability, and operations use cases across multi-account environments.
The AI-powered Security Agent announced at re:Invent 2025 is now available in preview. It conducts automated application security reviews and on-demand penetration testing from design to deployment - a shift-left security tool powered by frontier AI.
Security Hub reached general availability with near real-time analytics, automated risk prioritization, and cross-service correlation across GuardDuty, Inspector, Macie, and CSPM. This is the enhanced version announced at re:Invent 2025.
Improper validation of the region parameter in the AWS SDK for .NET v4 allows routing API calls to non-AWS hosts, enabling server-side request forgery. Low severity (CVSS 3.7). Affects SDK v4 prior to 4.0.3.3. Fixed in November 2025, disclosed in this period.
The S3 SSE-C default change is the most impactful news this week. If your applications use SSE-C, audit your buckets before April 6. For everyone else, this is AWS closing a known ransomware vector - a welcome security-by-default improvement.
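One way to run that audit offline is to scan an S3 Inventory report for objects whose encryption status is SSE-C. The sketch below is an added example, not AWS tooling or code from this digest; the bucket name, keys and rows are constructed, and it assumes a CSV-format inventory configured with the optional EncryptionStatus field.

```python
import csv
import io
import json
from collections import Counter
from urllib.parse import unquote

# Constructed sample: relevant fields of an inventory manifest.json.
MANIFEST = json.dumps({
    "sourceBucket": "example-app-data",
    "fileFormat": "CSV",
    "fileSchema": "Bucket, Key, Size, EncryptionStatus",
})

# Constructed sample rows. CSV inventories have no header row; the column
# order comes from fileSchema in the manifest.
INVENTORY_CSV = '''"example-app-data","reports/2025/q4.pdf","48213","SSE-S3"
"example-app-data","uploads/caf%C3%A9/scan.tif","901122","SSE-C"
"example-app-data","uploads/ids/id.png","20311","SSE-C"
"example-app-data","backups/db.dump","7340032","SSE-KMS"
"example-app-data","legacy/readme.txt","512","NOT-SSE"
'''

def find_sse_c(manifest_json, inventory_csv):
    """Return (bucket, decoded key) for every object stored with SSE-C."""
    schema = [c.strip() for c in json.loads(manifest_json)["fileSchema"].split(",")]
    if "EncryptionStatus" not in schema:
        # Without this field the report cannot answer the question at all.
        raise ValueError("inventory lacks the EncryptionStatus field")
    hits = []
    for row in csv.reader(io.StringIO(inventory_csv)):
        if not row:
            continue
        rec = dict(zip(schema, row))
        if rec["EncryptionStatus"] == "SSE-C":
            # Object keys are URL-encoded in CSV inventories.
            hits.append((rec["Bucket"], unquote(rec["Key"])))
    return hits

def summarize(hits):
    """Count SSE-C objects per (bucket, top-level prefix) to find owning apps."""
    counts = Counter()
    for bucket, key in hits:
        prefix = key.split("/", 1)[0] + "/" if "/" in key else ""
        counts[(bucket, prefix)] += 1
    return dict(counts)

if __name__ == "__main__":
    for (bucket, prefix), n in summarize(find_sse_c(MANIFEST, INVENTORY_CSV)).items():
        print(f"{bucket}/{prefix}: {n} SSE-C object(s)")
```

A bucket that shows any SSE-C objects holds SSE-C data, so the prefixes it reports point to the applications to review before April 6.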
These weekly digests are a starting point. Contact us for tailored threat briefings, security assessments, and architectural guidance for your AWS environment.