WEEK 13: 2026-03-23 - 2026-03-30
    2 critical, 2 medium, 1 info

    Week 13 - Mar 23-30, 2026

    European Commission AWS account breached with 350+ GB stolen, LiteLLM supply chain compromise targets AWS IMDS credentials, RSAC 2026 showcases Security Hub multicloud vision, and new Route 53 granular IAM permissions launch.

    Highlights

    $ tail -f /var/log/aws-security.log

    European Commission AWS Account Breached — 350+ GB Stolen

    INCIDENT

    The European Commission's AWS account hosting Europa.eu infrastructure was breached, detected March 24 and publicly confirmed March 27. The threat actor claimed over 350 GB of data including databases and employee information. AWS stated: "AWS did not experience a security event, and our services operated as designed." The Commission confirmed internal systems were not affected. The breach is attributed to compromised credentials, not an AWS infrastructure failure.

    IAM, S3

    LiteLLM Supply Chain Compromise Targets AWS IMDS Credentials

    THREAT INTEL

    Threat actor TeamPCP compromised LiteLLM PyPI packages v1.82.7 and v1.82.8 on March 24, published between 10:39 and 16:00 UTC. The attack vector: TeamPCP first compromised Trivy (March 19), which LiteLLM's CI/CD used, exfiltrating the PyPI publish token. The malware targeted environment variables, SSH keys, cloud provider credentials (including AWS IMDS), and Kubernetes tokens. Data was exfiltrated to models.litellm[.]cloud (not legitimate LiteLLM infrastructure). Packages were removed from PyPI after discovery. Safe versions: v1.82.6 and earlier.
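
    As an added example (not part of the original digest and not LiteLLM or PyPI tooling), the following check scans a pip requirements file for exact pins to the two compromised versions named above and for requirements that carry no exact pin. The function names and the sample file are constructed for illustration.

```python
import re

# Versions this digest names as compromised (PyPI, March 24). Safe: 1.82.6 and earlier.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

# Distribution name, optional [extras], then an exact "==" pin.
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name):
    """PEP 503 normalization, so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text):
    """Return (line_number, package, status) for each problem line.

    status is 'compromised' for an exact pin to a listed bad version, or
    'unpinned' for anything without an exact pin (ranges, wildcards, bare names).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option (-r, --hash)
            continue
        pin = _PIN.match(line)
        if pin and "*" not in pin.group(2):
            name, version = normalize(pin.group(1)), pin.group(2)
            if version in COMPROMISED.get(name, ()):
                findings.append((lineno, name, "compromised"))
            continue
        bare = _NAME.match(line)
        if bare:
            findings.append((lineno, normalize(bare.group(0)), "unpinned"))
    return findings


# Constructed sample requirements file (not taken from any real project).
SAMPLE = """\
# constructed sample
boto3==1.34.0
LiteLLM[proxy]==1.82.7
litellm==1.82.6
requests>=2.31
-r base.txt
pyyaml
litellm == 1.82.8  # pulled by CI
"""

if __name__ == "__main__":
    for lineno, name, status in audit_requirements(SAMPLE):
        print(f"line {lineno}: {name}: {status}")
```

    The check covers only the lines in the file it is given; transitive dependencies need a fully resolved lock file run through the same function.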

    RSAC 2026: AWS Showcases Security Hub Multicloud and AI Security

    COMPLIANCE

    AWS exhibited at RSAC 2026 (March 23-26, San Francisco, booth S-0466) demonstrating expanded Security Hub multicloud capabilities, AI security features, and AWS Security Agent. Sessions covered expanded Security Hub, AI security, privacy-by-design, and AI-native incident response. Events included an AWS Network Security Event, OCSF Networking Breakfast, and a customer soiree co-hosted with CrowdStrike.

    Security Hub

    Route 53 Profiles: Granular IAM Permissions for DNS Management

    FEATURE LAUNCH

    Route 53 Profiles now supports granular IAM permissions for resource and VPC associations. Administrators can scope policies to specific operations (associate, disassociate, update) on individual resource types: private hosted zones, Resolver rules, and DNS Firewall rule groups. Permissions can be scoped by resource ARNs, hosted zone names, Resolver rule domain names, DNS Firewall rule group priority ranges, or specific VPC associations. Available at no additional charge.

    Route 53, IAM

    Amazon ECS Managed Instances: FIPS Support in GovCloud

    FEATURE LAUNCH

    ECS Managed Instances now supports FIPS-compliant deployments in AWS GovCloud (US) Regions with FIPS compliance enabled by default. Infrastructure communicates through FIPS-compliant endpoints, uses appropriately configured cryptographic modules, and boots the kernel in FIPS mode. Supports Graviton-based, GPU-accelerated, network-optimized, and burstable performance instances.

    ECS

    Key Takeaway

    $ cat WEEKLY_SUMMARY.md

    The European Commission breach is the starkest shared-responsibility reminder of the year: even one of the world's most prominent institutions can be compromised through credential mismanagement, not AWS infrastructure failure. Combined with the LiteLLM supply chain attack — which specifically targeted AWS IMDS credentials — this week reinforces three non-negotiable controls: enforce IMDSv2, mandate MFA on all accounts, and pin every dependency in your CI/CD pipeline.

    European Commission, Breach, LiteLLM, Supply Chain, RSAC, Route 53, ECS, FIPS, GovCloud
