AWS Security Digest · Week 17 of 2026 · Apr 21-27, 2026 · 7 items
AWS Picks a Fight with Quantum Decryption
Secrets Manager rolls out hybrid post-quantum TLS using ML-KEM, baked into the agent, the Lambda extension, and the CSI driver. Three CVE bulletins land in the same week (QnABot, Ops Wheel, tough/tuftool). AWS finally gives the IAM Service Authorization Reference the deep-dive treatment.
In this issue: 3 high, 2 medium, 2 info
Highlights
high / Feature Launch
Secrets Manager Goes Post-Quantum
AWS shipped hybrid post-quantum key exchange to AWS Secrets Manager using ML-KEM, the NIST-standardized post-quantum KEM.
The threat model is "harvest-now-decrypt-later": secrets in transit could be captured today and decrypted decades from now once a cryptographically relevant quantum computer exists.
Hybrid means both classical (X25519) and PQ (ML-KEM) shared secrets are derived and combined, so the connection is no weaker than today even if ML-KEM is later broken.
QnABot: an authenticated administrator can execute arbitrary code in the fulfillment Lambda by injecting a crafted conditional-chaining expression through the Content Designer interface.
JavaScript prototype manipulation bypasses the static-eval sandbox. The blast radius from a compromised admin account widens to Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables.
The fix removes static-eval entirely and ships a custom expression evaluator.
Two issues in the AWS Ops Wheel sample app, both serious.
CVE-2026-6911: JWT signature verification was not enforced in the v2 API, enabling cross-tenant data manipulation. CVE-2026-6912: weak Cognito attribute permissions allowed self-service privilege escalation.
Workaround if redeployment is delayed: restrict access to the API Gateway via WAF or VPC endpoints.
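The Ops Wheel finding is a general JWT pattern, so here is an added example (not from the digest or from the Ops Wheel code) showing a stdlib-only verifier beside the weak decode it replaces. The key, tenant names and claims are constructed for the demo, and HS256 is assumed because the bulletin does not say which algorithm Ops Wheel used.

```python
import base64, hashlib, hmac, json

def _b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token: str) -> dict:
    # The weak pattern: reading the claims without checking the signature.
    # Whatever a caller writes into the tenant claim is taken at face value.
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, key: bytes) -> dict:
    # The hardened pattern: pin the algorithm, recompute the MAC over the exact
    # signed bytes, compare in constant time, and only then read the claims.
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if malformed
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects "none" and algorithm confusion
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def sign_hs256(claims: dict, key: bytes) -> str:
    # Issuer side; used here only to build a legitimate token for the demo.
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    return f"{header_b64}.{payload_b64}.{_b64url_encode(mac.digest())}"

def demo() -> tuple:
    # Constructed demo data: a token scoped to tenant-a, then the same token with
    # its tenant claim edited to tenant-b while the original signature is kept.
    key = b"constructed-demo-key-not-for-production"
    genuine = sign_hs256({"sub": "user-1", "tenant": "tenant-a"}, key)
    header_b64, _, sig_b64 = genuine.split(".")
    edited = _b64url_encode(json.dumps({"sub": "user-1", "tenant": "tenant-b"}).encode())
    tampered = f"{header_b64}.{edited}.{sig_b64}"
    unverified_accepts = decode_unverified(tampered)["tenant"] == "tenant-b"
    try:
        verify_hs256(tampered, key)
        verified_rejects = False
    except ValueError:
        verified_rejects = True
    return unverified_accepts, verified_rejects
```

The unverified decode happily returns the edited tenant, while the verifier rejects the same token; in a real service the tenant used for data access must come only from claims that passed verification.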
Multiple security issues in the tough Rust library (TUF repository handling) and the tuftool CLI.
Relevant to anyone using TUF for binary artifact signing, most directly the Bottlerocket update infrastructure.
Affected: tough 0.1.0-0.21.x, tuftool 0.1.0-0.14.x
Fixed in: tough 0.22.0+, tuftool 0.15.0+
medium / Service Update
Security Hub Extended: Multicloud Walkthrough
AWS published an end-to-end walkthrough of using AWS Security Hub Extended to consolidate findings from curated partner solutions across AWS, Azure, and GCP using OCSF as the common schema. Practical answer to the question many teams ask: "what does the Security Hub multicloud story actually look like in production?"
Security Hub
info / Compliance
"Can I Do That With Policy?" Demystified
AWS published a how-to for using the Service Authorization Reference to determine whether a given access pattern is even expressible in IAM policy, and to spot the cases where the answer is "no, you need an alternative control." Particularly valuable for teams that have spent hours trying to scope a policy for a service whose Condition keys do not actually support what they wanted.
IAM
info / Service Update
Shift-Left Tag Compliance, with Terraform
A reusable Terraform module and TDD-style approach for validating tag policies before deployment, leveraging AWS Organizations tag policies. Tag compliance is one of those problems that gets solved last and matters first: for cost allocation, ABAC, and governance reporting alike.
Organizations
Key Takeaway
Three CVE bulletins in one week is unusual but not alarming. None of these are wormable. The Secrets Manager hybrid PQ rollout matters far more for long-term planning. If you have a 10-year secret rotation policy and you want it to still be defensible in 2036, ML-KEM in transit is the floor.
These weekly digests are a starting point. Contact us for tailored threat briefings, security assessments, and architectural guidance for your AWS environment.