AWS Security Digest·Week 13 of 2026·Mar 23-30, 2026·5 items
The European Commission Lost Its AWS Account
Over 350 GB stolen from the European Commission's AWS environment, confirmed publicly March 27. AWS clarifies its services were not breached, this is shared-responsibility 101 played out at the highest level of EU government. LiteLLM packages get backdoored to steal IMDS credentials. RSAC 2026 happens in San Francisco.
In this issue2critical2medium1info
Highlights
5 items
$ tail -f /var/log/aws-security.log
critical/Incident/
European Commission AWS Account Breached: 350+ GB Stolen
The European Commission's AWS account hosting Europa.eu infrastructure was breached, detected March 24 and publicly confirmed March 27. The threat actor claimed over 350 GB of data including databases and employee information. AWS stated: "AWS did not experience a security event, and our services operated as designed." The Commission confirmed internal systems were not affected. The breach is attributed to compromised credentials, not an AWS infrastructure failure.
Threat actor TeamPCP compromised LiteLLM PyPI packages v1.82.7 and v1.82.8 on March 24, published between 10:39 and 16:00 UTC. The attack vector: TeamPCP first compromised Trivy (March 19), which LiteLLM's CI/CD used, exfiltrating the PyPI publish token. The malware targeted environment variables, SSH keys, cloud provider credentials (including AWS IMDS), and Kubernetes tokens. Data was exfiltrated to models.litellm[.]cloud (not legitimate LiteLLM infrastructure). Packages were removed from PyPI after discovery. Safe versions: v1.82.6 and earlier.
info/Compliance/
RSAC 2026: AWS Showcases Security Hub Multicloud and AI Security
AWS exhibited at RSAC 2026 (March 23-26, San Francisco, booth S-0466) demonstrating expanded Security Hub multicloud capabilities, AI security features, and AWS Security Agent. Sessions covered expanded Security Hub, AI security, privacy-by-design, and AI-native incident response. Events included an AWS Network Security Event, OCSF Networking Breakfast, and a customer soiree co-hosted with CrowdStrike.
Security Hub
medium/Feature Launch/
Route 53 Profiles: Granular IAM Permissions for DNS Management
Route 53 Profiles now supports granular IAM permissions for resource and VPC associations. Administrators can scope policies to specific operations (associate, disassociate, update) on individual resource types: private hosted zones, Resolver rules, and DNS Firewall rule groups. Permissions can be scoped by resource ARNs, hosted zone names, Resolver rule domain names, DNS Firewall rule group priority ranges, or specific VPC associations. Available at no additional charge.
Route 53IAM
medium/Feature Launch/
Amazon ECS Managed Instances: FIPS Support in GovCloud
ECS Managed Instances now supports FIPS-compliant deployments in AWS GovCloud (US) Regions with FIPS compliance enabled by default. Infrastructure communicates through FIPS-compliant endpoints, uses appropriately configured cryptographic modules, and boots the kernel in FIPS mode. Supports Graviton-based, GPU-accelerated, network-optimized, and burstable performance instances.
ECS
Key Takeaway
1 item
$ cat WEEKLY_SUMMARY.md
The European Commission breach is the starkest shared-responsibility reminder of the year: even one of the world's most prominent institutions can be compromised through credential mismanagement, not AWS infrastructure failure. Combined with the LiteLLM supply chain attack, which specifically targeted AWS IMDS credentials, this week reinforces three non-negotiable controls: enforce IMDSv2, mandate MFA on all accounts, and pin every dependency in your CI/CD pipeline.
Filed Under
European CommissionBreachLiteLLMSupply ChainRSACRoute 53ECSFIPSGovCloud
These weekly digests are a starting point. Contact us for tailored threat briefings, security assessments, and architectural guidance for your AWS environment.
