What the March 2026 Threat Technique Catalog update means for your AWS environment
Security Blog
This article details the March 2026 Threat Technique Catalog update from AWS CIRT, which adds three new attack techniques observed in real-world incidents:
- Cognito refresh token abuse enables persistent unauthorized access without user detection
- AMI image deletion removes disaster recovery capabilities and golden images
- UpdateAssumeRolePolicy modifies trust policies to add unauthorized principals
Threat actors exploit legitimate cloud behaviors to evade detection. The recommended mitigations are:
- Enable refresh token rotation and reduce token lifetimes for Cognito
- Use Recycle Bin retention rules to protect critical AMIs
- Monitor trust policy modifications and CloudTrail for suspicious API calls
The update emphasizes that modern threats use normal cloud operations in illegitimate contexts, so security teams need to monitor for legitimate actions performed by the wrong principals at the wrong times.
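One way to act on the trust policy monitoring recommendation, as an added example that is not code from AWS or from the catalog: it scans CloudTrail-style records for successful UpdateAssumeRolePolicy calls whose new trust policy names an AWS principal outside a trusted account set. TRUSTED_ACCOUNTS, the helper names and the sample records are constructed assumptions, as is the record layout used here (the new policy as a JSON string in requestParameters.policyDocument).

```python
import json

TRUSTED_ACCOUNTS = {"111111111111"}  # assumption: account IDs you own (constructed)

def principals(policy):  # yields (kind, value) per principal in Allow statements
    stmts = policy.get("Statement", [])
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        p = st.get("Principal", {}) if st.get("Effect") == "Allow" else {}
        for kind, vals in ({"AWS": "*"} if p == "*" else p).items():
            for v in [vals] if isinstance(vals, str) else vals:
                yield kind, v

def is_untrusted(kind, value):
    if kind != "AWS":
        return False  # Service/Federated principals need their own review rule
    parts = value.split(":")  # arn:aws:iam::<account>:... or a bare account ID
    account = parts[4] if len(parts) > 4 else value
    return account not in TRUSTED_ACCOUNTS  # "*" is never trusted

def findings(events):  # one finding per successful change naming an outside account
    out = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("iam.amazonaws.com", "UpdateAssumeRolePolicy"):
            continue
        if ev.get("errorCode"):
            continue  # denied or failed call: the trust policy did not change
        params = ev.get("requestParameters") or {}
        policy = json.loads(params.get("policyDocument") or "{}")
        bad = sorted(v for k, v in principals(policy) if is_untrusted(k, v))
        if bad:
            out.append({"role": params.get("roleName"),
                        "actor": (ev.get("userIdentity") or {}).get("arn"),
                        "untrusted_principals": bad})
    return out

def _event(role, principal):  # builds a constructed CloudTrail-style record
    doc = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}
    return {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/constructed-user"},
            "requestParameters": {"roleName": role, "policyDocument": json.dumps(doc)}}

SAMPLE_EVENTS = [  # constructed sample input, not real log data
    _event("ConstructedAdminRole", {"AWS": ["arn:aws:iam::111111111111:root",
                                            "arn:aws:iam::999999999999:root"]}),
    _event("ConstructedAppRole", {"Service": "ec2.amazonaws.com"}),
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]
print(findings(SAMPLE_EVENTS))
```

The check inspects the policy submitted in each call rather than diffing it against the previous trust policy, so a role that legitimately trusts an outside account needs that account added to TRUSTED_ACCOUNTS.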