What the March 2026 Threat Technique Catalog update means for your AWS environment

The AWS CIRT March 2026 update to the Threat Technique Catalog for AWS describes three observed cloud attack techniques—Cognito refresh token abuse (long-lived refresh tokens used for invisible persistence), AMI image deregistration (removing recovery 'golden images'), and updating role trust policies via UpdateAssumeRolePolicy (adding external principals for stealthy privilege escalation)—and provides detection and mitigation guidance for each.