Security Newsletter - Lots of breaches and leaks. SolarWinds continued. Ryuk income estimated at $150 million so far.
• Control VPC sharing in an AWS multi-account setup with service control policies
• Default password policy for IAM users
• AWS Certificate Manager is now FedRAMP compliant
• Today marks 10 years clean from drugs and alcohol 🥲💙
• Did you know Lex, Transcribe, and other AWS AI services will move your data out of the regions you put it in and send your data to AWS affiliates? You should opt out of that. I've described how here. summitroute.com/blog/2021/01/0…
• Today marks a pretty interesting milestone for @AWSCloudFormer, the first time they have had more AWS resource types available than Terraform (664 CFN - 654 TF). Congratulations to @MunnOlivier, @amjadh, @luiscolon1 and the rest of the team, and may the IaC wars continue! 🪖☁️
• 📚 tl;dr sec 65 * @0xdabbad00 Lesser known AWS attacks * @christophetd Infra as Code scanning tool survey * @GoSecure_Inc Free template injection workshop * @EdOverflow Cheatsheet for claiming dangling DNS * @DanielMiessler Whose Life Are You Living? tldrsec.com/blog/tldr-sec-…
• What other companies have been kicked off AWS other than WikiLeaks in 2010 and now Parler? aws.amazon.com/message/65348/
• @0xdabbad00 @christophetd @GoSecure_Inc @EdOverflow @DanielMiessler @AppSecBuilders @KseniaDmitrieva @JbAviat @cktricky @sethlaw @lojikil @absoluteappsec @InsecureNature @matter_of_cat @dcuthbert @0xpatrik Demonstrating max impact for subdomain takeovers 0xpatrik.com/subdomain-take… @EdOverflow Cheatsheet for claiming dangling DNS github.com/EdOverflow/can… @circl_lu Framework to find potential info leaks in unstructured data github.com/ail-project/ai… #bugbounty #BugBountyTips
• New Year: new additions! The first CloudSecList.com issue of 2021 just went out. As first addition, this issue includes the first article focused on Alibaba Cloud (which, given its market share, is probably worth getting used to) cloudseclist.com/issues/issue-6…
• The AWS terraform provider v3.23.0 now has support for managing AWS SSO permission sets! 🎉 This makes me unreasonably happy. registry.terraform.io/providers/hash… github.com/hashicorp/terr… github.com/hashicorp/terr…
• I just want to remind everyone: there is still so much good in this world. I promise. Hold on.
• I'm thinking about writing a simple dashboard for Prowler, something pretty straightforward like this mock (+ a page per service with details of checks). Ideally not using a DB, only reading data from output CSVs or JSON files (one per account) from a central location. Ideas?
• It looks like @amazon has quietly included MLK Jr. Day as an official holiday for its corporate employees. A win for #BLM awareness!
• Here is a picture of Sophia to cleanse your timeline. You're welcome. ❤️
• I've never seen so much #AWS logging information in one place matthewdf10.medium.com/how-to-enable-… thanks @matthewdfuller for the reference
• It's of course worth noting that this is not an apples to apples comparison. Terraform has resources that CloudFormation doesn't, and vice-versa. Also, property coverage varies from type to type. Here's the same graph with the full CloudFormation lifetime:
• Would anyone be interested in a blog series on protecting AWS Federation with Azure AD and Domain Controllers in AWS?
• This Saturday I was a guest of @hashishrajan in Cloud Security Podcast (@kaizenteq). Want to find out more about #cloud #security #assessment? Check out the latest episode: cloudsecuritypodcast.tv/listen-to-the-…
• Great question! Please stop messing with the ability to highlight, copy, and paste text from the UI. The S3 console is especially terrible at this.
• I finally played with the AWS RDS Data API yesterday. I wanted to be able to connect to it using psql and the various other postgres tools I have on my laptop. So I made a mock pg server that proxies all requests through the data API. Would other people find it useful?
• I've just reached more than 100 subscriptions in 24h, you are amazing folks! Proud to see amazon.com and netflix.com emails in it 💪🏻 The first issue will be delivered next Monday.
• This was a horrible design decision, even more so for not being transparent about it. Serverless put themselves in a position now where attackers will value them greatly for supply chain attacks.
• What are your biggest cloud compliance/regulatory headaches?
• ECS Container Deployments: Hands down the absolute best article I've found to explain ECS deployments. I wish more people read this article!
• Lesser Known Techniques for Attacking AWS Environments
• AWS Vault is a tool to securely store and access AWS credentials in a development environment
Hi everyone, This was quite a heavy week all around, including for the security industry. The resulting issue is longer than I usually like, even after some heavy filtering :-) …
Amazon Web Services (AWS) customers who establish shared infrastructure services in a multi-account environment through AWS Organizations and AWS Resource Access Manager (RAM) may find that the default permissions assigned to the management account are too broad. This may allow organizational accounts to share virtual private clouds (VPCs) with other …
AWS Certificate Manager (ACM), including Private Certificate Authority (CA), is now authorized as FedRAMP Moderate in US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon) and as FedRAMP High in GovCloud (US-West) and GovCloud (US-East). These services are also approved as Department of Defense Cloud Computing …
Question: What do you dislike about using AWS, and what should we prioritise fixing? We care and our design team is passionate about improving your experience.
Folks, I've made an #AWS Security Digest newsletter (weekly) using @mailbrew
Included: 🐦 Best of breed AWS Security Twitter Acc. 📧 Inbox with best Newsletters (inception) 👀 Official SNS: GuardDuty and IPRanges 📰 RSS Feeds 👾 reddit