• Security Newsletter - Exchange hacks everywhere. Sigstore released. Spectre PoC.
• SRE Weekly Issue #261
• 📖 [The CloudSecList] Issue 78
• [tl;dr sec] #74 - Building Securely on AWS, NFTs
• IAM Access Analyzer now enables you to validate public and cross-account access before deploying permissions changes
• AWS Security Hub adds 25 new controls to its Foundational Security Best Practices standard
• How you can use Amazon GuardDuty to detect suspicious activity within your AWS account
• Demystifying KMS keys operations, bring your own key (BYOK), custom key store, and ciphertext portability
• Dear Architects, You should read this long interview of @Werner about system design and more especially Amazon S3. It's just a gold mine. Let me cherry-pick some of my preferred quotes in a thread. ⬇️ cacm.acm.org/magazines/2021…
• fwd:cloudsec 2021 will be in Salt Lake City, Utah on September 13 and 14! (2 days! 🤯) We'll be at the Marriott City Center. It'll be hybrid (in-person and streamed). CFP will open May 16; remote speakers who can't make it will be streamed in.
• 🤠Y’all will want to check this new feature from Access Analyzer out. Here are my reasons why… (1/8) amzn.to/3vbu5k3
• The competition of AWS services against one another is fascinating and horrifying. Why are these in Security Hub and not just AWS Config Rules?
• With the proliferation of deepfakes, what could go wrong? 😅 Welp, here are some related tools. Some services to create deepfakes: impressions.app, deepfakesweb.com. And a few to detect them: sensity.ai, ambervideo.co, truepic.com
• Very impressed with the team’s response to my first bug report. Also impressed it took 5 years of daily, full-time working with AWS Lambda to find my first bug. How much software can you say that about?! 3/3
• The customer obsession is real. A few weeks ago I found a bug in an AWS Lambda API and reported it to AWS Support. The person on the other end of the ticket understood it, reproduced it and forwarded it to the service team. 1/3
• "You have to be really consciously careful about API design. APIs are forever. Once you put the API out there, maybe you can version it, but you can't take it away from your customers once you've built it like this."
• Honestly, @0xdabbad00's AWS Security Roadmap[1] feels like a much more solid baseline at this point. I also found Trusted Advisor checks[2] and AWS-managed config rules[3] to be good inspiration. [1] summitroute.com/downloads/aws_… [2] aws.amazon.com/premiumsupport… [3] docs.aws.amazon.com/config/latest/…
• 🎉IAM Access Analyzer now lets you preview and validate access for your S3 buckets before performing permission changes! 🥳@AWSIdentity twitter.com/AWSSecurityInf…
• Amazon S3’s 15th Birthday – It is Still Day 1 after 5,475 Days & 100 Trillion Objects
• Python, Boto3, and AWS S3: Demystified - A good guide for beginners
• AWS Cost Allocation Guide: Tagging Best Practices - The Duckbill Group
• Amazon Aurora Graviton2 instances (R6g) now generally available
• I explain some concepts about data modelling in DynamoDB by modelling a product catalog
• Understanding how Kerberos works, but also WHY it works the way it does
• Hacking the cloud is an encyclopedia of attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure.
• I need your opinions about side-channel attacks and access pattern inference on computing machines in cloud systems
• Nubeva expands monitoring capabilities in AWS - Help Net Security
• Effectual Managed DevOps Platform optimized for AWS Cloud - Help Net Security
• AWS announces new lower cost One Zone storage classes - Help Net Security
Monday, March 15, 2021

IAM Access Analyzer now enables you to validate public and cross-account access before deploying permissions changes

AWS Identity and Access Management (IAM) Access Analyzer now enables you to validate access before deploying permissions changes. IAM Access Analyzer uses comprehensive policy analysis to provide provable security and generate findings for resource access. Now with IAM Access Analyzer, you can prevent public and cross-account access before you set …

AWS Security Hub adds 25 new controls to its Foundational Security Best Practices standard

AWS Security Hub has released 25 new controls for its Foundational Security Best Practices standard. These controls conduct fully automatic checks against security best practices for Amazon API Gateway (APIGateway.1), Amazon CloudFront (CloudFront.1-4), Amazon DynamoDB (DynamoDB.1-3), Amazon Elastic Compute Cloud (EC2.9-10), Amazon Elastic File System (EFS.2), Amazon Elasticsearch Service (ES.2-3), …

How you can use Amazon GuardDuty to detect suspicious activity within your AWS account

Amit Megiddo · Mar 13
Amazon GuardDuty is an automated threat detection service that continuously monitors for suspicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. In this post, I’ll share how you can use GuardDuty with its newly enhanced highly-customized machine learning model to better protect …

Demystifying KMS keys operations, bring your own key (BYOK), custom key store, and ciphertext portability

Arthur Mnev · Mar 12
As you prepare to build or migrate your workload on Amazon Web Services (AWS), designing your encryption scheme can be a challenging—and sometimes confusing—endeavor. This blog post gives you a framework to select the right AWS cryptographic services and tools for your application to help you with your journey. I …
Victor GRENU @zoph

Dear Architects,

You should read this long interview of @Werner about system design and more especially Amazon S3. It's just a gold mine. Let me cherry-pick some of my preferred quotes in a thread. ⬇️

cacm.acm.org/magazines/2021…

39 · Mar 09 · 5:08 PM
fwd:cloudsec @fwdcloudsec

fwd:cloudsec 2021 will be in Salt Lake City, Utah on September 13 and 14! (2 days! 🤯)

We'll be at the Marriott City Center. It'll be hybrid (in-person and streamed).
CFP will open May 16; remote speakers who can't make it will be streamed in.

39 · Mar 09 · 3:41 AM
Brigid Johnson @bjohnso5y

🤠Y’all will want to check this new feature from Access Analyzer out. Here are my reasons why… (1/8)
amzn.to/3vbu5k3

20 · Mar 10 · 11:54 PM
Scott Piper @0xdabbad00

The competition of AWS services against one another is fascinating and horrifying. Why are these in Security Hub and not just AWS Config Rules?

What’s New on AWS @awswhatsnew

AWS Security Hub adds 25 new controls to its Foundational Security Best Practices standard

AWS Security Hub has released 25 new controls for its Foundational Security Best Practice standard. These controls conduct fully automatic checks against sec... aws.amazon.com/about-aws/what…

1 · Mar 10 · 3:24 AM
Clint Gibler @clintgibler

With the proliferation of deepfakes, what could go wrong? 😅

Welp, here are some related tools

Some services to create deepfakes:
impressions.app
deepfakesweb.com

And a few to detect them:
sensity.ai
ambervideo.co
truepic.com

15 · Mar 09 · 5:00 PM
Aidan W Steele @__steele

Very impressed with the team’s response to my first bug report. Also impressed it took 5 years of daily, full-time working with AWS Lambda to find my first bug. How much software can you say that about?!

3/3

4 · Mar 11 · 11:50 PM
Aidan W Steele @__steele

The customer obsession is real. A few weeks ago I found a bug in an AWS Lambda API and reported it to AWS Support. The person on the other end of the ticket understood it, reproduced it and forwarded it to the service team.

1/3

3 · Mar 11 · 11:50 PM
Victor GRENU @zoph

"You have to be really consciously careful about API design. APIs are forever. Once you put the API out there, maybe you can version it, but you can't take it away from your customers once you've built it like this."

10 · Mar 09 · 5:08 PM
Christophe @christophetd

Honestly, @0xdabbad00's AWS Security Roadmap[1] feels like a much more solid baseline at this point. I also found Trusted Advisor checks[2] and AWS-managed config rules[3] to be good inspiration.

[1] summitroute.com/downloads/aws_…
[2] aws.amazon.com/premiumsupport…
[3] docs.aws.amazon.com/config/latest/…

9 · Mar 14 · 9:14 PM
Michael Chan @mchancloud

🎉IAM Access Analyzer now lets you preview and validate access for your S3 buckets before performing permission changes! 🥳@AWSIdentity twitter.com/AWSSecurityInf…

AWS Security @AWSSecurityInfo

Discover how to validate access to your S3 buckets before deploying permissions changes with IAM Access Analyzer: go.aws/3colSQM

9 · Mar 11 · 12:19 AM

I need your opinions about side-channel attacks and access pattern inference on computing machines in cloud systems

If GCP, AWS and Azure cloud systems are susceptible to side-channel attacks or access pattern inference, how can they keep up their services without a lawsuit or something?

Is it only because there has been no severe attack in real life?

I want to get your opinions, guys.