SRE Weekly Issue #356 • [tl;dr sec] #165 - Hunting for Malicious Persistence in the Cloud, GitHub Action Security • Amazon Appflow - 12 updated methods • Amazon Connect Service - 2 updated methods • Amazon Connect Participant Service - 1 updated methods • Amazon Elastic Compute Cloud - 2 updated methods • Use AWS WAF CAPTCHA to protect your application against common bot traffic • Fall 2022 SOC reports now available in Spanish • C5 Type 2 attestation report now available with 156 services in scope • Fall 2022 PCI DSS report available with six services added to compliance scope


Monday, January 23, 2023

Sponsor

Are you tired of bulky, memory-intensive web security tools?

Introducing Caido, a new web security auditing toolkit for pentesters and bug bounty hunters.

We just released our public beta! Start for free now and join the future of web security testing.

In a nutshell

Calling all AWS gamers! Test your skills with the latest game from our friends at Cloudonaut.

Synchronize data between S3 buckets and troubleshoot an EC2 instance with the Systems Manager. Can you fix the access denied error?

Play now and show off your AWS expertise!

📊 Poll of the week (NEW)

What is the maximum number of IAM policies (in-line) that can be attached to a single IAM role?

  • 100
  • 50
  • Unlimited

Answer here

Amazon Appflow - 12 updated methods
Jan 19
Adding support for Salesforce Pardot connector in Amazon AppFlow.
Amazon Connect Service - 2 updated methods
Jan 19
Amazon Connect Chat introduces Persistent Chat, allowing customers to resume previous conversations with context and transcripts carried over from previous chats, eliminating the need to repeat themselves and allowing agents to provide personalized service with access to entire conversation history.
Amazon Connect Participant Service - 1 updated method
Jan 19
This release updates Amazon Connect Participant's GetTranscript api to provide transcripts of past chats on a persistent chat session.
Amazon Elastic Compute Cloud - 2 updated methods
Jan 19
Adds SSM Parameter Resource Aliasing support to EC2 Launch Templates. Launch Templates can now store parameter aliases in place of AMI Resource IDs. CreateLaunchTemplateVersion and DescribeLaunchTemplateVersions now support a convenience flag, ResolveAlias, to return the resolved parameter value.
Use AWS WAF CAPTCHA to protect your application against common bot traffic
Abhinav Bannerjee · Jan 19
In this blog post, you’ll learn how you can use a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) with other AWS WAF controls as part of a layered approach to provide comprehensive protection against bot traffic. We’ll describe a workflow that tracks the number of …
Fall 2022 SOC reports now available in Spanish
Rodrigo Fiuza · Jan 19
Spanish version >> We continue to listen to our customers, regulators, and stakeholders to understand their needs regarding audit, assurance, certification, and attestation programs at Amazon Web Services (AWS). We are pleased to announce that Fall 2022 System and Organization Controls (SOC) 1, SOC 2, and SOC 3 reports are …
C5 Type 2 attestation report now available with 156 services in scope
Julian Herlinghaus · Jan 18
We continue to expand the scope of our assurance programs at Amazon Web Services (AWS), and we are pleased to announce that AWS has successfully completed the 2022 Cloud Computing Compliance Controls Catalogue (C5) attestation cycle with 156 services in scope. This alignment with C5 requirements demonstrates our ongoing commitment …
Fall 2022 PCI DSS report available with six services added to compliance scope
Michael Oyeniya · Jan 17
We’re continuing to expand the scope of our assurance programs at Amazon Web Services (AWS) and are pleased to announce that six additional services have been added to the scope of our Payment Card Industry Data Security Standard (PCI DSS) certification. This provides our customers with more options to process …
resource-groups: 2 new actions
Jan 21
2 new actions: GetAccountSettings (Grants permission to get the current status of optional features in Resource Groups), UpdateAccountSettings (Grants permission to update optional features in Resource Groups)
guardduty: 4 new actions
Jan 20
4 new actions: AcceptAdministratorInvitation (Grants permission to accept invitations to become a GuardDuty member account), DisassociateFromAdministratorAccount (Grants permission to disassociate a GuardDuty member account from its GuardDuty administrator account), GetAdministratorAccount (Grants permission to retrieve details of the GuardDuty administrator account associated with a member account), GetRemainingFreeTrialDays (Grants permission to provide …
config: 3 new actions
Jan 20
3 new actions: GetResourceEvaluationSummary (Grants permission to return the summary of resource evaluations for a specific resource evaluation ID), ListResourceEvaluations (Grants permission to list the resource evaluation summaries for an AWS account in an AWS Region), StartResourceEvaluation (Grants permission to evaluate your resource details against the AWS Config rules in …
Nick Frichette - @frichetten@fosstodon.org @Frichette_n

New cloud security research! We found a method to bypass CloudTrail logging for specific IAM actions via an undocumented API service! Attackers could perform some reconnaissance activities while being undetected.
securitylabs.datadoghq.com/articles/iamad…

99 · Jan 17 · 4:52 PM
Clint Gibler @clintgibler

🧠 GraphQL exploitation – All you need to know

@fand0mas gives an overview of GraphQL, common vulnerabilities to test for, useful tools, and more

#bugbounty #bugbountytips

cybervelia.com/?p=736

42 · Jan 20 · 5:00 PM
Clint Gibler @clintgibler

🤬 XML Security in Java

Turns out, it's crazy!

Varying mitigations, security features that don't work as documented, and more

@0xDC0DE and @ermil0v give probably the most thorough treatment of Java XML security I've seen

semgrep.dev/blog/2022/xml-…

33 · Jan 18 · 5:00 PM
Scott Piper @0xdabbad00

The idea that access for a user should be revoked via an SCP, instead of through the identity provider integration somehow, seems very wrong. In my opinion, SCP creation and modification should be very rare and planned events, not an expected workflow for employee off-boarding.

AWS Blog Unofficial. @AWSBlogUnreal

The AWS Security, Identity & Compliance Blog #AWSSecurity
aws.amazon.com/blogs/security…
By: Matt Howard

3 · Jan 17 · 1:06 AM
rami @ramimacisabird

📜 Trying to get better at putting out rougher work!
To that end, I'm starting to externalize some of my internal knowledge hub - starting with an enumeration of Lambda risks. Let me know what I'm missing!
ramimac.github.io/wiki/lambda-ri…

12 · Jan 18 · 6:19 PM
Nick Frichette - @frichetten@fosstodon.org @Frichette_n

CSRF still happens in the cloud 😅 Nice find from @ErmeticSec. Also cool that Azure awarded a bounty. Cloud bug hunting takes a ton of time and, in some cases, cloud-specific specialized knowledge. I wish some other cloud providers awarded bounties -_-
ermetic.com/blog/azure/emo…

7 · Jan 21 · 10:25 PM
Santosh Ananthakrishnan @santosh_ankr

My team at Block (formerly Square) is hiring. Come help us build secure defaults into our rapidly growing cloud platform

jobs.smartrecruiters.com/Square/7439998…

7 · Jan 20 · 11:11 PM
Colm MacCárthaigh @colmmacc

Without noticing or intending to, I hadn't played guitar for a 26 day period. Longest break in a while, and wow does it make a big difference. Even after a week, my calluses haven't caught up and my fingers hurt like hell. Crazy how that works.

0 · Jan 17 · 5:04 AM
rami @ramimacisabird

Following up on last week's discussion of AWS phishing with a Security #awswishlist: AWS could do more about Device Auth phishing

I call out where AWS is failing to provide customers reasonable security controls, and offer a variety of possible solutions

ramimac.me/aws-device-auth

5 · Jan 17 · 8:04 PM
Ben Kehoe @ben11kehoe

The problem isn't going to be obvious errors. It's going to be when the errors are subtle but impactful, and there are no sources of news that aren't AI-generated and no economic way to have any fact-checking

Jon Christian @Jon_Christian

Anyway, here's our story:

CNET's Article-Writing AI Is Already Publishing Very Dumb Errors

futurism.com/cnet-ai-errors

3 · Jan 17 · 6:11 PM