SRE Weekly Issue #357 • [tl;dr sec] #166 - 2023 Security Predictions, Vuln Hunting with App Server Logs • AWS MediaTailor - 1 new 2 updated methods • AWS Outposts - 2 updated methods • Amazon SageMaker Runtime - 1 updated methods • Amazon SageMaker Service - 3 updated methods • Visualize AWS WAF logs with an Amazon CloudWatch dashboard • How to run AWS CloudHSM workloads in container environments • United Arab Emirates IAR compliance assessment report is now available with 58 services in scope • How to improve security incident investigations using Amazon Detective finding groups


Monday, January 30, 2023

🐿 In a nutshell

In this article, Teri Radichel explains AWS's security responsibilities, which include securing the infrastructure and physical facilities, managing the security of the cloud, providing secure access to customers, and providing security-related services.

Reminder: The customer is responsible for securing their own data, applications, and access control.

📊 Poll of the week

Q: What is the maximum number of access keys you can generate for a single IAM user?

  • 0 (should not be used :))
  • 1
  • 2
  • Unlimited

🗳Vote here

Last week's poll: What is the maximum number of inline IAM policies that can be attached to a single IAM role? 100 / 50 / Unlimited

Answer: You can use as many inline policies as you want, but the aggregate policy size can't exceed the character quotas. The inline policy character limits are 2,048 for users, 10,240 for roles, and 5,120 for groups.
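Because the quota is on aggregate characters rather than policy count, the practical check is to sum the sizes of all inline policies on a principal. The following added example (not from the newsletter or AWS) does that for the quotas quoted above; it assumes IAM's documented rule that whitespace is not counted, and all policy documents are constructed samples.

```python
import json

# Inline policy character quotas from the poll answer (aggregate per principal).
INLINE_POLICY_QUOTAS = {"user": 2048, "role": 10240, "group": 5120}


def counted_size(policy_json: str) -> int:
    """Characters that count toward the quota.

    Assumption: IAM does not count whitespace, so it is stripped before
    measuring (string values are assumed to contain none)."""
    json.loads(policy_json)  # reject malformed documents early
    return sum(1 for ch in policy_json if not ch.isspace())


def check_inline_policies(principal_type: str, policies: dict) -> dict:
    """Aggregate the inline policies of one principal (name -> JSON text)
    and compare the total with the quota for that principal type."""
    quota = INLINE_POLICY_QUOTAS[principal_type]
    sizes = {name: counted_size(doc) for name, doc in policies.items()}
    total = sum(sizes.values())
    return {"per_policy": sizes, "total": total, "quota": quota,
            "remaining": quota - total, "within_quota": total <= quota}


# Constructed samples: the same statement once compact, once pretty-printed.
COMPACT = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
           '"Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}')
PRETTY = json.dumps(json.loads(COMPACT), indent=4)

# Constructed oversized document: 40 statements, more than a user may carry
# but still within the role quota.
OVERSIZED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": f"arn:aws:s3:::example-bucket-{i}/*"}
                  for i in range(40)],
})

if __name__ == "__main__":
    print(check_inline_policies("role", {"ReadOnly": PRETTY}))
    print(check_inline_policies("user", {"TooBig": OVERSIZED}))
```

With real data, the policy documents would come from the principal's inline policies (for example via `get_role_policy` in boto3); the check itself is unchanged.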

AWS MediaTailor - 1 new 2 updated methods
Jan 27
This release introduces the As Run logging type, along with API and documentation updates.
AWS Outposts - 2 updated methods
Jan 27
Adding support for payment term in GetOrder, CreateOrder responses.
Amazon SageMaker Runtime - 1 updated method
Jan 27
This release supports running SageMaker Training jobs with container images that are in a private Docker registry.
Amazon SageMaker Service - 3 updated methods
Jan 27
This release supports running SageMaker Training jobs with container images that are in a private Docker registry.
Visualize AWS WAF logs with an Amazon CloudWatch dashboard
Diana Alvarado, Jan 26
AWS WAF is a web application firewall service that helps you protect your applications from common exploits that could affect your application’s availability and your security posture. One of the most useful ways to detect and respond to malicious web activity is to collect and analyze AWS WAF logs. You …
How to run AWS CloudHSM workloads in container environments
Derek Tumulak, Jan 25
January 25, 2023: We updated this post to reflect the fact that CloudHSM SDK3 does not support serverless environments and we strongly recommend deploying SDK5. AWS CloudHSM provides hardware security modules (HSMs) in the AWS Cloud. With CloudHSM, you can generate and use your own encryption keys in the AWS …
United Arab Emirates IAR compliance assessment report is now available with 58 services in scope
Ioana Mecu, Jan 25
Amazon Web Services (AWS) is pleased to announce the publication of our compliance assessment report on the Information Assurance Regulation (IAR) established by the Telecommunications and Digital Government Regulatory Authority (TDRA) of the United Arab Emirates. The report covers the AWS Middle East (UAE) Region, with 58 services in scope …
How to improve security incident investigations using Amazon Detective finding groups
Anna McAbee, Jan 25
Uncovering the root cause of an Amazon GuardDuty finding can be a complex task, requiring security operations center (SOC) analysts to collect a variety of logs, correlate information across logs, and determine the full scope of affected resources. Sometimes you need to do this type of in-depth analysis because investigating …
dynamodb: 2 new actions, 1 new condition | 2 updated actions, 2 updated conditions
Jan 27
2 new actions: DescribeEndpoints (Grants permission to return the regional endpoint information), UpdateGlobalTableVersion (Grants permission to update version of the specified global table); 1 new condition: aws:TagKeys (Filters access by using a condition in IAM policies to control whether specific tag keys can be used on a resource or in …
connect: 1 updated action
Jan 27
1 updated action: StartChatContact (resources, conditions)
iot: 1 new action
Jan 27
1 new action: ListRelatedResourcesForAuditFinding (Grants permission to list related resources for a single audit finding)
Nick Frichette - @frichetten@fosstodon.org @Frichette_n

My talk "What I Wish I Knew Before Pentesting AWS Environments" for SANS Pen Test Hackfest 2022 is now on YouTube! Check it out if you're interested in learning more ways to attack AWS environments.
youtube.com/watch?v=jq8SAF…

Jan 24 · 5:06 PM
Clint Gibler @clintgibler

🔑 FIDO2, New Hires & Lost Keys

Part 3/3 in @PalantirTech's Passwordless AuthN Series

➡️ How they handle the "chicken and egg" new FIDO2 user problem (Azure TAP codes) and when users lose keys

blog.palantir.com/new-hires-lost…

Jan 27 · 9:00 PM
Ben Kehoe @ben11kehoe

I've seen it pointed out that ChatGPT (et al) has shown that science fiction has gotten it very wrong when it comes to what AI will be like. I demand a reboot of Star Trek TNG where Data is an epic bullshitter with no regard for the truth and a very poor grasp of arithmetic

Jan 26 · 8:45 PM
Kinnaird McQuade 💻☁️💥 @kmcquade3

What's the fattest Docker image you've seen in the wild?

Jan 26 · 1:05 AM
Ben Kehoe @ben11kehoe

The hardest part of serverless is giving up control. Everyone says it's good to update your dependencies and runtime versions. It's a *good* thing to be forced to do that. 1/3

Jan 25 · 10:18 PM
Clint Gibler @clintgibler

📈 Security Drone: Scaling Continuous Security at Revolut

* Scan every PR
* Use Kubernetes cluster to scan independently of CI/CD pipelines

🛠️ Tools: Semgrep for SAST, Snyk for SCA, Checkov for IaC

~3.8% FP rate for SAST!

medium.com/revolut/securi…

Jan 23 · 11:00 PM
Scott Piper @0xdabbad00

This is a powerful concept wherein given that Wiz is already scanning disk snapshots for vulnerable libraries and malware, it can also scan for application and OS misconfigurations, including custom checks you create, without a performance impact to the running servers.

Wiz @wiz_io

Say goodbye to tedious config management tasks! Wiz's agentless custom host rules revolutionize the way you manage your infrastructure. No agents or manual commands needed. Create your own rule logic for full coverage across your cloud estate. Learn more: wiz.io/blog/streamlin…

Jan 26 · 7:50 PM
Ian Mckay @iann0036

Wow, global Azure outage? My money is on BGP 👀

Marius Sandbu @msandbu

Updated #azure problems with network outages now in status portal affecting network infrastructure in all regions

Jan 25 · 9:34 AM
Accidentally put 500k maximum wcu for provisioned dynamodb

I messed up and saved a 500k max wcu for provisioned dynamodb setting. I realized it 5 min after and immediately deleted the table. The estimated monthly cost is 278k and hourly 1.5k. Will I get charged for 1.5k even though I deleted the table 5 min later? I think …

AWS IP Ranges update for 2023-01-18 02:43:06
Changed by +128

Added 13.34.89.64/26
Added 13.34.89.128/26
AWS IP Ranges update for 2023-01-18 04:13:06
Changed by +64

Added 13.34.89.192/26