Also in this issue:
  • SRE Weekly Issue #359
  • [tl;dr sec] #168 - GCP and Azure Storage Threat Models, macOS Security
  • AWS Notification Message
  • Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console | Datadog Security Labs
  • Join the Rhino Security Labs Discord Server!
  • 📚 FREE Offensive Security & Reverse Engineering Course by @binaryz0ne (#infosec #cybersecurity #pentesting): slides and labs at github.com/ashemery/explo…, videos at youtube.com/playlist?list=…, site at exploitation.ashemery.com
  • Guide to Container Management on AWS - Trend Micro
  • S&P Global and AWS to Pioneer Next Generation Technology for ... - S&P Global Investor Relations
  • AWS IP Ranges update for 2023-02-01 21:43:07
  • AWS IP Ranges update for 2023-02-02 01:43:08


Monday, February 13, 2023

📣 Sponsor

Struggling to understand what access people have via AWS Identity Center (SSO)?

We feel your pain…

See what SSO users/groups are effectively admins and which IAM roles they can use with k9’s new Identity Center reporting.

This data is also available in CSV so that you can integrate with your other data in Splunk, Datadog, and Athena.

Start fixing your IAM problems today!

🐿 In a nutshell

Hey Folks,

I hope you enjoyed your weekend!

A recent security report by my friend Christophe @ Datadog revealed a vulnerability in the AWS Console that let malicious actors bypass the login rate limits, opening the door to unauthorized access.

AWS fixed the issue in response to the report. Before the fix, the vulnerability would have allowed attackers to brute-force access to an IAM user using well-known password lists.

The report is a reminder of how important continuous security monitoring is, and of the need to stay vigilant against such threats using CloudTrail and the alerting built on top of it.

📊 Poll of the week

Q: An application team is designing a solution with two applications. The security team wants the applications' logs to be captured in two different places, because one of the applications produces logs with sensitive data. What solution meets the requirement with the LEAST risk and effort?

🗳Vote here

Past week's poll:

Q: From AWS Cert Security Exam sample: A Security Engineer has been informed that a user’s access key has been found on GitHub. The Engineer must ensure that this access key cannot continue to be used, and must assess whether the access key was used to perform any unauthorized activities. What steps must be taken to perform these tasks?

Answer: C (23/30 votes)
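Both the Datadog finding above (repeated failed logins against one IAM user) and the leaked-access-key question come down to reading CloudTrail. The script below is an added example, not code from the newsletter, Datadog or AWS: it runs two triage checks over constructed sample CloudTrail records (trimmed to the fields the checks read), flagging users with a burst of failed ConsoleLogin events and listing every API call signed with a given access key. The key id and IP addresses are placeholders.

```python
"""Offline triage of CloudTrail records for the two situations in this issue:
failed-login storms against an IAM user, and activity by a leaked access key.
Constructed sample records, not real CloudTrail output; only the fields the
checks read are present (real records carry many more)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _login(ts, user, ok, ip):
    # Shape of a CloudTrail ConsoleLogin record (constructed, trimmed).
    return {"eventTime": ts, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"}}


def _api(ts, key_id, source, name, ip):
    # Shape of a CloudTrail API-call record signed with an access key (constructed, trimmed).
    return {"eventTime": ts, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                             "accessKeyId": key_id}}


# Constructed sample: six failed logins for "alice" inside ninety seconds,
# two stray failures for "bob", then API calls from a placeholder access key.
LEAKED_KEY = "AKIAEXAMPLEKEY000001"  # placeholder id, not a real key
SAMPLE_RECORDS = [
    _login("2023-02-06T17:00:00Z", "alice", False, "203.0.113.10"),
    _login("2023-02-06T17:00:15Z", "alice", False, "203.0.113.10"),
    _login("2023-02-06T17:00:30Z", "alice", False, "203.0.113.10"),
    _login("2023-02-06T17:00:45Z", "alice", False, "203.0.113.10"),
    _login("2023-02-06T17:01:00Z", "alice", False, "203.0.113.10"),
    _login("2023-02-06T17:01:15Z", "alice", False, "203.0.113.10"),
    _login("2023-02-06T17:02:00Z", "alice", True, "203.0.113.10"),
    _login("2023-02-06T09:10:00Z", "bob", False, "198.51.100.7"),
    _login("2023-02-06T15:40:00Z", "bob", False, "198.51.100.7"),
    _api("2023-02-07T02:11:03Z", LEAKED_KEY, "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.200"),
    _api("2023-02-07T02:11:09Z", LEAKED_KEY, "s3.amazonaws.com", "ListBuckets", "198.51.100.200"),
    _api("2023-02-07T02:12:40Z", LEAKED_KEY, "iam.amazonaws.com", "CreateUser", "198.51.100.200"),
    _api("2023-02-07T08:00:00Z", "AKIAEXAMPLEKEY000002", "s3.amazonaws.com", "GetObject", "10.0.4.12"),
]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def failed_console_logins(records, window=timedelta(minutes=5), threshold=5):
    """Map userName -> total failed ConsoleLogin count for every user that has
    at least `threshold` failures inside some sliding `window`."""
    failures = defaultdict(list)
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        user = r.get("userIdentity", {}).get("userName", "<unknown>")
        failures[user].append(parse_time(r["eventTime"]))

    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = len(times)
                break
    return flagged


def events_for_access_key(records, access_key_id):
    """Chronological (eventTime, eventSource, eventName, sourceIPAddress) for
    every call signed with `access_key_id`: the trail to review after a key
    leaks, alongside deactivating the key itself."""
    hits = [(r["eventTime"], r.get("eventSource", ""), r.get("eventName", ""),
             r.get("sourceIPAddress", ""))
            for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    return sorted(hits)


if __name__ == "__main__":
    print("password-guessing suspects:", failed_console_logins(SAMPLE_RECORDS))
    for ev in events_for_access_key(SAMPLE_RECORDS, LEAKED_KEY):
        print(*ev)
```

On real data, feed the records from CloudTrail Lake, Athena over the S3 trail, or the LookupEvents API; the threshold and window are the knobs to tune against your own login baseline, and a single success following a burst of failures is the record worth paging on.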

Updated ebook: Protecting your AWS environment from ransomware
Megan O'Neil · Feb 10
Amazon Web Services is excited to announce that we’ve updated the AWS ebook, Protecting your AWS environment from ransomware. The new ebook includes the top 10 best practices for ransomware protection and covers new services and features that have been released since the original published date in April 2020. We …
Improve security of Amazon RDS master database credentials using AWS Secrets Manager
Vinod Santhanam · Feb 9
Amazon Relational Database Service (Amazon RDS) makes it simpler to set up, operate, and scale a relational database in the AWS Cloud. AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, API keys, and other secrets. Amazon RDS now offers integration with Secrets Manager to manage master database credentials. You no longer have to manage …
The anatomy of ransomware event targeting data residing in Amazon S3
Megan O'Neil · Feb 6
Ransomware events have significantly increased over the past several years and captured worldwide attention. Traditional ransomware events affect mostly infrastructure resources like servers, databases, and connected file systems. However, there are also non-traditional events that you may not be as familiar with, such as ransomware events that target data stored …
iotfleetwise: 2 new actions
Feb 11
2 new actions: BatchCreateVehicle (Grants permission to create a batch of vehicles), BatchUpdateVehicle (Grants permission to update a batch of vehicles)
autoscaling: 1 new action
Feb 11
1 new action: RollbackInstanceRefresh (Grants permission to rollback an instance refresh operation in progress)
glue: 4 updated actions
Feb 11
4 updated actions: CreateBlueprint (resources), CreateJob (resources), CreateTrigger (resources), CreateWorkflow (resources)
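New actions matter to defenders because any Allow statement written with a wildcard picks them up the day they ship, with no policy change to review. The script below is an added example (not from the newsletter or AWS): it takes the three actions released this week and reports which statements in a set of constructed sample policies match them through a wildcard, using the same case-insensitive `*`/`?` matching IAM applies to action names. The policy names and Sids are placeholders; statements that use NotAction are not evaluated.

```python
"""Find IAM policy statements that pick up newly released actions through
wildcards. Constructed sample policies; the action names are the ones AWS
released in this issue."""
import re

# Actions added this week (from the issue).
NEW_ACTIONS = [
    "iotfleetwise:BatchCreateVehicle",
    "iotfleetwise:BatchUpdateVehicle",
    "autoscaling:RollbackInstanceRefresh",
]

# Constructed sample policy documents (placeholder names, not real policies).
SAMPLE_POLICIES = {
    "FleetWiseAdmin": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAllFleetWise", "Effect": "Allow",
         "Action": "iotfleetwise:*", "Resource": "*"}]},
    "AsgOperator": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadAsg", "Effect": "Allow",
         "Action": ["autoscaling:Describe*"], "Resource": "*"},
        {"Sid": "ManageRefresh", "Effect": "Allow",
         "Action": ["autoscaling:StartInstanceRefresh", "autoscaling:Rollback*"],
         "Resource": "*"}]},
    "GlueReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadGlue", "Effect": "Allow",
         "Action": ["glue:Get*", "glue:List*"], "Resource": "*"}]},
    "FleetWiseGuardrail": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyBatchWrites", "Effect": "Deny",
         "Action": "iotfleetwise:Batch*", "Resource": "*"}]},
}


def _as_list(value):
    """IAM accepts either a single string or a list in Action and Statement."""
    return value if isinstance(value, list) else [value]


def iam_pattern_to_regex(pattern):
    """IAM action matching: case-insensitive, '*' matches any run of
    characters, '?' matches one character, nothing else is special."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def statements_matching(policy, action):
    """(Sid, Effect, pattern) for each statement whose Action matches `action`.
    NotAction statements are skipped; they need a manual look."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        for pattern in _as_list(stmt.get("Action", [])):
            if iam_pattern_to_regex(pattern).match(action):
                hits.append((stmt.get("Sid", "<no Sid>"), stmt.get("Effect"), pattern))
                break
    return hits


def new_action_exposure(policies, new_actions):
    """Map action -> [(policy name, Sid, Effect, pattern)] for every new action
    that a wildcard pattern matches. Exact-name matches are skipped, since
    someone wrote those deliberately. Deny matches are reported as well: they
    show a guardrail that already covers the new action."""
    report = {}
    for action in new_actions:
        for name, doc in policies.items():
            for sid, effect, pattern in statements_matching(doc, action):
                if "*" in pattern or "?" in pattern:
                    report.setdefault(action, []).append((name, sid, effect, pattern))
    return report


if __name__ == "__main__":
    for action, hits in new_action_exposure(SAMPLE_POLICIES, NEW_ACTIONS).items():
        for name, sid, effect, pattern in hits:
            print(f"{action}: {effect} via {name}/{sid} ({pattern})")
```

In practice the policy documents come from `iam:GetPolicyVersion` across the account (or from the IaC repository), and the report is worth running each time this digest lists new actions for a service you use.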
Clint Gibler @clintgibler

📓 130+ page Threat Model of #Azure Storage

Covers:
1. Best practices (best security/effort ratio)
2. Implementing controls based on your risk tolerance
3. Understanding threats related to a specific feature class

By @trustoncloud

#cloudsecurity

trustoncloud.com/the-last-azure…

77 · Feb 10 · 5:00 PM
Christophe Tafani-Dereeper @christophetd

I found a vulnerability in the login rate limiting algorithm of the AWS Console that made it possible to continuously brute-force 280 passwords per minute (4.6/second) on a single IAM user without getting blocked

securitylabs.datadoghq.com/articles/aws-c…

Now remediated by AWS, only IAM users without MFA

54 · Feb 06 · 5:59 PM
Ben Kehoe @ben11kehoe

I realize I'll never win this battle, but we should stop calling it "infrastructure". It's no longer "infra" (below). It's not something your application is deployed "onto". You have a graph of resources, some (as few as possible) of which have custom code attached.

17 · Feb 07 · 8:37 PM
Aidan W Steele @__steele

New thing: automatic CloudWatch log forwarding across multiple AWS accounts and regions.

No Lambda functions that need maintenance. Just a Kinesis Firehose delivery stream, a Step Function state machine, some EventBridge rules and IAM roles.

github.com/aidansteele/ce…

11 · Feb 13 · 12:34 AM
Scott Piper @0xdabbad00

Confirmation from AWS of ransomware events targeting data in S3.
Generally good advice but recommending MFA delete in 2023 is bad advice, as it requires the root account (via an access key) to enable it, and the MFA delete functionality can only be used by IAM Users.

AWS Blog Unofficial. @AWSBlogUnreal

The AWS Security, Identity & Compliance Blog #AWSSecurity
aws.amazon.com/blogs/security…
By: Megan O'Neil, Kyle Dickinson and Karthik Ram

18 · Feb 06 · 8:56 PM
Brad Geesaman @bradgeesaman

Guess who gets to co-present with @mauilion @IanColdwater and @raesene at KubeCon EU?

I am beyond excited to talk about “Malicious Compliance: Reflections on Trusting Container Scanners” with the best geese in the biz. See you all in Amsterdam!

kccnceu2023.sched.com/event/05d730c6…

10 · Feb 09 · 12:07 PM
Scott Piper @0xdabbad00

The Wiz State of the Cloud report is out! @AmitaiCo and I put this together using Wiz's visibility to provide some stats. wiz.io/lp/state-of-th…

13 · Feb 07 · 5:09 AM
Christophe Tafani-Dereeper @christophetd

I'll be in Amsterdam this year for my first KubeCon, presenting with @diegocomas how to secure and attack managed Kubernetes environments!

kccnceu2023.sched.com/event/1HyZm/mi…

6 · Feb 09 · 9:11 AM
Matt Fuller @matthewdfuller

I just built a new GitHub Actions deployment pipeline to AWS using OIDC, and wow, it’s so much nicer than dealing with access keys (a bit late to the party, I know).

3 · Feb 10 · 5:37 AM
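OIDC removes the long-lived access key, but the role's trust policy now decides who can assume it, and a trust policy without a pinned `aud` and `sub` lets any GitHub repository in the world use the role. The checker below is an added example, not Matt's pipeline or anything from AWS or GitHub: it lints a GitHub OIDC trust policy for exactly those two conditions, using three constructed policies (weak, org-wide, hardened) with a placeholder account id and repository names.

```python
"""Lint an IAM role trust policy that lets GitHub Actions assume the role via
OIDC. Constructed sample policies with placeholder account and repository
names; the checks encode the two conditions that have to be present."""

GITHUB_ISSUER = "token.actions.githubusercontent.com"
ACCOUNT = "123456789012"  # placeholder account id
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:oidc-provider/{GITHUB_ISSUER}"


def _trust(condition):
    # Constructed trust policy skeleton; only the Condition block varies.
    stmt = {"Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Weak: any token GitHub issues, for any repository, can assume the role.
WEAK_TRUST_POLICY = _trust(None)
# Org-wide: audience pinned, but every repository in the org qualifies.
ORG_WIDE_TRUST_POLICY = _trust({
    "StringEquals": {f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GITHUB_ISSUER}:sub": "repo:example-org/*"}})
# Hardened: audience pinned, one repository, one branch.
HARDENED_TRUST_POLICY = _trust({
    "StringEquals": {
        f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com",
        f"{GITHUB_ISSUER}:sub": "repo:example-org/example-app:ref:refs/heads/main"}})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_values(stmt, key):
    """Values of `key` across every condition operator (StringEquals, StringLike, ...)."""
    values = []
    for pairs in stmt.get("Condition", {}).values():
        if key in pairs:
            values.extend(_as_list(pairs[key]))
    return values


def _is_github_oidc_statement(stmt):
    principal = stmt.get("Principal", {})
    federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow"
            and "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action", []))
            and any(f.endswith("oidc-provider/" + GITHUB_ISSUER) for f in federated))


def audit_github_oidc_trust(policy):
    """Return a list of findings; an empty list means the policy passes these checks."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not _is_github_oidc_statement(stmt):
            continue
        where = f"statement {idx}"
        aud = _condition_values(stmt, f"{GITHUB_ISSUER}:aud")
        if aud != ["sts.amazonaws.com"]:
            findings.append(f"{where}: aud is not pinned to sts.amazonaws.com (got {aud})")
        subs = _condition_values(stmt, f"{GITHUB_ISSUER}:sub")
        if not subs:
            findings.append(f"{where}: no sub condition, any GitHub repository can assume this role")
        for sub in subs:
            # GitHub's sub claim: repo:<owner>/<repo>:<ref ...|environment:<name>|pull_request>
            parts = sub.split(":")
            repo = parts[1] if len(parts) > 1 and parts[0] == "repo" else ""
            if not repo or "*" in repo or "?" in repo:
                findings.append(f"{where}: sub does not pin a single repository: {sub}")
            elif len(parts) < 3 or "*" in ":".join(parts[2:]):
                findings.append(f"{where}: sub {sub} admits any branch, tag, PR or environment of the repository")
    return findings


if __name__ == "__main__":
    for name, pol in [("weak", WEAK_TRUST_POLICY), ("org-wide", ORG_WIDE_TRUST_POLICY),
                      ("hardened", HARDENED_TRUST_POLICY)]:
        print(name, audit_github_oidc_trust(pol) or ["ok"])
```

The branch-level finding is deliberately softer than the repository one: `repo:org/app:*` is a common and sometimes acceptable choice for a non-production role, whereas a missing or org-wide `sub` turns the role into something any repository's workflow can assume.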
  • 🖊️ Don't miss out on the latest industry insights - stay ahead of the game by subscribing
  • 📢 Gain visibility for your brand by sponsoring our content
  • 💌 If you have any suggestions for future topics, let us know