[tl;dr sec] #171 - AppSec and CloudSec Resilience, Audit Logs Wall of Shame • How to set up least privilege access to your encrypted Amazon SQS queue • Three ways to boost your email security and brand reputation with AWS • Considerations for the security operations center in the cloud: deployment using AWS security services • AWS Melbourne Region has achieved HCF Strategic Certification • securityhub: 2 new actions | 2 updated actions • controltower: 9 new actions • snowball: 1 new action • fwd:cloudsec 2023 • Signed Commits


Monday, 6 March 2023

📣 Sponsor

Want to find & fix excess AWS IAM permissions easily and prove to your boss that your policy improvements worked… without help from experts?

Now you can simplify entitlement management in your org and scale out to app & cloud teams using k9’s cloud access management toolkit (CAMT).

Quickly understand what IAM users/roles can do with your APIs & data, then use k9 infra code to generate least privilege security policies for your intended access.

Start scaling IAM for free!

🐿 In a nutshell

LastPass has released additional details about the second cyber attack on its infrastructure that occurred between August 12, 2022, and October 26, 2022.

The attackers leveraged information stolen during the first attack, as well as a third-party data breach and a vulnerability in a third-party media software package to launch the coordinated attack. The attack targeted LastPass' cloud storage environment, which contained encrypted backups of customer data, and the threat actor was able to access it by obtaining AWS Access Keys and LastPass-generated decryption keys.

LastPass is taking several measures to contain and recover from the incident, and customers may need to take specific actions to protect themselves.

📊 Poll of the week

Q: To enable end-to-end HTTPS connections from the user's browser to the origin via CloudFront, which of the following options is valid?

🗳Answer here

Past week poll:

Q: Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance. Which of these options would allow you to encrypt your data at rest?

Answer: D (25/28 votes) 🎉

🙏 Support

Did you find the AWS Security Digest newsletter enjoyable to read?

If so, why not support our next edition by becoming a sponsor?

Additionally, please feel free to share our newsletter with your friends and follow us on Twitter.

How to set up least privilege access to your encrypted Amazon SQS queue
Ahmed Bakry · Mar 3
Amazon Simple Queue Service (Amazon SQS) is a fully-managed message queueing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. Amazon SQS provides authentication mechanisms so that you can control who has access to the queue. It also provides encryption in transit with HTTP over …
Three ways to boost your email security and brand reputation with AWS
Michael Davie · Mar 2
If you own a domain that you use for email, you want to maintain the reputation and goodwill of your domain’s brand. Several industry-standard mechanisms can help prevent your domain from being used as part of a phishing attack. In this post, we’ll show you how to deploy three of …
Considerations for the security operations center in the cloud: deployment using AWS security services
Stuart Gregg · Mar 1
Welcome back. If you’re joining this series for the first time, we recommend that you read the first blog post in this series, Considerations for security operations in the cloud, for some context on what we will discuss and deploy in this blog post. In the earlier post, we talked …
AWS Melbourne Region has achieved HCF Strategic Certification
Lori Klaassen · Feb 27
Amazon Web Services (AWS) is delighted to confirm that our new AWS Melbourne Region has achieved Strategic Certification for the Australian Government’s Hosting Certification Framework (HCF). We know that maintaining security and resiliency to keep critical data and infrastructure safe is a top priority for the Australian Government and all …
securityhub: 2 new actions | 2 updated actions
Mar 4
2 new actions: BatchGetSecurityControls (Grants permission to get details about specific security controls identified by ID or ARN), ListStandardsControlAssociations (Grants permission to list the enablement status of a security control in standards); 2 updated actions: BatchGetStandardsControlAssociations (dependents), BatchUpdateStandardsControlAssociations (dependents)
controltower: 9 new actions
Mar 3
9 new actions: DeleteLandingZone (Grants permission to delete AWS Control Tower landing zone), DescribeLandingZoneConfiguration (Grants permission to describe the current Landing Zone configuration), DescribeRegisterOrganizationalUnitOperation (Grants permission to describe a Register Organizational Unit Operation), GetAccountInfo (Grants permission to describe an account email and validate that it exists), GetLandingZoneDriftStatus (Grants permission to …
snowball: 1 new action
Mar 3
1 new action: ListServiceVersions (Grants permission to list all supported versions for Snow on-device services)
Aidan W Steele @__steele

Attn: folks who use AWS SAM from GitHub Actions. An extremely welcome change has landed in aws-actions/setup-sam@v2:

You can now pass `with-installer: true` to install SAM directly, bypassing pip. Reduces installation time from 30s+ to 3s.

16 · Mar 01 · 11:57 PM
Colm MacCárthaigh @colmmacc

What else should have a "FOR USE BY COMPETENT PERSONS ONLY" warning on it.

12 · Mar 05 · 2:38 AM
Clint Gibler @clintgibler

💪 How to Achieve Application & Cloud Security Resilience

* Security scanning types
* Where to perform comprehensive vs targeted scans
* Building a high quality detection set
* The art of root cause analysis
* Useful metrics

By @jameschiapet #appsec

betterappsec.com/how-to-scale-a…

16 · Feb 27 · 7:00 PM
Clint Gibler @clintgibler

🌶️ Audit Logs Wall of Shame

A list of vendors that don’t prioritize high-quality, widely-available audit logs for security and operations teams

Hopefully it influences some companies in the right direction 👀

audit-logs.tax

15 · Mar 03 · 5:00 PM
Christophe Tafani-Dereeper @christophetd

Solid analysis of a real-world AWS attack, although misleading on why IMDSv1 is an issue: sysdig.com/blog/cloud-bre…

My analysis: infosec.exchange/@christophetd/…

9 · Mar 01 · 9:16 AM
rowan @elrowan

I've finally sent out v1.0 of the awsiamguide.com to all the people who bought the draft! They’ve been very patient with me 😊

So many more things I wanted to include, but just had to ship. At least with self-publishing I can always go back and add to it later 📕

7 · Mar 03 · 4:15 AM
Ben Kehoe @ben11kehoe

Tell me you're out of cash without telling me you're out of cash

Zoë Schiffer @ZoeSchiffer

NEW: Elon Musk just announced Twitter will be making significant performance-based stock and compensation awards for remaining employees.

4 · Feb 28 · 7:11 PM
Scott Piper @0xdabbad00

AWS SDK update:
"This release allows IMDS support to be set to v2-only on an existing AMI, so that all future instances launched from that AMI will use IMDSv2 by default." 😍 github.com/aws/aws-sdk-go…

4 · Feb 28 · 8:51 PM
Aidan W Steele @__steele

Oh no. Missy has worked out how to operate the standing desk motor control and now knows she can get my attention 100% of the time by lowering the desk onto my lap 😅😂

0 · Feb 27 · 11:03 PM
rowan @elrowan

It took 2 and a bit years to write awsiamguide.com, and I have learnt so many ways NOT to write a book… maybe I should write a book about it 🤔

Wait, no... that’s how it ended up taking so long in the first place 🤦‍♂️

4 · Mar 04 · 10:32 AM
AWS Employees - How can I give a kudos to an AWS Support engineer that was really helpful with an issue.

I do not want to bore you with the details, but I ran into an issue with some of my AWS accounts regarding SSO and Permission Sets. This support engineer was super helpful in working with internal AWS resources to come up with a resolution to my issue(s).

How can …

AWS IP Ranges update for 2023-02-22 13:43:08
Changed by +5248

Added 96.0.136.0/21
Added 96.0.144.0/21
Added 96.0.152.0/22
Added 13.34.92.64/26
Added 13.34.92.128/26

AWS IP Ranges update for 2023-02-22 15:13:06
Changed by +48

Added 142.4.161.64/27
Added 142.4.161.56/29
Added 142.4.161.96/29