  • [tl;dr sec] #172 - Career Resources, Machine Learning
  • Subscribe to AWS Daily Feature Updates via Amazon SNS
  • Meet the Newest AWS Heroes – March 2023 | Amazon Web Services
  • How a single engineer brought down Twitter on Monday
  • Security Certification Roadmap - Paul Jerimy Media
  • Update detected · z0ph/MAMIP@47e79f4
  • Amazon DynamoDB now supports table deletion protection
  • AWS Architecture Icons (Compute) - 3D prints
  • Top 3 S3 Bucket Security Issues - Check Point Software
  • Prioritizing AWS Vulnerabilities With Sonrai Identity Insights - Security Boulevard


Monday, March 13, 2023

📣 Sponsor

Are overly-permissive access policies keeping you up at night?

Turn risky permissions into streamlined just-in-time (JIT) access.

Keep your developers happy and your security team confident with Sym!

Implement JIT access today >>

🐿 In a nutshell

AWS launched a new feature for users to receive daily updates on releases and updates to AWS via a simple mechanism. By subscribing to the SNS topic using the email protocol, users will receive daily emails with a summary of updates, and a JSON representation of the daily feature updates, including information about changes and additions to managed policies, AWS regions, services, EC2 instance types, VPC endpoints, service quotas, FIPS endpoints, Amazon ElastiCache, AWS Config managed rules, and more.

The content provided in the Daily Feature Updates will grow as new features are added.

Christophe Tafani-Dereeper also shared his findings on VPC Endpoints on GitHub this week, and AWS published many updates to AWS Managed Policies that point to new features for existing services, particularly in GuardDuty.

📊 Poll of the week

Q: A third-party auditor is being brought in to review security processes and configurations for all of a company's AWS accounts. Currently, the company does not use any on-premise identity provider. Instead, they rely on IAM accounts in each of their AWS accounts. The auditor needs read-only access to all AWS resources for each AWS account. Given the requirements, what is the best security method for architecting access for the security auditor?

🗳Answer here

Past week's poll:

Q: To enable end-to-end HTTPS connections from the user's browser to the origin via CloudFront, which of the following options is valid?

Answer: C (8/23 votes)

🙏 Support

If you enjoyed reading our AWS Security Digest newsletter, please help us spread the word by becoming a sponsor for our next edition.

Don't forget to share this newsletter with your colleagues and friends, and follow us on Twitter to stay up-to-date with our latest updates.

Establishing a data perimeter on AWS: Allow only trusted resources from my organization
Laura Reith · Mar 9
Companies that store and process data on Amazon Web Services (AWS) want to prevent transfers of that data to or from locations outside of their company’s control. This is to support security strategies, such as data loss prevention, or to comply with the terms and conditions set forth by various …
2022 H2 IRAP report is now available on AWS Artifact for Australian customers
Patrick Chang · Mar 7
Amazon Web Services (AWS) is excited to announce that a new Information Security Registered Assessors Program (IRAP) report (2022 H2) is now available through AWS Artifact. An independent Australian Signals Directorate (ASD) certified IRAP assessor completed the IRAP assessment of AWS in December 2022. The new IRAP report includes an additional six AWS …
How to use policies to restrict where EC2 instance credentials can be used from
Liam Wadman · Mar 6
March 7, 2023: We’ve added language clarifying the requirement around using VPC Endpoints, and we’ve corrected a typo in the S3 bucket policy example. Today AWS launched two new global condition context keys that make it simpler for you to write policies in which Amazon Elastic Compute Cloud (Amazon EC2) …
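The post above introduces global condition keys that identify which EC2 instance (and VPC) a set of instance-role credentials was issued to, and the update note about VPC Endpoints hints at the tricky part of writing such a Deny: what happens when a condition key is simply absent from the request context. The following toy evaluator is an added example, not AWS's policy engine and not the post's own policy; it assumes the keys `aws:EC2InstanceSourceVPC`, `aws:SourceVpc` and `aws:ViaAWSService`, pins a single constructed VPC id instead of using a policy variable, and models only the IAM operator semantics the statement relies on: a negated operator such as `StringNotEquals` matches when its key is missing (the classic VPC-endpoint lockout), an `...IfExists` operator matches when its key is missing, a positive operator does not, and `Null` tests presence itself.

```python
"""Toy evaluator for a handful of IAM condition operators.

Added example; this is not AWS's policy engine and not the policy from the
blog post above.  It models one detail the post's new condition keys depend
on: what a Deny statement does when a key is ABSENT from the request context.
The VPC id is a constructed placeholder.
"""

TRUSTED_VPC = "vpc-0123456789abcdef0"  # constructed placeholder, not a real VPC

# Deny statement: instance-role credentials used away from the VPC they were
# issued in.  aws:EC2InstanceSourceVPC is present only when the request is
# signed with credentials issued to an EC2 instance, so the Null check keeps
# humans and Lambda functions out of the statement.  aws:SourceVpc is present
# only when the request arrived through a VPC endpoint, which is why the post
# requires endpoints: without one the key is missing and the deny fires.
# Pinning one VPC id (rather than a policy variable) is an assumption of this
# example that keeps the evaluator small.
DENY_MISPLACED_INSTANCE_CREDS = {
    "Null": {"aws:EC2InstanceSourceVPC": "false"},
    "StringNotEquals": {"aws:SourceVpc": TRUSTED_VPC},
    # Do not deny calls an AWS service makes on the instance's behalf.
    "BoolIfExists": {"aws:ViaAWSService": "false"},
}


def _match_one(operator, expected, actual):
    """Match one context value (None when the key is absent) against the
    expected value(s) for a single operator/key pair."""
    expected = expected if isinstance(expected, list) else [expected]
    if operator == "Null":
        want_absent = str(expected[0]).lower() == "true"
        return (actual is None) == want_absent
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if actual is None:
        # Missing key: IfExists and negated operators match, others do not.
        return if_exists or "Not" in base
    if base == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if base == "StringEquals":
        return actual in expected
    if base == "StringNotEquals":
        return actual not in expected
    raise ValueError(f"unsupported operator: {operator}")


def condition_matches(condition, context):
    """A Condition block matches only if every operator and every key under it
    matches (AND); several values for one key are OR'd inside _match_one."""
    return all(
        _match_one(op, expected, context.get(key))
        for op, keys in condition.items()
        for key, expected in keys.items()
    )


def is_denied(context, statements=(DENY_MISPLACED_INSTANCE_CREDS,)):
    """An explicit Deny wins if any Deny statement's condition block matches."""
    return any(condition_matches(cond, context) for cond in statements)


# Constructed request contexts (only the keys this example looks at).
CASES = {
    "instance in its VPC, S3 reached via a gateway endpoint":
        {"aws:EC2InstanceSourceVPC": TRUSTED_VPC, "aws:SourceVpc": TRUSTED_VPC},
    "same credentials replayed from a laptop over the internet":
        {"aws:EC2InstanceSourceVPC": TRUSTED_VPC},
    # Identical context to the laptop case: the policy cannot tell them apart,
    # which is exactly why a VPC endpoint is a hard requirement.
    "instance in its VPC, but S3 reached over the internet (no endpoint)":
        {"aws:EC2InstanceSourceVPC": TRUSTED_VPC},
    "IAM user at a laptop (key absent, so the Null check fails)":
        {},
    "AWS service calling on the instance's behalf":
        {"aws:EC2InstanceSourceVPC": TRUSTED_VPC, "aws:ViaAWSService": "true"},
}

if __name__ == "__main__":
    for label, ctx in CASES.items():
        verdict = "DENY" if is_denied(ctx) else "no match (falls through to Allow)"
        print(f"{verdict:36} {label}")
```

Running it prints one verdict per constructed context. The two cases worth staring at are the third and fourth: an instance talking to S3 without an endpoint looks identical to stolen credentials on a laptop, so the control only works once endpoint use is enforced, and the `Null` check is what stops the same statement from locking out every principal that is not an EC2 instance.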
lakeformation: 2 new actions
Mar 11
2 new actions: GetDataCellsFilter (Grants permission to retrieve a Lake Formation data cell filter), UpdateDataCellsFilter (Grants permission to update a Lake Formation data cell filter)
devops-guru: 1 new condition | 2 updated actions
Mar 11
1 new condition: devops-guru:ServiceNames (Filters access by API to restrict access to given AWS service names); 2 updated actions: ListAnomaliesForInsight (conditions), SearchInsights (conditions)
trustedadvisor: 1 new action
Mar 9
1 new action: DescribeCheckStatusHistoryChanges (Grants permission to view the results and changed statuses for checks in the last 30 days)
Aidan W Steele @__steele

Well this is rather exciting! I’m an AWS Hero now 🎉

Amazon Web Services @awscloud

The #AWS Heroes inspire, uplift, and motivate the global #AWScommunity. 👩‍💻☁️👨‍💻

Today, we’re excited to announce and recognize the newest Heroes in 2023! #CloudComputing 👏 go.aws/3FdjVpw

12 · Mar 09 · 8:52 PM

Scott Piper @0xdabbad00

If you have shell access on an EC2 and want to extract creds, instead of remembering how to get them from the 169.254.169.254 path, recent versions of the AWS CLI allow you to use `aws configure export-credentials --format env`.

46 · Mar 06 · 9:39 PM

Clint Gibler @clintgibler

🗺️ DevSecOps Roadmap

A collection and roadmap for learning #DevSecOps, covering resources and tools for every step of the development process

By @hahwul

github.com/hahwul/DevSecO…

32 · Mar 07 · 5:00 PM

Clint Gibler @clintgibler

🚨Security Career Resource Thread 🚨

1️⃣ 2️⃣ resources to break into the field or take your career to the next level 👇

#infosec #cybersecurity #security

30 · Mar 08 · 5:00 PM

Ben Kehoe @ben11kehoe

Well well well, if it isn't Mr. Privatize The Gains here to socialize the losses

David Sacks @DavidSacks

Where is Powell? Where is Yellen? Stop this crisis NOW. Announce that all depositors will be safe. Place SVB with a Top 4 bank. Do this before Monday open or there will be contagion and the crisis will spread.

9 · Mar 10 · 11:17 PM

Ben Kehoe @ben11kehoe

The reason to point out VC hypocrisy asking for a bailout is not to say they shouldn't get it—it's to say that the next time they argue against regulation that would keep this from happening (but prevent them from lining their pockets), they shouldn't succeed

14 · Mar 11 · 2:03 AM

rowan @elrowan

awsiamguide.com v1.0 is out! Even though it's self published, it definitely wasn't a solo effort... 😅

Thanks to all these great people who helped me:

19 · Mar 07 · 10:35 AM

rami @ramimacisabird

👓 Here's a detailed look at implementing Region & Service allowlisting in AWS: ramimac.me/aws-allowlisti…

Check out the post for a complete walkthrough of the careful roll out of this sort of control, and ways I shot myself in the🦶

10 · Mar 07 · 9:37 PM

Scott Piper @0xdabbad00

😍 This "How to" is introducing a new capability on AWS! This appears to be roughly the equivalent of the benefits of enforcing IMDSv2, but possibly less of the usability pain of the access denieds.

AWS Blog Unofficial. @AWSBlogUnreal

The AWS Security, Identity & Compliance Blog #AWSSecurity
aws.amazon.com/blogs/security…
By: Liam Wadman and Josh Levinson*

10 · Mar 06 · 6:59 PM

Steven Bryen @steven_bryen

I’m happy to share that I’m starting a new position as Director of Engineering Experience @oxbotica

Very excited to be joining an innovative, growing organisation with an exciting mission 🚀

0 · Mar 07 · 5:23 PM
CloudFormation or Terraform

I work as an AWS data engineer and presently use CloudFormation for most of our deployments. Recently one of my friends mentioned Terraform and told me that it's better if I learn Terraform as it's multi-cloud. I am planning to continue to work on AWS for at least …

  • 🖊️ Don't miss out on the latest industry insights - stay ahead of the game by subscribing
  • 📢 Gain visibility for your brand by sponsoring our content
  • 💌 If you have any suggestions for future topics, let us know