📣 Sponsor
How many rogue AWS accounts do you have?
Find out with a free trial of Nudge Security. In minutes, you’ll have a full inventory of all AWS accounts ever created by anyone (even past employees).
Get alerted as new accounts are spun up, and use automated workflows to enroll them in cloud governance orgs so you can maintain security controls.
Don’t wait for your next monthly bill, or worse, a hacker to discover rogue or abandoned accounts.
Start a free trial now.
🐿 In a nutshell
AWS has revised the AWSCompromisedKeyQuarantineV2 managed policy, the policy AWS attaches to IAM principals when their credentials are publicly exposed (for example, in a public Git repository). To safeguard against expensive modifications to your AWS account, the following actions have been added to it:
- ec2:PurchaseReservedInstancesOffering
- ec2:AcceptReservedInstancesExchangeQuote
- ec2:CreateReservedInstancesListing
- savingsplans:CreateSavingsPlan
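An added example (not AWS tooling or the newsletter's own code) that checks whether a quarantine-style policy document denies the four actions listed above, honouring IAM's case-insensitive `*`/`?` action wildcards so a pattern such as `savingsplans:*` counts as coverage. The sample policy is constructed for illustration; in a live account you would feed it the document returned by boto3's `iam.get_policy_version(...)["PolicyVersion"]["Document"]`, which is an assumption about your tooling, not something the newsletter describes.

```python
import fnmatch
import json

# Actions the newsletter says were added to AWSCompromisedKeyQuarantineV2.
NEW_DENIED_ACTIONS = [
    "ec2:PurchaseReservedInstancesOffering",
    "ec2:AcceptReservedInstancesExchangeQuote",
    "ec2:CreateReservedInstancesListing",
    "savingsplans:CreateSavingsPlan",
]

def _as_list(value):
    """IAM lets Statement, Action and Resource be a string or a list."""
    return value if isinstance(value, list) else [value]

def deny_patterns(policy):
    """Action patterns from every Deny statement that applies to Resource '*'.
    Simplification: NotAction / NotResource and Condition blocks are ignored."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns

def action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_denies(policy, required=NEW_DENIED_ACTIONS):
    """Return the required actions that no Deny pattern in the policy covers."""
    patterns = deny_patterns(policy)
    return [a for a in required
            if not any(action_matches(p, a) for p in patterns)]

# Constructed sample (not the real managed policy text): an older quarantine-style
# document that already denies savingsplans:* but none of the EC2 reservation actions.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny",
                 "Action": ["iam:CreateUser", "savingsplans:*", "ec2:RunInstances"],
                 "Resource": "*"}]
}""")

if __name__ == "__main__":
    print(missing_denies(SAMPLE_POLICY))
```

Run against each policy version you keep on file (for example, the copies MAMIP snapshots) to see which ones predate the change.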
🔦 Highlight of the week
📢 MAMIP (Monitor AWS Managed IAM Policies)
Policies changed since last week:
- AWSCompromisedKeyQuarantineV2
- AWSGrafanaWorkspacePermissionManagement
- AWSPurchaseOrdersServiceRolePolicy
- AWSSecurityHubServiceRolePolicy
- AWSServiceRoleForImageBuilder
- AWSSupportServiceRolePolicy
- AmazonRDSFullAccess
- AmazonRDSReadOnlyAccess
- ReadOnlyAccess
📊 Poll of the week
Q: An AWS customer is deploying a web application that is composed of a front-end running on Amazon EC2 and of confidential data that is stored on Amazon S3. The customer's security policy requires that all access operations to this sensitive data be authenticated and authorized by a centralized access management system that is operated by a separate security team. In addition, the web application team that owns and administers the EC2 web front-end instances is prohibited from having any ability to access the data that circumvents this centralized access management system.
Last week's poll:
Q: A third-party auditor is being brought in to review security processes and configurations for all of a company's AWS accounts. Currently, the company does not use any on-premises identity provider. Instead, they rely on IAM accounts in each of their AWS accounts. The auditor needs read-only access to all AWS resources for each AWS account. Given the requirements, what is the best security method for architecting access for the security auditor?
Answer: C (18/21 votes) 🎉
🙏 Support
If you enjoyed reading our AWS Security Digest newsletter, please help us spread the word by becoming a sponsor for our next edition.
Don't forget to share this newsletter with your colleagues and friends, and follow us on Twitter to stay up-to-date with our latest updates.


Repeat after me: S3 is not a filesystem. S3 objects are not files. I will not think about S3 semantics in terms of files.


AWS just released mountpoint - an open source high-throughput file client for S3. Written in Rust!
github.com/awslabs/mountp…



"IMDSv2 enabled by default" 😍😍😍

Announcing Amazon Linux 2023
Today, we are announcing the general availability of Amazon Linux 2023 (AL2023), our new Linux-based operating system for AWS that is designed to provide a secure, stable, high-performance environment to develop and run... aws.amazon.com/about-aws/what…



For those redacting AWS account IDs from public posts, if you wish to keep those secret (there is debatable value in doing so), remember to redact access keys (including role session keys), due to `aws sts get-access-key-info`. You should also avoid bucket names.



Thinking about S3 using file concepts is going to mislead you about the semantics of the API, and you will end up making the wrong assumptions and being sad when your system is always slightly broken because those assumptions don't hold.



🔐 End-to-end encryption through Kafka
How to easily set up end-to-end encryption for your data flowing through Kafka, from many producers all the way to end consumers
By @Ockam
docs.ockam.io/guides/example…



New cloud security research! We found a method to bypass CloudTrail logging for both read AND write API actions in AWS Service Catalog! In addition, we also reported an issue with a lack of CloudTrail logging in AWS Control Tower. securitylabs.datadoghq.com/articles/bypas…



👀 A Deeper Look at Modern SAST Tools
@jrozner compares CodeQL and Semgrep as a vulnerability researcher, including licensing, tooling, language support, and automatic fixes
goingbeyondgrep.com/posts/a-deeper…



I definitely need to up my Cognito skills - thanks @theburningmonk for such a great example! twitter.com/theburningmonk…

Check out my new post!
Passwordless Authentication Made Easy with Cognito: a Step-by-Step Guide, including working demo and complete source code for both frontend and backend.
#aws #security #serverless
theburningmonk.com/2023/03/passwo…



Always a good week when you end up in tl;dr sec - go check it out for the security news, stay for the jokes

📚 tl;dr sec 173
With great work from:
@Ockam, @redcanary, @jrozner, @GHSecurityLab, @Ossillate_inc, @pdiscoveryio, @ramimacisabird, @wiz_io, @slashben81, @AlexFurmansky, @adamshostack, @swyx, @DanielMiessler, @InvestiAnalyst
and more!
tldrsec.com/blog/tldr-sec-…


I know there are some services in AWS that are known to be kind of failed or not good in a general sense. I’m thinking of things like AppMesh where the road map is obviously frozen and the community at large uses other things (istio, Kong, glue, etc.). What are …
- 🖊️ Don't miss out on the latest industry insights - stay ahead of the game by subscribing
- 📢 Gain visibility for your brand by sponsoring our content
- 💌 If you have any suggestions for future topics, let us know