AWS Security Digest, Monday March 20, 2023

  • [tl;dr sec] #173 - What Software Will Be Post GPT-4, the Cybersecurity Landscape
  • AWS Notification Message
  • Application Auto Scaling - 2 updated methods
  • AWS Data Exchange - 6 updated methods
  • Amazon Elastic Compute Cloud - 3 updated methods
  • New AWS Security Blog homepage
  • How to use Google Workspace as an external identity provider for AWS IAM Identity Center
  • mobilehub: 23 new actions, 1 new resource
  • apprunner: 4 new actions, 1 new resource
  • chatbot: 11 new actions

📣 Sponsor

How many rogue AWS accounts do you have?

Find out with a free trial of Nudge Security. In minutes, you’ll have a full inventory of all AWS accounts ever created by anyone (even past employees).

Get alerted as new accounts are spun up, and use automated workflows to enroll them in cloud governance orgs so you can maintain security controls.

Don’t wait for your next monthly bill, or worse, a hacker to discover rogue or abandoned accounts.

Start a free trial now.

🐿 In a nutshell

AWS has revised the AWSCompromisedKeyQuarantineV2 managed policy, the deny policy AWS attaches to an IAM principal whose credentials have been publicly exposed (for example, committed to a public Git repository). To prevent a compromised key from being used for expensive, long-term commitments in your account, the following actions have been added to the policy's denied actions:

  • ec2:PurchaseReservedInstancesOffering
  • ec2:AcceptReservedInstancesExchangeQuote
  • ec2:CreateReservedInstancesListing
  • savingsplans:CreateSavingsPlan
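To confirm that a deny policy you control (a Service Control Policy, or your own copy of the quarantine policy) actually covers these four actions, here is an added Python example; it is not AWS's code. The policy document embedded in it is a constructed stand-in shaped like the quarantine policy, and a real document fetched with iam:GetPolicyVersion can be passed to check_denied_actions() in its place. It compares Action and NotAction patterns only; Resource and Condition elements are ignored, which is fine for a quarantine-style policy whose statements use Resource "*".

```python
"""Check that an IAM deny policy covers a list of expected actions.

Added example, not AWS's code. SAMPLE_POLICY_JSON is a constructed
policy; replace it with the real document from iam:GetPolicyVersion.
"""
import fnmatch
import json

# Constructed sample: one Deny statement (with a wildcard) and one Allow
# statement, to show that only Deny statements count.
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:AcceptReservedInstancesExchangeQuote",
                "savingsplans:*",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",  # an Allow never satisfies the check
            "Action": ["ec2:CreateReservedInstancesListing"],
            "Resource": "*",
        },
    ],
})

# The four actions the digest says were added to the quarantine policy.
EXPECTED_DENIED = [
    "ec2:PurchaseReservedInstancesOffering",
    "ec2:AcceptReservedInstancesExchangeQuote",
    "ec2:CreateReservedInstancesListing",
    "savingsplans:CreateSavingsPlan",
]


def _as_list(value):
    """IAM accepts a single string/object or a list for most elements."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def deny_patterns(policy_json: str):
    """Yield (action_pattern, exclusions) for every Deny statement.

    A NotAction deny is modelled as a blanket '*' deny with exclusions.
    """
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            yield "*", _as_list(stmt["NotAction"])
        else:
            for pattern in _as_list(stmt.get("Action")):
                yield pattern, []


def _matches(action: str, pattern: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied(action: str, policy_json: str) -> bool:
    """True if some Deny statement's Action/NotAction covers the action."""
    for pattern, exclusions in deny_patterns(policy_json):
        if _matches(action, pattern) and not any(
            _matches(action, ex) for ex in exclusions
        ):
            return True
    return False


def check_denied_actions(expected, policy_json: str):
    """Return the expected actions that the policy does NOT deny."""
    return [a for a in expected if not is_denied(a, policy_json)]


if __name__ == "__main__":
    # With the constructed sample, only the Allow-listed action is missing.
    print("not denied:", check_denied_actions(EXPECTED_DENIED, SAMPLE_POLICY_JSON))
```

Run it against the sample and the one action that is only in an Allow statement is reported as missing; the wildcard savingsplans:* is correctly recognised as covering savingsplans:CreateSavingsPlan.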

📊 Poll of the week

Q: An AWS customer is deploying a web application that is composed of a front-end running on Amazon EC2 and of confidential data that is stored on Amazon S3. The customer security policy requires that all access operations to this sensitive data be authenticated and authorized by a centralized access management system that is operated by a separate security team. In addition, the web application team that owns and administers the EC2 web front-end instances is prohibited from having any ability to access the data that circumvents this centralized access management system.

🗳Answer here

Past week's poll:

Q: A third-party auditor is being brought in to review security processes and configurations for all of a company's AWS accounts. Currently, the company does not use any on-premise identity provider. Instead, they rely on IAM accounts in each of their AWS accounts. The auditor needs read-only access to all AWS resources for each AWS account. Given the requirements, what is the best security method for architecting access for the security auditor?

Answer: C (18/21 votes) 🎉

🙏 Support

If you enjoyed reading our AWS Security Digest newsletter, please help us spread the word by becoming a sponsor for our next edition.

Don't forget to share this newsletter with your colleagues and friends, and follow us on Twitter to stay up-to-date with our latest updates.

Application Auto Scaling - 2 updated methods
Mar 14
Application Auto Scaling customers can now use mathematical functions to customize the metric used with Target Tracking policies within the policy configuration itself, saving the cost and effort of publishing the customizations as a separate metric.
AWS Data Exchange - 6 updated methods
Mar 14
This release enables data providers to license direct access to S3 objects encrypted with Customer Managed Keys (CMK) in AWS KMS through AWS Data Exchange. Subscribers can use these keys to decrypt, then use the encrypted S3 objects shared with them, without creating or managing copies.
Amazon Elastic Compute Cloud - 3 updated methods
Mar 14
This release adds a new DnsOptions key (PrivateDnsOnlyForInboundResolverEndpoint) to CreateVpcEndpoint and ModifyVpcEndpoint APIs.
New AWS Security Blog homepage
Anna Brinkmann · Mar 17
We’ve launched a new AWS Security Blog homepage! While we currently have no plans to deprecate our existing list-view homepage, we have recently launched a new, security-centered homepage to provide readers with more blog info and easy access to the rest of AWS Security. Please bookmark the new page, and …
How to use Google Workspace as an external identity provider for AWS IAM Identity Center
Yegor Tokmakov · Mar 13
March 8, 2023: We updated the post to reflect some name changes (G Suite is now Google Workspace; AWS Single Sign-On is now AWS IAM Identity Center) and associated changes to the user interface and workflow when setting up Google Workspace as an external identity provider for IAM Identity Center. …
mobilehub: 23 new actions, 1 new resource
Mar 18
23 new actions: CreateProject (Create a project), CreateServiceRole (Enable AWS Mobile Hub in the account by creating the required service role), DeleteProject (Delete the specified project), DeleteProjectSnapshot (Delete a saved snapshot of project configuration), DeployToStage (Deploy changes to the specified stage), DescribeBundle (Describe the download bundle), ExportBundle (Export the download …
apprunner: 4 new actions, 1 new resource
Mar 17
4 new actions: AssociateWebAcl (Grants permission to associate the service with an AWS WAF web ACL), DescribeWebAclForService (Grants permission to get the AWS WAF web ACL that is associated with an AWS App Runner service), DisassociateWebAcl (Grants permission to disassociate the service with an AWS WAF web ACL), ListAssociatedServicesForWebAcl (Grants …
chatbot: 11 new actions
Mar 17
11 new actions: CreateMicrosoftTeamsChannelConfiguration (Grants permission to create an AWS Chatbot Microsoft Teams Channel Configuration), DeleteMicrosoftTeamsChannelConfiguration (Grants permission to delete an AWS Chatbot Microsoft Teams Channel Configuration), DeleteMicrosoftTeamsConfiguredTeam (Grants permission to delete the Microsoft Teams configured with AWS Chatbot in an AWS account), DeleteMicrosoftTeamsUserIdentity (Grants permission to delete an AWS …
Ben Kehoe @ben11kehoe

Repeat after me: S3 is not a filesystem. S3 objects are not files. I will not think about S3 semantics in terms of files.

Randall Hunt @jrhunt

AWS just released mountpoint - an open source high-throughput file client for S3. Written in Rust!

github.com/awslabs/mountp…

52 · Mar 14 · 7:05 PM
Scott Piper @0xdabbad00

"IMDSv2 enabled by default" 😍😍😍

What's New on AWS (Unoffical) @awswhatsnew

Announcing Amazon Linux 2023

Today, we are announcing the general availability of Amazon Linux 2023 (AL2023), our new Linux-based operating system for AWS that is designed to provide a secure, stable, high-performance environment to develop and run... aws.amazon.com/about-aws/what…

15 · Mar 15 · 9:56 PM
Scott Piper @0xdabbad00

For those redacting AWS account IDs from public posts, if you wish to keep those secret (there is debatable value in doing so) remember to redact access keys (including role session keys), due to `aws sts get-access-key-info`. Also should avoid bucket names.

7 · Mar 13 · 11:06 PM
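As an added example (not the tweet author's code), a small Python pre-publish redactor for the three identifier kinds the tweet mentions: 12-digit account IDs, access key IDs (long-term AKIA keys and temporary ASIA session keys), and S3 bucket names appearing in s3:// URIs or S3 ARNs. The sample text is constructed; AKIAIOSFODNN7EXAMPLE and 123456789012 are AWS documentation placeholders, and acme-prod-backups is an invented bucket name. Bucket names only in free text (not in a URI or ARN) are not caught, so find_leaks() is a check, not a guarantee.

```python
"""Redact AWS account IDs, access key IDs and S3 bucket names from text.

Added example, not from the tweet's author. The sample text below is
constructed from AWS documentation placeholder values.
"""
import re

# AKIA = long-term IAM user key, ASIA = temporary (STS / role session) key.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Exactly twelve digits that are not part of a longer digit run.
ACCOUNT_ID_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")
# Bucket name immediately after s3:// or arn:aws:s3::: (3-63 chars, DNS-style).
S3_BUCKET_RE = re.compile(r"(s3://|arn:aws:s3:::)([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])")

# Constructed sample: an ARN with an account ID, two access key IDs,
# a bucket in both URI and ARN form, and a 10-digit ticket number that
# must be left alone.
SAMPLE = (
    "arn:aws:iam::123456789012:role/Deploy assumed with key ASIAEXAMPLE000000000; "
    "long-term key AKIAIOSFODNN7EXAMPLE; data at s3://acme-prod-backups/2023/ and "
    "arn:aws:s3:::acme-prod-backups/2023/dump.sql; ticket 2023031412 unaffected"
)


def redact(text: str) -> str:
    """Mask identifiers in place, keeping the surrounding structure readable."""
    # Keep the 4-char prefix (AKIA/ASIA) so readers still see the key type;
    # '*' is used as the mask so the result no longer matches the key regex.
    text = ACCESS_KEY_ID_RE.sub(lambda m: m.group(0)[:4] + "*" * 16, text)
    text = ACCOUNT_ID_RE.sub("############", text)
    text = S3_BUCKET_RE.sub(lambda m: m.group(1) + "<redacted-bucket>", text)
    return text


def find_leaks(text: str) -> dict:
    """Report identifiers still present; run on the redacted text before posting."""
    return {
        "access_key_ids": ACCESS_KEY_ID_RE.findall(text),
        "account_ids": ACCOUNT_ID_RE.findall(text),
        "buckets": [m.group(2) for m in S3_BUCKET_RE.finditer(text)],
    }


if __name__ == "__main__":
    print("before:", find_leaks(SAMPLE))
    cleaned = redact(SAMPLE)
    print(cleaned)
    print("after:", find_leaks(cleaned))
```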
Ben Kehoe @ben11kehoe

Thinking about S3 using file concepts is going to mislead you about the semantics of the API, and you will end up making the wrong assumptions and being sad when your system is always slightly broken because those assumptions don't hold.

5 · Mar 14 · 7:10 PM
Clint Gibler @clintgibler

🔐 End-to-end encryption through Kafka

How to easily set up end-to-end encryption for your data flowing through Kafka, from many producers all the way to end consumers

By @Ockam

docs.ockam.io/guides/example…

17 · Mar 13 · 10:00 PM
Nick Frichette - @frichetten@fosstodon.org @Frichette_n

New cloud security research! We found a method to bypass CloudTrail logging for both read AND write API actions in AWS Service Catalog! In addition, we also reported an issue with a lack of CloudTrail logging in AWS Control Tower. securitylabs.datadoghq.com/articles/bypas…

12 · Mar 20 · 3:04 PM
Clint Gibler @clintgibler

👀 A Deeper Look at Modern SAST Tools

@jrozner compares CodeQL and Semgrep as a vulnerability researcher, including licensing, tooling, language support, and automatic fixes

goingbeyondgrep.com/posts/a-deeper…

9 · Mar 15 · 4:00 PM
rowan @elrowan

I definitely need to up my Cognito skills - thanks @theburningmonk for such a great example! twitter.com/theburningmonk…

Yan Cui @theburningmonk

Check out my new post!

Passwordless Authentication Made Easy with Cognito: a Step-by-Step Guide, including working demo and complete source code for both frontend and backend.

#aws #security #serverless

theburningmonk.com/2023/03/passwo…

1 · Mar 13 · 10:21 PM
rami @ramimacisabird

Always a good week when you end up in tl;dr sec - go check it out for the security news, stay for the jokes

2 · Mar 16 · 4:39 PM

AWS services that are known to be failed/bad/on ice

I know there are some services in AWS that are known to be kind of failed or not good in a general sense. I’m thinking of things like AppMesh where the road map is obviously frozen and the community at large uses other things (istio, Kong, glue, etc.). What are …

  • 🖊️ Don't miss out on the latest industry insights - stay ahead of the game by subscribing
  • 📢 Gain visibility for your brand by sponsoring our content
  • 💌 If you have any suggestions for future topics, let us know