Security Newsletter - Breachforums marketplace down for now. Insecure image cropping. Pwn2Own in full swing. • [tl;dr sec] #174 - Mitigating SSRF in 2023, Isolation & Container Namespaces • AWS Batch - 4 updated methods • Amazon Chime SDK Identity - 6 new 2 updated methods • Amazon Chime SDK Media Pipelines - 7 new 5 updated methods • Automate the deployment of an NGINX web service using Amazon ECS with TLS offload in CloudHSM • Use backups to recover from security incidents • Simplify management of Network Firewall rule groups with VPC managed prefix lists • How to use Amazon Macie to reduce the cost of discovering sensitive data • chime: 33 new actions, 4 new resources | 44 updated actions • ivs: 7 new actions, 1 new resource | 3 updated actions • refactor-spaces: 2 updated actions • fwd:cloudsec • We updated our RSA SSH host key | The GitHub Blog • 🛡️ Mitigating SSRF in 2023 💯 overview of the challenges in preventing SSRF, and the pros/cons of a number of approaches: * Allowlisting or blocklisting * Secure by default libraries * SSRF jail * Network controls * Request proxy By <a href="https://twitter.com/IncludeSecurity" target="_blank">@IncludeSecurity</a> <a href="https://t.co/n08zhjMHhb" target="_blank">blog.includesecurity.com/2023/03/mitiga…</a> • 🤖 Offensive AI Compilation Great list of useful resources on attacking AI models and using AI for offensive purposes: 🕵️‍♂️ Pentesting 🦠 Malware 🗺️ OSINT 📧 Phishing 👨‍🎤 Generative AI + more <a href="https://t.co/tbwSnWUO1p" target="_blank">github.com/jiep/offensive…</a> • I dream of a day when all AWS API calls that customers can make are documented and that the AWS console uses the same APIs that customers use. I further dream of AWS using a standard interface internally such that all CloudTrail events are documented and logged uniformly. • Anyone who looks at the progress in AI and imagines it will usher in a utopia ignores both the very recent history of capitalism and the much older history. • We just released at <a href="https://twitter.com/1ns0mn1h4ck" target="_blank">@1ns0mn1h4ck</a> the largest available dataset of malicious PyPI packages. Check out our talk "Finding Malicious PyPI Packages in the Wild"! <a href="https://t.co/GeexzY9KU3" target="_blank">github.com/DataDog/malici…</a> <a href="https://t.co/eJE8umPvop" target="_blank">dtdg.co/guarddog-insom…</a> • Passwordless is the theme of the week? After finding <a href="https://twitter.com/theburningmonk" target="_blank">@theburningmonk</a>'s post yesterday, I saw AWS released their own version <a href="https://t.co/Xmk150pCdV" target="_blank">github.com/aws-samples/am…</a> • Another undocumented API by a cloud provider results in a cloudvuln. 😭 This follows on an AWS vuln from earlier this week from undocumented APIs: <a href="https://t.co/1EDsFGtaih" target="_blank">twitter.com/Frichette_n/st…</a> And this thread has some more: <a href="https://t.co/uUo0bYUFmK" target="_blank">twitter.com/0xdabbad00/sta…</a> • do it, bitch. • I'm shocked, shocked I tell you, that OpenAI would try to deflect responsibility for something wrong with their product that could cause harm • Did you know in IAM policies condition keys can be used as policy variables as the value❓This helps you compare dynamic values. With this you can ensure that credentials for instances are only used from the instances to which they were issued. Blog ➡️<a href="https://t.co/6nOgGjih1V" target="_blank">tinyurl.com/msrph364</a> • Amazon is laying off another 9,000 employees across AWS, Twitch, advertising • Application Load Balancer now supports TLS 1.3 • FTC Seeks Comment on Business Practices of Cloud Computing Providers that Could Impact Competition and Data Security • Clean Rooms are now generally available? Clearly my kids didn’t get the message! /s • How to Handle AWS Secrets - Security Boulevard • Runtime Security Observability for Containerized Workloads in AWS - Security Boulevard