Security Newsletter - Long list of breaches. Some important vulnerabilities.

In this issue:
• SRE Weekly Issue #263
• 📖 [The CloudSecList] Issue 80
• AWS Security Hub integrates with Amazon Macie to automatically ingest sensitive data findings for improved centralized security posture management
• How to automate SCAP testing with AWS Systems Manager and Security Hub
• How to implement the principle of least privilege with CloudFormation StackSets
• "Yesterday (2021-03-28), two malicious commits were pushed to the php-src repo [...]. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server" 👀 news-web.php.net/php.internals/…
• Uh, there is no CloudTrail record of AWS applying this policy! 🤬 I know it was applied because it did break a workflow (this key was used by a level of flaws.cloud, no errors a few days ago, then access denieds). If you add a policy to my IAM user, please log it AWS.
• I kept telling you all these complex container things were gonna cause a problem. But no. Y'all wanted to put k8s on your resume. Well now the Suez Canal is blocked. Good job.
• I checked the account and saw the new policy, and the access denieds on s3:ListBuckets calls, but I have no CloudTrail record of this policy being attached. So AWS can make IAM changes to my account without any audit record. This does not make me feel good.
• 🗒️ awesome-k8s-security by @magnologan. Great list of resources including: 💊 The Basics, 💼 Official Pages, 📹 Talks and Videos, 📰 Blogs and Articles, 📗 Books, 📆 Certifications, 🔥 CVEs, 📑 Slides, 🧪 Trainings, 🐾 Repositories, 📂 Papers. github.com/magnologan/awe…
• ☁️ Terraformer. Yo dawg, I heard you like Infra *as* Code. But what about Infra to ➡️ Code? Terraformer generates tf/json and tfstate from your *existing* infra. Supports a number of resources and services at: AWS, GCP, Azure & more! 🚀 github.com/GoogleCloudPla…
• Always happy to see more data events in #AWS CloudTrail: This time it's DDB aws.amazon.com/blogs/database…
• Haven't had a chance to test, but I didn't realise that a "Deny" at the Group level doesn't override "Allow" permissions at other levels (e.g. User) blog.lightspin.io/aws-iam-groups… Just another reason NOT to use #AWS IAM Users. If you have to, make them assume a role ASAP...
• This is big. Literally (some customers do millions of requests per second).
• Come discuss Infrastructure as code scanning with us on Sunday!
• Route53 as a database might not be as stupid as it sounds...
• Amazon hires former executive Adam Selipsky to run AWS
• New Console experience... rant.
• End of support for Python 2.7 in AWS Lambda
• Amazon DynamoDB now supports audit logging and monitoring using AWS CloudTrail
• TLS 1.0, 1.1 officially deprecated
• Recovering a whole PEM Private Key when half of it is redacted
• Can someone put Cloud Security in Newbie terms?
• EMnify Brings Cloud-Native IoT Connectivity to 20 AWS Regions, Simplifying Secure Cellular Device Communication - IoT For All
• Sonrai Security Deepens Security Ties With AWS - Security Boulevard
• Sonrai Security Advances Relationship with AWS to Accelerate Cloud Security Transformation - Security Boulevard
Monday, March 29, 2021

AWS Security Hub integrates with Amazon Macie to automatically ingest sensitive data findings for improved centralized security posture management

AWS Security Hub is now integrated with Amazon Macie to automatically ingest sensitive data findings from Macie. Security Hub previously ingested policy findings from Macie, and this integration adds sensitive data findings. All of Security Hub’s findings are automatically normalized using the AWS Security Finding Format (ASFF), enabling you to …

How to automate SCAP testing with AWS Systems Manager and Security Hub

John Trollinger, Mar 24
US federal government agencies use the National Institute of Standards and Technology (NIST) framework to provide security and compliance guidance for their IT systems. The US Department of Defense (DoD) also requires its IT systems to follow the Security Technical Implementation Guides (STIGs) produced by the Defense Information Systems Agency …

How to implement the principle of least privilege with CloudFormation StackSets

Joel Knight, Mar 23
March 24, 2021: We’ve corrected errors in the policy statements in steps 2 and 3 of the section “To create the IAM policy document.” AWS CloudFormation is a service that lets you create a collection of related Amazon Web Services and third-party resources and provision them in an orderly and …
Christophe @christophetd

"Yesterday (2021-03-28), two malicious commits were pushed to the php-src repo [...]. We don't yet know how
exactly this happened, but everything points towards a compromise of the git.php.net server"

👀

news-web.php.net/php.internals/…

151 · Mar 29 · 11:57 AM
Scott Piper @0xdabbad00

Uh, there is no CloudTrail record of AWS applying this policy! 🤬 I know it was applied because it did break a workflow (this key was used by a level of flaws.cloud, no errors a few days ago, then access denieds). If you add a policy to my IAM user, please log it AWS.

Scott Piper @0xdabbad00

AWS has started adding an inline policy to deny s3:* on compromised access keys in addition to their quarantine policy which is more focused on stopping bitcoin miners. This has the potential for greater customer impact but exfil is what companies tend to be more concerned about.

18 · Mar 26 · 7:13 PM
Chris Farris @jcfarris

I kept telling you all these complex container things were gonna cause a problem. But no. Y'all wanted to put k8s on your resume. Well now the Suez Canal is blocked. Good job.

12 · Mar 23 · 11:57 PM
Scott Piper @0xdabbad00

I checked the account and saw the new policy, and the access denieds on s3:ListBuckets calls, but I have no CloudTrail record of this policy being attached. So AWS can make IAM changes to my account without any audit record. This does not make me feel good.

19 · Mar 26 · 7:21 PM
Clint Gibler @clintgibler

🗒️ awesome-k8s-security by @magnologan

Great list of resources including:
💊 The Basics
💼 Official Pages
📹 Talks and Videos
📰 Blogs and Articles
📗 Books
📆 Certifications
🔥 CVEs
📑 Slides
🧪 Trainings
🐾 Repositories
📂 Papers

github.com/magnologan/awe…

13 · Mar 24 · 6:00 PM
Clint Gibler @clintgibler

☁️ Terraformer

Yo dawg, I heard you like Infra *as* Code

But what about Infra to ➡️ Code?

Terraformer generates tf/json and tfstate from your *existing* infra

Supports a number of resources and services at:
* AWS
* GCP
* Azure
* & more! 🚀

github.com/GoogleCloudPla…

11 · Mar 24 · 4:00 PM
rowan @elrowan

Always happy to see more data events in #AWS CloudTrail: This time it's DDB aws.amazon.com/blogs/database…

9 · Mar 24 · 9:56 PM
rowan @elrowan

Haven't had a chance to test, but I didn't realise that a "Deny" at the Group level doesn't override "Allow" permissions at other levels (e.g. User) blog.lightspin.io/aws-iam-groups…

Just another reason NOT to use #AWS IAM Users. If you have to, make them assume a role ASAP...

7 · Mar 26 · 1:53 AM
Jim Scharf @jim_scharf

This is big. Literally (some customers do millions of requests per second).

rowan @elrowan

Always happy to see more data events in #AWS CloudTrail: This time it's DDB aws.amazon.com/blogs/database…

5 · Mar 24 · 10:04 PM
Christophe @christophetd

Come discuss Infrastructure as code scanning with us on Sunday!

owasp @owasp

Join us @Owasp_DevSlop on Sunday 28th March: @christophetd will discuss shifting cloud security left and scanning IAC for security issues #cloudsecurity #shiftleft . 🔗: addevent.com/event/rJ6187568

4 · Mar 23 · 6:14 AM

New Console experience... rant.

Dear AWS,

Please stop telling us about the new experience console, when there are so many problems with it. First of all you need to update all your DOCUMENTATION for the new console. Your "howtos" don't match the new console. Secondly, and most important, make sure the new console has …

Can someone put Cloud Security in Newbie terms?

I’m soon to be starting a career in Cloud and want to know more about cloud security. Cybersecurity was my career of choice and I’d love to see how to merge that with my interest in cloud. Can someone explain what cloud security means? How do companies and people secure …