Monday, 19th June 2023
📣 Sponsor

Hold on!
Why is your finance S3 bucket public and why are your interns allowed to edit records?

Unintended high levels of AWS access are too common because it's hard to manage all the permissions and identities in AWS IAM.

Veza analyzes every permission across all users and systems to ensure that no one gets access beyond security policies.

Check out our demo to learn how you can automate access reviews and find and fix policy violations.
🥗 Appetizer

You already know my love for community-driven tools.

This week, a newcomer is out: a community-maintained list of known AWS account IDs belonging to vendors and AWS services.

If you work with partners or vendors whose AWS (SaaS) account IDs you know, please consider contributing to this effort to centralize the knowledge in one place.

Such a list can be used in many ways, notably in AWS forensics (is this account ID in my CloudTrail a vendor or an attacker?) and in AWS assessments/audits (which cross-account principals in my resource and trust policies are legitimate?).
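To show how such a list is put to work in an audit or a forensic triage, here is an added example (not code from the community project, whose file format is not described here). It takes a constructed vendor-to-account-ID mapping with fictional 12-digit IDs, extracts the account IDs behind the principals of an S3 bucket policy and the actors of a CloudTrail event, and classifies each one as own, known vendor, unknown, or public. All account IDs, vendor names and sample documents below are constructed.

```python
"""Classify cross-account principals against a list of known AWS account IDs.

Added illustration for the newsletter; not the community project's code.
Every account ID, vendor name and sample document here is constructed.
"""
from __future__ import annotations

import re

# Constructed stand-in for a community list: account ID -> owner (fictional IDs).
KNOWN_ACCOUNTS = {
    "111111111111": "ExampleSaaS Monitoring (constructed)",
    "222222222222": "ExampleSaaS Backup (constructed)",
}

# The account(s) under review (constructed).
OWN_ACCOUNTS = {"123456789012"}

# Account ID embedded in an IAM ARN: arn:aws[:partition-suffix]:iam::<12 digits>:...
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):")
BARE_ID_RE = re.compile(r"^\d{12}$")


def principal_account(value: str) -> str | None:
    """Return the 12-digit account ID behind an AWS principal value.

    Accepts bare IDs and root/user/role/assumed-role ARNs; "*" is returned
    as-is because it denotes anonymous (public) access. Anything else
    (for example a service principal or a non-IAM ARN) yields None.
    """
    if value == "*":
        return "*"
    if BARE_ID_RE.match(value):
        return value
    match = ARN_ACCOUNT_RE.match(value)
    return match.group(1) if match else None


def policy_principals(policy: dict) -> set[str]:
    """Collect account IDs granted access by the Allow statements of a
    resource-based policy (bucket policy, role trust policy, ...)."""
    found: set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant access; skip them
        principal = stmt.get("Principal")
        if principal == "*":
            found.add("*")
            continue
        if not isinstance(principal, dict):
            continue
        values = principal.get("AWS", [])
        if isinstance(values, str):
            values = [values]
        for value in values:
            account = principal_account(value)
            if account:
                found.add(account)
    return found


def classify(account_id: str) -> str:
    """Label one account ID using the own/known lists."""
    if account_id == "*":
        return "public"
    if account_id in OWN_ACCOUNTS:
        return "own"
    if account_id in KNOWN_ACCOUNTS:
        return f"known vendor: {KNOWN_ACCOUNTS[account_id]}"
    return "UNKNOWN"


def review_policy(policy: dict) -> dict[str, str]:
    """Audit use: map every principal account in a policy to its label."""
    return {acct: classify(acct) for acct in policy_principals(policy)}


def event_accounts(event: dict) -> set[str]:
    """Forensic use: account IDs involved in a CloudTrail event (caller,
    recipient, and the issuer of an assumed-role session, when present)."""
    identity = event.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    candidates = (identity.get("accountId"), event.get("recipientAccountId"),
                  issuer.get("accountId"))
    return {c for c in candidates if c and BARE_ID_RE.match(c)}


def review_event(event: dict) -> dict[str, str]:
    return {acct: classify(acct) for acct in event_accounts(event)}


# Constructed bucket policy: a known vendor, an unknown account, a Deny on "*".
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-exports/*"},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::999999999999:role/Reader"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::finance-exports"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::finance-exports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed CloudTrail record: an external account assuming a role in ours.
SAMPLE_EVENT = {
    "eventName": "AssumeRole",
    "userIdentity": {"type": "AWSAccount", "accountId": "999999999999"},
    "recipientAccountId": "123456789012",
}

if __name__ == "__main__":
    for acct, label in review_policy(SAMPLE_BUCKET_POLICY).items():
        print(f"policy principal {acct}: {label}")
    for acct, label in review_event(SAMPLE_EVENT).items():
        print(f"event account {acct}: {label}")
```

Only Allow statements are inspected, because a Deny on "*" is a hardening pattern (here, forbidding unencrypted transport), not a grant. An "UNKNOWN" label is exactly the signal the community list is meant to shrink: the fewer legitimate vendor IDs left unlabeled, the faster a real attacker-controlled account stands out during triage.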

📋 Menu of the week
  1. CFN StackSets launches APIs to allow programmatic trusted access with Organizations
  2. Writeup: AWS API Gateway header smuggling and cache confusion
  3. [Community] List of known AWS accounts
👀 Monitor AWS Managed IAM Policies

Policies changed since last week (8):

  • AWSElasticDisasterRecoveryAgentInstallationPolicy
  • AWSElasticDisasterRecoveryEc2InstancePolicy
  • AmazonMacieReadOnlyAccess
  • AmazonSQSReadOnlyAccess
  • AmazonVPCNetworkAccessAnalyzerFullAccessPolicy
  • AmazonVPCReachabilityAnalyzerFullAccessPolicy
  • EMRDescribeClusterPolicyForEMRWAL
  • ReadOnlyAccess
Weekly diff
🍔 AWS API Changes

  1. AWS Application Discovery Service - 1 updated methods
  2. Amazon Simple Storage Service - 5 updated methods
  3. AWS Audit Manager - 1 new, 9 updated methods
  4. AWS CloudTrail - 2 updated methods
  5. Amazon CodeGuru Security - 13 new methods
  6. Elastic Disaster Recovery Service - 8 new, 19 updated methods
  7. Amazon Elastic Compute Cloud - 3 new, 8 updated methods
  8. Amazon Simple Storage Service - 12 updated methods
  9. AWS SecurityHub - 5 new methods
  10. Amazon Verified Permissions - 24 new methods
  11. AWS WAFV2 - 8 updated methods

🍕 AWS Security Blog
  • Removing header remapping from Amazon API Gateway
  • Simplify fine-grained authorization with Verified Permissions and Cognito
  • Prevent account creation fraud with AWS WAF Fraud Control
  • Security Hub launches new capability for automating actions to update findings
  • Post-quantum hybrid SFTP file transfers using AWS Transfer Family
🍓 IAM Permission Changes
  • events: 1 updated action
  • ec2-instance-connect: 1 new action, 1 new resource, 3 new conditions
  • drs: 8 new actions, 1 new resource | 2 updated actions
  • securityhub: 5 new actions, 1 new resource | 3 updated actions
  • logs: 1 updated action
  • verifiedpermissions: 24 new actions, 1 new resource
  • inspector2: 6 new actions
  • codeguru-security: 5 new actions, 3 new conditions
👾 r/aws
  • Why Kubernetes wasn't a good fit for us
  • EC2 Instance Connect supports SSH and RDP connectivity without public IP
  • US-East-1 down for anybody else?
🖊️ Stay ahead of AWS Security game by subscribing
📢 Gain visibility for your brand by sponsoring our content
💌 If you have any suggestions for future topics, let us know