Issue #136
Monday · July 15, 2023
🥖 Palate Cleanser
Hey folks,
Got some cool stuff for you this week, particularly a must-read on essential monitoring for AWS Containers, courtesy of Cloudonaut.
Heads up: since July 15, 2023, AWS has made AMI Block Public Access the default setting for new accounts and for existing accounts that have no public AMIs. A smart move to avoid unintentional sharing and beef up security. Need a public AMI? You can turn the block off manually. This is global, by the way.
I'm digging how AWS is ramping up security measures at the account level and making them default.
That's Security by Design for you.
Victor
📋 Chef's selections
🍛 Reddit threads on r/aws
- Storing Customer API Keys
- Networking: what would be the most secure way to set up a remotely accessible instance?
- AWS Identity Center: CI/CD User
- Management account has production workloads and IAM identity center
- Attacking AWS Cognito with Pacu
- Issuing OIDC token using IAM directly
- Setting up VPN/VPC access
🍪 API changes
- AWS Service Catalog - 12 updated methods: Introduce support for EXTERNAL product and provisioning artifact type in CreateProduct and CreateProvisioningArtifact APIs.
- Amazon Relational Database Service - 14 updated methods: This release adds support for upgrading the storage file system configuration on the DB instance using a blue/green deployment or a read replica.
- Amazon GuardDuty - 1 updated method: Add domainWithSuffix finding field to dnsRequestAction.
- AWS CloudFormation - 1 updated method: SDK and documentation updates for UpdateReplacePolicy.
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities
This section will show you the latest (Important and Critical) CVEs on Amazon Linux.
Amazon Linux 2023
- ALAS-2023-394 (important): golang - CVE-2023-39323, CVE-2023-39325, CVE-2023-44487
- ALAS-2023-393 (important): nginx - CVE-2023-44487
- ALAS-2023-392 (important): nghttp2 - CVE-2023-44487
- ALAS-2023-391 (important): nodejs - CVE-2023-44487
- ALAS-2023-390 (important): tomcat9 - CVE-2023-44487
- ALAS-2023-389 (important): dotnet6.0 - CVE-2023-44487
Amazon Linux 2
- ALAS-2023-2316 (important): yum
- ALAS-2023-2313 (important): golang - CVE-2023-39323, CVE-2023-39325, CVE-2023-44487
- ALAS-2023-2312 (important): nghttp2 - CVE-2023-44487
- ALASNITRO-ENCLAVES-2023-030 (important): docker - CVE-2023-39325
- ALASNITRO-ENCLAVES-2023-031 (important): containerd - CVE-2023-39325
- ALASNITRO-ENCLAVES-2023-032 (important): runc - CVE-2023-39325
- ALASDOCKER-2023-033 (important): runc - CVE-2023-39325
- ALASDOCKER-2023-032 (important): containerd - CVE-2023-39325
- ALASDOCKER-2023-031 (important): docker - CVE-2023-39325
- ALASTOMCAT8.5-2023-016 (important): tomcat - CVE-2023-42795, CVE-2023-44487, CVE-2023-45648
- ALASTOMCAT9-2023-010 (important): tomcat - CVE-2023-42795, CVE-2023-44487, CVE-2023-45648
- ALASNGINX1-2023-006 (important): nginx - CVE-2023-44487