Issue #139
Monday · January 15, 2024
🥖 Palate Cleanser
Hey folks, AWS is still shipping some significant new features, and there is (yet) no freeze before re:Invent 2023 (in 14 days).
Interestingly, following the announcement of Block Public Sharing for AMIs a few weeks ago, AWS has introduced the same capability for Snapshots.
I've updated my AWS Security Survival Kit (open source) with this new capability, so you can apply a bare-minimum AWS security baseline to your accounts (alerting and configuration).
Victor
📋 Chef's selections
🍛 Reddit threads on r/aws
- AWS Security Incident Response Playbook
- How to limit who can assume the role
- Where can I find an overview of how granular permissions I can make in AWS (for read/delete in storage)?
- Enforce EBS Snapshot and AMI Data Protection Settings Across All Regions
- How to deregister ALL tasks definitions at once [Please help I have been attacked]
- Is there a tool that gets AWS IAM entity (user/role/group/etc) and knows to extract the permissions and tell what exactly can it do?
- Assume role condition on state machine
- Using S3 or something similar, can I grant "append-only" rights, so an agent can add new data but not overwrite?
- AWS Organization Security OU
- What Measures Do You Take to Ensure a Resilient Cloud Infrastructure?
- Enable Universal ReadOnly access for IAMS User
- Account got hacked and get 26000k bill
🍪 API changes
- AWS CloudFormation - 8 updated methods - Added new ConcurrencyMode feature for AWS CloudFormation StackSets for faster deployments to target accounts.
- Amazon Elastic Compute Cloud - 3 new methods - AWS EBS now supports Block Public Access for EBS Snapshots. This release introduces the EnableSnapshotBlockPublicAccess, DisableSnapshotBlockPublicAccess and GetSnapshotBlockPublicAccessState APIs to manage account-level public access settings for EBS Snapshots in an AWS Region.
- Amazon GuardDuty - 1 updated method - Added API support for new GuardDuty EKS Audit Log finding types.
- AWS Lambda - 13 updated methods - Add Node 20 (nodejs20.x) support to AWS Lambda.
- Amazon Simple Queue Service - 1 updated method - This release enables customers to call SQS using the AWS JSON-1.0 protocol.
- AWS CodeBuild - 11 updated methods - AWS CodeBuild now supports AWS Lambda compute.
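The three new EC2 APIs above are account-level but also region-level: enabling the block in one region leaves every other enabled region unprotected, which is exactly the question raised in the "Enforce EBS Snapshot and AMI Data Protection Settings Across All Regions" thread. The script below is an added example (it is not code from this newsletter or from the AWS Security Survival Kit) that reads `GetSnapshotBlockPublicAccessState` in every enabled region and raises it to the desired level with `EnableSnapshotBlockPublicAccess`. It assumes boto3 and credentials with `ec2:DescribeRegions`, `ec2:GetSnapshotBlockPublicAccessState` and `ec2:EnableSnapshotBlockPublicAccess`; the `ec2` and `session` arguments are duck-typed so the logic can be exercised without AWS access, and the `RegionResult`/`enforce_snapshot_bpa`/`enforce_all_regions` names are this example's own.

```python
"""Enforce Block Public Access for EBS snapshots in every enabled region.

Added example, not part of the newsletter or the AWS Security Survival Kit.
Uses the EC2 APIs released in this change:
  GetSnapshotBlockPublicAccessState, EnableSnapshotBlockPublicAccess
(DisableSnapshotBlockPublicAccess is the one you want a CloudTrail alert on).
"""
from dataclasses import dataclass

# Values accepted by the `State` parameter of EnableSnapshotBlockPublicAccess,
# plus the value GetSnapshotBlockPublicAccessState returns when the block is off.
BLOCK_ALL = "block-all-sharing"  # also hides snapshots that are *already* public
BLOCK_NEW = "block-new-sharing"  # existing public snapshots stay public
UNBLOCKED = "unblocked"

# Strictness order used to decide whether a region already meets the target.
_RANK = {UNBLOCKED: 0, BLOCK_NEW: 1, BLOCK_ALL: 2}


@dataclass
class RegionResult:
    region: str
    before: str      # state found in the region
    after: str       # state after this run (== before when nothing was applied)
    compliant: bool  # True if `before` already met the desired level


def enforce_snapshot_bpa(ec2, region, desired=BLOCK_ALL, apply=True):
    """Check one region and, if `apply`, raise a weaker setting to `desired`.

    `ec2` is any object with the boto3 EC2 client methods used below.
    Sharing with specific account IDs is not affected by this setting; only
    sharing with the `all` group (public) is blocked.
    """
    before = ec2.get_snapshot_block_public_access_state()["State"]
    if _RANK.get(before, 0) >= _RANK[desired]:
        return RegionResult(region, before, before, True)
    if not apply:  # audit-only mode: report drift without touching the account
        return RegionResult(region, before, before, False)
    resp = ec2.enable_snapshot_block_public_access(State=desired)
    return RegionResult(region, before, resp["State"], False)


def enforce_all_regions(session, desired=BLOCK_ALL, apply=True):
    """Run enforce_snapshot_bpa in every region enabled for the account.

    `session` is any object with a boto3-style `client(name, region_name=...)`.
    DescribeRegions without AllRegions=True lists only enabled regions, so
    opted-out regions (which cannot hold snapshots) are skipped.
    """
    listing = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in listing.describe_regions()["Regions"]]
    results = []
    for region in sorted(regions):
        ec2 = session.client("ec2", region_name=region)
        results.append(enforce_snapshot_bpa(ec2, region, desired, apply))
    return results


def non_compliant(results):
    """Regions that were found below the desired level (useful for a CI check)."""
    return [r.region for r in results if not r.compliant]


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the functions above stay importable offline

    apply = "--apply" in sys.argv          # default is audit-only
    for r in enforce_all_regions(boto3.Session(), apply=apply):
        status = "ok" if r.compliant else ("FIXED" if apply else "DRIFT")
        print(f"{r.region:16} {r.before:18} -> {r.after:18} {status}")
```

Run it once without `--apply` to see which regions are unblocked, then with `--apply` to enforce. Pick `block-new-sharing` instead of the default `block-all-sharing` only if you knowingly publish snapshots (for example, to distribute an AMI's backing snapshot) and cannot afford to have them disappear from public view the moment the block is enabled.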
🍹 IAM managed policy changes
Managed policies changed since last week: 16
- 🚩 AWSAuditManagerServiceRolePolicy
- 🚩 AWSIAMIdentityCenterAllowListForIdentityContext
- AWSIPAMServiceRolePolicy
- AWSIncidentManagerIncidentAccessServiceRolePolicy
- AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy
- AWSResourceExplorerServiceRolePolicy
- AWSSecurityHubServiceRolePolicy
- AWSServiceCatalogAppRegistryFullAccess
- AWSServiceRolePolicyForBackupRestoreTesting
- AWSTrustedAdvisorServiceRolePolicy
- AccessAnalyzerServiceRolePolicy
- AmazonConnectCampaignsServiceLinkedRolePolicy
- AmazonRekognitionReadOnlyAccess
- 🚩 AmplifyBackendDeployFullAccess
- 🚩 CloudWatchApplicationSignalsServiceRolePolicy
- 🚩 PartnerCentralAccountManagementUserRoleAssociation
🤖 Powered by MAMIP - 🚩 = policy now includes sensitive IAM actions
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities
This section will show you the latest (Important and Critical) CVEs on Amazon Linux.
- Nothing to see here this week.