Issue #140
Monday · January 22, 2024
🥖 Palate Cleanser
Hey folks,

Big shoutout to our latest sponsor, Wiz, for their support with this newsletter – couldn't have done it without them!
This issue features an insightful report from Datadog's research team on Cloud Security's current landscape, offering a valuable perspective by comparing it to previous studies. It's a must-read for grasping corporate trends.
Plus, we've got updates on 29 IAM managed policies.
Victor
📋 Chef's selections
🥗 AWS security blogs
- Download AWS Security Hub CSV report
- 2023 Canadian Centre for Cyber Security Assessment Summary report available with 20 additional services
- Implement an early feedback loop with AWS developer tools to shift security left
- Use scalable controls for AWS services accessing your resources
- Automate and enhance your code security with AI-powered services
- Building sensitive data remediation workflows in multi-account AWS environments
- AWS Speaker Profile: Zach Miller, Senior Worldwide Security Specialist Solutions Architect
- AWS Security Profile: Tom Scholl, VP and Distinguished Engineer, AWS
- Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket
- Use private key JWT authentication between Amazon Cognito user pools and an OIDC IdP
🍛 Reddit threads on r/aws
- Enforce EBS Snapshot and AMI Data Protection Settings Across All Regions
- Best practices checklist
- Analyzing the security posture of thousands of AWS, Azure and Google Cloud environments
- What am I missing in this AWS Inspector finding? Port range 0 to 65535 is reachable from an Internet Gateway
- GovCloud and FIPS
- Using existing EC2 or create bastion
- Help with SSL certificate
- How do you approach managing complex security group/NACL configurations?
- New resource - Open Source Security - Amazon Web Services (AWS)
- Best Practices When Requiring MFA to Assume a Role
- S3 permissions list for Identity Center
- Cognito IdentityPool KeyID (kid) problem on us-west-2
- Help with Amplify Auth access
- stop processing rules after this rule is applied
- Limit s3 bucket requests
🧁 IAM permission changes
🍪 API changes
- TrustedAdvisor Public API - 10 new methods - AWS Trusted Advisor introduces new APIs to enable you to programmatically access Trusted Advisor best practice checks, recommendations, and prioritized recommendations. Trusted Advisor APIs enable you to integrate Trusted Advisor with your operational tools to automate your workloads.
- AWS Lambda - 8 updated methods - Adds support for a logging configuration on Lambda functions, giving customers more control over how function logs are captured and which CloudWatch log group they are delivered to.
- Amazon Elastic Compute Cloud - 3 new, 24 updated methods - AWS EBS now supports Snapshot Lock, which lets users lock an EBS snapshot to prohibit its deletion. This release introduces the LockSnapshot, UnlockSnapshot and DescribeLockedSnapshots APIs to manage the lock configuration of snapshots. The release also adds the dl2q_24xlarge instance type.
🍹 IAM managed policy changes
Managed policies changed since last week: 29
- AWSApplicationAutoscalingSageMakerEndpointPolicy
- 🚩 AWSConfigServiceRolePolicy
- 🚩 AWSDataLifecycleManagerSSMFullAccess
- 🚩 AWSECRPullThroughCache_ServiceRolePolicy
- 🚩 AWSFaultInjectionSimulatorEC2Access
- AWSFaultInjectionSimulatorEKSAccess
- AWSFaultInjectionSimulatorRDSAccess
- AWSGitSyncServiceRolePolicy
- AWSIncidentManagerIncidentAccessServiceRolePolicy
- AWSIoTTwinMakerServiceRolePolicy
- AWSMarketplaceDeploymentServiceRolePolicy
- 🚩 AWSRefactoringToolkitFullAccess
- 🚩 AWSResourceExplorerFullAccess
- 🚩 AWSResourceExplorerOrganizationsAccess
- AWSResourceExplorerReadOnlyAccess
- AWSSSMForSAPServiceLinkedRolePolicy
- AWSSecurityHubFullAccess
- AWSSecurityHubOrganizationsAccess
- AWSServiceRoleForIoTSiteWise
- AWSVPCVerifiedAccessServiceRolePolicy
- 🚩 AWS_ConfigRole
- AWSrePostPrivateCloudWatchAccess
- 🚩 AmazonConnectServiceLinkedRolePolicy
- 🚩 AmazonDataZoneEnvironmentRolePermissionsBoundary
- AmazonDataZoneRedshiftManageAccessRolePolicy
- AmazonGuardDutyFullAccess
- AmazonGuardDutyReadOnlyAccess
- 🚩 AmplifyBackendDeployFullAccess
- EC2ImageBuilderLifecycleExecutionPolicy
🤖 Powered by MAMIP - 🚩 Sensitive IAM Actions included
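The 🚩 flags above mark policies whose new version grants a sensitive action. The script below is an added example for this issue, not MAMIP's code: it diffs the Allow actions of two versions of a managed policy and flags any added action that covers an entry in a sensitive-action list, including wildcard actions such as `iam:Pass*` or `*`. The two policy documents, their version ids and the sensitive-action list are constructed for illustration; in practice the documents come from `iam:ListPolicyVersions` and `iam:GetPolicyVersion`.

```python
"""Diff two versions of an AWS IAM managed policy and flag sensitive actions.

Added example for the newsletter, not MAMIP's own code. The documents below are
constructed; in practice fetch them with boto3:
    iam.get_policy_version(PolicyArn=arn, VersionId=vid)["PolicyVersion"]["Document"]
after picking the current and previous ids from iam.list_policy_versions().
"""
import fnmatch

# Actions whose appearance in a new Allow statement deserves a flag.
# This list is an assumption for the example, not MAMIP's list.
SENSITIVE_ACTIONS = [
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "sts:AssumeRole", "lambda:UpdateFunctionCode",
    "ec2:ModifySnapshotAttribute", "s3:PutBucketPolicy", "kms:CreateGrant",
]

# Constructed policy versions (hypothetical v3 -> v4 of a snapshot-management policy).
OLD_VERSION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeSnapshots", "ec2:CreateSnapshot"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
    ],
}
NEW_VERSION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeSnapshots", "ec2:CreateSnapshot",
                    "ec2:LockSnapshot", "ec2:DescribeLockedSnapshots"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}


def allowed_actions(document):
    """Return the set of actions named in Allow statements.

    Only the Action element is considered; NotAction grants are a separate
    (and rarer) case and are not handled here.
    """
    actions = set()
    statements = document.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        if isinstance(acts, str):             # "Action": "s3:GetObject" is valid JSON for IAM
            acts = [acts]
        actions.update(acts)
    return actions


def diff_policy(old_doc, new_doc):
    """Actions added to and removed from the Allow set between two versions."""
    old, new = allowed_actions(old_doc), allowed_actions(new_doc)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def flag_sensitive(actions, sensitive=SENSITIVE_ACTIONS):
    """Return the policy actions that cover at least one sensitive action.

    IAM matches actions case-insensitively and allows '*' and '?' wildcards,
    so each policy action is used as the pattern and each sensitive action as
    the name; a wildcard such as 'iam:*' or '*' is therefore flagged.
    """
    flagged = set()
    for act in actions:
        for s in sensitive:
            if fnmatch.fnmatchcase(s.lower(), act.lower()):
                flagged.add(act)
    return sorted(flagged)


def report(old_doc, new_doc):
    """Diff plus the subset of added actions that earn a 🚩."""
    result = diff_policy(old_doc, new_doc)
    result["flagged"] = flag_sensitive(result["added"])
    return result


if __name__ == "__main__":
    r = report(OLD_VERSION, NEW_VERSION)
    print("added:  ", r["added"])
    print("removed:", r["removed"])
    print("flagged:", r["flagged"] or "none")
```

Removed actions are reported but never flagged: a policy losing permissions is a change worth knowing about for breakage reasons, but it is the newly granted actions that change your blast radius.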
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities
This section will show you the latest (Important and Critical) CVEs on Amazon Linux.
- No CVEs published this week on Amazon Linux OS.