Issue #151

Monday · February 19, 2024

🥖 Palate Cleanser

Hey folks,

I love learning how other individuals and organizations deploy security controls in AWS, so I read through the comments in the “Security groups vs NACLs” reddit post linked to below.

Not so surprisingly, I’m seeing a lot of responses saying “we leave NACLs alone and only use SGs.”

Personally, I’ve been a fan of using NACLs for very broad rules. For example, if I know that certain traffic should never be allowed to enter a subnet, I’ll add it to my NACLs and to the security groups, but then make the security group rules a lot tighter.
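As an added illustration of that layering (example code written for this issue, not something from the newsletter or from any of the linked posts), here is a Terraform fragment that puts one broad deny in the subnet's NACL and then leaves the fine-grained filtering to a security group. The VPC and subnet IDs, the load balancer security group ID and the blocked CIDR (198.51.100.0/24, a documentation range) are all constructed placeholders.

```hcl
# Added example, not from the newsletter: broad NACL deny plus a much tighter
# security group. All IDs and the blocked CIDR are constructed placeholders.

variable "vpc_id"                { type = string }
variable "subnet_id"             { type = string }
variable "alb_security_group_id" { type = string }
variable "blocked_cidr" {
  type    = string
  default = "198.51.100.0/24" # constructed: a range that should never reach the subnet
}

resource "aws_network_acl" "app_subnet" {
  vpc_id     = var.vpc_id
  subnet_ids = [var.subnet_id]
  tags       = { Name = "app-subnet-nacl" }
}

# Broad rule: drop the blocked range outright. NACL rules are evaluated in
# ascending rule_number order and stop at the first match, so the deny must
# carry a lower number than the general allow below.
resource "aws_network_acl_rule" "deny_blocked_ingress" {
  network_acl_id = aws_network_acl.app_subnet.id
  rule_number    = 100
  egress         = false
  protocol       = "-1"
  rule_action    = "deny"
  cidr_block     = var.blocked_cidr
}

# NACLs are stateless, so return traffic for outbound connections has to be
# admitted here too; keeping this allow wide avoids breaking ephemeral-port
# replies and leaves the precise filtering to the stateful security group.
resource "aws_network_acl_rule" "allow_ingress" {
  network_acl_id = aws_network_acl.app_subnet.id
  rule_number    = 200
  egress         = false
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
}

resource "aws_network_acl_rule" "allow_egress" {
  network_acl_id = aws_network_acl.app_subnet.id
  rule_number    = 100
  egress         = true
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
}

# Tight rule: security groups only have allow entries, so the "deny" for the
# blocked range is expressed by admitting nothing except HTTPS from the
# load balancer's own security group.
resource "aws_security_group" "app" {
  name        = "app-sg"
  description = "App instances: HTTPS from the ALB only"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.alb_security_group_id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The NACL deny catches the unwanted range before any instance in the subnet sees it, regardless of which security group a future instance is launched with; the security group is where the per-workload allow list actually lives. The overhead the question above is asking about is mostly the rule-number ordering and the stateless return-traffic handling on the NACL side.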

What about you? Do you think this is overkill and ends up just being additional management overhead for not much benefit? Let me know with a reply.

Bon appetit!
Christophe

📋 Chef's selections

  1. (Almost) Every infrastructure decision I endorse or regret after 4 years running infrastructure at a startup
  2. An analysis of a TeamTNT doppelgänger
  3. Security Playbook for Compromised AWS Account Credentials

🥗 AWS security blogs

🍛 Reddit threads on r/aws

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

Managed policies changed since last week: 6
  1. AWSPrivateMarketplaceAdminFullAccess
  2. AWSServiceRoleForPrivateMarketplaceAdminPolicy
  3. AWSServiceRolePolicyForBackupRestoreTesting
  4. AWSXRayDaemonWriteAccess
  5. AWSXrayReadOnlyAccess
  6. AmazonGuardDutyServiceRolePolicy
Weekly diff

🤖 Powered by MAMIP | 🚩 Sensitive IAM Actions included

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

This section will show you the latest (Important and Critical) CVEs on Amazon Linux.

No CVE this week 🎉

Get every AWS security change,
on a plate every Monday.

6,700+ engineers, builders and CISOs let us diff the AWS changelog every week.