📋 Chef's selections

1. CloudFront now supports OAC for Lambda function URL origins
2. IAM Is The Worst
3. We discovered an AWS access vulnerability

🥗 AWS security blogs

• Detecting and remediating inactive user accounts with Amazon Cognito

🍛 Reddit threads on r/aws

• Prevent brute force RDP attacks on EC2
• Revoking token in cognito
• Securing AWS Cognito Signup Route
• Database tier still working after remove outgoing traffic in security group
• SecOps Solution For Our AWS CodePipelines
• Financial Risks of hosting an ELB with a domain
• if I install AWS security tools, do I need to install it for every account?
• Cyber Security swap from Azure to AWS
• Question about IAM Roles Anywhere
• Security Monitoring in AWS: Cloudtrail, Cloudwatch and Eventbridge
• Restricting Administrator user in management account from certain actions
• PassRole Permissions - Using Responsibly?
• Use AWS Gateway API Keys as website password

🧁 IAM permission changes

• datazone: 4 new actions
• rds: 1 new action | 1 updated action
• cleanrooms: 1 new action

🍪 API changes

• Amazon Relational Database Service - 4 updated methods
• AWS CodeBuild - 5 updated methods
• Amazon QuickSight - 1 updated methods

🍹 IAM managed policy changes

1. 🚩 AWSIAMIdentityCenterAllowListForIdentityContext
2. AWSMarketplaceGetEntitlements
3. 🚩 AWSMigrationHubRefactorSpaces-EnvironmentsWithoutBridgesFullAccess
4. 🚩 AWSMigrationHubRefactorSpacesFullAccess
5. AWSSSMForSAPServiceLinkedRolePolicy
6. AWSXrayFullAccess
7. 🚩 AmazonRDSCustomServiceRolePolicy
8. 🚩 AmplifyBackendDeployFullAccess
9. 🚩 CloudWatchApplicationSignalsServiceRolePolicy
10. 🚩 ROSAInstallerPolicy
11. 🚩 ROSASRESupportPolicy
12. 🚩 SecurityAudit

☕ CloudFormation resource changes

• AWS::CloudWatch::Alarm
• AWS::CloudWatch::CompositeAlarm
• AWS::Bedrock::*

🎮 Amazon Linux vulnerabilities