🎉 AWS Security Digest is back

We're back better than ever. There's a big surprise coming next issue. Watch this space!

In the mean time, enjoy this issue. The chef's selection this week is really spicy. 🌶️

📋 Chef's Weekly Selections

• 1. Things you wish you didn't need to know about S3
• 2. Publicly Exposed AWS Document DB Snapshots
• 3. The Best Way to Start with AWS Security Hub

🍹 Updated AWS Managed IAM Policies

1. AccessAnalyzerServiceRolePolicy
2. 🚩 AmplifyBackendDeployFullAccess

🔀 Weekly diff

🤖 Powered by MAMIP | 🚩 Sensitive IAM Actions included

🧁 IAM Permission Changes

• payments: 2 updated actions - 2 updated actions: TagResource (access), UntagResource (access)
• emr-serverless: 1 new action - 1 new action: ListJobRunAttempts (Grants permission to list job run attempts associated with a job r
• application-signals: 15 new actions, 1 new resource, 3 new conditions - 15 new actions: BatchGetServiceLevelObjectiveBudgetReport (Grants permission to batch retrieve a ser
• workspaces-web: 1 updated action - 1 updated action: UntagResource (conditions)
• glue: 11 new actions - 11 new actions: BatchPutDataQualityStatisticAnnotation (Grants permission to annotate datapoints ove
• swf: 2 new actions - 2 new actions: DeleteActivityType (Grants permission to delete the specified activity type), DeleteW
• imagebuilder: 1 updated action - 1 updated action: ImportVmImage (dependents, resources)
• ssm: 7 updated actions - 7 updated actions: DeleteParameter (conditions), DeleteParameters (conditions), GetParameter (condit

🍔 AWS API Changes

• Amazon CodeGuru Security - 1 updated methods
• AWS Launch Wizard - 4 new 2 updated methods
• Agents for Amazon Bedrock - 3 updated methods
• Amazon Bedrock Runtime - 2 new methods
• AWS CloudTrail - 1 updated methods
• Amazon Connect Service - 2 updated methods
• EMR Serverless - 1 new 4 updated methods
• Amazon SageMaker Service - 8 updated methods
• AWS CodeBuild - 5 updated methods
• Amazon Connect Service - 1 updated methods
• AWS Glue - 11 updated methods
• AWS SecurityHub - 4 updated methods
• Amazon Elastic Compute Cloud - 2 updated methods
• Managed Streaming for Kafka - 1 updated methods
• Amazon Simple Workflow Service - 2 new methods

🥗 AWS Security Blog

• How to issue use-case bound certificates with AWS Private CA
• Establishing a data perimeter on AWS: Analyze your account activity to evaluate impact and refine controls
• AWS completes the 2024 Cyber Essentials Plus certification
• The art of possible: Three themes from RSA Conference 2024
• Accelerate incident response with Amazon Security Lake
• Navigating the threat detection and incident response track at re:Inforce 2024

☕︎ CloudFormation Updates

• AWS::SecurityHub::ConfigurationPolicy, AWS::SecurityHub::FindingAggregator, AWS::SecurityHub::OrganizationConfiguration, AWS::SecurityHub::PolicyAssociation
• AWS::SecurityLake::SubscriptionNotification

🍪 Amazon Linux CVEs

No CVE this week 🎉

👾 r/aws

• How do I block http requests using WAF?
• Seeking token storage advice
• IAM Role Credential rotation still a good practice?
• Non-Production Endpoints as an Attack Surface in AWS | Datadog Security Labs
• SCPs enforcing SSL on S3 buckets and effects on other Resources
• S3 Hosting — Advice Needed
• Security considerations for Cognito user pools
• Lambdas and serverless
• Anyone actually enforcing "least privileged" on your cloud environments?
• Security Hub as CloudSec Beginner - Feeling Lost
• Unrecognized new VPC charges