
June 17, 2024
🎤 AWS re:Inforce 2024 highlights
AWS re:Inforce 2024 is in the bag. The gossip at the watercooler is that the quality of the non-AI talks this year was excellent, because non-AI presentation slots were at a premium.
There was a lot of rah-rah about security culture, which is great. Did the announcements match that focus? You decide:
- Detect malware in new object uploads to Amazon S3 with Amazon GuardDuty
  This is my personal favorite. If you allow user uploads, you probably don't want to be hosting malware, or worse. Solving this problem was expensive or painful before this announcement. Apparently multiple scanning engines are supported/used, but it's unclear which.
- AWS Identity and Access Management now supports passkey as a second authentication factor
  A great security and quality-of-life improvement. You can now register passkeys as the MFA method for IAM users and the root user, including built-in platform authenticators such as Touch ID on Apple MacBooks and Windows Hello facial recognition on PCs.
- AWS IAM Access Analyzer now offers recommendations to refine unused access
  Anything that makes doing the actual security work easier is a win. UX is often forgotten in security-land, but it's also often the thing that turns nice ideas into improved security posture.
- AWS Private CA introduces Connector for SCEP for mobile devices (Preview)
- AWS CloudTrail Lake announces AI-powered natural language query generation (preview)
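The GuardDuty item above only gets you a verdict; the bucket still serves the object unless you act on it. GuardDuty Malware Protection for S3 records its result in the object tag GuardDutyMalwareScanStatus (NO_THREATS_FOUND when clean), so the practical follow-up is a bucket policy that hides objects until that tag is clean and stops anyone but the scanner's role from writing it. The example below is added here and is not code from the newsletter or from AWS: it builds that policy and mirrors its two statements in small local functions so the gating logic can be unit-tested without an account. The bucket name, account ID and role name are placeholders.

```python
"""Gate reads on GuardDuty Malware Protection for S3 scan results.

Added example, not from the newsletter or AWS. With object tagging
enabled, GuardDuty writes its verdict to the object tag
GuardDutyMalwareScanStatus (NO_THREATS_FOUND when clean).
build_bucket_policy() emits a bucket policy that denies reads until the
tag says clean and denies everyone except the scanner's IAM role the
ability to write that tag. The *_allowed() functions mirror those two
Deny statements locally; "allowed" means "not denied by this policy",
other allow statements are still needed for access.
Bucket name, account ID and role name are placeholders.
"""
import json

SCAN_TAG = "GuardDutyMalwareScanStatus"
CLEAN = "NO_THREATS_FOUND"


def build_bucket_policy(bucket: str, scanner_role_arn: str) -> dict:
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # The scanner role is exempted: it has to read an object
                # before any tag exists in order to scan it. Untagged
                # (scan pending) objects are denied to everyone else.
                "Sid": "DenyReadUntilScanIsClean",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": objects,
                "Condition": {
                    "StringNotEquals": {f"s3:ExistingObjectTag/{SCAN_TAG}": CLEAN},
                    "ArnNotEquals": {"aws:PrincipalArn": scanner_role_arn},
                },
            },
            {
                # Without this, an uploader could mark their own object
                # clean, via PutObjectTagging or by sending the tag in the
                # PutObject request itself.
                "Sid": "OnlyScannerWritesVerdictTag",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:PutObject", "s3:PutObjectTagging"],
                "Resource": objects,
                "Condition": {
                    "ArnNotEquals": {"aws:PrincipalArn": scanner_role_arn},
                    "ForAnyValue:StringEquals": {"s3:RequestObjectTagKeys": [SCAN_TAG]},
                },
            },
        ],
    }


def read_allowed(tags: dict, principal_arn: str, scanner_role_arn: str) -> bool:
    """Local mirror of DenyReadUntilScanIsClean for a GetObject request."""
    if principal_arn == scanner_role_arn:
        return True
    # Missing tag (scan not finished) and any non-clean verdict are both denied.
    return tags.get(SCAN_TAG) == CLEAN


def tag_write_allowed(request_tag_keys, principal_arn: str, scanner_role_arn: str) -> bool:
    """Local mirror of OnlyScannerWritesVerdictTag for PutObject/PutObjectTagging."""
    if principal_arn == scanner_role_arn:
        return True
    return SCAN_TAG not in set(request_tag_keys)


if __name__ == "__main__":
    policy = build_bucket_policy(
        "uploads-bucket",  # placeholder
        "arn:aws:iam::123456789012:role/GuardDutyMalwareProtectionRole",  # placeholder
    )
    print(json.dumps(policy, indent=2))
```

Running the script prints the policy document, which you attach with `aws s3api put-bucket-policy --bucket uploads-bucket --policy file://policy.json`. Two caveats: objects are unreadable to your application while the scan is pending, and if the protection plan has object tagging disabled nothing ever becomes readable. Since the same announcement batch extended Access Analyzer custom policy checks, the document can also be run through `aws accessanalyzer check-no-public-access --policy-document file://policy.json --resource-type AWS::S3::Bucket` before deployment; the Deny statements with `Principal: "*"` grant nothing, so it should pass.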
🎤 fwd:cloudsec is here
fwd:cloudsec North America starts today in Arlington, Virginia. Talks will be live-streamed on YouTube.
I'm at the conference in person, distributing Milo and being weird. Come say hi. 👋
📋 Chef's weekly selections
- Behind a paywall but a fascinating read about account deletion failings and improvements.
- Encryption At Rest: Whose Threat Model Is It Anyway?
  It's important that we keep revisiting this topic because it's so misunderstood.
🥗 AWS security blog
- How to create a pipeline for hardening Amazon EKS nodes and automate updates
- AWS completes Police-Assured Secure Facilities (PASF) audit in the Europe (London) Region
- Implementing a compliance and reporting strategy for NIST SP 800-53 Rev. 5
- Passkeys enhance security and usability as AWS expands MFA requirements
🧁 IAM permission changes
- datazone: 7 new actions: AssociateEnvironmentRole (Grants permission to associate a role in a default service
- apptest: 2 updated actions: DeleteTestRun (dependents), StartTestRun (dependents)
- tax: 1 new action: BatchDeleteTaxRegistration (Grants permission to batch delete tax registration data)
- connect: 2 new actions: SearchContactFlowModules (Grants permission to search contact flow module resources i
- apptest: 24 new actions, 4 new resources, 3 new conditions: CreateTestCase (Grants permission to create a test case), CreateTestConfiguration (G
- cloudtrail: 1 new action, 1 updated action. New action: GenerateQuery (Grants permission to generate a query for a specified event data store
- entityresolution: 1 new action: BatchDeleteUniqueId (Grants permission to batch delete unique Id)
- guardduty: 5 new actions, 1 new resource, 3 updated actions. New actions: CreateMalwareProtectionPlan (Grants permission to create a new Malware Protection pla
- pca-connector-scep: 12 new actions, 2 new resources, 3 new conditions: CreateChallenge (Grants permission to create a Challenge for a Connector), CreateCon
- ecs: 1 new condition, 4 updated actions. New condition: ecs:fargate-ephemeral-storage-kms-key (Filters access by the AWS KMS key id provide
- access-analyzer: 3 new actions: CheckNoPublicAccess (Grants permission to check that public access is not allowed by
- s3: 1 new action, 2 new conditions, 1 updated action. New action: PauseReplication (Grants permission to pause S3 Replication from target source buckets
🍔 AWS API Changes
- Amazon DataZone - 7 new, 4 updated methods - This release introduces a new default service blueprint for custom environment creation.
- Amazon Macie 2 - 2 new, 4 updated methods - This release adds support for managing the status of automated sensitive data discovery for individual accounts in an organization, and for determining whether individual S3 buckets are included in the scope of the analyses.
- AWS Elemental MediaConvert - 1 new method - This release adds the ability to search for historical job records within the management console using a search box and/or via the SDK/CLI, with partial string matching on the input file name.
- AWS CloudHSM V2 - 8 updated methods - Added support for HSM type hsm2m.medium. Added support for creating a cluster in FIPS or NON_FIPS mode.
- AWS Glue - 2 updated methods - This release adds support for configuring the evaluation method for composite rules in Glue Data Quality rulesets.
- AWS IoT Wireless - 1 updated method - Add RoamingDeviceSNR and RoamingDeviceRSSI to Customer Metrics.
- AWS Key Management Service - 1 new, 7 updated methods - This feature allows customers to use their keys stored in KMS to derive a shared secret, which can then be used to establish a secured channel for communication, provide proof of possession, or establish trust with other parties.
- AWS Elemental MediaPackage v2 - 8 updated methods - This release adds support for CMAF ingest (DASH-IF live media ingest protocol interface 1).
- AWS Mainframe Modernization Application Testing - 24 new methods - AWS Mainframe Modernization Application Testing is an AWS Mainframe Modernization service feature that automates functional equivalence testing for mainframe application modernization and migration to AWS, and regression testing.
- Amazon Elastic Compute Cloud - 1 new, 13 updated methods - Tagging support for the Traffic Mirroring FilterRule resource.
- Amazon OpenSearch Ingestion - 5 updated methods - SDK changes for self-managed VPC endpoints for OpenSearch Ingestion pipelines.
- AWS Secrets Manager - 1 updated method - Introducing the RotationToken parameter for the PutSecretValue API.
- Amazon Simple Email Service - 3 updated methods - This release adds support for Amazon EventBridge as an email sending events destination.
- Access Analyzer - 3 new, 1 updated methods - IAM Access Analyzer now provides policy recommendations to help resolve unused permissions for IAM roles and users. Additionally, IAM Access Analyzer now extends its custom policy checks to detect when IAM policies grant public access or access to critical resources ahead of deployment.
- Amazon GuardDuty - 5 new, 1 updated methods - Added API support for GuardDuty Malware Protection for S3.
- AWS Network Manager - 20 updated methods - Model changes and documentation updates for the Service Insertion feature of AWS Cloud WAN. This feature allows insertion of AWS and third-party security services on Cloud WAN, so that inter- and intra-segment traffic can be steered through security appliances, with visibility into the resulting route updates.
- Private CA Connector for SCEP - 12 new methods - Connector for SCEP allows you to use a managed, cloud CA to enroll mobile devices and networking gear. SCEP is a widely-adopted protocol used by mobile device management (MDM) solutions for enrolling mobile devices. With the connector, you can use AWS Private CA with popular MDM solutions.
- Amazon SageMaker Service - 5 updated methods - Introduced Scope and AuthenticationRequestExtraParams to SageMaker Workforce OIDC configuration; this allows customers to modify these options for their private Workforce IdP integration. Model Registry cross-account model package groups are discoverable.
- Amazon CloudWatch Application Signals - 15 new methods - This is the initial SDK release for Amazon CloudWatch Application Signals. Amazon CloudWatch Application Signals provides curated application performance monitoring for developers to monitor and troubleshoot application health using pre-built dashboards and Service Level Objectives.
- Amazon EC2 Container Service - 19 updated methods - This release introduces a new cluster configuration to support customer-managed keys for ECS managed storage encryption.
☕︎ CloudFormation updates
New resources:
- AWS::GuardDuty::MalwareProtectionPlan
- AWS::ApplicationSignals::ServiceLevelObjective
- AWS::ECS::Cluster ManagedStorageConfiguration
Updated resources:
🍪 Amazon Linux CVEs
No CVEs this week 🎉