📋 Chef's selections

1. Apple alerted Amazon about a potential cloud security risk, prompting a change in AWS's data-deletion process

   Behind a paywall but a fascinating read about account deletion failings and improvements.

2. Encryption At Rest: Whose Threat Model Is It Anyway?

   It's important that we keep revisiting this topic because it's so misunderstood.

Bonus: Issue with AWS Deployment Framework - CVE-2024-37293

🥗 AWS security blogs

• How to create a pipeline for hardening Amazon EKS nodes and automate updates
• AWS completes Police-Assured Secure Facilities (PASF) audit in the Europe (London) Region
• Implementing a compliance and reporting strategy for NIST SP 800-53 Rev. 5
• Passkeys enhance security and usability as AWS expands MFA requirements

🍛 Reddit threads on r/aws

• Simulate Ransomware Attack in AWS
• Why use aws external ID for s3 access?
• AWS WAF vs GCP WAF vs Cloudflare WAF
• Using AWS Managed EKS Optimized Amazon Linux AMI
• Not Secure signin

🧁 IAM permission changes

• datazone: 7 new actions - 7 new actions: AssociateEnvironmentRole (Grants permission to associate a role in a default service
• apptest: 2 updated actions - 2 updated actions: DeleteTestRun (dependents), StartTestRun (dependents)
• tax: 1 new action - 1 new action: BatchDeleteTaxRegistration (Grants permission to batch delete tax registration data)
• connect: 2 new actions - 2 new actions: SearchContactFlowModules (Grants permission to search contact flow module resources i
• apptest: 24 new actions, 4 new resources, 3 new conditions - 24 new actions: CreateTestCase (Grants permission to create a test case), CreateTestConfiguration (G
• cloudtrail: 1 new action | 1 updated action - 1 new action: GenerateQuery (Grants permission to generate a query for a specified event data store
• entityresolution: 1 new action - 1 new action: BatchDeleteUniqueId (Grants permission to batch delete unique Id)
• guardduty: 5 new actions, 1 new resource | 3 updated actions - 5 new actions: CreateMalwareProtectionPlan (Grants permission to create a new Malware Protection pla
• pca-connector-scep: 12 new actions, 2 new resources, 3 new conditions - 12 new actions: CreateChallenge (Grants permission to create a Challenge for a Connector), CreateCon
• ecs: 1 new condition | 4 updated actions - 1 new condition: ecs:fargate-ephemeral-storage-kms-key (Filters access by the AWS KMS key id provide
• access-analyzer: 3 new actions - 3 new actions: CheckNoPublicAccess (Grants permission to check that public access is not allowed by
• s3: 1 new action, 2 new conditions | 1 updated action - 1 new action: PauseReplication (Grants permission to pause S3 Replication from target source buckets

🍪 API changes

• Amazon DataZone - 7 new 4 updated methods - This release introduces a new default service blueprint for custom environment creation.
• Amazon Macie 2 - 2 new 4 updated methods - This release adds support for managing the status of automated sensitive data discovery for individual accounts in an organization, and determining whether individual S3 buckets are included in the scope of the analyses.
• AWS Elemental MediaConvert - 1 new methods - This release adds the ability to search for historical job records within the management console using a search box and/or via the SDK/CLI with partial string matching search on input file name.
• AWS CloudHSM V2 - 8 updated methods - Added support for hsm type hsm2m.medium. Added supported for creating a cluster in FIPS or NON_FIPS mode.
• AWS Glue - 2 updated methods - This release adds support for configuration of evaluation method for composite rules in Glue Data Quality rulesets.
• AWS IoT Wireless - 1 updated methods - Add RoamingDeviceSNR and RoamingDeviceRSSI to Customer Metrics.
• AWS Key Management Service - 1 new 7 updated methods - This feature allows customers to use their keys stored in KMS to derive a shared secret which can then be used to establish a secured channel for communication, provide proof of possession, or establish trust with other parties.
• AWS Elemental MediaPackage v2 - 8 updated methods - This release adds support for CMAF ingest (DASH-IF live media ingest protocol interface 1)
• AWS Mainframe Modernization Application Testing - 24 new methods - AWS Mainframe Modernization Application Testing is an AWS Mainframe Modernization service feature that automates functional equivalence testing for mainframe application modernization and migration to AWS, and regression testing.
• Amazon Elastic Compute Cloud - 1 new 13 updated methods - Tagging support for Traffic Mirroring FilterRule resource
• Amazon OpenSearch Ingestion - 5 updated methods - SDK changes for self-managed vpc endpoint to OpenSearch ingestion pipelines.
• AWS Secrets Manager - 1 updated methods - Introducing RotationToken parameter for PutSecretValue API
• Amazon Simple Email Service - 3 updated methods - This release adds support for Amazon EventBridge as an email sending events destination.
• Access Analyzer - 3 new 1 updated methods - IAM Access Analyzer now provides policy recommendations to help resolve unused permissions for IAM roles and users. Additionally, IAM Access Analyzer now extends its custom policy checks to detect when IAM policies grant public access or access to critical resources ahead of deployments.
• Amazon GuardDuty - 5 new 1 updated methods - Added API support for GuardDuty Malware Protection for S3.
• AWS Network Manager - 20 updated methods - This is model changes & documentation update for Service Insertion feature for AWS Cloud WAN. This feature allows insertion of AWS/3rd party security services on Cloud WAN. This allows to steer inter/intra segment traffic via security appliances and provide visibility to the route updates.
• Private CA Connector for SCEP - 12 new methods - Connector for SCEP allows you to use a managed, cloud CA to enroll mobile devices and networking gear. SCEP is a widely-adopted protocol used by mobile device management (MDM) solutions for enrolling mobile devices. With the connector, you can use AWS Private CA with popular MDM solutions.
• Amazon SageMaker Service - 5 updated methods - Introduced Scope and AuthenticationRequestExtraParams to SageMaker Workforce OIDC configuration; this allows customers to modify these options for their private Workforce IdP integration. Model Registry Cross-account model package groups are discoverable.
• Amazon CloudWatch Application Signals - 15 new methods - This is the initial SDK release for Amazon CloudWatch Application Signals. Amazon CloudWatch Application Signals provides curated application performance monitoring for developers to monitor and troubleshoot application health using pre-built dashboards and Service Level Objectives.
• Amazon EC2 Container Service - 19 updated methods - This release introduces a new cluster configuration to support the customer-managed keys for ECS managed storage encryption.

☕ CloudFormation resource changes

New resources:

• AWS::GuardDuty::MalwareProtectionPlan
• AWS::ApplicationSignals::ServiceLevelObjective
• AWS::ECS::Cluster ManagedStorageConfiguration

Updated resources:

• AWS::CloudFormation::CustomResource

🎮 Amazon Linux vulnerabilities

No CVEs this week 🎉