
July 1, 2024
📋 Chef's weekly selections
After a few weeks of delicious specials, the regular menu is back.
- Publicly Exposed AWS SSM Command Documents
Rami McCarthy does it again, this time finding and scanning 2,472 public SSM Command documents. I loved the insights into company security programs based on what's in these scripts. All the code to reproduce the research is in the article.
- AWS IAM Roles Anywhere with Open-Source Private CA
This tutorial from Paul Schwarzenberger shows how to set up and test AWS IAM Roles Anywhere using an open-source cloud certificate authority. I'm not certain if this is useful or a cool party trick, but it's worth a look. Paul notes that the approach isn't necessarily more secure than an access key.
- Attack Paths Into VMs in the Cloud
An annotated list of ways a virtual machine might be compromised in the major cloud platforms, including pre-conditions, mitigations, and other details.
🥗 AWS security blog
🧁 IAM permission changes
🍔 AWS API Changes
- AWS Certificate Manager Private Certificate Authority - 4 updated methods - Added CCPC_LEVEL_1_OR_HIGHER KeyStorageSecurityStandard and SM2 KeyAlgorithm and SM3WITHSM2 SigningAlgorithm for China regions.
- AWS CloudHSM V2 - 3 new 4 updated methods - Added 3 new APIs to support backup sharing: GetResourcePolicy, PutResourcePolicy, and DeleteResourcePolicy. Added BackupArn to the output of the DescribeBackups API. Added support for BackupArn in the CreateCluster API.
- Amazon Connect Service - 1 updated method - This release supports showing the PreferredAgentRouting step via the DescribeContact API.
- Amazon EMR - 3 updated methods - This release adds support for new allocation strategies, i.e. CAPACITY_OPTIMIZED_PRIORITIZED for Spot and PRIORITIZED for On-Demand, by taking a priority value for each instance type in instance fleet clusters.
- AWS Glue - 1 updated method - Added the AttributesToGet parameter to Glue GetDatabases, allowing the caller to limit output to only the database name.
- Amazon Kinesis Analytics - 8 updated methods - Support for Flink 1.19 in Managed Service for Apache Flink.
- Amazon WorkSpaces - 4 updated methods - Added support for Red Hat Enterprise Linux 8 on Amazon WorkSpaces Personal.
- Application Auto Scaling - 10 updated methods - Amazon WorkSpaces customers can now use Application Auto Scaling to automatically scale the number of virtual desktops in a WorkSpaces pool.
- Amazon Chime SDK Media Pipelines - 3 updated methods - Added Amazon Transcribe multi-language identification to Chime SDK call analytics. This enables customers sending single-stream audio to generate call recordings using Chime SDK call analytics.
- Amazon DataZone - 3 new 1 updated methods - This release supports the data lineage feature of business data catalog in Amazon DataZone.
- Amazon Q Connect - 4 new methods - Adds CreateContentAssociation, ListContentAssociations, GetContentAssociation, and DeleteContentAssociation APIs.
- Amazon QuickSight - 9 updated methods - Adding support for Repeating Sections and Nested Filters.
- Amazon SageMaker Service - 6 updated methods - Add capability for Admins to customize Studio experience for the user by showing or hiding Apps and MLTools.
- Amazon WorkSpaces - 9 new 3 updated methods - Added support for WorkSpaces Pools.
- AWS Control Tower - 1 new, 1 updated method - Added the ListLandingZoneOperations API.
- Amazon Elastic Kubernetes Service - 1 updated method - Added support for disabling unmanaged add-ons during cluster creation.
- Amazon Interactive Video Service RealTime - 4 new 3 updated methods - IVS Real-Time now offers customers the ability to upload public keys for customer vended participant tokens.
- Amazon Kinesis Analytics - 2 new 11 updated methods - This release adds support for new ListApplicationOperations and DescribeApplicationOperation APIs. It adds a new configuration to enable system rollbacks, adds field ApplicationVersionCreateTimestamp for clarity and improves support for pagination for APIs.
- Amazon OpenSearch Service - 7 updated methods - This release adds support for enabling or disabling Natural Language Query Processing feature for Amazon OpenSearch Service domains, and provides visibility into the current state of the setup or tear-down.
- Amazon Elastic Compute Cloud - 24 updated methods - This release is for the launch of the new u7ib-12tb.224xlarge, R8g, c7gn.metal and mac2-m1ultra.metal instance types.
- AWS Network Manager - 20 updated methods - Model changes and documentation updates for the Asynchronous Error Reporting feature for AWS Cloud WAN. This feature lets customers view errors that occur while their resources are being provisioned, so they can fix those resources without needing external support.
- Amazon WorkSpaces Thin Client - 3 updated methods - This release adds the deviceCreationTags field to CreateEnvironment API input, UpdateEnvironment API input and GetEnvironment API output.
- Amazon Connect Customer Profiles - 3 updated methods - This release includes changes to the ProfileObjectType APIs and adds functionality to set and get capacity for profile object types.
- QBusiness - 3 updated methods - Updates API to latest version.
- Amazon WorkSpaces Web - 5 updated methods - Added ability to enable DeepLinking functionality on a Portal via UserSettings as well as added support for IdentityProvider resource tagging.
🍹 Updated AWS Managed IAM Policies
Managed policies changed since last week: 22
- 🚩 AWSDataExchangeFullAccess
- 🚩 AWSIAMIdentityCenterAllowListForIdentityContext
- 🚩 AWSQuickSetupCFGCPacksPermissionsBoundary
- 🚩 AWSQuickSetupDeploymentRolePolicy
- 🚩 AWSQuickSetupDevOpsGuruPermissionsBoundary
- 🚩 AWSQuickSetupDistributorPermissionsBoundary
- AWSQuickSetupPatchPolicyBaselineAccess
- 🚩 AWSQuickSetupPatchPolicyDeploymentRolePolicy
- 🚩 AWSQuickSetupPatchPolicyPermissionsBoundary
- 🚩 AWSQuickSetupSSMHostMgmtPermissionsBoundary
- 🚩 AWSQuickSetupSchedulerPermissionsBoundary
- 🚩 AWSServiceRoleForAmazonEKSNodegroup
- 🚩 AWSSystemsManagerEnableConfigRecordingExecutionPolicy
- 🚩 AWSSystemsManagerEnableExplorerExecutionPolicy
- AmazonDataZoneDomainExecutionRolePolicy
- AmazonDataZoneFullUserAccess
- 🚩 AmazonDataZoneGlueManageAccessRolePolicy
- AmazonWorkSpacesAdmin
- 🚩 AmazonWorkSpacesPoolServiceAccess
- AmazonWorkSpacesSecureBrowserReadOnly
- 🚩 NetworkAdministrator
- 🚩 SSMQuickSetupRolePolicy
🍪 Amazon Linux CVEs
No CVEs this week 🎉
👾 r/aws
- Identify Unnecessary Security Group Rules?
- Aws Beanstalk multiple (malicious?) request
- GuardDuty Malware Scan support for S3
- IAM Role Cross Account Access to Update Autoscaling Group in different AWS account
- Logging Cloudtrail events using Lambda, Golang and Eventbridge
- How can I deploy front end, backend containers with proper security configuration?
- Aws Forensics
- Investigating GuardDuty Findings with ChatGPT