
July 22, 2024
Palate Cleanser
If regreSSHion was the internet on fire, CrowdStrike this week is an internet firestorm. As much as we all love a good meme, me especially, let's remember that no one wanted this. No one wants to be required to update nation state governments about their unfortunate errors, but it does happen. And when it happens, what matters is how we respond. There have been far too many terrible hot takes and awful technical analyses.
It was nice to see the professional response from governments and AWS alike. AWS published recovery options quickly. They weren't pretty but they were fast and they did work.
Hopefully there will be less burning online next week. Until then, enjoy this week's issue, which includes our first ever guest article contribution.
Have feedback about AWS Security Digest? Tell us here.
Chef's selections
- Confused Deputy Vulnerability in Microsoft Defender for Cloud and What You Need to Know About It by Brandon Evans
This might not sound like an AWS Security story, but it is an AWS classic. Confused deputy issues are so much fun because they make us all confused. In this case, if a previously connected AWS account was disconnected, another party could come along and register it in Defender for Cloud. If the AWS permissions weren't properly deprovisioned, unauthorized access ensued.
- An Opinionated Ramp Up Guide to AWS Pentesting by Lizzie Moratti
This is our first ever guest post and it's a banger! Lizzie puts the reader on a detailed path to becoming an AWS pentester. Not just any pentester, a good one, who knows what they are talking about and doesn't just repurpose open source tool reports. Spicy takes and practical advice within.
- A hard look at GuardDuty shortcomings by Rami McCarthy
I think Rami was bored of writing for 15 different publications and added a 16th. As usual, he provides a fantastic and deep analysis with charts, data, and references. If you or a close friend rely on GuardDuty, it's worth knowing these shortcomings.
Bonus: Not strictly AWS related but well worth a read, the Google Cloud H2 2024 Threat Horizons Report.
AWS security blogs
- Introducing AWS Audit Manager Common Controls Library by Anjani Reddy
- How Zurich Insurance Group built a log management solution on AWS by Jake Obi
- AWS Wickr achieves DoD Impact Level 4 and 5 authorization by Anne Grahn
- Protect against bots with AWS WAF Challenge and CAPTCHA actions by David MacDonald
- Automating Amazon FSx for NetApp ONTAP password rotation with AWS Lambda by Tom McDonald
Reddit threads on r/aws
Dessert
Dessert is made by robots, for those that enjoy the industrial content.
IAM permission changes
API changes
No changes this week.
IAM managed policy changes
AmazonWorkSpacesThinClientReadOnlyAccess, AmazonSageMakerCanvasDataPrepFullAccess, AmazonRDSCustomServiceRolePolicy, AmplifyBackendDeployFullAccess, IAMAccessAnalyzerReadOnlyAccess, ReadOnlyAccess, AmazonSSMManagedEC2InstanceDefaultPolicy,
CloudFormation resource changes
No resource updates this week.
Amazon Linux vulnerabilities
CVE-2024-40898, CVE-2024-40725, CVE-2024-41184, CVE-2022-48840, CVE-2024-21171, CVE-2024-21173, CVE-2022-48796, CVE-2024-21127, CVE-2024-21130, CVE-2024-21135, CVE-2024-21131, CVE-2024-21159, CVE-2024-21179, CVE-2024-21138, CVE-2024-21144, CVE-2024-21166, CVE-2024-21147, CVE-2024-21163, CVE-2024-20996, CVE-2024-21165, CVE-2024-21129, CVE-2024-21134, CVE-2024-21177, CVE-2024-21176, CVE-2024-39908, CVE-2024-21145, CVE-2024-0102, CVE-2024-21162, CVE-2024-21125, CVE-2024-21157, CVE-2024-21137, CVE-2024-21140, CVE-2024-21185, CVE-2024-21160, CVE-2024-21142,