
July 29, 2024
Palate Cleanser
Cloud security is back to normal. I know this because my 70-year-old mother has not called me this week to explain how my friends broke everything. Yay! There was some great gossip nonetheless, as Wiz apparently walked away from a $23 billion acquisition offer from Alphabet.
If you are headed to Defcon this year, the Cloud Village has some exceptional talks scheduled August 9-11.
Have feedback about AWS Security Digest? Tell us here.
Chef's selections
- Revealing the Inner Structure of AWS Session Tokens by Tal Be'ery
This is a spectacular piece of reverse engineering of AWS session tokens by Tal Be'ery. Tal details the fascinating research process start to finish for how he identified and decoded each field. Although there was ultimately no negative security impact, the post includes source code and a tool to inspect and modify tokens, leaving the door open for further exploration.
- Enabling Security Guardrails: Infra as Code with CDK for Terraform by Ashish Patel and Victor Chen
We can't all be riveting reverse engineers and hilarious hackers. There are folks out there securing things, like the expert engineers at Zip, who migrated to infrastructure-as-code using Terraform CDK (Terraform Cloud Development Kit) with Python. My favourite bit is how they used tags and service control policies to "disable" ClickOps along the way.
- NO_WILDCARD: How I discovered the Organization ID of any AWS Account by Sam Cox
Want to get anyone's OrgId? This is a new addition to a long chain of research that started with getting the account ID of a public S3 bucket, then even of a private bucket, then various metadata from many public resources. Again, not much security impact, but very cool to see research compounding over time.
Bonus: For those that like decoding things but without cool decoder rings, Aidan W Steele (the W is for Winning) gives us a decoder for turning AWS unique IDs into ARNs.
AWS security blogs
- Overseeing AI Risk in a Rapidly Changing Landscape by Mark Schwartz
- Hardening DNS Resolution for Amazon WorkSpaces Personal by Nahuel Benavidez
- Govern Microsoft workloads using the myApplications dashboard on AWS by Mangesh Budkule
- Streamlining digital transformation in German healthcare with AWS by Geraldine Reichard
- How AWS Wickr can enable secure communications for the Australian Government and its allies by Andrew McBride
- Responsible AI for mission-based organizations by Mike George
- Leverage AWS Training to enable your workforce to achieve digital transformation by Saurabh Sharma
Reddit threads on r/aws
Dessert
Dessert is made by robots, for those that enjoy the industrial content.
IAM permission changes
elasticloadbalancingv2, gamelift, cleanrooms, ssm, ecr, entityresolution, workmail, cleanrooms, cloudtrail, eks, quicksight, resource-explorer-2, connect
API changes
AWS Clean Rooms Service, AWS IoT SiteWise, AWS Elemental MediaPackage v2, AWS Health Imaging, AWS Clean Rooms Service, AWS Clean Rooms ML, Amazon Connect Service, Amazon Connect Contact Lens, AWS EntityResolution, Amazon Connect Service, Amazon Elastic Compute Cloud, Amazon Kinesis Firehose, AWS Elemental MediaLive, Amazon SageMaker Service, Amazon DataZone, Redshift Serverless
IAM managed policy changes
AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy, AmazonOpenSearchServerlessServiceRolePolicy, AWSMarketplaceSellerFullAccess, CloudwatchApplicationInsightsServiceLinkedRolePolicy, AmazonDMSVPCManagementRole, AWSResilienceHubAsssessmentExecutionPolicy, AWSBackupOperatorAccess, AmazonSageMakerNotebooksServiceRolePolicy, AmazonConnectSynchronizationServiceRolePolicy, AmazonSageMakerNotebooksServiceRolePolicy, FMSServiceRolePolicy, AWSDataSyncFullAccess, AWSElementalMediaLiveReadOnly, AWSDataExchangeReadOnly
CloudFormation resource changes
AWS::CleanRooms::ConfiguredTable, AWS::CleanRooms::ConfiguredTableAssociation, AWS::EntityResolution::MatchingWorkflow, AWS::EntityResolution::SchemaMapping, AWS::CleanRooms::IDMappingTable, AWS::CleanRooms::IdNamespaceAssociation, AWS::WorkSpacesWeb::UserSettings
Amazon Linux vulnerabilities
CVE-2024-41091, CVE-2024-41090, CVE-2024-41110, CVE-2024-6197, CVE-2024-1975, CVE-2024-4076, CVE-2024-1737