Monday, August 05, 2024

Palette Cleanser

The Cloud Twitterati this week had a therapy session about AWS service deprecation. The easy way to communicate about service deprecation is to communicate about service deprecation. AWS chose a bold alternative and the people demanded justice.

My best attempt at decoding the drama goes like this:

  1. AWS curiously started publishing various guides on how to migrate away from a few of their services
  2. Some services stopped being available in new accounts
  3. The (best kind of) nerds like Aidan and Scott identified this and a pile-on ensued
  4. AWS did some soul searching and published clearer comms

...and the cloud continued safely onward towards its AI future.

Remember to check out the Cloud Village talks if you are at Defcon this week.

Finally, I've gotten multiple reports of formatting issues. Thank you and sorry. Hopefully these are fixed now. Have any other feedback about AWS Security Digest? Tell us here.

Chef's selections

  • Poisoning the SSM Command Document Well by Rami McCarthy

    I love this kind of simple research that anyone can do and replicate. In this post Rami makes some lightly malicious SSM documents that look and feel like official Datadog SSM documents. He points out that vendor documentation often doesn't do much to help users determine which SSM documents are real and which are fake. It's entirely plausible Rami now operates a webscale botnet of AWS well-monitored hosts. That's just speculation. There is no evidence for or against.

  • Capturing Exposed AWS Keys During Dynamic Web Application Tests by Aleksa Zatezalo

    I'm not sure I agree with the conclusion that tokens belonging to a backend service should never be sent to an external party. In fact AWS has a design pattern doing exactly this. Sending logs directly to CloudWatch from a somewhat untrusted client is probably going to lead to bad times though. This post is a quick read on what can go wrong.

AWS security blogs

Reddit threads on r/aws


Dessert

Dessert is made by robots, for those that enjoy the industrial content.

๐Ÿง IAM permission changes

๐Ÿช API changes

๐Ÿน IAM managed policy changes

โ˜• CloudFormation resource changes

    No resource updates this week.

Amazon Linux vulnerabilities