🥖 Palette Cleanser

Blackhat and Defcon happened. Hope everyone had a good time. I'm sure it was great. I don't have much gossip to share (yet?). Send gossip to gossip@awssecuritydigest.com and I'll give it the appropriate treatment.

One AWS security presentation made noise and leads this week's chef's selections. One event organiser made some horrible career choices that deserve our ire.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Breaching AWS Accounts Through Shadow Resources by Yakir Kadkoda, Michael Katchinskiy & Ofek Itach

  SC Magazine did a solid job interviewing the presenters and summarising the juicy bits. Some AWS services create and use buckets automatically as part of how they work. It was possible to pre-register buckets with predictable names, and have AWS services interact with them in ways that were bad for customers. AWS has fixed the issues but the techniques are cool and make me wonder, 'what else'?

• AWS IAM Privilege Escalation Leads to EC2 Ransomware Deployment by Adam Messer

  This is a cool approach to awesome content - simulate an AWS ransomware deployment, do forensics on it take the reader through the evidence. If Windows on AWS is your thing, this is a fun read.

• Emerging phishing campaign targeting AWS accounts by Scott Piper & Gili Tikochinski

  A short and sweet look at how cyber bandits are taking off with your credentials, after many clicks and redirects. Using AWS services to phish AWS service users is a nice touch. The screenshots and indicators of compromise are worth a gander - that's British for squiz, which Australian for look.

Bonus: Surprising behaviour in AWS web console session duration by Aidan Steele

🥗 AWS security blogs

• How to implement Zero Standing Privileges with CyberArk for securing access to the AWS console by Rajendra Kulkarni
• Review your Amazon Aurora and Amazon RDS security configuration with Prowler’s new checks by Sanjeet Singireddy
• From Data Chaos to Cohesion: How OCSF is Optimizing Cyber Threat Detection by Mark Terenzoni
• National framework for AI assurance in Australian government: Guidance when building with AWS AI/ML solutions by Natacha Fort

🍛 Reddit threads on r/aws

• How Automatically Created S3 Buckets Could Pose a Security Risk in AWS
• Lambda cold-start on secrets pull
• How to Enforce MFA for Admin Access with Google SSO Across Multiple Accounts?
• Create IAM users using a stackset
• Aggregate NIST findings to one account for sandbox with one currently for prod
• AWS SFTP

🧁 IAM permission changes

• app-integrations
• glue
• kinesisvideo
• elemental-activations
• codepipeline
• bedrock
• redshift
• datazone
• cloudhsm
• controlcatalog

🍪 API changes

• Amazon Cognito Identity Provider
• Amazon Elastic Compute Cloud
• AWS Glue
• Amazon AppIntegrations Service
• AWS Glue
• Agents for Amazon Bedrock Runtime
• Amazon Cognito Identity Provider
• Cost Optimization Hub
• Amazon WorkSpaces
• Amazon DataZone
• Amazon EC2 Container Registry
• Amazon Kinesis Video WebRTC Storage

🍹 IAM managed policy changes

• AmazonCognitoUnAuthedIdentitiesSessionPolicy
• AmazonCognitoUnAuthedIdentitiesSessionPolicy
• AmazonWorkSpacesThinClientFullAccess
• AmazonWorkSpacesThinClientReadOnlyAccess
• AmazonElasticFileSystemReadOnlyAccess
• AmazonRDSBetaServiceRolePolicy
• AmazonRDSPreviewServiceRolePolicy
• AWSSSMForSAPServiceLinkedRolePolicy
• AWSSupportServiceRolePolicy
• AwsGlueSessionUserRestrictedPolicy
• AwsGlueSessionUserRestrictedServiceRole
• AmazonRoute53ResolverFullAccess
• AmazonRoute53ResolverReadOnlyAccess

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

• CVE-2024-43167
• CVE-2024-43168
• CVE-2024-7348
• CVE-2024-5290
• CVE-2024-7006
• CVE-2024-7529
• CVE-2024-7522
• CVE-2024-7519
• CVE-2024-7525
• CVE-2024-7518
• CVE-2024-7531
• CVE-2024-7521
• CVE-2024-7527
• CVE-2024-7246
• CVE-2024-43111
• CVE-2024-7530
• CVE-2024-43113
• CVE-2024-7526
• CVE-2024-43112
• CVE-2024-7520
• CVE-2024-7528
• CVE-2024-7524
• CVE-2024-7523