📋 Chef's selections

• How some Let's Encrypt renewal failures pointed to an AWS traffic hijacking issue by Jamie Finnigan

  "A BGP-based feature of the AWS Direct Connect service allowed a third party to inject an incorrect route for an external IP assigned to me, effectively hijacking my AWS-sourced traffic." So many security issues are found when things break in unusual ways and someone decides they care deeply. Remember that SSH backdoor that was found because someone's connections were taking slightly longer? Great storytelling by Jamie here.

• Addressed AWS defaults risks: OIDC, Terraform and Anonymous to AdministratorAccess by Eduard Agavriloae

  Nothing in cloud is new and we love it. If you've previously enjoyed hacking Github AWS integrations you'll enjoy this. Eduard explains how folks accidentally over-permission Terraform Cloud integrations. He stops short of mass-pwnage because AWS asked nicely. Boo! Makes me wonder though, which other deputies are confused?

• Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments by Margaret Zimmermann, Sean Johnstone, William Gamazo, Nathaniel Quist

  It's pretty difficult to turn such fantastic subject matter drier than a Weetbix challenge, but they did it! No really, it's spectacular content. From mass scanning for .env files to every single action in compromised AWS accounts. A must read for defenders.

It seems people like publishing blog posts straight after summer camp so the bonus section is bloated. I'm sorry. There was just too much goodness to simply leave it off the menu.

• An AWS IAM Security Tooling Reference [2024] by Rami McCarthy
• My Methodology to AWS Detection Engineering (Part 1: Object Selection) by Chester Le Bron
• What is the probability that you can successfully assume an IAM role in a random AWS account? by Michael Kirchner
• Canary Infrastructure vs. Real World TTPs by Rami McCarthy
• Holding Cloud Vendors to a Higher Security Bar by Matthew Fuller
• Anywhere Access in AWS: Blessing or Security Nightmare? by Chandrapal Badshah

🥗 AWS security blogs

• Using AWS CloudTrail data events to audit your Amazon SNS and Amazon SQS workloads by Isaiah Salinas
• Securing your AWS environment with Wiz for Gov, a FedRAMP Moderate authorized security solution by Faizan Mahmood
• Accessing AWS resources using AWS IAM Roles Anywhere from Amazon WorkSpaces by Mayank Jain
• Securing the future of mobility: UNECE WP.29 and AWS IoT for connected vehicle cybersecurity by Syed Rehan
• Security best practices when using ALB authentication by Lucas Pellucci Barreto Rolim

🍛 Reddit threads on r/aws

• AWS RDS + S3 access for an external freelancer
• Aws detective search limitations
• Anyone know how test POST requests return 403 for false positives on WAF?
• Seeking Advice: Using AWS Key Management for Encrypting User Data on External Web Server
• Bastions
• Just passed SAA, what to do to better land cloud security engineer

🧁 IAM permission changes

• datazone
• healthlake
• codestar-connections
• appstream
• codeconnections
• lambda
• glue
• route53profiles
• ssm
• kinesisanalyticsv2
• bedrock
• ec2

🍪 API changes

• Amazon DocumentDB with MongoDB compatibility
• Amazon EC2 Container Service
• Amazon Simple Storage Service
• AWS CodeBuild
• AWS Amplify
• Amazon AppStream
• AWS Fault Injection Simulator
• AWS Glue
• Amazon Elastic Compute Cloud
• Amazon Elastic Kubernetes Service
• AWS Elemental MediaLive
• Amazon SageMaker Service

🍹 IAM managed policy changes

• AmazonSageMakerCanvasDataPrepFullAccess
• AmazonSageMakerCanvasDataPrepFullAccess
• AmazonSageMakerCanvasFullAccess
• AwsGlueSessionUserRestrictedNotebookPolicy
• AwsGlueSessionUserRestrictedNotebookServiceRole
• AWSDataExchangeProviderFullAccess
• ReadOnlyAccess
• AmazonInspector2ServiceRolePolicy
• AmazonInspector2ServiceRolePolicy
• AmazonECS_FullAccess
• AmazonGuardDutyServiceRolePolicy
• AmazonGuardDutyServiceRolePolicy
• SSMQuickSetupRolePolicy

☕ CloudFormation resource changes

• AWS::Bedrock::Guardrail

🎮 Amazon Linux vulnerabilities

• CVE-2024-42472
• CVE-2023-42667
• CVE-2024-42259
• CVE-2024-24853
• CVE-2024-25939
• CVE-2024-39792
• CVE-2024-38168