
August 19, 2024
🥖 Palate Cleanser
Last week I put out a call for post-hacker-summer-camp gossip, and you responded. Well, sort of. You didn't send gossip (shame 🔔) but you did send slide decks from the best AWS security presentations and workshops. I'll take it.
For folks who want to consume articles a different way, I'm picking at least one article each week and recording a dramatic reading with super serious internet guy commentary. Here's one from last week. They'll be crammed inside the newsletter going forward.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
📋 Chef's selections
- How some Let's Encrypt renewal failures pointed to an AWS traffic hijacking issue by Jamie Finnigan
"A BGP-based feature of the AWS Direct Connect service allowed a third party to inject an incorrect route for an external IP assigned to me, effectively hijacking my AWS-sourced traffic." So many security issues are found when things break in unusual ways and someone decides they care deeply. Remember that SSH backdoor that was found because someone's connections were taking slightly longer? Great storytelling by Jamie here.
- Addressed AWS defaults risks: OIDC, Terraform and Anonymous to AdministratorAccess by Eduard Agavriloae
Nothing in cloud is new and we love it. If you've previously enjoyed hacking GitHub AWS integrations you'll enjoy this. Eduard explains how folks accidentally over-permission Terraform Cloud integrations. He stops short of mass-pwnage because AWS asked nicely. Boo! Makes me wonder though, which other deputies are confused?
- Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments by Margaret Zimmermann, Sean Johnstone, William Gamazo, Nathaniel Quist
It's pretty difficult to turn such fantastic subject matter drier than a Weetbix challenge, but they did it! No really, it's spectacular content. From mass scanning for .env files to every single action in compromised AWS accounts. A must read for defenders.
It seems people like publishing blog posts straight after summer camp so the bonus section is bloated. I'm sorry. There was just too much goodness to simply leave it off the menu.
- An AWS IAM Security Tooling Reference [2024] by Rami McCarthy
- My Methodology to AWS Detection Engineering (Part 1: Object Selection) by Chester Le Bron
- What is the probability that you can successfully assume an IAM role in a random AWS account? by Michael Kirchner
- Canary Infrastructure vs. Real World TTPs by Rami McCarthy
- Holding Cloud Vendors to a Higher Security Bar by Matthew Fuller
- Anywhere Access in AWS: Blessing or Security Nightmare? by Chandrapal Badshah
🍣 Hacker summer camp slide decks
- Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access presented by Nick Frichette at Black Hat
- Cloud Tripwires presented by Jenko Hwong at DEF CON Cloud Village
- Exploiting Common Vulnerabilities in AWS environments workshop by Seth Art at DEF CON Cloud Village
🥗 AWS security blogs
- Using AWS CloudTrail data events to audit your Amazon SNS and Amazon SQS workloads by Isaiah Salinas
- Securing your AWS environment with Wiz for Gov, a FedRAMP Moderate authorized security solution by Faizan Mahmood
- Accessing AWS resources using AWS IAM Roles Anywhere from Amazon WorkSpaces by Mayank Jain
- Securing the future of mobility: UNECE WP.29 and AWS IoT for connected vehicle cybersecurity by Syed Rehan
- Security best practices when using ALB authentication by Lucas Pellucci Barreto Rolim
🍛 Reddit threads on r/aws
- AWS RDS + S3 access for an external freelancer
- Aws detective search limitations
- Anyone know how test POST requests return 403 for false positives on WAF?
- Seeking Advice: Using AWS Key Management for Encrypting User Data on External Web Server
- Bastions
- Just passed SAA, what to do to better land cloud security engineer
🤖 Dessert
Dessert is made by robots, for those who enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
🍹 IAM managed policy changes
- AmazonSageMakerCanvasDataPrepFullAccess
- AmazonSageMakerCanvasFullAccess
- AwsGlueSessionUserRestrictedNotebookPolicy
- AwsGlueSessionUserRestrictedNotebookServiceRole
- AWSDataExchangeProviderFullAccess
- ReadOnlyAccess
- AmazonInspector2ServiceRolePolicy
- AmazonECS_FullAccess
- AmazonGuardDutyServiceRolePolicy
- SSMQuickSetupRolePolicy