
August 26, 2024
Palette Cleanser
It's Monday again. How? Time travel! We're back with the usual goodies as well as a video explainer of this week's top post, an absolutely delicious treat from Liad Eliyahu. If your apps use ALB authentication, you need to read (or watch) it immediately.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
Chef's selections
- The Hunt for ALBeast: A Technical Walkthrough by Liad Eliyahu
The research team at Miggo dropped a bomb on everyone using application load balancer authentication, including AWS. Not having to roll your own auth is an awesome idea unless it comes with a giant footgun. In this case the reference integration code was missing a key JWT field validation, which put ~15,000 apps at risk of authentication bypass.
- Your queues, your responsibility by Sid Rajalakshmi
We've all heard about hackers pillaging open S3 buckets, but SQS queues escaped attention, until now. Sid found some clever ways to scan ~1.75 billion URLs to identify exposed SQS queues, without touching anyone's data.
- Exposing Security Observability Gaps in AWS Native Security Tooling by Jonathan Walker
Ever wonder what the limits of IAM Access Analyzer are? Is it just for enforcing the Principle of Least Privilege? What services does it cover, and when is additional tooling required? Jonathan put together a giant, pretty table with all the details and decorated the rest of the article with unexpected quirks.
Bonus: Bling Libra's Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware by Margaret Zimmermann and Chandni Vaya
AWS security blogs
- Investment management: Fostering a culture of security and compliance by Nick Dimtchev
- Embracing OT-IT Convergence: How Automation Software Management Can Enhance OT Security by Madhu Pai
- Supercharge Manufacturing Agility: Self-Service IT on the Shop Floor with AWS by Hans Schabert
- Manage security events in Slack, Teams, or Amazon Chime using AWS Chatbot and Amazon Q by Arbind Basnet
- Dispelling the top 8 cloud myths holding back Canadian public sector IT transformation by Andre Leduc
- Automatically scan for public Amazon S3 buckets and block public access by Arun Chandapillai
Reddit threads on r/aws
Dessert
Dessert is made by robots, for those who enjoy the industrial content.