
September 02, 2024
🥖 Palette Cleanser
This week brings some quality content from the usual suspects. There's a little bit of everything - cloud engineering tools, detection approaches, and one very detailed end-to-end attack. Enjoy!
I have failed you this week :( I promised a video every issue but didn't get a chance to record one this week. You can decide the punishment. Thanks for the valuable feedback that the pacing needs to be faster with less reading. Next time.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
📋 Chef's selections
- Industrial IAM Service Role Creation by Rami McCarthy
Rami is back with a review of options for creating AWS service roles without the need for artisanal craftsmanship. This is something every AWS engineer has to contend with, so it's useful to know the options. I'd love to see Rami do an update with a little CDK love.
- A Fresh Perspective on Exfiltrating ECS Task Metadata Credentials by Saransh Rana
It should be obvious that if an attacker logs into your EC2 hosts running ECS tasks, you're going to have a bad time. What I love about this article is that it lays out, in very simple terms, exactly how easy and automatable that bad time will be. Saransh concludes the post with a script for harvesting and exfiltrating task credentials that's useful for blue and red teamers.
- My Methodology to AWS Detection Engineering (Part 2: Risk Assignment) by Chester Le Bron
Part 1 appeared in issue 171 and was the most clicked article despite being in the bonus section with no summary. In part 2, Chester covers the key components that make up his "risk assignment rule". The Splunk focus was a little over my head so you'll have to check it out without a summary once more.
Bonus: Replace SSH with Session Manager by Rich Mogull
🥗 AWS security blogs
- One audit, multiple frameworks: Streamline multi-framework compliance with Thoropass on AWS by Ashok Mahajan
- Enhance data governance through column-level lineage in Amazon QuickSight by Selman Ay
- Building automations to accelerate remediation of AWS Security Hub control findings using Amazon Bedrock and AWS Systems Manager by Shiva Vaidyanathan
- Streamline Identity Management with AWS Directory Service and One Identity Active Roles by Rodney Underkoffler
- Elevating credit unions: Transforming core banking on the AWS Cloud by Karl Lionheart Richard Camp
🍛 Reddit threads on r/aws
- DoS Attack - False Positive?
- Industrial IAM Service Role Creation
- Not able to use KMS key from another AWS account to diff AWS account ECS Fargate ephemeral storage encryption.
- Does AWS CloudHSM fulfill the SEBI guidelines for generating, storing, managing the keys in dedicated HSM?
- Please help me understand the extent of ALBeast
- Suspicious login attempts
🤖 Dessert
Dessert is made by robots, for those that enjoy the industrial content.