🥖 Palette Cleanser

The post Vegas AWS security content hangover continues but don't worry, I am here with your cloud engineering dopamine hit. The article video summary is back, shorter and sweeter.

A few people have asked for more general cybersecurity content beyond the AWS mothership. If you're into that kind of thing, check out tl;dr sec. It's easily the best all-in-one newsletter out there and Clint who runs it is a top bloke.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Eleventeen ways to delete an AWS resource by Rami McCarthy and Daniel Grzelak

  These authors are weird but they write good blog posts. If you've ever wondered why there are so many ways to delete something in AWS, it's how they prevent you from hurting yourself. Turns out there's a public AWS design system describing all the delete patterns and beyond. Who knew?!

  🎥 How AWS stops you from accidentally deleting resources

• AWS vs Azure: A “Secure by default” comparison by Stefan Tita

  Stefan has summarised the different approaches Azure and AWS have taken to key security configurations: 1. Instance metadata service susceptibility to server-side request forgery attacks 2. Access keys vs short term credential minting for CLI logins 3. IAM policies vs Azure roles. It's a good read even if Inspector Gadget would be proud of the overreach on the conclusion - "AWS places more responsibility on the company users to implement secure settings. As a result, Azure’s default security settings and design have resulted in less issues than on AWS over the years".

• Implementing CNAPP: Key Considerations for Success by naman16

  So you want to get yourself one of those fancy Gartner security tools, ayyy. What now? Stefan suggests some selection criteria and early implementation focus areas. Better yet, his conclusion I can agree with, "the tool in itself is very powerful and provides good visibility but the successful implementation and ROI are dependent on people and process"

  Did you know Plerion is one such tool? They pay me dollarydoos to write this newsletter. Get yourself a demo so they continue to think this is a good idea. 😬

Bonus: The Challenges of API Logging by Lina Romero

🥗 AWS security blogs

• Amazon S3 Access Grants introduce the ListCallerAccessGrants API by aws@amazon.com
• Simplified and scalable data integration for Telco BSS by Rabindra Shakya

🍛 Reddit threads on r/aws

• Exploiting Misconfigured GitLab OIDC AWS IAM Roles
• Implementing AWS-Well Architected Best Practises into A Serverless Enviroment
• Monitoring and Alerting in Serverless Enviroment - Cloudwatch Alarms
• Does yubikey not count as hardware mfa?
• SSO security key
• Is is okhe that my KMS key ARN is showing in Cloudfront hosted website response header?

🧁 IAM permission changes

• wisdom
• s3
• logs
• ec2
• elasticloadbalancingv2
• events
• appconfig
• fis
• redshift-data

🍪 API changes

• Amazon CloudWatch Application Signals
• Amazon Connect Service
• Amazon GameLift
• Amazon Kinesis Analytics
• Amazon SageMaker Service
• AWS AppSync
• Agents for Amazon Bedrock
• AWS Fault Injection Simulator
• Amazon CloudWatch Logs
• AWS S3 Control
• Amazon Connect Service
• Amazon DataZone
• Elastic Load Balancing
• AWS MediaConnect
• AWS Elemental MediaLive
• Amazon SageMaker Service
• Timestream InfluxDB

🍹 IAM managed policy changes

• AmazonSageMakerHyperPodServiceRolePolicy
• AWSIAMIdentityCenterAllowListForIdentityContext

☕ CloudFormation resource changes

• AWS::AppSync::GraphQLApi

🎮 Amazon Linux vulnerabilities

• CVE-2024-43402
• CVE-2024-20506
• CVE-2024-8382
• CVE-2024-6119
• CVE-2024-8386
• CVE-2024-8388
• CVE-2024-8384
• CVE-2024-8381