🥖 Palette Cleanser

Hello esteemed readers, I've missed you so very much. The internet let us down last week with reduced AWS security content and no drama. Luckily, this week's issue is chockas. Thank you to everyone who wrote in to share content and provide feedback. Keep it coming!

Sometimes I come across a story so compelling I have to include it even though it's not about AWS. This week the fine folks at WatchTowr stumbled into possession of a domain (dotmobiregistry.net) once-upon-a-time used for hosting WHOIS services for the .mobi TLD. I don't want to spoil the story too much but things went poorly for the internet and hilariously well for the researchers.

This week's video is extremely niche but close to my heart - building secure AWS integrations. It's not straight forward and many vendors get it wrong, so it's great to see Datadog provide solid advice.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• The Complexity of AWS Data Access with KMS Encryption: KMS Key Grants and all the possible combinations by Jason Kao

  I think Jason could have titled this post, "Twisting your brain into a pretzel with KMS permissions" but the less fun version works too. Jason mapped 17 unique ways to provide access to a KMS key within a single account, and 19 cross-account. Many tools won't find all the combinations because key grants are special. Some brave soul should make a video explaining all of this.

  The most surprising thing to me was that KMS doesn't apply the same policy evaluation algorithm as other resources within a single account. It feels like it does because, "The AWS-Provided default KMS key policy includes a delegation policy that enables IAM [principal] policy access...", but without such a policy on key or key grant, it acts as an implicit deny.

• A SaaS provider's guide to securely integrating with customers' AWS accounts by Christophe Tafani-Dereeper

  Have you ever connected a SaaS tool to your AWS account and gotten a rush of fear? It was probably justified, otherwise Christophe wouldn't need to write this guide. For example, it's always upset me that SaaS services require us to allow their entire account to assume a single role in our accounts. Why? I'd rather that a specific identity in their accounts have to get pwned to gain access to my accounts.

  Not only is this a great resource for people building AWS integrations, but I'd suggest we should all demand our vendors adhere to this very sensible and comprehensive set of requirements.

• Security Flaw in AWS Transit Gateway Peering Attachments (Patched) by James Sheard

  What happens when your customers have their Terraform-created Transit Gateway peering attachments auto-approved? Well, there's an immediate productivity gain of course. Also, James realises that's bad and investigates. He found that when the AWS API was called directly, the peering request could be accepted by the source account (requestor) without proper authorisation, as long as the Transit Gateways are in separate regions. AWS promptly patched the issue but James has some helpful suggestions regardless.

I'm cheating this week and including lots of bonus content (complaints@awssecuritydigest.com):

• The Cloud is Darker and More Full of Terrors - Sec-T 2024 + video
• Exposing the Weakness: How We Identified a Flaw in Bedrock's Foundation Model Access Control
• AWS IAM: A Comprehensive Guide Toward Least Privilege
• Introduction to glue_privesc
• # Let's Get Hacked! Public SSH Edition

🥗 AWS security blogs

• AWS WAF Bot Control Managed Rule expands bot detection capabilities by aws@amazon.com
• Amazon Cognito user pools now offer email as a multi-factor authentication (MFA) option by aws@amazon.com
• AWS Network Firewall now supports AWS PrivateLink by aws@amazon.com
• AWS IAM Identity Center now supports language and visual mode preferences in the AWS access portal by aws@amazon.com
• AWS Resource Access Manager now supports AWS PrivateLink by aws@amazon.com
• Serverless Governance of Software Deployed with AWS Service Catalog by Ran Isenberg (AWS Serverless Hero)
• Securing HPC on AWS – isolated clusters by Alex Domijan
• Accelerate Remote Desktop Gateway deployments with AWS Launch Wizard by Sassan Hajrasooliha
• AWS Canada launches $5 million Provincial and Municipal Cyber Grant Program by Coral Kennett
• Generative AI as a force for good in facilitating cyber-resiliency in public sector organizations by Ian Brazill

🍛 Reddit threads on r/aws

• Hacking misconfigured AWS S3 buckets: A complete guide
• Best ways to Secure DynamoDB's
• IAM implementation in a serverless environment
• Terraform Automating security tasks
• Monitoring and Alerting in Serverless Enviroment - Security Alarms
• Urgent Help: Compromised AWS Account & Exorbitant Bill

🧁 IAM permission changes

• sqlworkbench
• iotroborunner
• rds
• qapps
• supportplans
• sagemaker
• ivs
• profile

🍪 API changes

No changes this week.

🍹 IAM managed policy changes

• AWS_ConfigRole
• AWSConfigServiceRolePolicy
• AWS_ConfigRole
• AmazonConnectServiceLinkedRolePolicy
• AWSReachabilityAnalyzerServiceRolePolicy
• AWSReachabilityAnalyzerServiceRolePolicy
• AWSSupportPlansFullAccess
• AWSSupportPlansReadOnlyAccess

☕ CloudFormation resource changes

• AWS::Connect::AgentStatus
• AWS::Connect::UserHierarchyStructure
• AWS::DataZone::EnvironmentActions
• AWS::Pipes::Pipe
• AWS::MSK::Replicator ReplicationTopicNameConfiguration

🎮 Amazon Linux vulnerabilities

• CVE-2024-46674
• CVE-2024-24968
• CVE-2024-8096
• CVE-2024-23984
• CVE-2024-8645