
September 23, 2024
🥖 Palette Cleanser
This issue is a real treat, like Milo ice cream covered in... Milo. There were two big events in AWS security this week:
- fwd:cloudsec Europe - My apologies for not making a fuss about it in issues prior. It was the first iteration outside the U.S. of A. From what I've been told it turned out better than anyone could have hoped, with top tier talks running all day. Even better still, the entire stream is available for anyone to watch AND Christophe Tafani-Dereeper of Datadog has very kindly produced our first guest video summarising his highlights of the con. Rumour has it the next issue might include another guest video. 🤫
AWS launched their Vulnerability Disclosure Program (VDP) on HackerOne (pronounced like Macaroni). I could get snarky here because it's been a loooooooong time coming but I won't because we made it, and this is damn cool. Nick Frichette posted a good summary thread on Twitter.
In a spectacularly timed coincidence, Ryan Nolette (Senior Security Engineer, AWS Security Outreach) took us behind the scenes of the VDP and the AWS remediation process in his fwd:cloudsec presentation. Having interacted with Ryan a bunch, I can confidently say that he is a star that AWS needs to take care of like an 800-year-old Bonsai Tree. His slide deck includes a reference to an "invite-only AWS Private Bug Bounty Program". 😲🤭
Oh, and here's the much requested AWS Security Digest RSS feed. Sorry it took so long.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
📋 Chef's selections
- undocumented-aws-api-hunter by Nick Frichette
The observant clicker of links might notice that this is not an article. It is in fact an open source tool released as part of Nick's fwd:cloudsec talk, Hidden Among the Clouds: A Look at Undocumented AWS APIs. Why link to the tool instead? Because I've been trying to bribe, coerce, convince, and extort this tool out of Nick for years without success. Undocumented APIs have been a great source of gold for Nick's research and provide unexpected insights into production services and data. Maybe an inspired engineer could turn the tool into a public service?
- A Cloud Access Management Maturity Model: Part 1 & Part 2 by Rowan Udell
Rowan suggests that there are 4 phases to cloud access: Administrator-centric, Role-Based Access Control (RBAC), Just-in-Time (JIT), and finally Adaptive. He describes the challenges with each approach, what it looks like, and how to progress to the next. It's clearly a plug for the Common Fate solution, but it also reads pretty true to me.
- Highlights from fwd:cloudsec Europe 2024 by Christophe Tafani-Dereeper
This is the much more detailed text version of Christophe's summary video. Even if you like the video format better, all the links (and there are a lot) are in the blog post.
Bonus: A trio of resources from the AWS mothership...
🥗 AWS security blogs
- 📣 AWS Directory Service adds user and group management using APIs and Console
- 📣 Amazon S3 Express One Zone now supports AWS-KMS with customer managed keys
- 📣 AWS Private CA now supports SCEP for mobile devices
- Enhance security of your AWS app integration with AWS Managed Microsoft AD by Tekena Orugbani
- University of British Columbia Cloud Innovation Centre: Governing an innovation hub using AWS management services by Scott McMillan
- Restrict access to your Amazon FSx for NetApp ONTAP volumes using export policies by Jay Horne
🍛 Reddit threads on r/aws
- Identifying and flagging hardcoded AWS access keys and more with Wiz Code
- How best to kill badly-behaved bots?
- What would be the best way to give access to a user from AWS Organization A, Account A1 to access Account B1 in a separate AWS Organization B
- Integration considerations for AWS CAPTCHA and reCAPTCHA Enterprise
- Authenticating with static credentials
🤖 Dessert
Dessert is made by robots, for those that enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
- Amazon SageMaker Metrics Service
- Amazon SageMaker Service
- Amazon WorkSpaces
- AWS CodeConnections
- AWS Glue
- AWS Lambda
- AWS Elemental MediaConvert
- AWS Elemental MediaLive
- Amazon QuickSight
- Amazon SageMaker Service
- Amazon WorkSpaces Web
- AWS Cost Explorer Service
- AWS Directory Service Data
- AWS Directory Service
- Amazon GuardDuty
- MailManager
- Amazon Simple Storage Service
- AWS CodeBuild
- Amazon Elastic Container Registry
- AWS Lambda
- Amazon Simple Systems Manager (SSM)
- Amazon Bedrock
- AWS IoT
- Amazon Relational Database Service
🍹 IAM managed policy changes
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities