
September 30, 2024
Palate Cleanser
AWS re:Invent season has started ahead of the conference's scheduled 2 December start in Las Vegas. There are already 187 security-related sessions in the catalog. I wonder if the stream of service deprecations will continue before then?
Speaking of conferences, there's been a lot of chatter and praise for the fwd:cloudsec Europe keynote. With a title like "How to 10X Your Cloud Security (Without the Series D)", it's hardly a surprise. If you can't sit through the full 51-minute version, Rami Mac (that's his rapper name) comes in hot with this week's summary video of his own keynote. Is this cloud security Inception?
I should probably talk about the CUPS vulnerabilities, but I really don't want to. They feel like a bit of a nothing burger for cloud environments. Unrelated, our cloud hacking heroes at Wiz found a cool vulnerability in NVIDIA Container Toolkit. At least I'm guessing it's cool, because the details are not very detailed. The real-world impact of this also appears limited. Perhaps a smart reader can share some insights about either issue? Let's get you a quote in the next issue!
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
Chef's selections
- Redefining CNAPP: A Complete Guide To the Future of Cloud Security by Francis Odum & James Berthoty
It was bound to happen one day, and that day is today. We're going FULL CNAPP. You're never going to agree fully with a report like this, but I haven't seen an analysis of the cloud security market this thorough and well-reasoned before. The authors don't hold back: "CNAPP has created a crappy version of too many standalone products and is at a serious breaking point."
One minor gripe: can we please stop misusing "detection" in the context of finding misconfigurations and vulnerabilities? Think of the NIST Cybersecurity Framework functions: govern, identify, protect, detect, respond, recover. Detections are for bad things that have happened, not for things that could enable bad things to happen in the future.
If you're in the process of trying to get the most out of your CNAPP, Naman Sogani just published part 2 of his implementation guide.
- Gaining AWS Persistence by Updating a SAML Identity Provider by Adan Álvarez
Finding creative ways to backdoor AWS accounts is a niche passion for Adan (and me). This particular approach of switching out metadata to point to an attacker-controlled identity provider has limited real-world applications, because after changing the SAML metadata, legitimate users won't be able to log in via SSO. However, it's still worth reading in order to internalise the impact of frivolously giving out "UpdateSAMLProvider" permissions.
- Tracking cloud-fluent threat actors - Part one: Atomic cloud IOCs by Merav Bar & Amitai Cohen
This is a very digestible primer on what defenders and detection engineers need to care about in terms of cloud indicators of compromise. The authors do an excellent job describing why each indicator is important, giving examples of how they used it to track past threat actors, and giving some practical advice for using it yourself. Oh, and the post comes with an open-source indicator database.
If you like tracking threat actors, you'll probably also enjoy reading how Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale.
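The two posts above both come down to the same defender task: pulling the interesting records out of CloudTrail. The following script is an added example, not code from either post or from the indicator database, and it shows both checks in one pass: it raises a finding on any call that changes a SAML identity provider (the persistence path Adan describes), and it matches each record's source IP and user agent against a small atomic IOC list of the kind the Wiz post catalogues. The CloudTrail records and the IOC values are constructed for illustration (TEST-NET ranges and a placeholder user agent), and the `sAMLProviderArn` key under `requestParameters` follows CloudTrail's lower-camel naming convention and is an assumption here.

```python
"""Flag SAML identity-provider changes and atomic-IOC matches in CloudTrail records.

Added example; the records and indicators below are constructed, not real data.
"""
import json
from ipaddress import ip_address, ip_network

# Constructed IOC feed: the shape of an "atomic" cloud IOC list
# (source networks and user-agent strings). Placeholder values only.
IOC_NETWORKS = [ip_network("203.0.113.0/24")]        # TEST-NET-3, placeholder
IOC_USER_AGENTS = {"example-malicious-agent/1.0"}    # placeholder user agent

# IAM calls that change who can federate into the account. Someone holding
# iam:UpdateSAMLProvider can repoint an existing provider at metadata they
# control, so every one of these deserves a ticket, not just a dashboard tile.
SAML_PROVIDER_ACTIONS = {"CreateSAMLProvider", "UpdateSAMLProvider", "DeleteSAMLProvider"}

# Constructed CloudTrail records, abridged to the fields the checks read.
SAMPLE_EVENTS = [
    json.dumps({
        "eventID": "evt-1", "eventTime": "2024-09-30T10:00:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
        "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin"},
        "requestParameters": {"sAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/corp-idp"},
    }),
    json.dumps({
        "eventID": "evt-2", "eventTime": "2024-09-30T10:01:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "sourceIPAddress": "203.0.113.42", "userAgent": "aws-sdk-go/1.44.0",
    }),
    json.dumps({
        "eventID": "evt-3", "eventTime": "2024-09-30T10:02:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "sourceIPAddress": "198.51.100.9", "userAgent": "example-malicious-agent/1.0",
    }),
    json.dumps({
        "eventID": "evt-4", "eventTime": "2024-09-30T10:03:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "sourceIPAddress": "198.51.100.10", "userAgent": "aws-cli/2.15.0",
    }),
]


def _ip_matches_ioc(source_ip):
    # CloudTrail records a DNS name (e.g. "ec2.amazonaws.com") in sourceIPAddress
    # for calls made on your behalf by AWS services; those never match an IP IOC.
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def classify_event(event):
    """Return a list of (rule, detail) tuples for one parsed CloudTrail record."""
    findings = []
    if (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") in SAML_PROVIDER_ACTIONS):
        actor = event.get("userIdentity", {}).get("arn", "<unknown>")
        target = event.get("requestParameters", {}).get("sAMLProviderArn", "<unknown>")
        findings.append(("saml_provider_change", f"{actor} called {event['eventName']} on {target}"))
    if _ip_matches_ioc(event.get("sourceIPAddress", "")):
        findings.append(("ioc_source_ip", event["sourceIPAddress"]))
    if event.get("userAgent") in IOC_USER_AGENTS:
        findings.append(("ioc_user_agent", event["userAgent"]))
    return findings


def scan_records(raw_records):
    """Parse JSON records and return {eventID: [findings]} for every record that hit a rule."""
    hits = {}
    for raw in raw_records:
        event = json.loads(raw)
        findings = classify_event(event)
        if findings:
            hits[event["eventID"]] = findings
    return hits


if __name__ == "__main__":
    for event_id, findings in scan_records(SAMPLE_EVENTS).items():
        for rule, detail in findings:
            print(f"{event_id}: {rule}: {detail}")
```

In practice you would feed `scan_records` the output of a CloudTrail Lake or Athena query rather than an inline list, and swap the placeholder indicators for the published database; the point of keeping the SAML-provider rule separate from the IOC matching is that the former fires on a legitimate but rare administrative action and needs a human to confirm intent, while the latter is a straight lookup that can page on its own.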
AWS security blogs
- Centrally detect and investigate security findings with AWS Organizations integrations by Nivedita Tripathi
- Securing Your Software Supply Chain with Amazon CodeCatalyst and Amazon Inspector by Piyush Mattoo
- Introducing security group referencing for AWS Transit Gateway by Gerardo Vazquez
- Mitigating inadvertent IPv6 prefix advertisement with AWS automation by John Dwyer
- Getting drugs to market faster through better health data management on AWS by Nora O'Sullivan
- New courses and certification updates from AWS Training and Certification in September 2024 by Training and Certification Blog Editor
Reddit threads on r/aws
Dessert
Dessert is made by robots, for those that enjoy the industrial content.
IAM permission changes
API changes
- Amazon Connect Customer Profiles
- Amazon QuickSight
- Amazon Simple Email Service
- AWS Chatbot
- AWS Organizations
- Amazon SageMaker Service
- Amazon Kinesis
- Amazon Pinpoint SMS Voice V2
- Amazon SageMaker Service
- Amazon Athena
- Amazon Elastic Compute Cloud
- EMR Serverless
- AWS Glue
- Amazon Relational Database Service
- AWS Resource Explorer
IAM managed policy changes
- AWSBackupServiceRolePolicyForBackup
- AWSBackupServiceRolePolicyForBackup
- AWSBackupFullAccess
- QAppsServiceRolePolicy
- AWSSSOMasterAccountAdministrator
- AmazonEC2RolePolicyForLaunchWizard
- AmazonConnectSynchronizationServiceRolePolicy
- AWSAuditManagerServiceRolePolicy
- AmazonSNSFullAccess
- AmazonSNSReadOnlyAccess