🥖 Palette Cleanser

I hope you've had a magnificent week dear reader. Did you happen to get one of these emails: "This e-mail confirms that the Amazon Web Services account associated with account ID 123456789012 is permanently closed and cannot be reopened. Any content remaining in this account is inaccessible and will be erased?" ....... Me neither. 🤕🤒 What happens to AWS accounts after death? Is there an afterlife? Do they reincarnate after they pass through The Frame?

Last week I asked for smart readers to share their takes on the CUPS vulnerabilities. A very reputable Frenchman diligently pointed me to this Datadog summary. Has anyone even made a printer work on Linux anyway?

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying by Ian Ahl

  I love AI. You love AI. We all love AI, including attackers who need GPU hours to host their sexy chat bots. So I guess AI loves us back? That was a plot twist I did not expect but seems obvious in retrospect. Ian explores attacks Permiso observed in AWS that leveraged the Anthropic models provided by Bedrock. A cool tidbit is the use of somewhat-documented-but-not-in-the-SDK APIs, which Nick Frichette pulls apart in this very interesting thread.

• Explore the Power and Pain of User-Data by Rich Mogull

  Every week Rich diligently creates an awesome free practical AWS security exercise for folks to complete. I've been in a love triangle with user data and it's friend cloud-init since 2016 because they are both so very naughty. For example, did you know you could remotely modify EC2 user data to run code on every boot using the modify-instance-attribute API together with the #cloud-boothook decorator? Have a go at the lab and let Rich know what you think.

• Defense in Depth approach using AWS by Ahmed Srebrenica and Why Multi-Account in AWS? by Marty Henderson

  Two articles in one dish? The power has gone to my head. No one can stop me! These two articles could just as well be one. The take away is to use the controls that AWS offers to create trust boundaries that require multiple failures for a catastrophe to occur. The defence-in-depth article is very EC2+networking implementation focused while the multi-account one is a sales pitch for going mad with MOAR accounts.

🥗 AWS security blogs

• 📣 AWS Security Hub launches 7 new security controls
• 📣 AWS Incident Detection and Response now available in Japanese
• 📣 Amazon Inspector enhances engine for Lambda standard scanning
• Managing access to AWS accounts from Microsoft Teams and Slack at scale using AWS Organizations and AWS Chatbot by Abhijit Barde
• How to dynamically adapt your response to changing threat levels using AWS WAF by Paul Le Page
• How to use AWS Wickr to enable healthcare workers to interact with generative AI by Stefan Dittforth
• Canadian Centre for Cybersecurity’s Assemblyline brings powerful malware analysis to AWS Marketplace by Joel Desaulniers
• Building a secure and low-code bioinformatics workbench on AWS HealthOmics by Jeremy Ng

🍛 Reddit threads on r/aws

• I built a browser extension which makes logging in to IAM Identity Center faster and protects against phishing
• I would like to build a mock serverless application, but I cannot understand how to secure it despite days of research and tutorials.
• How to implement relationship-based access control with Amazon Verified Permissions and Amazon Neptune
• Amazon Aurora MySQL security best practices
• Need help with Security Hub
• Inspector find a package that do not exists in the container
• Locked out of root acount MFA activated with our knowledge

🧁 IAM permission changes

• quicksight
• codewhisperer
• ssm-guiconnect
• cassandra
• b2bi
• bedrock
• connect
• scn

🍪 API changes

• Amazon Elastic Compute Cloud
• AWS CodePipeline
• Amazon Elastic Compute Cloud
• AWS IoT
• AWS Marketplace Reporting Service
• AWS Elemental MediaPackage v2
• Amazon QuickSight
• Amazon AppStream
• AWS B2B Data Interchange
• Agents for Amazon Bedrock Runtime
• Amazon Bedrock Runtime
• AWS IoT Core Device Advisor
• Amazon Interactive Video Service RealTime
• Amazon Simple Storage Service
• Amazon SageMaker Service
• Agents for Amazon Bedrock
• CodeArtifact
• Amazon Relational Database Service
• Amazon Connect Service
• AWS Resource Groups
• AWS Supply Chain
• Timestream InfluxDB

🍹 IAM managed policy changes

• AmazonEC2ContainerRegistryPullOnly
• AmazonConnectCampaignsServiceLinkedRolePolicy
• AWSServiceRoleForProcurementInsightsPolicy
• AmazonEKSWorkerNodeMinimalPolicy
• AWSCompromisedKeyQuarantineV2
• AWSCompromisedKeyQuarantineV3
• AWSServiceRoleForMonitronPolicy
• AWSIAMIdentityCenterAllowListForIdentityContext

☕ CloudFormation resource changes

• AWS::IoT::DomainConfiguration
• AWS::S3::Bucket LifecycleConfiguration

🎮 Amazon Linux vulnerabilities

• CVE-2024-8508
• CVE-2024-9355