
October 14, 2024
🥖 Palette Cleanser
"A security device is not the same thing as a secure device." I can't remember who said it but it describes this week beautifully as Fortinet and Palo Alto both announced critical pre-auth vulnerabilities in their software - oops. Maybe BYO on-premise security software in the cloud isn't the most optimal security architecture after all.
In happier news, after years of community projects duct taping boto3 parsers and scrapers together, AWS has published a machine readable service reference, accessible here. For now it's just a service list with "action-level permissions" so projects like permissions.cloud aren't going away just yet. But it is great to see progress on this. More like this, please AWS friends <3
📋 Chef's selections
- Challenges with IP spoofing in cloud environments by Emile-Hugo Spir
Sometimes your app needs to know the IP address of the connecting user/client, but their web requests are passing through a bunch of those (not secure) security devices. You can't get the IP from the TCP connection, so what do you do? Emile lays out the problem and the various traps engineers can fall into. While it's a cloud-agnostic article, he provides some AWS examples and code.
It should be obvious to cloud professionals that IP controls are at most a mild annoyance to attackers. After all, the cost of spinning up another EC2 instance or Lambda is ~$0. Definitely unrelated: AWS Active Defence for S3.
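The core trap Emile's article warns about is trusting the leftmost X-Forwarded-For value, which the client itself can set. The snippet below is an added illustration, not code from the article or from AWS: it starts from the TCP peer and walks X-Forwarded-For from the right, skipping hops that belong to a known-trusted proxy tier, so the first untrusted hop is the client. The TRUSTED_PROXIES ranges are constructed placeholders; in a real deployment they would be the actual addresses of the load balancers or CDN edges that terminate connections in front of the app.

```python
import ipaddress
from typing import Optional

# Constructed example ranges standing in for a trusted ingress tier
# (e.g. a load balancer subnet). Replace with the real proxy ranges.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def _is_trusted(addr, trusted) -> bool:
    return any(addr in net for net in trusted)


def _parse_ip(token: str):
    """Parse one header token, tolerating a port suffix; None if malformed."""
    token = token.strip()
    if token.startswith("["):
        # "[2001:db8::7]:443" -> "2001:db8::7"
        token = token[1:token.find("]")] if "]" in token else token[1:]
    elif token.count(":") == 1:
        # "203.0.113.9:4711" -> "203.0.113.9" (bare IPv6 has more colons)
        token = token.split(":")[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def client_ip(peer_addr: str, xff_header: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Best-effort client address, never trusting client-supplied header values.

    If the TCP peer is not a trusted proxy, the peer IS the client and any
    X-Forwarded-For it sent is attacker-controlled noise. Otherwise walk the
    header from the right (the value appended last was written by our proxy),
    skip trusted proxy hops, and return the first untrusted hop.
    """
    peer = _parse_ip(peer_addr)
    if peer is None:
        raise ValueError(f"invalid peer address {peer_addr!r}")
    if not _is_trusted(peer, trusted) or not xff_header:
        return str(peer)
    hops = [_parse_ip(t) for t in xff_header.split(",")]
    for hop in reversed(hops):
        if hop is None:
            # Malformed token inside the chain: stop and fall back to the
            # trusted peer rather than guess.
            break
        if not _is_trusted(hop, trusted):
            return str(hop)
    # Every hop was a trusted proxy (or the chain was unusable).
    return str(peer)


if __name__ == "__main__":
    # Spoofed header from a direct (untrusted) peer is ignored.
    print(client_ip("203.0.113.9", "198.51.100.1"))
    # Real chain: spoofed value on the left, client, then an internal hop.
    print(client_ip("10.0.0.1", "198.51.100.1, 203.0.113.9, 10.0.0.2"))
```

The important design choice is that the peer address, not the header, decides whether the header is consulted at all; the leftmost value is only reached if every hop to its right is an address you operate.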
- Perfecting Ransomware on AWS — Using keys to the kingdom to change the locks by Harsh Varagiya
Trigger warning: this article is guaranteed to rub some people the wrong way. It's a pretty detailed instruction manual for effective ransomware of AWS data stores. I think it's important though. It clearly demonstrates how easy it is to execute the attack, but also how easy it is to prevent. Get that SCP set up immediately if you don't intend to use XKS!!
- My Methodology to AWS Detection Engineering (Part 3 - Variable Scoring) by Chester Le Bron
This time Chester focuses on adjusting "risk scores" for alerts based on things like IP enrichment, users of interest, privileged identities, etc. I found this post much more accessible than Part 1 and Part 2. I think Chester has discovered the secret to AWS security content distribution: split your blog posts up into a series and we'll be forced to link all of them each time.
🥗 AWS security blogs
- 📣 Streamline automation of policy management workflows with service reference information
- Boost developer productivity and security with Amazon Q Developer and JumpCloud integration by Sunil Ramachandra
- AWS Weekly Roundup: HIPAA eligible with Amazon Q Business, Amazon DCV, AWS re:Post Agent, and more (Oct 07, 2024) by Betty Zheng (郑予彬)
- Securing communications at the edge with AWS Wickr by Erik Iwanski
- Optimizing web application user experiences with AWS WAF JavaScript integrations by David MacDonald
- Strengthening security in the era of generative AI: Must-attend sessions at re:Invent 2024 by Anna Montalat
- How AWS uses active defense to help protect customers from security threats by Chris Betz
- Improve security incident response times by using AWS Service Catalog to decentralize security notifications by Cheng Wang
- Skilling up in SaaS with AWS Training and Certification by Dylan Souvage
🍛 Reddit threads on r/aws
- Why does setting up AWS security feel like swimming upstream?
- Is my approach secure?
- Monitoring non-EC2 instance
- Resources policies for SNS and KMS, allow access for an event-bridge rule
- MFA Reset - Phone Number Step Fails
- Trouble Authenticating AWS Users in Entra ID
- S3 bucket, I have a lot of media files in my bucket, file type mp4, how to protect these
- How to enable MFA?
- API, AWS - am I wasting my time?
🤖 Dessert
Dessert is made by robots, for those that enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
🍹 IAM managed policy changes
- AmazonVerifiedPermissionsFullAccess
- AmazonVerifiedPermissionsReadOnlyAccess
- CloudWatchSyntheticsFullAccess
- ResourceGroupsTaggingAPITagUntagSupportedResources
- AWSSocialMessagingServiceRolePolicy
- AWSSupportServiceRolePolicy
- AmazonECSInfrastructureRolePolicyForVolumes
- AWSDataExchangeServiceRolePolicyForLicenseManagement
- AWSDataExchangeServiceRolePolicyForOrganizationDiscovery
- AWSDataSyncServiceRolePolicy
- AmazonTimestreamInfluxDBFullAccess
- AWSDeadlineCloud-UserAccessJobs
- AWSDeadlineCloud-UserAccessQueues
- SecurityAudit
- AWSDeadlineCloud-UserAccessFarms
☕ CloudFormation resource changes
- No resource updates this week.