
October 21, 2024
🥖 Palette Cleanser
Hello friends,
It appears you are not merely readers after all, but writers too! One of you got in touch with a desire to contribute. A few weeks of work later we've published Almahdi Sahad's work on mergers and acquisitions (dish #3 in chef's selections). Let me know if you have something you desperately want to share with the world - maybe we can make it happen.
Hot on the heels of AWS launching its vulnerability disclosure program, Google Cloud announced its own. According to this NahamSec vlog, Amazon paid out US$2.1 million at a recent HackerOne bug bounty event.
DEF CON 2024 talks are live on YouTube, including AWS CloudQuarry: Digging for secrets in public AMIs, Exploiting Cloud Provider Vulnerabilities for Initial Access, Abusing OIDC all the way to your cloud, and Breaching AWS Through Shadow Resources.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
📋 Chef's selections
- Turning AWS Documentation into Gold: AI-Assisted Security Research by Jonathan Walker
We all know how hard it is to write good documentation and keep it up to date. Now imagine if you had hundreds of insanely complex services to document like the folks at AWS do. Things will eventually get weird. How weird? That's what Johnnie Walker set out to discover.
He did what I always wanted to but never could: he wrote a reliable AWS documentation downloader and open sourced it. Then he stuffed it all inside a database that an AI could read, and then yelled at it. Jonathan found lots of cool stuff like public buckets, ancient screenshots, and more.
- Breaching the Data Perimeter: CloudTrail as a mechanism for Data Exfiltration by Sam Cox
Cloud logging is a really compelling data exfiltration vector. On the one hand, you want to know when other people are trying things against your account or resources. For example, back in my day AWS didn't log role assumptions in the destination account - that was not good. On the other hand, when you lock down a VPC, you probably don't want data squeezing out through CloudTrail. It's clear Sam enjoys pushing small things (data) through even smaller holes (logs), demonstrating how it can be done regardless of identity policy, service control policy or VPC endpoint policy.
- Bringing AWS Security to Mergers and Acquisitions by Almahdi Sahad
When a big company with an AWS environment loves a little company with an AWS environment, things can get a little "sus", as my kids would say. Almahdi has worked through several acquisitions where he's had to figure out how to securely integrate two environments, quickly, with minimal impact on the business. He's turned that experience into a 90-day guide anyone can use. It's opinionated, so it's not for everyone, but he does a great job of sharing all the reasoning.
Bonus: Enterprise Governance Is Failing Cloud Security by Rich Mogull
🥗 AWS security blogs
- 📣 AWS access portal now offers streamlined sign in for AWS Console Mobile App
- 📣 Amazon Verified Permissions is now HIPAA eligible
- Code security scanning with Amazon Q Developer by Surabhi Tandon
- AWS hosts inaugural Defense Industry Partner Forum by Shannon Judd
- Options for AWS customers who use Entrust-issued certificates by Zach Miller
- An unexpected discovery: Automated reasoning often makes systems more efficient and easier to maintain by Byron Cook
🍛 Reddit threads on r/aws
- aws security notif about cdk bucket?
- Can Macie be set up to scan on S3 write vs. scanning the bucket data at rest periodically?
- Someone changed the email that was linked to AWS and I lost total access to my account.
- Elasticache IAM Auth
- WAF
- Is there a way to encrypt an AWS Git repository without AWS having access to my keys?
🤖 Dessert
Dessert is made by robots, for those who enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
- Amazon Bedrock
- Amazon DataZone
- AWS Data Exchange
- Amazon Pinpoint SMS Voice V2
- Amazon QuickSight
- Amazon Simple Storage Service
- AWS Amplify
- AWS CodeBuild
- Amazon Interactive Video Service
- QBusiness
- Amazon Redshift
- AWS Resilience Hub
- Amazon Simple Email Service
- AWS CodePipeline
- MailManager
- AWS Supply Chain
- AWS Transfer Family
🍹 IAM managed policy changes
☕ CloudFormation resource changes
- No resource updates this week.