🥖 Palette Cleanser

What is the state of cloud security? Datadog is very glad you asked! Their answer comes complete with pretty moving birds in the header, adding credibility to the data. There's lots of great fodder to copy and paste to your manager in order to convince them of whatever you want. For example, 46% of you savages are still using IAM users, so it must be totes fine to continue. The report includes a technical description of how they got the data at the end, which is a nice touch for the nerds (me).

A lot of awesome protective resources were published this week that deserve their own mention. Travis McPeak from Resourcely teamed up with a bunch of cloud veterans to gift us a huge repository of cloud guardrails. CloudCopilot explained every IAM condition operator in excruciating detail. And we got introductions to two tools: SkyScalpel for combatting IAM obfuscation, and CloudTail for long-term log retention and search.

I somehow missed the SANS CloudSecNext Summit 2024, oops! Luckily, the presentations are up on YouTube.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover by Ofek Itach & Yakir Kadkoda

  This is the purest form of AWS hacking, like Milo straight out of the tin. 1. Find an AWS account that has evidence of CDK use. 2. Create an S3 bucket with a predictable name. 3. Do whatever you like because CDK trusts the CloudFormation in the bucket. AWS has patched CDK to make this impossible, assuming everyone updates their CDK. Do you patch your CDK?

• Protecting Data and Preventing Ransomware: The IAM Guide to Managing and Updating Encryption for AWS Resources by Jason Kao

  I'm worried about Jason's health. He is clearly obsessed with KMS and his friends are planning an intervention. This is the latest in a series of KMS security posts. Most cloud ransomware requires the ability to modify existing encryption keys. This post covers the IAM actions needed for ransomware, findings on IAM inconsistencies and practical strategies for defending against cloud ransomware.

• What I’ve Learned: My Top AWS WAF Tips for Stronger Protection by Sena Yakut

  If you're like me, you've probably deployed the AWS WAF in front of something (like an API) and then more or less left it to run on its own. Sena rightly points out that there's more to a successful deployment than just deployment. Sena writes awesome technical content but this post is more about what to do and less about how to do it.

🥗 AWS security blogs

• 📣 AWS Firewall Manager now supports retrofitting of existing AWS WAF WebACLs
• 📣 AWS WAF Bot and Fraud Control RuleGroup is now available in 6 additional AWS Regions
• 📣 AWS IAM Identity Center simplifies calls to AWS services with single identity context
• Supercharge your cyber resiliency with Cohesity DataHawk by Girish Chanchlani
• How to implement access control and auditing on Amazon Redshift using Immuta by Satesh Sonti
• Battling the food security crisis with Agents for Amazon Bedrock by Mike George
• How to mitigate bot traffic by implementing Challenge actions in your AWS WAF custom rules by Javier Sanchez Navarro
• Amazon identified internet domains abused by APT29 by CJ Moses
• Exploring digital sovereignty: learning opportunities at re:Invent 2024 by Marta Taggart
• How to use the Amazon Detective API to investigate GuardDuty security findings and enrich data in Security Hub by Nicholas Jaeger
• How to use interface VPC endpoints to meet your security objectives by Joaquin Manuel Rinaudo
• 170 AWS services achieve HITRUST certification by Mark Weech
• How to build a Security Guardians program to distribute security ownership by Mitch Beaumont

🍛 Reddit threads on r/aws

• AWS CDK Risk: Exploiting a Missing S3 Bucket Allowed Account Takeover
• Whispr: An open-source security tool to whisper secrets from AWS secrets manager to your applications
• Multi-Cloud Secure Federation: One-Click Terraform Templates for Cross-Cloud Connectivity
• How to build a Security Guardians program to distribute security ownership
• Starting a new role with AWS knowledge - how to get started.
• Users access to S3 bucket(s) - IAM Identity Center
• Unable to login into my account
• Multi-Cloud Secure Federation: One-Click Terraform Templates for Cross-Cloud Connectivity
• Connect to multiple RDS clusters from local
• Restricting SSM-user EC2 root access with AWS Identity Center?
• Cleared position
• What is the best way to protect waitlist email form from attacks?
• Im getting access denied for everything and I don’t know why. I gave my user full permissions
• Zero Trust

🧁 IAM permission changes

• transfer
• wisdom
• airflow
• apptest
• ssm-contacts
• dataexchange
• qbusiness
• dms
• workspaces-web

🍪 API changes

• Agents for Amazon Bedrock
• AWS CodeBuild
• AWS Lambda
• Amazon CloudWatch Logs
• AWS Supply Chain
• Amazon AppConfig
• Amazon Elastic Compute Cloud
• Amazon EC2 Container Service
• QBusiness
• Amazon Connect Service
• Amazon Elastic Compute Cloud
• AmazonMWAA
• Payment Cryptography Data Plane
• Payment Cryptography Control Plane
• EC2 Image Builder
• AWSMainframeModernization
• Amazon Relational Database Service
• AWS re:Post Private
• Amazon Timestream Query
• Amazon CloudWatch Application Insights
• Agents for Amazon Bedrock Runtime
• AWS Database Migration Service
• Amazon Elastic Compute Cloud
• Amazon Elastic Kubernetes Service
• Firewall Management Service
• Payment Cryptography Data Plane
• AWS WAFV2

🍹 IAM managed policy changes

• AmazonConnectServiceLinkedRolePolicy
• AWSElasticLoadBalancingServiceRolePolicy
• ElasticLoadBalancingFullAccess
• AWSApplicationAutoscalingECSServicePolicy
• AWSCloudFrontVPCOriginServiceRolePolicy
• AmazonEKSLocalOutpostClusterPolicy
• AWSDataExchangeDataGrantOwnerFullAccess
• AWSDataExchangeDataGrantReceiverFullAccess
• AWSDataExchangeReadOnly
• AmazonDataZoneRedshiftGlueProvisioningPolicy
• CloudWatchInternetMonitorFullAccess
• AWSMarketplaceSellerFullAccess
• AWSMarketplaceSellerProductsFullAccess
• AmazonEKSServiceRolePolicy
• AWSMarketplaceSellerProductsReadOnly
• ReadOnlyAccess
• ViewOnlyAccess

☕ CloudFormation resource changes

• AWS::Backup::LogicallyAirGappedBackupVault

🎮 Amazon Linux vulnerabilities

• CVE-2024-0126
• CVE-2024-50382
• CVE-2024-50383
• CVE-2024-9050

📺 AWS Security Bulletins

• CVE-2024-10125 - missing JWT issuer and signer validation in aws-alb-identity-aspnetcore
• CVE-2024-8901 - missing JWT issuer and signer validation in aws-alb-route-directive-adapter-for-istio