🥖 Palette Cleanser

A while back I told you the story of a hardworking gentleman trying to elevate the AWS vulnerability disclosure program. I suggested that AWS should offer him a promotion and pay increase but sadly I don't have that kind of juice with the illuminati. Instead, Ryan Nolette is asking for your help - please complete this survey and share your feedback on the AWS VDP expansion. If you have no idea what I'm talking about, listen to his interview with Corey on Last Week in AWS.

Your AWS Account is a floating cloud of garbage, says Chris Farris. It's a good day when you can insult your readers in the title and still have people read your stuff and think it's cool. There's nothing technical in this article but we would all be well served to heed Chris' pollution metaphor and the insight that, "Pollution is locally caused but globally felt." With that in mind, enjoy this week's garbage you didn't know you had in your AWS account.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• AWS Security Guardrails & Terraform by Naman Sogani

  If Naman ever tries to raise VC funding he'll need to work on his marketing. The title buries that lede that the guardrails are AI generated. I don't know how good his tool is in the-real-world but the experiment is a worthy one - use AI to parse standards and tools for security requirements, and automatically build them into infrastructure as code templates.

• Breaking free from the chains of fate - Bypassing AWSCompromisedKeyQuarantineV2 Policy by Bleon Proko

  So many people have accidentally leaked their AWS access keys on Github that one day the folks at AWS cracked the shits and summoned a magical fairy to protect leaked keys by applying a 'quarantine policy' to them as soon they are leaked. It's an open secret that in the cloud security community that this policy is, let's say, incomplete. So, I'm glad Bleon took the time to publish exactly how it's incomplete and what folks should be aware of. It's worth reading even if you don't care about the IAM policy because it also serves as a compendium of privilege escalation techniques.

• I bought us-east-1.com: A Look at Security, DNS Traffic, and Protecting AWS Users by Gabriel Koo

  It's a story as old as time. You find a domain name that looks like it shouldn't be used for stuff but also looks like it's used for stuff. You smoke some weed and get an urge to buy said domain. You buy it and start getting traffic you shouldn't get and accidentally pwn some stuff. You're high so you panic and write a blog post to demonstrate your innocence. I'm not saying that’s how Gabriel did it, but I’m not not saying it either.

Bonus:

• How To Scan The Entire Cloud by Ben Sadeghipour
• EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files by Miguel Hernández
• How Attackers Can Abuse IAM Roles Anywhere for Persistent AWS Access by Adan Álvarez

🥗 AWS security blogs

• 📣 AWS Incident Detection and Response now available in 16 additional AWS regions
• 📣 AWS WAF is now available in AWS Asia Pacific (Malaysia) Region
• 📣 AWS Network Firewall now supports configurable TCP idle timeout
• 📣 AWS Payment Cryptography now supports card issuing use cases
• CrowdStrike’s Charlotte AI – Enhancing productivity of Cyber Security Analysts with Generative AI built-on AWS by Jenn Reed
• Automate security scans on Amazon EKS with Kubescape, AWS CodeBuild, and AWS CodePipeline by Aniket Dekate
• Improving security and performance with additional DNS resource record types in Amazon Route 53 by Tega Odjegba
• New AWS Secure Builder training available through SANS Institute by Mecca Nnacheta
• Adding threat detection to custom authentication flow with Amazon Cognito advanced security features by Vishal Jakharia
• Spring 2024 PCI DSS and 3DS compliance packages available now by Ramone Weyerhaeuser
• How to implement trusted identity propagation for applications protected by Amazon Cognito by Joseph de Clerck

🍛 Reddit threads on r/aws

• TLSA records available in Route 53 so DANE now possible
• Any way to secure CLI transactions with FIDO2 2FA?
• How is a hardware MFA device better than a fingerprint (macOS) based Passkey?
• How To Get Amplifyconfiguration to Amplify without pushing to Github
• How to monitor cloudtrail logs and create alerts on AWS Control Tower?

🧁 IAM permission changes

• sagemaker
• bedrock
• workmail
• payment-cryptography
• es
• logs
• ecs

🍪 API changes

• Amazon DocumentDB Elastic Clusters
• Tax Settings
• Amazon Prometheus Service
• Auto Scaling
• AWS Batch
• Elastic Load Balancing
• AWS Glue
• Amazon SageMaker Service
• Amazon Simple Email Service
• AWS AppSync
• AWS DataSync
• Amazon Elastic Compute Cloud
• Amazon EC2 Container Service
• Amazon Location Service Maps V2
• Amazon Location Service Places V2
• Amazon Location Service Routes V2
• Amazon Keyspaces
• AWS Network Firewall
• Amazon OpenSearch Service
• OpenSearch Service Serverless
• Redshift Serverless
• Amazon Route 53
• Amazon SageMaker Service
• Amazon WorkMail
• Amazon Bedrock
• AWS Clean Rooms Service
• Amazon CloudWatch Logs
• Redshift Data API Service
• Amazon SageMaker Service
• AWS Elemental MediaPackage v2
• Amazon OpenSearch Service
• Amazon Relational Database Service

🍹 IAM managed policy changes

• AmazonEKSComputePolicy
• AmazonCognitoUnAuthedIdentitiesSessionPolicy
• AmazonEKSClusterPolicy
• AmazonEKSBlockStoragePolicy
• AmazonEKSLoadBalancingPolicy
• SecurityAudit
• AWSTrustedAdvisorServiceRolePolicy
• AmazonEKSServiceRolePolicy
• AmazonConnectServiceLinkedRolePolicy
• AWSGlobalAcceleratorSLRPolicy
• AccessAnalyzerServiceRolePolicy
• AmazonEKSNetworkingPolicy
• AmazonQDeveloperAccess
• AmazonQFullAccess
• AmazonQDeveloperAccess
• AmazonQFullAccess

☕ CloudFormation resource changes

• AWS::NetworkFirewall::FirewallPolicy

🎮 Amazon Linux vulnerabilities

• CVE-2024-21510
• CVE-2024-46956
• CVE-2024-46953
• CVE-2024-46952
• CVE-2024-7883
• CVE-2024-9632
• CVE-2024-10465
• CVE-2024-10460
• CVE-2024-10459
• CVE-2024-49769
• CVE-2024-10463
• CVE-2024-10462
• CVE-2024-10467
• CVE-2024-10466
• CVE-2024-10458
• CVE-2024-10461
• CVE-2024-10474
• CVE-2024-10464
• CVE-2024-10468
• CVE-2024-49768

📺 AWS Security Bulletins

No bulletins this week.