
November 11, 2024
🥖 Palette Cleanser
Imagine you could time travel and transfer your consciousness into Jeff Barr's body on November 9th 2004, as he was writing the first-ever AWS blog post. What would you write?
20 years ago Jeff wrote, "We plan to provide you with useful information about AWS, products built with AWS, web services development tools, interviews with successful AWS developers, case studies, and information about the web services industry." It wasn’t the world's spiciest take but I feel like he nailed it based on what I see every week in this newsletter. Congrats, Jeff and the AWS team on 20 years of content.
I'm off tending to my marriage next week. Somehow "I have an ASD issue to do" is not a valid reason to miss an anniversary. Issue 184 will be prepared and delivered by a guest author, at the same time as always. Please be sure to let them know what you think of their work.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
📋 Chef's selections
- Effective Techniques for AWS Ransomware by Chris Farris
  Writing how-to guides for ransomware is a bold strategy as a well-meaning defender of the clouds. I'm a fan of sharing attack details as a way to balance information asymmetries that favor attackers. Chris mentions that the code was entirely generated by AI, so it's not exactly secret sauce; however, I'd still love to see Chris regain the urge to provide more detection details.
- Modern AWS Access: Moving from IAM Users to AWS Identity Center by Rowan Udell
  In issue #181 I quipped that "46% of you savages are still using IAM users". It appears Rowan took it upon himself to bring civilization to the hordes. This guide provides a comprehensive way to structure your migration for a technical program manager. It doesn't include details on how to execute each step, so you'll still need to research those yourself.
- Cost-effective AWS Security Best Practices: Our Experience and Tips by Ihor Sasovets, Rotem Levi, Victoria Shutenko, Victor Grenu
  I would be lying if I said I read this article end-to-end. It's a lot. There are 4 parts, which you could consume individually if they interested you. 1: AWS WAF implementation considerations; 2: An overview of the open-source AWS Security Survival Kit; 3: AWS compliance tool options; 4: Some general cloud security tips.
🥗 AWS security blogs
- 📣 AWS Firewall Manager is now available in the AWS Asia Pacific (Malaysia) Region
- 📣 AWS IAM now supports PrivateLink in the AWS GovCloud (US) Regions
- 📣 Amazon Verified Permissions launches new API to get multiple policies
- 📣 Amazon CloudFront no longer charges for requests blocked by AWS WAF
- 📣 AWS Security Hub launches 7 new security controls
- Operational Best Practices for FedRAMP Compliance in AWS GovCloud with AWS Config by Dylan McAllister
- Governing by Enabling: A Strategic Approach to Data Governance for Executives by Tom Godden
- Securing PartyRock: How we protect Amazon Bedrock endpoints using AWS WAF by Achraf Souk
- The key components of CISA’s Malcolm on Amazon EKS by Emma Harrison
- Amazon Inspector suppression rules best practices for AWS Organizations by Mojgan Toth
- Implement effective data authorization mechanisms to secure your data used in generative AI applications by Riggs Goodman III
- Unauthorized tactic spotlight: Initial access through a third-party identity provider by Steve de Vera
🍛 Reddit threads on r/aws
- RDS secrets were published in a repo during a school project. Is deleting the RDS instance enough to keep me safe?
- What is an alternate to Identity center in a medium size org?
- Yubikey not working on new login page
- Secrets Security
- Great Security Refresher Tutorials
- I was charged $1500, but I don't have any AWS services or accounts
🤖 Dessert
Dessert is made by robots, for those that enjoy the industrial content.
🧁 IAM permission changes
- No changes this week.
🍪 API changes
- AWS Batch
- Agents for Amazon Bedrock Runtime
- Amazon Chime SDK Media Pipelines
- AWS Control Catalog
- Amazon Elastic Kubernetes Service
- Amazon Kinesis Firehose
- AWS Lambda
- Amazon Pinpoint SMS Voice V2
- QBusiness
- Auto Scaling
- Agents for Amazon Bedrock
- Amazon Bedrock Runtime
- AWS Clean Rooms Service
- AWS Clean Rooms ML
- Amazon QuickSight
- AWS Resource Explorer
- Synthetics
- AWS CodeBuild
- Amazon GuardDuty
- AWS Lake Formation
- QApps
- Amazon Verified Permissions