🥖 Palette Cleanser

Hi friends, guest chef here filling in this week. I’ll do my best to whip up a tasty enough issue to keep you full.

It seems AWS has heard our sighs and decided that 83 (that’s not a real number, but it feels like it) IAM policy options weren’t quite enough… so here we are, with Resource Control Policies - the 84th addition to the IAM family, now here to help you keep even tighter reins on your resources.

This week’s menu has all the essentials: a splash of credential security to remind you why IAM hygiene matters, a pinch of bucket protection to avoid an accidental data flood, and a thought-provoking look at how your cloud bill could become an attacker’s next target.

Bon appétit.

Has the guest chef this week burnt AWS Security Digest to the ground? Tell us here. This issue is also available to share online.

📋 Chef's selections

• AWS Credential Pwnage: From Recon to Root in 10 Minutes or Less by Anurag Mishra

  If you’ve ever wanted a front-row seat to the chaos that ensues after an AWS credential gets loose, this could be a showstopper. In a swift, 10-minute takedown, Anurag walks us through how an attacker can go from an innocent recon to a full root takeover. Slacking on IAM hygiene? This one will make you want to double-check those access keys.

• Let's talk Denial of Wallet by Chandrapal Badshah

  We’ve all heard of denial-of-service, but what about denial-of-wallet? Chandrapal dives into the lesser-known attack vector, where the real target is your cloud bill. From crafty attackers exploiting misconfigurations to runaway resources, this is a reminder that sometimes the scariest cloud threat is the one that makes your CFO cry.

• Accidentally Expose All Your Stuff on S3 with a Bucket Policy by Rich Mogull

  Few things in AWS are as terrifyingly simple as accidentally making your S3 bucket public. Rich walks you through how bucket policies can go horribly wrong and how to keep your data from spilling out like a broken faucet. If you think your buckets are airtight, Rich might make you rethink a few settings and save your organisation from becoming the next headline.

🥗 AWS security blogs

• 📣 Introducing Amazon Route 53 Resolver DNS Firewall Advanced
• 📣 Centrally manage root access in AWS Identity and Access Management (IAM)
• 📣 Customize scope of IAM Access Analyzer unused access analysis
• 📣 Introducing resource control policies (RCPs) to centrally restrict access to AWS resources
• 📣 AWS Directory Service is available in the AWS Asia Pacific (Malaysia) Region
• 📣 AWS IAM Identity Center now supports search by permission set name
• Traffic inspection on AWS Outposts rack with FortiGate Next-Generation Firewall by Enrico Liguori
• Centrally managing root access for customers using AWS Organizations by Sébastien Stormacq
• Palo Alto Networks secures the Internet of Things with Amazon Redshift by Meena Menon
• Modernize user authentication and management with DXC’s User Management solution on AWS by Dhiraj Thakur
• How PwC uses AI as the Architect Building a Next-Gen Managed Cloud Service Platform in AWS by David Lau
• New Relic powers sustainable observability with AWS by Meena Menon
• How Amazon built a highly scalable and secure tokenization solution on AWS by Anuj Gupta
• Using Login.gov as an OIDC IdP with Amazon Cognito user pools by Mahmoud Matouk
• Secure by Design: AWS enhances centralized security controls as MFA requirements expand by Arynn Crow
• Updated whitepaper: Architecting for PCI DSS Segmentation and Scoping on AWS by Abdul Javid
• Discover duplicate AWS Config rules for streamlined compliance by Aaron Klotnia
• Maximize your cloud security experience at AWS re:Invent 2024: A comprehensive guide to security sessions by Apurva More

🍛 Reddit threads on r/aws

• Centrally managing root access for customers using AWS Organizations
• Secure connection not working for ALB
• Permission Boundary Conditions
• How to get SSL certificate for EC2
• After 45 attempts it didn't work. please help
• Are these malicious attacks on my backend?
• Reverse proxy behind load balancer or not
• $42357 Bill Hack After AWS Account Help us

🧁 IAM permission changes

• wisdom
• deepracer
• sts
• cleanrooms-ml
• iot
• iam
• access-analyzer
• partnercentral
• license-manager-user-subscriptions
• elasticache
• q
• cloudtrail
• b2bi
• gamelift
• arc-zonal-shift
• controltower
• outposts
• es
• payments
• sagemaker
• resource-explorer-2
• datazone
• qbusiness
• sagemaker-mlflow
• s3express
• mediapackagev2

🍪 API changes

• Amazon CloudWatch
• AmazonConnectCampaignServiceV2
• AWS IoT
• AWS Outposts
• Amazon Pinpoint SMS Voice V2
• Amazon Route 53 Resolver
• Partner Central Selling API
• Access Analyzer
• AWS Cloud Control API
• AWSDeadlineCloud
• AWS Identity and Access Management
• AWS IoT Wireless
• Amazon Interactive Video Service
• AWS License Manager User Subscriptions
• Partner Central Selling API
• Amazon QuickSight
• Amazon Redshift
• Amazon SageMaker Service
• AWS Security Token Service
• Access Analyzer
• Amazon CloudWatch Application Signals
• AWS B2B Data Interchange
• AWS Billing
• AWS CloudTrail
• Amazon DynamoDB
• Amazon Elastic Compute Cloud
• Amazon CloudWatch Internet Monitor
• AWS Organizations
• AWS CodeBuild
• AWS Control Tower
• AWS Fault Injection Simulator
• Amazon GameLift
• Payment Cryptography Control Plane
• Inspector2
• AWS Lambda
• Amazon OpenSearch Service
• AWS Outposts

🍹 IAM managed policy changes

• AWS-SSM-Automation-DiagnosisBucketPolicy
• AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy
• AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy
• AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy
• AWS-SSM-RemediationAutomation-AdministrationRolePolicy
• AWS-SSM-RemediationAutomation-ExecutionRolePolicy
• AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy
• AWSQuickSetupEnableAREXExecutionPolicy
• AWSQuickSetupSSMDeploymentRolePolicy
• AWSQuickSetupSSMDeploymentS3BucketRolePolicy
• AWSQuickSetupSSMManageResourcesExecutionPolicy
• AmazonEKSServiceRolePolicy
• AWSQuickSetupEnableDHMCExecutionPolicy
• AWSQuickSetupManagedInstanceProfileExecutionPolicy
• AWSQuickSetupSSMLifecycleManagementExecutionPolicy
• AmazonECSInfrastructureRolePolicyForVpcLattice
• KeyspacesReplicationServiceRolePolicy
• AutoScalingServiceRolePolicy
• AmazonSSMServiceRolePolicy
• IAMAuditRootUserCredentials
• IAMCreateRootUserPassword
• IAMDeleteRootUserCredentials
• S3UnlockBucketPolicy
• SQSUnlockQueuePolicy
• SecurityLakeResourceManagementServiceRolePolicy
• AmazonSageMakerNotebooksServiceRolePolicy
• AWSPartnerCentralOpportunityManagement
• AWSPartnerCentralSandboxFullAccess
• AmazonConnectServiceLinkedRolePolicy
• AmplifyBackendDeployFullAccess
• AWSResourceExplorerServiceRolePolicy
• SMSVoiceServiceRolePolicy
• AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy
• AmazonQDeveloperAccess
• AmazonQFullAccess
• AmazonODBServiceRolePolicy
• AmazonConnectSynchronizationServiceRolePolicy
• AmazonDataZoneBedrockModelConsumptionPolicy
• AmazonDataZoneBedrockModelManagementPolicy
• CloudWatchInternetMonitorReadOnlyAccess
• AWSBillingReadOnlyAccess
• AWSThinkboxAWSPortalAdminPolicy
• AWSThinkboxDeadlineResourceTrackerAdminPolicy
• Billing
• GameLiftContainerFleetPolicy

☕ CloudFormation resource changes

• AWS::AccessAnalyzer::Analyzer

🎮 Amazon Linux vulnerabilities

• CVE-2024-10976
• CVE-2024-10978
• CVE-2024-10977
• CVE-2024-11159
• CVE-2024-43498
• CVE-2024-11079
• CVE-2024-49394
• CVE-2024-43499
• CVE-2024-49395
• CVE-2024-11168
• CVE-2024-49393

📺 AWS Security Bulletins

No bulletins this week.