
November 25, 2024
Palate Cleanser
Hello again loyal diners. Thank you, Cynthia Cheung, for putting together last week's issues while I was celebrating my n+1 wedding anniversary. I can confirm I am not divorced and ASD will continue as planned!
The pre:invent announcements have been coming thick and fast, and they aren't all AI-related. John Misczak wrote a deeper summary, but here's what you need to know:
- Root account management in Organizations - Instead of dealing with root creds in every account, AssumeRoot.
- VPC Block Public Access - If you like how this works in S3, you might like it in VPCs too. There's some finer-grained control that makes the VPC version more flexible but also more complicated.
- Cognito overhaul - Lots of quality of life improvements but my favourite part is support for passwordless login, including passkey authentication.
- Improved SSM experience - The sneaky best change is the ability to identify all unmanaged nodes.
- Resource Control Policies (mentioned last week) - Check out Jason Kao's guide on how to apply them to KMS.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
Chef's selections
- Stop Using Predictable Bucket Names by Jonathan Walker
Johnnie Dub has been playing with AWS docs lately and turned that into finding all the S3 buckets that AWS creates by default. It's kind of like the shadow resources research but targeting AWS itself. Nothing too serious, but he was able to identify some open buckets and patterns that might be useful to hackers.
- How Lambda Misconfigurations Can Lead to Lateral Movement by Yehonatan Bitton
There's nothing new here but I like it because it demonstrates how a Lambda attack could work in practice. It's like an attack path walkthrough - Yehonatan makes up a Shop application and shows all the steps needed to hack it.
- Confused Deputy Vulnerability in Amazon DataZone by Carlos Mora
Carlos found a way to get the DataZone service to assume role into other people's accounts. AWS quickly fixed the issue, but it's still a cool example of a bug type that keeps popping up over and over.
AWS security blogs
- Amazon OpenSearch Ingestion now supports writing security data to Amazon Security Lake
- Announcing AWS STS support for ECDSA-based signatures of OIDC tokens
- Announcing new feature tiers: Essentials and Plus for Amazon Cognito
- Amazon Cognito introduces Managed Login to support rich branding for end user journeys
- Amazon Cognito now supports passwordless authentication for low-friction and secure logins
- AWS Shield Advanced is now available in Asia Pacific (Malaysia) Region
- Improve your app authentication workflow with new Amazon Cognito features by Donnie Prakoso
- Integrate custom applications with AWS Lake Formation - Part 1 by Stefano Sandona
- Integrate custom applications with AWS Lake Formation - Part 2 by Stefano Sandona
- Introducing the AWS guide to building and operating financial services workloads for DORA (Level 2) by Eduardo Vilela
- Introducing the AWS Level 1 DORA Workbook for AWS customers regulated under DORA by Eduardo Vilela
- Amazon Kinesis Video Streams Privacy and E2E Security Overview by Syed Rehan
- OCSF Joins the Linux Foundation: Accelerating the Standardization of Cybersecurity Data by Mark Terenzoni
- How national security and defence missions protect data with Trusted Secure Enclaves on AWS by Chris Bailey
- The essential role of a landing zone in a government's digital transformation by Sharon Lindsay
- Preparing for CMMC 2.0 compliance: What contractors can do today by Abel Sanchez
- Deploying AWS Modular Data Center: From ordering to delivery and installation by Kristen Lee
- Secure root user access for member accounts in AWS Organizations by Jonathan VanKim
- Securing the RAG ingestion pipeline: Filtering mechanisms by Laura Verghote
- Important changes to CloudTrail events for AWS IAM Identity Center by Arthur Mnev
- Threat modeling your generative AI workload to evaluate security risk by Danny Cortegaca
Reddit threads on r/aws
- Error on Privileged Root Actions after Enabling Centralized Root Access
- EC2 Security Groups
- Question about AWS WAF pricing. Does the user get charged for resources (like Web ACL and rules) for the whole month immediately or is the cost calculated hourly?
- Is it possible to apply AWS Web Application Firewall Web ACL for a single EC2 Instance?
Dessert
Dessert is made by robots, for those that enjoy the industrial content.
IAM permission changes
- resiliencehub
- s3express
- ce
- cloudtrail
- artifact
- iotfleetwise
- cleanrooms
- ssm
- iot
- chatbot
- qapps
- ssm-quicksetup
- logs
- application-autoscaling
- connect
- autoscaling
- elasticloadbalancingv2
- bedrock
- compute-optimizer
- cloudfront
- xray
- ec2
- sagemaker
- rds
- datazone
- aws-marketplace
- glue
- omics
- sqlworkbench
- datazone
- glue
- sms-voicev2
- dynamodb
- ecs
- route53
- iotsitewise
- connect-campaigns
- repostspace
API changes
- Auto Scaling
- AWS Billing and Cost Management Pricing Calculator
- Agents for Amazon Bedrock Runtime
- AWS Cost Explorer Service
- AWS Chatbot
- AWS CodePipeline
- Amazon Cognito Identity Provider
- Amazon Connect Service
- Elastic Load Balancing
- Amazon EMR
- AWS Lambda
- MailManager
- Amazon Neptune Graph
- Amazon Omics
- Amazon QuickSight
- Amazon SageMaker Service
- Amazon Simple Email Service
- AWS Step Functions
- Amazon API Gateway
- Application Auto Scaling
- AWS AppSync
- AWS Cost Explorer Service
- Amazon CloudFront
- AWS CloudTrail
- Amazon Elastic Compute Cloud
- Amazon ElastiCache
- AWS Health APIs and Notifications
- AWS IoT Jobs Data Plane
- AWS IoT
- AWS IoT FleetWise
- AWS Lambda
- Amazon CloudWatch Logs
- AWS User Notifications
- AWS User Notifications Contacts
- AWS Resilience Hub
- Amazon Simple Storage Service
- AWS Systems Manager QuickSetup
- Amazon Simple Systems Manager (SSM)
- AWS X
- Auto Scaling
- Agents for Amazon Bedrock Runtime
- Amazon CloudFront
- AWS Compute Optimizer
- AWS Control Tower
- Cost Optimization Hub
- Amazon DataZone
- AWS Application Discovery Service
- Amazon Elastic Compute Cloud
- Amazon EC2 Container Service
- Elastic Load Balancing
- AWS Lambda
- AWS Elemental MediaConvert
- AWS Elemental MediaPackage v2
- Amazon Omics
- Amazon Recycle Bin
- Amazon Relational Database Service
- Amazon Timestream Query
- Amazon WorkSpaces Web
- Amazon WorkSpaces
- AWS B2B Data Interchange
- Amazon Elastic Compute Cloud
- Amazon EC2 Container Service
- Amazon Elastic File System
- AWS Glue
- Amazon Keyspaces
- Tax Settings
- Amazon WorkSpaces
- Auto Scaling
- AWS CloudFormation
- Amazon Connect Service
- Amazon Connect Customer Profiles
- Amazon Elastic Compute Cloud
- Amazon EC2 Container Service
- AWS IoT SiteWise
- Amazon Q Connect
- Amazon Relational Database Service
IAM managed policy changes
- SageMakerStudioProjectProvisioningRolePolicy
- SageMakerStudioProjectRoleMachineLearningPolicy
- SageMakerStudioProjectUserRolePermissionsBoundary
- SageMakerStudioProjectUserRolePolicy
- AWSPartnerLedSupportReadOnlyAccess
- AWSArtifactAgreementsFullAccess
- AWSArtifactAgreementsReadOnlyAccess
- ReadOnlyAccess
- SecurityAudit
- SageMakerStudioProjectProvisioningRolePolicy
- SageMakerStudioProjectUserRolePermissionsBoundary
- SageMakerStudioProjectUserRolePolicy
- AmazonConnectServiceLinkedRolePolicy
- AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
- CloudWatchSyntheticsFullAccess
- SageMakerStudioProjectProvisioningRolePolicy
- AmazonDataZoneFullAccess
- AmazonDataZoneSageMakerManageAccessRolePolicy
- CloudWatchReadOnlyAccess
- AWSServiceRoleForAmazonEKSNodegroup
- ComputeOptimizerReadOnlyAccess
- SageMakerStudioDomainExecutionRolePolicy
- SageMakerStudioDomainServiceRolePolicy
- SageMakerStudioProjectProvisioningRolePolicy
- SageMakerStudioProjectRoleMachineLearningPolicy
- SageMakerStudioProjectUserRolePermissionsBoundary
- SageMakerStudioProjectUserRolePolicy
- AWSMarketplaceManageSubscriptions
- AWSMarketplaceRead-only
- AmazonRedshiftServiceLinkedRolePolicy
- CloudFrontFullAccess
- AWSEC2VssSnapshotPolicy
- AWSQuickSetupSSMDeploymentRolePolicy
- AmazonDataZoneFullUserAccess
- AmazonDataZoneDomainExecutionRolePolicy
- ReadOnlyAccess
- SecurityAudit
- ViewOnlyAccess
- AWSMarketplaceSellerOfferManagement
- AWSPartnerCentralFullAccess
- AmazonDynamoDBReadOnlyAccess
- SSMQuickSetupRolePolicy
CloudFormation resource changes
- AWS::WorkSpacesWeb::Portal
- AWS::Chatbot::CustomAction AWS
- AWS::Chatbot::MicrosoftTeamsChannelConfiguration
- AWS::ResourceGroups::TagSyncTask
- AWS::WorkSpacesWeb::DataProtectionSettings
- AWS::ElastiCache::ServerlessCache
- AWS::S3Express::DirectoryBucket
- AWS::ApplicationAutoScaling::ScalingPolicy
- AWS::IoT::ThingType
- AWS::ApiGateway::BasePathMappingV2
- AWS::ApiGateway::DomainNameV2
- AWS::ApiGateway::DomainNameAccessAssociation
- AWS::IVS::IngestConfiguration
- AWS::RDS::GlobalCluster
- AWS::Route53Resolver::ResolverRule TargetAddress
- AWS::IoTFleetWise::StateTemplate
- AWS::IoTFleetWise::Campaign MqttTopicConfig
- AWS::AutoScaling::AutoScalingGroup
- AWS::Wisdom::MessageTemplate
- AWS::Wisdom::MessageTemplateVersion
- AWS::ConnectCampaignsV2::Campaign
- AWS::CustomerProfiles::SegmentDefinition
- AWS::RBin::Rule
Amazon Linux vulnerabilities
AWS Security Bulletins
- No bulletins this week.