🥖 Palette Cleanser

re:Invent is here. All the big security announcements and summaries (snark included) appear to have been made. If you are attending, make sure to catch up with Plerion founder, Keith Davison.

What's the best time to launch an open source intelligence (OSINT) platform for AWS? One week before re:Invent apparently. If you want to know what hackers can find out about your AWS account, go try it out at awseye.com (pronounced o-zee 🦘🇦🇺). Hit the 'surprise me' button to get info about a random well-known vendor account, one of ~190,000 accounts already indexed. I started working on this concept in October 2021, so I hope it was worth the grind - I'd love to know what you think. More details here.

As for today's dishes, I guess everyone is trying to get their content out before Vegas consumes them. Enjoy.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• The New PKCE Authentication in AWS SSO Brings Hope (Mostly) by Christophe Tafani-Dereeper

  There's a new default authentication process for the AWS CLI which closes longstanding holes. Apparently, red teamers have been abusing it to phish engineers for a long time. Christophe explains the flow in detail. The short story is the change is good but the old process remains available, so you still need to do some work to protect against and detect attacks.

• How Attackers (Rizzlers) Can Exploit AWS Trust Policies to Hide Behind Third-Party Roles by Or Aspir

  Regular readers will know I'm a big fan of gags but this one is lost on me. Maybe I'm too old? Luckily the content is great. Or looks at why attackers should be backdooring existing highly privileged roles and using them to complete their objectives. There's a pretty thorough section on defense too.

• Denial of Wallet Goes Beyond Serverless Functions by Chandrapal Badshah

  $5 for a million unauthenticated HTTP requests to a public S3 bucket doesn't sound like a lot (to me). Chandrapal explores how realistic it is to run up someone else's bill, and gives us yet another reason not to make buckets public.

Bonus:

• How to use AWS Resource Control Policies
• Hands-On Security Tips For Centralize Root Access In AWS (AssumeRoot)

🥗 AWS security blogs

• 📣 Amazon Web Services announces declarative policies
• 📣 Amazon OpenSearch Service zero-ETL integration with Amazon Security Lake
• 📣 AWS Verified Access now supports secure access to resources over non-HTTP(S) protocols (Preview)
• 📣 AWS Network Firewall expands the list of supported protocols and keywords in firewall rules
• 📣 AWS Artifact enhances agreements with improved access control and tracking
• Introducing Amazon OpenSearch Service and Amazon Security Lake integration to simplify security analytics by Channy Yun (윤석찬)
• Your telecom cloud journey on AWS: Part 2 – A technical roadmap with AWS by Amir Choudhri
• AWS IoT Services alignment with US Cyber Trust Mark by Syed Rehan
• Use Amazon Bedrock Agents for code scanning, optimization, and remediation by Rama Krishna Yalla
• Exploring the benefits of artificial intelligence while maintaining digital sovereignty by Max Peterson
• Federated access to Amazon Athena using AWS IAM Identity Center by Ajay Rawat
• Navigate your AWS Certification journey like an AWS pro by Vimal Vyas

🍛 Reddit threads on r/aws

• Amazon CloudWatch Logs launches the ability to transform and enrich logs
• Is there a managed policy that allows to list everything?
• 【Cognito】How to make secure sign-in without exposing tokens in the URL or to the front-end?
• IAM Identity Centre - This instance of IAM Identity Center doesn't have trusted access to your organization
• Permission denied (publickey,gssapi-keyex,gssapi-with-mic) getting into SSH

🧁 IAM permission changes

• redshift-data
• redshift-serverless
• aoss
• networkmanager
• connect
• quicksight
• q
• s3
• profile
• bcm-pricing-calculator

🍪 API changes

• Agents for Amazon Bedrock
• AWS Config
• Amazon FSx
• CloudWatch Observability Admin Service
• Agents for Amazon Bedrock Runtime
• Agents for Amazon Bedrock
• Amazon Connect Service
• Amazon Elastic Compute Cloud
• QApps
• AWS Direct Connect
• AWS Network Manager
• Amazon Simple Storage Service

🍹 IAM managed policy changes

• AWSSecurityIncidentResponseCaseFullAccess
• AWSSecurityIncidentResponseFullAccess
• AWSSecurityIncidentResponseReadOnlyAccess
• CloudWatchNetworkFlowMonitorAgentPublishPolicy
• CloudWatchNetworkFlowMonitorServiceRolePolicy
• CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy
• CloudWatchOpenSearchDashboardAccess
• CloudWatchOpenSearchDashboardsFullAccess
• AWSBillingReadOnlyAccess
• AWSPurchaseOrdersServiceRolePolicy
• Billing
• AWSSecurityIncidentResponseServiceRolePolicy
• AWSSecurityIncidentResponseTriageServiceRolePolicy
• MemoryDBServiceRolePolicy
• AWSVpcLatticeServiceRolePolicy
• VPCLatticeFullAccess
• VPCLatticeReadOnlyAccess
• DeclarativePoliciesEC2Report
• SageMakerStudioProjectUserRolePermissionsBoundary
• SageMakerStudioProjectUserRolePolicy
• SageMakerStudioFullAccess
• AWSObservabilityAdminServiceRolePolicy
• SageMakerStudioProjectProvisioningRolePolicy
• SageMakerStudioProjectRoleMachineLearningPolicy
• SageMakerStudioProjectUserRolePermissionsBoundary
• CustomerProfilesServiceLinkedRolePolicy
• SageMakerStudioProjectUserRolePermissionsBoundary
• AmazonDataZoneGlueManageAccessRolePolicy
• SageMakerStudioProjectRoleMachineLearningPolicy
• SageMakerStudioProjectUserRolePolicy
• AmazonConnectServiceLinkedRolePolicy

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

• CVE-2024-53008
• CVE-2024-53920
• CVE-2024-11695
• CVE-2024-11701
• CVE-2024-53976
• CVE-2024-53975
• CVE-2024-11699
• CVE-2024-11706
• CVE-2024-52336
• CVE-2024-11700
• CVE-2024-11696
• CVE-2024-11702
• CVE-2024-52337
• CVE-2024-11692
• CVE-2024-11703
• CVE-2024-11407
• CVE-2024-11705
• CVE-2024-11708
• CVE-2024-11694
• CVE-2024-11693
• CVE-2024-11704
• CVE-2024-11698
• CVE-2024-11697
• CVE-2024-11691

📺 AWS Security Bulletins

No bulletins this week.