
December 15, 2024
🥖 Palate Cleanser
It's almost Christmas, New Year, or a few days off work, whichever you celebrate. While your mother is fighting with your uncle about your grandfather's opinion on your cousin's boyfriend from 10 years ago, remember to watch the 63 re:Invent security presentations - you'll learn a lot more from them than the family drama. Or is that just my family?!
Anywayyy, there was still a surprising amount of fantastic content published this week. Enjoy it. Next week's issue falls just before Christmas Day so instead of the regular content review, I'm preparing my favourite goodies from 2024. Email me your favourites to 2024@awssecuritydigest.com and I'll do a reader's selection too.
Enjoy your week, friends.
📋 Chef's selections
Tales from the cloud trenches: Unwanted visitor by Oren Margalit
Oren describes run-of-the-mill attacker activity aimed at abusing Simple Email Service (SES) in victim accounts. There's a really elegant diagram I love that describes the activity beautifully. As always with Datadog posts, there are indicators of compromise (IoCs) anyone can use, as well as descriptions of detection opportunities.
If this article tickles you, Maayan Bentor published something similar on LLM hijacking this week.
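The SES-abuse pattern described above (size up the account's sending quota and identities, add a sender, then send) is easy to triage from CloudTrail once you group by principal. Below is an added example for this digest, not code from the Datadog post: a small detector over CloudTrail-shaped records. The event names are real SES/SESv2 API names; the account id, principals, IPs and events are constructed for illustration, not IoCs.

```python
"""Toy CloudTrail triage for the SES-abuse pattern summarised above.

Example added to the digest, not code from the Datadog post. The event
names are real SES API names, but the sample events, account id,
principals and source IPs below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance: learn the sending quota, verified identities and stats.
RECON = {"GetSendQuota", "GetAccount", "GetSendStatistics",
         "ListIdentities", "ListEmailIdentities"}
# Staging: add a sender identity or switch account sending on.
STAGE = {"VerifyEmailIdentity", "VerifyDomainIdentity", "CreateEmailIdentity",
         "UpdateAccountSendingEnabled", "PutAccountSendingAttributes"}
# Abuse: actually send mail through the victim account.
SEND = {"SendEmail", "SendRawEmail", "SendBulkTemplatedEmail", "SendBulkEmail"}


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_ses_abuse(events, window=timedelta(hours=1)):
    """Flag principals that do SES recon and then stage or send within `window`.

    Failed recon calls (errorCode present, e.g. AccessDenied) still count:
    an attacker probing a stolen key for SES rights leaves exactly that trail.
    """
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "ses.amazonaws.com":
            continue
        by_principal[ev["userIdentity"].get("arn", "unknown")].append(ev)

    findings = []
    for arn, evs in by_principal.items():
        evs.sort(key=_when)
        first_recon = None
        recon, stage, send, denied = [], [], [], 0
        for ev in evs:
            name = ev["eventName"]
            if name in RECON:
                first_recon = first_recon or _when(ev)
                recon.append(name)
                denied += "errorCode" in ev
            elif first_recon and _when(ev) - first_recon <= window:
                if name in STAGE:
                    stage.append(name)
                elif name in SEND:
                    send.append(name)
        if recon and (stage or send):
            findings.append({
                "principal": arn,
                "sourceIPs": sorted({e["sourceIPAddress"] for e in evs}),
                "recon": recon, "denied_recon": denied,
                "stage": stage, "send": send,
            })
    return findings


def _ev(time, name, arn, ip, error=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    ev = {"eventTime": time, "eventSource": "ses.amazonaws.com",
          "eventName": name, "sourceIPAddress": ip,
          "userIdentity": {"arn": arn}}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample: a leaked IAM user key sizes up SES, adds a sender,
# then sends; a legitimate mailer role only ever calls SendEmail.
STOLEN = "arn:aws:iam::123456789012:user/ci-deploy"
MAILER = "arn:aws:sts::123456789012:assumed-role/app-mailer/i-0123456789abcdef0"
SAMPLE_EVENTS = [
    _ev("2024-12-10T08:00:00Z", "GetSendQuota", STOLEN, "198.51.100.7"),
    _ev("2024-12-10T08:00:04Z", "ListIdentities", STOLEN, "198.51.100.7", "AccessDenied"),
    _ev("2024-12-10T08:00:30Z", "SendEmail", MAILER, "10.0.1.25"),
    _ev("2024-12-10T08:01:10Z", "VerifyEmailIdentity", STOLEN, "198.51.100.7"),
    _ev("2024-12-10T08:02:00Z", "SendRawEmail", STOLEN, "203.0.113.9"),
    _ev("2024-12-10T08:05:00Z", "SendEmail", MAILER, "10.0.1.25"),
]

if __name__ == "__main__":
    for finding in detect_ses_abuse(SAMPLE_EVENTS):
        print(finding)
```

The sequencing matters more than any single call: a mailer role that only ever calls SendEmail is normal, while a principal that asks for its quota (even if denied), verifies a new identity and then sends from a second IP within the hour is the pattern worth paging on. Feed it CloudTrail records from a data lake or a Lambda subscriber and tune `window` to your environment.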
Bedrock Slip: Sysdig TRT Discovers CloudTrail Logging Misstep by Alessandro Brucato
Continuing the threat detection theme, this is a quick story about gaps in Bedrock's CloudTrail logging that AWS resolved quickly. It's instructive because almost every service goes through these pains as detection engineers attempt to find malicious activity in its logs. In 2016 I gave a presentation called Gremlins in Your Cloud Success where I noted that (at the time) AssumeRole was only logged in the source account, not the destination. The trial by fire is necessary, so please continue to share these gaps with the AWS team.
AWS Native Scanning in ECR has a Gotcha by Brandon Sherman
This blog post is super niche, but it will probably save someone some pain. If you switch to AWS native scanning in ECR, any scan results produced by the previous Clair scanner will no longer be accessible. In some cases you can revert the setting and see the old results again, but YMMV, so export any findings you still need before flipping the switch.
Bonus: Another summary of re:Invent Announcements for Security Teams, this time by Scott Piper
🥗 AWS security blogs
- 📣 Amazon Route 53 Resolver DNS Firewall and DNS Firewall Advanced now available in the Asia Pacific (Malaysia) Region
- 📣 AWS Security Hub now supports PCI DSS v4.0.1 standard
- 📣 AWS Network Firewall is now available in the AWS Asia Pacific (Malaysia) region
- Detect and respond to security threats in near real-time using Amazon Managed Grafana by Sameeksha Garg
- Achieve cost effective cloud operations with AWS Managed Services by Mahnoor Hussain
- Securing Amazon Bedrock and Amazon SageMaker with Orca Security by Jason Patterson
- Scale Your AWS Environment Securely with HashiCorp Terraform and Sentinel Policy as Code by Welly Siauw
- A practical guide to getting started with policy as code by Andrew Timpone
- Modernize email sending with Amazon Simple Email Service and Proofpoint SER by Zip Zieper
- Introducing Cross-Region Connectivity for AWS PrivateLink by George Oakes
- AWS Verified Access in a TIC 3.0 architecture by Renato Ahiable
- Generative AI adoption and compliance: Simplifying the path forward with AWS Audit Manager by Kurt Kumar
- Introducing the AWS Network Firewall CloudWatch Dashboard by Ajinkya Patil
- Securing the future: building a culture of security by Carter Spriggs
- Introducing an enhanced version of the AWS Secrets Manager transform: AWS::SecretsManager-2024-09-16 by Sanjay Varma Datla
- AWS-LC FIPS 3.0: First cryptographic library to include ML-KEM in FIPS 140-3 validation by Jake Massimo
🍛 Reddit threads on r/aws
- The AWS Connector for GitHub app by aws is requesting updated permissions?
- Something about permissions boundary seems redundant and doesn't make sense to me
- How do I install packages with yum if outbound traffic is not allowed?
- Policy review for LPA to RDP into a single Windows EC2
- Adding a target group/EC2 in legacy VPC to an existing Load Balancer?
- Root Account - IP Restrictions
🤖 Dessert
Dessert is made by robots, for those who enjoy the industrial content.
🧁 IAM permission changes
🍪 API changes
- AWS CloudHSM V2
- Amazon Elastic Kubernetes Service
- AWS MediaConnect
- AWS Cloud Map
- Amazon Connect Service
- AWS Database Migration Service
- AWS Glue
- Amazon Route 53 Domains
- AWS Artifact
- EMR Serverless
- AWS Migration Hub
- Amazon Simple Email Service
- Timestream InfluxDB
- Amazon Connect Service
- Amazon Interactive Video Service RealTime
- Amazon Simple Email Service
- Amazon Elastic Compute Cloud
- AWS Elemental MediaLive
🍹 IAM managed policy changes
- AWSConfigServiceRolePolicy
- AWSSupportServiceRolePolicy
- AWSSSMForSAPServiceLinkedRolePolicy
- AWSSupplyChainFederationAdminAccess
- ReadOnlyAccess
- ResourceGroupsTaggingAPITagUntagSupportedResources
- AdministratorAccess-AWSElasticBeanstalk
- AWSPanoramaApplianceServiceRolePolicy
- AWSPanoramaFullAccess
- AWSMarketplaceSellerProductsFullAccess
- AWSMarketplaceSellerProductsReadOnly
- AWSPartnerCentralFullAccess
- AWSPartnerCentralSandboxFullAccess
- AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy
- AccessAnalyzerServiceRolePolicy
- AWSMarketplaceSellerFullAccess
- AmazonVPCFullAccess
- AmazonDocDBConsoleFullAccess
- AmazonDocDBElasticFullAccess
- AmazonVPCReadOnlyAccess