🥖 Palette Cleanser

Greetings festive readers,

What a ride 2024 has been! Today's issue is a special one. We're looking back at all the fun we had this year. We did have fun, didn't we?! New content will be back next week and there will be no interruption to scheduled programming.

The year was more than just content of course, it was defined by some big events and milestones. AWS launched its public vulnerability disclosure program and also made it's previously secret bug bounty, not so secret. The XZ backdoor set the internet on fire for a few weeks and cloud security vendors were at the pointy end of the response. Let's not forget the CUPS bugs. And at the end we got Resource Control Policies and organisational root account management at re:Invent.

Unrelated but important: it might feel like ASD is my baby but I am just the step father. Victor Grenu built AWS Security Digest from the ground up and ran it diligently for many years. In June he agreed to entrust me and Plerion with it going forward. Thank you Victor! None of this would be possible without you. <3

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

I put the call out to the community for their highlights and got an overwhelming response. There's not enough room for everything so here is the content that defined the year:

• fwd:cloudsec presentations

  A few people mentioned one talk specifically, Hacking clouds using the power of the sun by Ian Mckay. It's both fun and informative about the dangers of bit flips at AWS scale.

• Introducing TrailDiscover: Simplifying Access to Security Insights about CloudTrail Events by Adan Álvarez Vilchez

  Adan launched TrailDiscover to gather CloudTrail events linked to security incidents. It puts real world data in the hands of defenders.

• What Do Hackers Know About Your AWS Account? by Daniel Grzelak

  Awseye (pronounced o-zee 🦘🇦🇺) is an open-source intelligence (OSINT) and reconnaissance service that tracks and analyzes publicly accessible AWS data. No bias here - people actually voted for it, I promise.

My personal favourites are a little bit different. You may have noticed I have a bias towards attack research. Instead of hiding it, I've gone all in:

• Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover by Nick Frichette

  Nick identified two variants of a vulnerability in AWS Amplify that exposed IAM roles associated with Amplify projects, allowing them to become assumable by anyone in the world.

• Breaching AWS Accounts Through Shadow Resources by Yakir Kadkoda, Ofek Itach, and Michael Katchinskiy

  These gentlemen discovered that it was possible to predict the names of S3 buckets used by AWS services, and sometimes manipulate data inside those buckets to gain remote code execution (RCE), full-service user takeover (which might provide powerful administrative access), manipulation of AI modules, exposure of sensitive data, data exfiltration and denial of service.

• Non-Production Endpoints as an Attack Surface in AWS by Nick Frichette

  Nick shared his magic for finding non-production and undocumented AWS APIs and abused some of them to find cool bugs. He also published a tool to enable anyone to do the same.

🥗 AWS security blogs

• 📣 AWS Network Firewall now supports IPv6 Service Endpoints
• 📣 IAM Roles Anywhere credential helper now supports TPM 2.0
• Modernize game backend services with AWS Global Accelerator by Serge Poueme
• Improving Overall Security Posture with Wiz Secured AWS landing zone by Anthony Smith
• How to federate into AWS from Azure DevOps using OpenID Connect by Mathieu Bruneau
• Transforming financial markets: How FIA Tech built the Trade Data Network on AWS by Yossi Leon
• Complying with updated NIH Genomic Data Sharing policies on AWS by Sujaya Srinivasan
• Extracting insights from PubMed articles using Amazon Q Business by Bharath Gunapati
• Continuous monitoring and governance: AWS best practices for keeping your data secure during the holidays by Maria S. Thompson
• AWS completes the CCCS PBHVA assessment with 149 services and features in scope by Naranjan Goklani
• 2024 ISO and CSA STAR certificates now available with two additional services by Atulsing Patil
• Updated PCI DSS and PCI PIN compliance packages now available by Nivetha Chandran
• Fall 2024 SOC 1, 2, and 3 reports now available with 183 services in scope by Paul Hong
• AWS named Leader in the 2024 ISG Provider Lens report for Sovereign Cloud Infrastructure Services (EU) by Marta Taggart
• Enforce resource configuration to control access to new features with AWS by Yossi Cohen
• AWS KMS: How many keys do I need? by Ishva Kanani

🍛 Reddit threads on r/aws

• Are lambdas with no vpc attachment secure?
• Centralized Root Account Access in AWS Organizations
• AWS Account Compromised – Suspicious Root Activity, Closed Account, Seeking Advice
• NIST 800-53 Rev 5 Score Implosion; Why all the sudden "Interface Endpoint" requirements?
• What advanced/innovative security strategies you'd propose to a client?

🧁 IAM permission changes

• billing
• neptune-graph
• ce
• connect
• cloudformation
• logs
• batch
• backup
• ssm
• iot
• backup-search
• elemental-support-cases
• iot1click

🍪 API changes

• Agents for Amazon Bedrock Runtime
• Agents for Amazon Bedrock
• AWS Billing
• AWS Cost Explorer Service
• Amazon Connect Service
• Amazon DocumentDB with MongoDB compatibility
• Amazon Elastic Kubernetes Service
• Amazon Macie 2
• AWS Outposts
• Amazon SageMaker Service
• Amazon AppStream
• AWS Elemental MediaConvert
• AWS Elemental MediaLive
• Amazon Q Connect
• AWS Systems Manager for SAP
• Amazon WorkSpaces
• AWS Amplify
• Amazon Connect Service
• Amazon Connect Participant Service
• AWS DataSync
• AWS IoT
• Amazon QuickSight
• AWS Resilience Hub
• AWS Transfer Family
• AWS Backup
• AWS Backup Search
• AWS Batch
• AWS Clean Rooms ML
• Amazon CloudFront
• AWS CodePipeline
• Amazon EC2 Container Service
• AWSMainframeModernization
• Synthetics
• Amazon Data Lifecycle Manager
• Amazon Elastic Compute Cloud
• AWS IoT Greengrass V2
• AWS Elemental MediaLive
• Amazon Relational Database Service

🍹 IAM managed policy changes

• NetworkAdministrator
• ViewOnlyAccess
• AWSBackupServiceRolePolicyForIndexing
• AWSBackupServiceRolePolicyForItemRestores
• AWSCodeBuildAdminAccess
• AWSCodeBuildDeveloperAccess
• AWSCodeDeployDeployerAccess
• AWSCodeDeployFullAccess
• AWSCodeDeployReadOnlyAccess
• AWSCodeBuildReadOnlyAccess
• AWSDataLifecycleManagerServiceRole
• AWSResilienceHubAsssessmentExecutionPolicy

☕ CloudFormation resource changes

• AWS::QuickSight::CustomPermissions
• AWS::Cassandra::Keyspace
• AWS::Cassandra::Type

🎮 Amazon Linux vulnerabilities

• CVE-2024-12455
• CVE-2024-53270
• CVE-2024-53269
• CVE-2024-53580
• CVE-2024-53271
• CVE-2024-51479
• CVE-2024-50379
• CVE-2024-52949

📺 AWS Security Bulletins

No bulletins this week.