
December 30, 2024
🥖 Palette Cleanser
Knock, knock, knock. Is anyone there? I hope you are all enjoying some time off and not reading nerdy security newsletters. For those that refuse to conform to the tyranny of societal norms, I got you.
In case you missed it, RDS protection in GuardDuty on some MySQL instances may have been inconsistent between 16 March 2023 and 15 December 2024. Database detection engineering is a weird combination of a) way harder than it looks, b) insanely critical, and c) hardly ever implemented. I'm surprised there aren't more of these types of public issues but I'm also glad AWS is trying to make it work.
Something else that appears easy but rarely works in the real world is cloud auto remediation. I'm not a believer, not least because it's an anti-pattern, but mostly because I've only ever seen it fail. Maybe that's why we need Farris's Three Laws of Auto Remediation.
I hope you all have an amazing new year and stick with your resolutions. Mine is to bring back the videos many of you keep asking (nagging?) for. And better gags. On that note, enjoy this spinner the Plerion team made of me as a show of, errr, respect and admiration.

See you in 2025.
Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.
📋 Chef's selections
- The many ways to obtain credentials in AWS by Scott Piper
  When an attacker lands somewhere in your AWS account, they will probably try to grab some creds and use them to do bad things. What's not obvious is just how many options there are for grabbing said credentials. Did you know about "iot:AssumeRoleWithCertificate", for example? As usual, Scott makes a comprehensive list so we don't have to.
- Implementing Security Invariants in an AWS Management Account by Chris Farris
  A security invariant is a statement about a system property that must always hold true, with the intention of preventing whole classes of security issues from ever happening. AWS makes it somewhat easy to implement security invariants in Organizations member accounts via service control policies, but is less accommodating to the management account, which SCPs don't apply to. Chris walks the reader through exactly how to do it, complete with a semi-exhaustive list of policies he'd want to use that you can copy and paste.
- Get Phished by a Public AWS Systems Manager Automation Document by Gabriel Koo
  Who doesn't love a good attack walkthrough? This one shows how a legitimate-looking SSM document URL could be used to grant unauthorized access to data and do other naughty things. Perhaps some of the lessons from CloudFormation Launch Stack URLs can be applied to SSM.
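The flip side of Scott's list of ways to obtain credentials is that every one of them leaves a CloudTrail event you can hunt for. As an added example (not code from this newsletter or from Scott's article), the script below scans CloudTrail JSON records for credential-minting API calls, drops the flood of AWS services assuming roles on your behalf, and groups what is left by actor. The event set is an illustrative subset chosen for this example, and the log records are constructed for the demo, not real telemetry.

```python
import json

# Credential-minting API calls to flag. Illustrative subset chosen for this
# example, not Scott Piper's full list; extend it from his article.
CREDENTIAL_EVENTS = {
    ("sts.amazonaws.com", "AssumeRole"),
    ("sts.amazonaws.com", "AssumeRoleWithSAML"),
    ("sts.amazonaws.com", "AssumeRoleWithWebIdentity"),
    ("sts.amazonaws.com", "GetSessionToken"),
    ("sts.amazonaws.com", "GetFederationToken"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "CreateLoginProfile"),
    ("iot.amazonaws.com", "AssumeRoleWithCertificate"),
    ("sso.amazonaws.com", "GetRoleCredentials"),
}

# Constructed CloudTrail records for the demo (not real logs). One S3 read,
# one Lambda service role pickup, one human AssumeRole, one IoT certificate
# credential exchange, and one denied attempt to mint a long-lived access key.
SAMPLE_LOG = """
{"eventTime":"2024-12-28T09:00:01Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2024-12-28T09:00:05Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"lambda.amazonaws.com","userIdentity":{"type":"AWSService","invokedBy":"lambda.amazonaws.com"},"requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/fn-exec"}}
{"eventTime":"2024-12-28T09:01:10Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/Admin"}}
{"eventTime":"2024-12-28T09:02:30Z","eventSource":"iot.amazonaws.com","eventName":"AssumeRoleWithCertificate","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"Unknown","principalId":"d3fa1234"},"requestParameters":{"roleAlias":"device-role"}}
{"eventTime":"2024-12-28T09:03:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Admin/alice"},"requestParameters":{"userName":"backup-svc"},"errorCode":"AccessDenied"}
"""


def parse_jsonl(text):
    """Parse one CloudTrail record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal_of(record):
    """Return a readable actor for a record, tolerating the fields CloudTrail omits."""
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("principalId") or ident.get("invokedBy") or "unknown"


def find_credential_events(records, ignore_service_calls=True):
    """Return the records that minted (or tried to mint) credentials, oldest first.

    AWS services assuming roles on your behalf (userIdentity.type == "AWSService",
    e.g. Lambda picking up its execution role) are by far the noisiest source and
    are dropped by default so the result is reviewable. Failed attempts are kept
    and carry their errorCode, since a denied CreateAccessKey is still a signal.
    """
    hits = []
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key not in CREDENTIAL_EVENTS:
            continue
        ident = rec.get("userIdentity") or {}
        if ignore_service_calls and ident.get("type") == "AWSService":
            continue
        params = rec.get("requestParameters") or {}
        # Whatever the call targeted: a role ARN, an IoT role alias, or an IAM user.
        target = next((params[k] for k in ("roleArn", "roleAlias", "userName") if k in params), None)
        hits.append({
            "time": rec.get("eventTime"),
            "event": f"{key[0].split('.')[0]}:{key[1]}",
            "actor": principal_of(rec),
            "source_ip": rec.get("sourceIPAddress"),
            "target": target,
            "error": rec.get("errorCode"),
        })
    return sorted(hits, key=lambda h: h["time"] or "")


def summarize(records):
    """Group credential-minting events by actor so a reviewer sees who minted what."""
    by_actor = {}
    for hit in find_credential_events(records):
        by_actor.setdefault(hit["actor"], []).append(hit["event"])
    return by_actor


if __name__ == "__main__":
    for hit in find_credential_events(parse_jsonl(SAMPLE_LOG)):
        print(hit)
```

Point it at a day of decompressed CloudTrail files and the actor grouping is the part worth reading: a human principal minting credentials from an IP you don't recognise, or any hit at all on the IoT and SSO event names in an account that doesn't use those services.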
Bonusii:
🥗 AWS security blogs
🍛 Reddit threads on r/aws
- If anyone who has permission to read objects in an S3 bucket can receive the requested content already decrypted at AWS's end when SSE-S3 is used, how does SSE-S3 encryption at rest protect contents above normal Bucket policy?
- S3 bucket access
- For what security purpose is the CloudFront response headers policy needed
🤖 Dessert
Dessert is made by robots, for those that enjoy the industrial content.
🍪 API changes
🍹 IAM managed policy changes
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities
- No new CVEs.