Monday, February 10, 2025

🥖 Palette Cleanser

Readers, I have great news.

It's not that the BeyondTrust breach investigation has concluded and left us with a public example of why blast radius reduction and least privilege are g00d. "The investigation determined that a zero-day vulnerability of a third-party application was used to gain access to an online asset in a BeyondTrust AWS account. Access to that asset then allowed the threat actor to obtain an infrastructure API key that could then be leveraged against a separate AWS account which operated Remote Support infrastructure."

It's also not the fact that Redshift now has all the secure defaults you'd expect in 2025 including disabling public access by default, enabling encryption by default, and enforcing secure connections by default.

It's not even that blog authors are now sending me pictures of Milo products as bribes and recognizing Milo as a food, not a drink.

IT IS that you don't have to put up with my nonsense for three weeks as I'm flying away from my chefly responsibilities to Singapore and London. If you want to meet up, email me. Expect the next three issues to come from the wonderful Cynthia Cheung, who can be bribed with sour coke bottle candy instead of Milo.

P.S. The AWS team noticed ASD didn't have enough RCP content, so they gave us the Resource Control Policy examples repo.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • 8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur by Benjamin Harris, Aliz Hammond, & Pinaki Mondal

    Clickbait score: 10/10. Content score: Also 10/10. Dumb attacks are the best attacks. Scooping up ~150 S3 buckets that were referenced in various software but later deleted is the epitome of dumb. Yet, it worked a treat and I love it. The WatchTowr team spent $400 watching the logs as affected software relentlessly tried to access and execute the data formerly in the buckets. The irony was high, as among the affected software were several security products and... CISA. Warning: the storytelling and gag density might be too high for some people's liking, but it's worth the extra processing power required.

  • How does Sendbird secure AWS? by Laxman Eppalagudem

    This one is more strategeryyy. How do you make your AWS environment more secure? Do you sit there fixing all the misconfigurations and vulnerabilities ad infinitum? What are the options for long term sustainable risk reduction? Almost everyone struggles with this. Sendbird published this not-super-technical guide describing how they went about maturing their AWS security. Many organizations could likely follow a similar approach without too much security opportunity cost.

  • The Complete Guide to Cloud-Native Ransomware Protection in Amazon S3 and KMS by Jason Kao

    Two things come to mind while reading this guide: 1. The recent rah-rah about S3 ransomware has spawned some great work, including this super comprehensive guide. I've sent it to our engineering team to implement. Make sure you read and apply what makes sense for your org! 2. Jason continues to have an unhealthy obsession with KMS, and maybe we should all send him a message of support on LinkedIn so he knows there are people who care about him.

Bonusii: Stop bringing old practices to the cloud and How Adversaries Exploit Unmonitored Cloud Regions to Evade Detection

🥗 AWS security blogs

🍛 Reddit threads on r/aws


💸 Sponsor shoutout

Have you got a long list of AWS security issues you could fix but no idea how bad any of it really is?

Get a Plerion demo and focus on the 1% of risks that matter & achieve better security outcomes.

Simplify cloud security with Plerion.


🤖 Dessert

Dessert is made by robots, for those who enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS Security Bulletins

    No bulletins this week.
