Security Newsletter - Nuclear secrets exposed through flashcard apps. HaveIBeenPwned goes open source. • SRE Weekly Issue #272 • 📖 [The CloudSecList] Issue 89 • [tl;dr sec] #85 - Machine Learning, GraphQL • AWS Certificate Manager Private Certificate Authority now supports storing CRLs in private S3 buckets • AWS Security Hub now supports bidirectional integration with Atlassian Jira Service Management • AWS Device Farm - 4 updated methods • Amazon FSx - 7 updated methods • AWS IoT Events - 7 new methods • AWS IoT Events Data - 7 new 1 updated methods
Monday 31 May, 2021

AWS Certificate Manager Private Certificate Authority now supports storing CRLs in private S3 buckets

May 26
AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports using S3 Block Public Access when storing certificate revocation lists (CRLs) in S3 buckets, so the bucket that serves CRLs no longer has to allow public reads.

AWS Security Hub now supports bidirectional integration with Atlassian Jira Service Management

May 26
AWS Security Hub now supports a bidirectional integration with Atlassian Jira Service Management (JSM). You can now automatically create and update issues in Atlassian JSM from AWS Security Hub findings. Updates to those issues in Atlassian JSM will be synced with the findings in AWS Security Hub. This integration …

AWS Device Farm - 4 updated methods

May 27
Introduces support for using our desktop testing service with applications hosted within your Virtual Private Cloud (VPC).

Amazon FSx - 7 updated methods

May 27
This release adds LZ4 data compression support to FSx for Lustre to reduce storage consumption of both file system storage and file system backups.

AWS IoT Events - 7 new methods

May 27
Releasing new APIs for AWS IoT Events Alarms

AWS IoT Events Data - 7 new, 1 updated methods

May 27
Releasing new APIs for AWS IoT Events Alarms

How to implement a hybrid PKI solution on AWS

Max Farnga · May 27
As customers migrate workloads into Amazon Web Services (AWS) they may be running a combination of on-premises and cloud infrastructure. When certificates are issued to this infrastructure, having a common root of trust to the certificate hierarchy allows for consistency and interoperability of the Public Key Infrastructure (PKI) solution. In …

How to import AWS IoT Device Defender audit findings into Security Hub

Joaquin Manuel Rinaudo · May 24
AWS Security Hub provides a comprehensive view of the security alerts and security posture in your accounts. In this blog post, we show how you can import AWS IoT Device Defender audit findings into Security Hub. You can then view and organize Internet of Things (IoT) security findings in Security …
Matt Fuller @matthewdfuller

"We use Slack, not Teams" should be listed under the "Benefits" section of most job descriptions.

9 · May 25 · 1:10 AM
Aidan W Steele @__steele

I've been using AWS CDK full-time for six months now. My feelings are mixed. First, the requests. I wish AWS CDK had these behaviours out of the box:

9 · May 26 · 2:40 AM
Victor GRENU @zoph

Folks, check out iam zero, a new tool to do least-privilege on AWS. 👏🏻

github.com/common-fate/ia…

11 · May 24 · 7:35 PM
Clint Gibler @clintgibler

📚 tl;dr sec 85
* @elie Deep learning side-channel attacks
* @Furyz1_, @nJoyneer: CSRF in #GraphQL
* @frgx Modern Static Analysis
* @LewisArdern, @garethheyes Hackvertor
* @security_prince AppSec Knowledge Base
* @CloudNativeFdn Supply chain whitepaper

tldrsec.com/blog/tldr-sec-…

17 · May 27 · 5:00 PM
Clint Gibler @clintgibler

🚀 Modern Static Analysis: how the best tools empower creativity

Masterclass by @frgx on the past & future of this space

* Tools must be fast and customizable to your env
* Interoperable, community driven

His tool of choice: Semgrep.dev

devd.me/log/posts/stat…

4 · May 26 · 7:00 PM
rowan @elrowan

Just some light (up to 853 pages these days) reading...

🍌 for scale

1 · May 28 · 1:39 PM
rowan @elrowan

Took me a while to get to this post, but it's a really good post on integrating AWS IAM with API GW and Cognito aws.amazon.com/blogs/security…

Please just stop using the old isometric icons at the same time as the new flat set! 🤨

6 · May 31 · 12:29 PM
fwd:cloudsec @fwdcloudsec

Tickets are still available for fwd:cloudsec! $100/person, limited to 200 people, in Salt Lake City, Sep 13-14. eventbrite.com/e/fwdcloudsec-…

6 · May 27 · 4:17 AM
Scott Piper @0xdabbad00

A non-read priv has been in ReadOnlyAccess (gamelift:RequestUploadCredentials).
I'm kicking myself for not noticing this before. It's been there since at least 2019 (the git blame doesn't go back further).

3 · May 26 · 3:07 AM
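The tweet above is a reminder that an AWS managed policy called "ReadOnly" is a name, not a guarantee; the only way to know is to read the policy document. As an added example (not Scott Piper's code and not an AWS tool), the script below scans an IAM policy document for Allow statements whose action verbs do not look read-only. The read-verb prefix list and the sample policy are constructed assumptions for this example: the heuristic produces candidates for manual review, not verdicts, and it also surfaces NotAction statements, which cannot be audited by verb at all.

```python
"""Flag actions in an IAM policy document whose verb does not look read-only."""
import json
import re
from typing import List

# Verb prefixes conventionally used for read-style IAM actions.
# Assumption for this example: AWS publishes no such list, so treat hits as a
# starting point for review rather than a ruling on the action's effect.
READ_VERBS = ("Get", "List", "Describe", "View", "Search", "Check", "Lookup",
              "Scan", "Query", "Select", "Read", "Verify", "Test")

# service:Verb, where Verb may carry IAM wildcards such as "Get*".
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*?]+)$")


def is_read_only_action(action: str) -> bool:
    """True when the action's verb starts with a read-style prefix.

    Bare "*" and "service:*" cover writes, so they are never read-only.
    A leading "Batch" is stripped so BatchGetItem is judged on "GetItem".
    """
    if action == "*":
        return False
    m = ACTION_RE.match(action)
    if not m:
        return False  # unparseable actions get flagged for a human
    verb = m.group(2)
    if verb.startswith("Batch"):
        verb = verb[len("Batch"):]
    if verb in ("", "*"):
        return False
    return verb.startswith(READ_VERBS)


def _as_list(value):
    """IAM allows a bare string where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def non_read_actions(policy: dict) -> List[str]:
    """Return sorted, de-duplicated Allow actions that are not read-style.

    Deny statements are ignored (they only remove access). A NotAction
    statement is reported as a whole because it grants everything except
    the listed actions and cannot be checked verb by verb.
    """
    flagged = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            flagged.add("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only_action(action):
                flagged.add(action)
    return sorted(flagged)


# Constructed sample policy in the shape of a read-only managed policy; it is
# not the real ReadOnlyAccess document.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "dynamodb:BatchGetItem",
                "iam:GenerateCredentialReport",
                "gamelift:RequestUploadCredentials",
            ],
            "Resource": "*",
        },
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    # In practice feed this the output of
    # `aws iam get-policy-version --policy-arn ... --version-id ...`.
    print(json.dumps(non_read_actions(SAMPLE_POLICY), indent=2))
```

Running it on the sample reports both gamelift:RequestUploadCredentials and iam:GenerateCredentialReport; the second is a deliberate illustration that a verb heuristic flags anything it cannot classify, and the reviewer decides whether the action actually changes state.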
Scott Piper @0xdabbad00

AWS didn't fail any of their SOC 2 audit this time like they did in the Apr 1 - Sep 30, 2020 SOC 2. Good work AWS on improving. 👍 twitter.com/AWSSecurityInf…

AWS Security @AWSSecurityInfo

Spring 2021 SOC reports now available with 133 services in scope: go.aws/33VPPE2

2 · May 28 · 3:46 AM

Cloud security consulting exit opportunities

How easy is it for someone in the Cloud Security consulting space (ACN or Big 4) to exit to a FAANG or Big N type company in a cloud focused role?
