SRE Weekly Issue #275
Security Newsletter - Inside the cookie stealing market. Billion records from CVS health leaked. Taking a break.
📖 [The CloudSecList] Issue 92
[tl;dr sec] #88 - Testing 2FA Implementations, Cloud Visibility/Enforcement
AWS Resource Access Manager enables granular access control with additional managed permissions
AWS Certificate Manager Private Certificate Authority now supports more flexibility for CAs shared across accounts
Amazon Chime - 1 new method
AWSKendraFrontendService - 4 updated methods
Amazon Relational Database Service - 14 updated methods
Amazon SageMaker Service - 23 updated methods

Monday, June 21, 2021

AWS Resource Access Manager enables granular access control with additional managed permissions

Jun 15
AWS Resource Access Manager (RAM) helps you securely share your resources across AWS accounts within your organization or organizational units (OUs) in AWS Organizations, and now also with IAM roles and IAM users for supported resource types. Also with this release, AWS RAM now provides additional managed permissions that you …

AWS Certificate Manager Private Certificate Authority now supports more flexibility for CAs shared across accounts

Jun 15
AWS Certificate Manager (ACM) Private Certificate Authority (CA) has extended support for sharing CAs via Resource Access Manager (RAM). Customers can now share CAs across accounts to issue certificates defined as client-only TLS and server-only TLS, as well as fully customizable certificates. Customers can also choose to share …

Amazon Chime - 1 new method

Jun 17
This release adds a new API UpdateSipMediaApplicationCall, to update an in-progress call for SipMediaApplication.

AWSKendraFrontendService - 4 updated methods

Jun 17
Amazon Kendra now supports the indexing of web documents for search through the web crawler.

Amazon Relational Database Service - 14 updated methods

Jun 17
This release enables Database Activity Streams for RDS Oracle.

Amazon SageMaker Service - 23 updated methods

Jun 17
This release enables ml.g4dn instance types for SageMaker Batch Transform and SageMaker Processing.

Encrypt global data client-side with AWS KMS multi-Region keys

Jeremy Stieglitz · Jun 16
Today, AWS Key Management Service (AWS KMS) is introducing multi-Region keys, a new capability that lets you replicate keys from one Amazon Web Services (AWS) Region into another. Multi-Region keys are designed to simplify management of client-side encryption when your encrypted data has to be copied into other Regions for …

Approaches to meeting Australian Government gateway requirements on AWS

John Hildebrandt · Jun 14
Australian Commonwealth Government agencies are subject to specific requirements set by the Protective Security Policy Framework (PSPF) for securing connectivity between systems that are running sensitive workloads, and for accessing less trusted environments, such as the internet. These agencies have often met the requirements by using some form of approved …
Marco Lancini @lancinimarco

An incomplete list of skills senior engineers need, beyond coding skamille.medium.com/an-incomplete-…

16 · Jun 18 · 10:35 PM
Aidan W Steele @__steele

I'm easily distracted - and frustrated. So here's a tool to access EFS without a VPN or EC2 instance. Usage:

* brew install glassechidna/taps/efsu
* efsu setup --subnet-id ...
* efsu ls /mnt
* efsu cp /mnt/hello.txt .

github.com/glassechidna/e…

Aidan W Steele @__steele

Is there a handy tool for accessing AWS EFS from my laptop? I'm thinking a Lambda function + CLI combo that lets me run `ls`, `mv`, `cp`, etc.

9 · Jun 21 · 7:45 AM
Clint Gibler @clintgibler

🗒️ Testing Two-Factor Authentication

@NCCGroupInfosec's @aschmitz walks through assessing a 2FA implementation, including:
1⃣ General 2FA issues
2⃣ Authentication code-based issues
3⃣ WebAuthn security key issues

#bugbountytips #websecurity

research.nccgroup.com/2021/06/10/tes…

8 · Jun 16 · 7:00 PM
Ian Mckay @iann0036

This is insanely useful! The fact that the KMS key ID is preserved during this process is a huge deal for multi-region workloads and/or backups. 👏

Corey Quinn @QuinnyPig

BREAKING: Your mental models, as @awscloud KMS multi-region keys just dropped.

aws.amazon.com/about-aws/what…

4 · Jun 17 · 12:32 AM
Kinnaird McQuade💥☁️ @kmcquade3

The OWASP ZAP Automation Framework is awesome. It offers the ability to configure ZAP scans via YAML files so you can get really granular with the scan settings. It will eventually replace the CLI options

Here are some examples of the YAML config files:
zaproxy.org/docs/automate/…

Zed Attack Proxy @zaproxy

New Blog Post: Baseline Scan Changes zaproxy.org/blog/2021-06-1…

If you use the ZAP Baseline Scan then you should read this!

5 · Jun 15 · 9:11 PM
Rhino Security Labs @RhinoSecurity

We're putting together training materials/guidance for soon-to-be pentesters entering InfoSec
What questions do you have?
What materials would be most useful?

5 · Jun 16 · 7:43 PM
Aidan W Steele @__steele

So the new AWS KMS multi-region keys are super cool, obviously. But this language in the docs feels misleading/confusing to me.

1/3

3 · Jun 17 · 1:04 AM
Scott Piper @0xdabbad00

The AWS status page RSS feed is a unique take on status updates by just telling you about problems after they have been resolved instead of informing you about current issues. status.aws.amazon.com/rss/codebuild-…

Pocket Programer @Golduck

@AWSSupport could you please look into this issue across all of aws forums.aws.amazon.com/thread.jspa?th… - seems like something hit yesterday that completely broke codeBuild limits for many aws accounts.

2 · Jun 15 · 5:45 PM
Brigid Johnson @bjohnso5y

Overheard in AWS - "docs are like gold"

0 · Jun 16 · 10:25 PM
Clint Gibler @clintgibler

☁️ #AWS Visibility and Enforcement

Great cheatsheet of cloud security tools by @lancinimarco to:

* Get visibility into your cloud environment
* Continuously enforce security policies

cloudsecdocs.com/aws/devops/too…

0 · Jun 15 · 5:00 PM