• SRE Weekly Issue #276
• 📖 [The CloudSecList] Issue 93
• [tl;dr sec] #89 - MITRE D3FEND, Lambda Authorizer Gotchas
• AmplifyBackend - 1 new method
• Amazon Import/Export Snowball - 6 updated methods
• Amazon Chime - 4 updated methods
• Amazon DynamoDB Accelerator (DAX) - 7 updated methods
• AWS welcomes Wickr to the team
• Create a portable root CA using AWS CloudHSM and ACM Private CA
• Security is the top priority for Amazon S3
• CloudHSM best practices to maximize performance and avoid common configuration pitfalls
• Semgrep: The Surgical Static Analysis Tool
• 🤖 InjuredAndroid by @B3nac: a vulnerable Android application with #CTF examples based on bug bounty findings, exploitation concepts, and pure creativity. >15 flags to capture. #MobileSecurity #bugbountytips github.com/B3nac/InjuredA…
• 😱 Nightmare: an intro to binary exploitation / reverse engineering course based around #CTF challenges. >90 challenges covering: assembly, stack buffer overflows, format strings, return oriented programming, heap exploitation, + more. guyinatuxedo.github.io
• The @AWSCloudFormer Public Registry now lets you publish your own custom types to the world! 🥳 I've uploaded a selection of types from my Terraform types project (github.com/iann0036/cfn-t…) under the TF::* namespace as well as some others. 1/2
• Denial of Wallet attacks on AWS are a scary thing and @QuinnyPig's latest post is nightmare fuel. I still believe AWS should try to prove the effectiveness of their controls with the challenge below (although I am certain it would end poorly for them). lastweekinaws.com/blog/the-cloud…
• Do you use API Gateway with Lambda authorizers? This is worth 15 minutes of your time. I've almost certainly made the mistakes outlined in the article 😰 twitter.com/TenchiSecurity…
• Someone sent me a PowerPoint for an internal meeting. I think I had an allergic reaction.
• 1/ 📣🎉 @Identiverse, the premier conference for identity professionals, begins today! AWS is a sponsor and will be presenting in-person and live sessions the next few weeks. For those who are attending, here's a thread of the sessions not to miss. @AWSIdentity
• And he wonders why I never take him anywhere nice. #Pickles
• Yay! I'm happy to announce that I'm an official #AWS Authorized Instructor 🥳
• Just blogged: "Automated Github Backups with ECS and S3" - Architecture and implications of an automated process aiming to back up a Github account, relying on @awscloud ECS Fargate and S3 Glacier. marcolancini.it/2021/blog-gith…
• The Gamer Guide to Playing AWS
• AWS launches BugBust contest: Help fix a $100m problem for a $12 tshirt
• Announcing a new Public Registry for AWS CloudFormation
• Strange Performance Decline: AWS Clocksource Change?
• Feedback for AWS: improvements for CloudFormation
• I made 56874 calls to explore the telephone network. Here's what I found.
• Microsoft signed a malicious Netfilter rootkit
• The Fault in Our Stars - Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion (https://www.tenchisecurity.com/blog/thefaultinourstars)
• Amazon Web Services Acquires Secure Communications Tech Company Wickr - GovCon Wire
• Amazon acquires secure chat app used by government agencies - CNBC
• Splunk launches security products and AWS security enhancements - TechRepublic
Monday, June 28, 2021

AmplifyBackend - 1 new method

Jun 25
Imports an existing backend authentication resource.

Amazon Import/Export Snowball - 6 updated methods

Jun 25
AWS Snow Family customers can remotely monitor and operate their connected AWS Snowcone devices. AWS Snowball Edge Storage Optimized customers can now import and export their data using NFS.

Amazon Chime - 4 updated methods

Jun 24
Adds the EventIngestionUrl field to MediaPlacement.

Amazon DynamoDB Accelerator (DAX) - 7 updated methods

Jun 24
Add support for encryption in transit to DAX clusters.

AWS welcomes Wickr to the team

Stephen Schmidt · Jun 25
We’re excited to share that AWS has acquired Wickr, an innovative company that has developed the industry’s most secure, end-to-end encrypted, communication technology. With Wickr, customers and partners benefit from advanced security features not available with traditional communications services – across messaging, voice and video calling, file sharing, and collaboration. …

Create a portable root CA using AWS CloudHSM and ACM Private CA

J.D. Bean · Jun 24
With AWS Certificate Manager Private Certificate Authority (ACM Private CA) you can create private certificate authority (CA) hierarchies, including root and subordinate CAs, without the investment and maintenance costs of operating an on-premises CA. In this post, I will explain how you can use ACM Private CA with AWS CloudHSM …

Security is the top priority for Amazon S3

Maddie Bacon · Jun 23
Amazon Simple Storage Service (Amazon S3) launched 15 years ago in March 2006, and became the first generally available service from Amazon Web Services (AWS). AWS marked the fifteenth anniversary with AWS Pi Week—a week of in-depth streams and live events. During AWS Pi Week, AWS leaders and experts reviewed …

CloudHSM best practices to maximize performance and avoid common configuration pitfalls

Esteban Hernández · Jun 22
AWS CloudHSM provides fully-managed hardware security modules (HSMs) in the AWS Cloud. CloudHSM automates day-to-day HSM management tasks including backups, high availability, provisioning, and maintenance. You’re still responsible for all user management and application integration. In this post, you will learn best practices to help you maximize the performance of …

Clint Gibler @clintgibler

🤖 InjuredAndroid by @B3nac

A vulnerable Android application with #CTF examples based on bug bounty findings, exploitation concepts, and pure creativity

>15 flags to capture

#MobileSecurity #bugbountytips

github.com/B3nac/InjuredA…

46 · Jun 22 · 5:00 PM

Clint Gibler @clintgibler

😱 Nightmare: An intro to binary exploitation / reverse engineering course based around #CTF challenges

>90 challenges covering:
* Assembly
* Stack buffer overflows
* Format strings
* Return oriented programming
* Heap exploitation
* + more

guyinatuxedo.github.io

23 · Jun 21 · 11:00 PM

Ian Mckay @iann0036

The @AWSCloudFormer Public Registry now lets you publish your own custom types to the world! 🥳

I've uploaded a selection of types from my Terraform types project (github.com/iann0036/cfn-t…) under the TF::* namespace as well as some others. 1/2

11 · Jun 22 · 12:11 AM

Scott Piper @0xdabbad00

Denial of Wallet attacks on AWS are a scary thing and @QuinnyPig's latest post is nightmare fuel. I still believe AWS should try to prove the effectiveness of their controls with the challenge below (although I am certain it would end poorly for them). lastweekinaws.com/blog/the-cloud…

Scott Piper @0xdabbad00

But more importantly, here's a fun challenge I propose to AWS: If Budget Actions are a sufficient cost control, then give an AWS access key with admin creds to me and my friends for an account protected in this way, and let us know what the bill ends up being.😈

5 · Jun 23 · 4:48 PM

Aidan W Steele @__steele

Do you use API Gateway with Lambda authorizers? This is worth 15 minutes of your time. I've almost certainly made the mistakes outlined in the article 😰 twitter.com/TenchiSecurity…

TenchiSecurity @TenchiSecurity

New blog post: The Fault in Our Stars - Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion tenchisecurity.com/blog/thefaulti… about #security issues in the way the AWS docs indicated #serverless apps could use AWS API Gateway lambda authorizers

9 · Jun 22 · 2:03 AM

Brigid Johnson @bjohnso5y

Someone sent me a PowerPoint for an internal meeting. I think I had an allergic reaction.

0 · Jun 25 · 4:34 AM

Michael Chan @mchancloud

1/ 📣🎉 @Identiverse, the premier conference for identity professionals, begins today! AWS is a sponsor and will be presenting in-person and live sessions the next few weeks. For those who are attending, here's a thread of the sessions not to miss. @AWSIdentity

6 · Jun 21 · 9:20 PM

Brigid Johnson @bjohnso5y

And he wonders why I never take him anywhere nice. #Pickles

0 · Jun 26 · 9:46 PM

Pawel Rzepa @Rzepsky

Yay! I'm happy to announce that I'm an official #AWS Authorized Instructor 🥳

0 · Jun 22 · 2:15 PM

Marco Lancini @lancinimarco

Just blogged: "Automated Github Backups with ECS and S3" - Architecture and implications of an automated process aiming to back up a Github account, relying on @awscloud ECS Fargate and S3 Glacier. marcolancini.it/2021/blog-gith…

2 · Jun 25 · 4:46 PM

Strange Performance Decline: AWS Clocksource Change?

Over the past week, we saw a significant drop in performance in some of our applications. We noticed that servers deployed on or before 6/17 maintained good performance, and servers deployed after that date took a significant performance hit.

After some extensive troubleshooting, we determined that calls to time.Now() or …

Feedback for AWS: improvements for CloudFormation

I've been using CloudFormation since 2016, and if I could I'd make a CFN for my life :)

There are some small things that I would love to see improved to make the service even better. Over the year, I collected this list:

  • move regex validation on the Parameters …
