• SRE Weekly Issue #279
• [The CloudSecList] Issue 96
• [tl;dr sec] #92 - Hardening Kubernetes, Ransomware
• AWS Private Certificate Authority introduces integration with Kubernetes
• AWS Certificate Manager provides expanded usage of imported ECDSA and RSA Certificates
• AWS Directory Service for Microsoft Active Directory and AD Connector are now available in the AWS Asia Pacific (Osaka) Region
• AWS Single Sign-On is now available in the South America (Sao Paulo) region
• Amazon Chime - 4 updated methods
• Amazon Elastic Compute Cloud - 6 new 8 updated methods
• Amazon Lex Model Building Service - 9 updated methods
• AWS Certificate Manager - 2 updated methods
• OSPAR 2021 report now available with 127 services in scope
• How AWS is helping EU customers navigate the new normal for data protection
• TLS-enabled Kubernetes clusters with ACM Private CA and Amazon EKS
• Protect public clients for Amazon Cognito by using an Amazon CloudFront proxy
• This is so cool: Kontra #AWS Top 10. It's a training platform with misconfigured (and FREE!) AWS labs, focused on understanding and fixing an issue, rather than finding and exploiting it. Great exercise for #cloud #developers application.security/free/kontra-aw…
• I can't resist a bad idea, especially if it means more money for Mountain Dew. Here's a CFN stack you can deploy into your personal account to get Internet connectivity in VPC-attached Lambda functions without spending $40-$120 on NAT gateways. github.com/glassechidna/l…
• Hear me discuss my AWS security roadmap document with @hashishrajan.
• Wild way of avoiding paying for a NAT for a VPC attached lambda by attaching an EIP directly to the Lambda. Also this is an interesting technique for bypassing network controls and monitoring someone may have tried to enforce.
• 🔥 #CTF challenges created by @orange_8361 🔥 Includes the source code, write-up, and explanation! Oof, many of these are *hard* 😅 #bugbountytips #pentesting github.com/orangetw/My-CT…
• 🐳 @RedHat State of #Kubernetes Security 2021: 94% experienced at least one security incident in their Kubernetes environments in the last 12 months (k8s, so easy to use! 😂); 88% of respondents use Kubernetes as their container orchestrator; + more redhat.com/rhdc/managed-f…
• Engineer: "We need to write a regex" Me: "OOOO I can help, this used to be my job" Engineer: "No wonder you became a manager..."
• Finally got my first dose of a covid vaccine. AZ flavour - supporting local manufacturing, of course. 12 weeks until dose #2.
• Turns out Pickles like Sweetarts! Especially the yellow ones. Happy Friday everyone!
• Just stumbled across github.com/awslabs/aws-se… which is a massive boost if you're just getting started analysing your AWS security logs (VPC, CT, R53)
• Since you all liked the containers one, I made another Probably Wrong Flowchart on AWS database services!
• Anyone else find aws captchas hard?
• Major outage AWS Frankfurt
• Lessons learned: if you could do it "all" from the start again, what would you do differently / anew in your AWS?
• PynamoDB - A pythonic interface to Amazon's DynamoDB
• 15-year-old heap out-of-bounds write vulnerability in Linux Netfilter powerful enough to bypass all modern security mitigations and achieve kernel code execution
• Hi! I would love to get feedback: BRUTE-SHARK is a tool I have developed; it can extract Kerberos & NTLM tickets from PCAP files, dynamically build a visual network diagram, and it also extracts credentials, hashes, files and more in real time. p.s. contributors are welcome :-)
• Anybody get or working for GIAC Cloud Security Essentials (GCLD) cert?
• Dash Solutions Announces Support for AWS for Health Initiative - WFMZ Allentown
• What Are AWS Effective Permissions? - Security Boulevard
• 3 AWS container security best practices - TechTarget
Monday, July 19, 2021

AWS Private Certificate Authority introduces integration with Kubernetes

Jul 15
AWS Private Certificate Authority (CA) now supports an open source plugin for cert-manager that offers a more secure certificate authority solution for Kubernetes containers. cert-manager is a widely-adopted solution for TLS certificate management in Kubernetes. Customers who use cert-manager for application certificate lifecycle management can now use this solution to …

AWS Certificate Manager provides expanded usage of imported ECDSA and RSA Certificates

Jul 14
AWS Certificate Manager (ACM) now allows you to import Secure Sockets Layer/Transport Layer Security (SSL/TLS) X.509 certificates of additional key types and key sizes, including Elliptic Curve Digital Signature Algorithm (ECDSA) and RSA 3072 and 4096 keys and bind them with integrated services like Amazon CloudFront and Application Load Balancer. …

AWS Directory Service for Microsoft Active Directory and AD Connector are now available in the AWS Asia Pacific (Osaka) Region

Jul 14
AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector are now available in the AWS Asia Pacific (Osaka) Region.

AWS Single Sign-On is now available in the South America (Sao Paulo) region

Jul 12
AWS Single Sign-On (SSO) is now available in the South America (São Paulo) region. For a full list of the regions where AWS SSO is available, see the AWS Region Table.

Amazon Chime - 4 updated methods

Jul 16
This SDK release adds Account Status as one of the attributes in Account API response

Amazon Elastic Compute Cloud - 6 new 8 updated methods

Jul 15
This feature enables customers to specify weekly recurring time window(s) for scheduled events that reboot, stop or terminate EC2 instances.

Amazon Lex Model Building Service - 9 updated methods

Jul 15
Lex now supports the en-IN locale

AWS Certificate Manager - 2 updated methods

Jul 14
Added support for RSA 3072 SSL certificate import

OSPAR 2021 report now available with 127 services in scope

Clara Lim · Jul 16
We are excited to announce the completion of the third Outsourced Service Provider Audit Report (OSPAR) audit cycle on July 1, 2021. The latest OSPAR certification includes the addition of 19 new services in scope, bringing the total number of services to 127 in the Asia Pacific (Singapore) Region. You …

How AWS is helping EU customers navigate the new normal for data protection

Stephen Schmidt · Jul 15
Achieving compliance with the European Union’s data protection regulations is critical for hundreds of thousands of Amazon Web Services (AWS) customers. Many of them are subject to the EU’s General Data Protection Regulation (GDPR), which ensures individuals’ fundamental right to privacy and the protection of personal …

TLS-enabled Kubernetes clusters with ACM Private CA and Amazon EKS

Param Sharma · Jul 15
In this blog post, we show you how to set up end-to-end encryption on Amazon Elastic Kubernetes Service (Amazon EKS) with AWS Certificate Manager Private Certificate Authority. For this example of end-to-end encryption, traffic originates from your client and terminates at an Ingress controller server running inside a sample app. …

Protect public clients for Amazon Cognito by using an Amazon CloudFront proxy

Mahmoud Matouk · Jul 14
In Amazon Cognito user pools, an app client is an entity that has permission to call unauthenticated API operations (that is, operations that don’t have an authenticated user), such as operations to sign up, sign in, and handle forgotten passwords. In this post, I show you a solution designed to …
Pawel Rzepa @Rzepsky

This is so cool: Kontra #AWS Top 10. It's a training platform with misconfigured (and FREE!) AWS labs, focused on understanding and fixing an issue, rather than finding and exploiting it. Great exercise for #cloud #developers

application.security/free/kontra-aw…

27 · Jul 14 · 10:14 AM
Aidan W Steele @__steele

I can't resist a bad idea, especially if it means more money for Mountain Dew.

Here's a CFN stack you can deploy into your personal account to get Internet connectivity in VPC-attached Lambda functions without spending $40-$120 on NAT gateways.

github.com/glassechidna/l…

12 · Jul 15 · 4:09 AM
Scott Piper @0xdabbad00

Wild way of avoiding paying for a NAT for a VPC attached lambda by attaching an EIP directly to the Lambda. Also this is an interesting technique for bypassing network controls and monitoring someone may have tried to enforce.

Aidan W Steele @__steele

I can't resist a bad idea, especially if it means more money for Mountain Dew.

Here's a CFN stack you can deploy into your personal account to get Internet connectivity in VPC-attached Lambda functions without spending $40-$120 on NAT gateways.

github.com/glassechidna/l…

4 · Jul 15 · 3:18 PM
Clint Gibler @clintgibler

🔥 #CTF challenges created by @orange_8361 🔥

Includes the source code, write-up, and explanation!

Oof, many of these are *hard* 😅

#bugbountytips #pentesting

github.com/orangetw/My-CT…

13 · Jul 14 · 5:00 PM
Clint Gibler @clintgibler

🐳 @RedHat State of #Kubernetes Security 2021

94% experienced at least one security incident in their Kubernetes environments in the last 12 months
(k8s, so easy to use! 😂)

88% of respondents use Kubernetes as their container orchestrator

+ more

redhat.com/rhdc/managed-f…

11 · Jul 14 · 1:00 AM
Brigid Johnson @bjohnso5y

Engineer: "We need to write a regex"
Me: "OOOO I can help, this used to be my job"
Engineer: "No wonder you became a manager..."

3 · Jul 13 · 10:58 PM
Aidan W Steele @__steele

Finally got my first dose of a covid vaccine. AZ flavour - supporting local manufacturing, of course. 12 weeks until dose #2.

0 · Jul 19 · 6:37 AM
Brigid Johnson @bjohnso5y

Turns out Pickles like Sweetarts! Especially the yellow ones. Happy Friday everyone!

0 · Jul 17 · 4:04 AM
rowan @elrowan

Just stumbled across github.com/awslabs/aws-se… which is a massive boost if you're just getting started analysing your AWS security logs (VPC, CT, R53)

2 · Jul 13 · 2:43 AM

Anyone else find aws captchas hard?

Usually fine with these things, but aws ones always take me at least 2 attempts.

Major outage AWS Frankfurt

All of our servers went down 20 min ago in AWS Frankfurt. Some of them are up and running again, but not all.

Anyone else!?

Lessons learned: if you could do it "all" from the start again, what would you do differently / anew in your AWS?

I was talking to a colleague running a b2b SaaS in a single AWS acct with 2 VPCs (prod and everything-else-env). His startup got some traction now and they are considering re-doing it the "right way".

My checklist for them is:
1. control tower; organizations; multi-account;
2. separate accts for …
