SRE Weekly Issue #284 • 📖 [The CloudSecList] Issue 101 • [tl;dr sec] #97 - Attacking HTTP/2, Securing GitHub Projects • IAM Access Analyzer helps you generate IAM policies based on access activity found in your organization trail • AWS Security Hub adds 18 new controls to its Foundational Security Best Practices standard and 8 new partners for enhanced cloud security posture monitoring • Amazon Appflow - 10 updated methods • Application Auto Scaling - 10 updated methods • Amazon Elastic Compute Cloud - 2 updated methods • Amazon MemoryDB - 35 new methods • Access token security for microservice APIs on Amazon EKS
Monday, August 23, 2021
IAM Access Analyzer helps you generate IAM policies based on access activity found in your organization trail
Aug 20
In April 2021, IAM Access Analyzer added policy generation to help you create fine-grained policies based on AWS CloudTrail activity stored within your account. Now, we are extending policy generation to enable you to generate policies based on access activity stored in a designated account. For example, you can use …
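The announcement describes the outcome but not the mechanics. The following is an added illustration, not Access Analyzer's own code, of what policy generation does: collect the API calls one principal actually made, map them to IAM actions, and emit an allow-list policy. The CloudTrail records are constructed for the example, the account IDs and the role name AppRole are placeholders, and the records logged under a second account stand in for the member-account events that an organization trail makes visible in one place.

```python
"""Derive a least-privilege IAM policy from observed CloudTrail activity.

Added illustration of the technique behind Access Analyzer policy
generation; not Access Analyzer's code. Records, account IDs and the
role name are constructed placeholders.
"""
import json
import re
from collections import defaultdict

# eventSource hosts whose IAM service prefix differs from the host label.
# Access Analyzer carries the complete mapping; this is the classic case.
SERVICE_PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}

ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/")
ROLE_RE = re.compile(r"^arn:aws:iam::\d{12}:role/([^/]+)$")

APP_ROLE = "arn:aws:sts::111111111111:assumed-role/AppRole/i-0abc"


def _record(source, name, arn=APP_ROLE, account="111111111111", error=None):
    """Build a CloudTrail record trimmed to the fields the mapping needs."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "recipientAccountId": account}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed activity. With an organization trail the member account's
# events (recipientAccountId 222222222222) sit in the same log as the trail
# owner's, so one generation run sees the role's whole footprint.
SAMPLE_EVENTS = [
    _record("s3.amazonaws.com", "GetObject"),
    _record("s3.amazonaws.com", "GetObject", account="222222222222"),
    _record("s3.amazonaws.com", "PutObject"),
    _record("sqs.amazonaws.com", "SendMessage"),
    _record("monitoring.amazonaws.com", "PutMetricData"),
    # Denied call: evidence the permission is absent, not that it is needed.
    _record("dynamodb.amazonaws.com", "DeleteTable", error="AccessDenied"),
    # Other principals' activity must not leak into AppRole's policy.
    _record("s3.amazonaws.com", "ListBuckets",
            arn="arn:aws:sts::111111111111:assumed-role/OtherRole/x"),
    _record("sts.amazonaws.com", "AssumeRole",
            arn="arn:aws:iam::111111111111:user/alice"),
]


def role_name_from_identity(identity_arn):
    """Return the role behind a userIdentity ARN, or None for users/root.

    Assumed-role sessions log as arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION,
    the role itself as arn:aws:iam::ACCOUNT:role/ROLE.
    """
    for pattern in (ASSUMED_ROLE_RE, ROLE_RE):
        match = pattern.match(identity_arn)
        if match:
            return match.group(1)
    return None


def service_prefix(event_source):
    return SERVICE_PREFIX_OVERRIDES.get(event_source, event_source.split(".")[0])


def actions_from_events(events, role_name):
    """Collect the IAM actions a role exercised, grouped by service prefix.

    Failed calls (errorCode present) are skipped: granting them would widen
    the policy beyond observed, permitted behaviour.
    """
    actions = defaultdict(set)
    for event in events:
        if event.get("errorCode"):
            continue
        if role_name_from_identity(event["userIdentity"]["arn"]) != role_name:
            continue
        prefix = service_prefix(event["eventSource"])
        actions[prefix].add(f"{prefix}:{event['eventName']}")
    return {prefix: sorted(acts) for prefix, acts in actions.items()}


def generate_policy(events, role_name):
    """Build an identity policy allowing only the observed actions.

    Resource stays "*": Access Analyzer narrows it for some services, here
    the reviewer must scope it by hand. eventName is used verbatim as the
    action name; for a few APIs (S3 ListObjects vs s3:ListBucket) the two
    differ, which is why a maintained mapping beats this shortcut.
    """
    statements = []
    for prefix, acts in sorted(actions_from_events(events, role_name).items()):
        statements.append({"Sid": prefix.capitalize() + "ObservedActivity",
                           "Effect": "Allow", "Action": acts, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(generate_policy(SAMPLE_EVENTS, "AppRole"), indent=2))
```

The output is a starting point, as Access Analyzer's is: the observation window has to cover the role's periodic jobs or they will be missing, and every `"Resource": "*"` still has to be scoped before the policy is attached.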
AWS Security Hub adds 18 new controls to its Foundational Security Best Practices standard and 8 new partners for enhanced cloud security posture monitoring
Aug 18
AWS Security Hub has released 18 new controls for its Foundational Security Best Practices standard to enhance customers' cloud security posture monitoring. These controls conduct fully automatic checks against security best practices for Amazon API Gateway, Amazon EC2, Amazon ECS, Elastic Load Balancing, Amazon Elasticsearch Service, Amazon RDS, Amazon Redshift, and …
Amazon Appflow - 10 updated methods
Aug 19
This release adds support for SAPOData connector and extends Veeva connector for document extraction.
Application Auto Scaling - 10 updated methods
Aug 19
This release extends Application Auto Scaling support to replication groups of Amazon ElastiCache Redis clusters. Auto Scaling monitors and automatically expands the node group count and the number of replicas per node group when a critical usage threshold is met or according to a customer-defined schedule.
Amazon Elastic Compute Cloud - 2 updated methods
Aug 19
The ImportImage API now supports the ability to create AMIs with AWS-managed licenses for Microsoft SQL Server for both Windows and Linux.
Amazon MemoryDB - 35 new methods
Aug 19
The AWS MemoryDB SDK now supports all APIs for the newly launched MemoryDB service.
Access token security for microservice APIs on Amazon EKS
Timothy James Power
Aug 19
In this blog post, I demonstrate how to implement service-to-service authorization using OAuth 2.0 access tokens for microservice APIs hosted on Amazon Elastic Kubernetes Service (Amazon EKS). A common use case for OAuth 2.0 access tokens is to facilitate user authorization to a public facing application. Access tokens can also …
deepracer: 6 new actions, 2 new conditions | 40 updated actions | 2 removed actions
Aug 20
6 new actions: AdminGetAccountConfig (get current admin multiuser configuration for this account), AdminListAssociatedUsers (list user data for all users associated with this account), AdminManageUser (manage a user associated with this account), AdminSetAccountConfig (set configuration options for this account), GetAccountConfig (get current multiuser configuration for this account), PerformLeaderboardOperation (performs the leaderboard …
iot: 3 new actions | 1 updated action, 6 updated resources
Aug 20
3 new actions: GetRetainedMessage (get the retained message on the specified topic), ListRetainedMessages (list the retained messages for your account), RetainPublish (publish a retained message to the specified topic); 1 updated action: ListTagsForResource (access); 6 updated resources: stream (arn), otaupdate (arn), rule (arn), destination (arn), provisioningtemplate (arn), domainconfiguration (arn)
chatbot: 1 new action, 1 new condition | 1 updated resource, 4 updated actions
Aug 18
1 new action: DeleteSlackWorkspaceAuthorization (delete the slack workspace authorization with aws chatbot, associated with an aws account); 1 new condition: aws:CalledVia (filters access by the services that make the request on behalf of the iam principal); 1 updated resource: ChatbotConfiguration (arn); 4 updated actions: DeleteChimeWebhookConfiguration (resources), DeleteSlackChannelConfiguration (resources), UpdateChimeWebhookConfiguration (resources), …
dms: 1 new action | 1 updated action
Aug 18
1 new action: DescribeEndpointSettings (return the possible endpoint settings available when you create an endpoint for a specific database engine); 1 updated action: ListTagsForResource (access)
Clint Gibler @clintgibler

☁️ AWS Top 10 by @security_contra

Free labs focused on understanding & fixing, not just finding & exploiting

* S3 directory traversal
* Lambda command injection
* Misconfigured reverse proxy
* + more

#cloudsecurity

application.security/free/kontra-aw…

Clint Gibler @clintgibler

🧙‍♂️Hacking G Suite: The Power of Dark Apps Script Magic

Awesome @defcon talk by @IAmMandatory covering
* Phishing
* Persistence
* Lateral movement
* Bypassing protections like U2F and OAuth app
* more

#redteam #Pentesting

youtube.com/watch?v=6AsVUS…

Matt Fuller @matthewdfuller

A super comprehensive (160+ pages!) open source #AWS S3 threat model document from the team @trustoncloud. It's incredible how many attack vectors can exist for just a single service.
#cloud #security

trustoncloud.com/the-last-s3-se…

Brigid Johnson @bjohnso5y

🏞️Soooo...remember when we pumped up Access Analyzer to generate policies based on access activity from CloudTrail? Well, now you can generate those same fine-grained policies using your organizational trail. 🏞️ (1/10)

Brigid Johnson @bjohnso5y

Seriously considering a "Policies with Pickles" YouTube channel with short videos on AWS permissions. Crazy idea or good idea? What topics should we cover?

Scott Piper @0xdabbad00

Why doesn't AWS just add this condition themselves!? They are already changing the policy for you. Why would they knowingly configure an insecure policy!? 😭

Here is a confused deputy problem, deployed by AWS, to allow messing with CloudTrail log ingestion pipelines.🤦‍♂️

AWS Doc Update @aws_doc

Changed functionality - When you configure a trail to send notifications to Amazon SNS, CloudTrail adds a policy statement to your SNS topic access policy that allows CloudTrail to send content to an SNS topic. As a security best practice, we recommend a… docs.aws.amazon.com/awscloudtrail/…

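The two posts above describe the problem without showing the statement. Added example, not AWS's code and not code from either post: the shape of the statement CloudTrail adds to a topic policy (a service principal, no condition), a check that flags that shape, and the standard confused-deputy fix of pinning the grant with aws:SourceArn. The policies, topic ARN and trail ARN are constructed placeholders; the doc update quoted above is truncated on this page, so its exact wording is not reproduced here.

```python
"""Audit an SNS topic access policy for the confused-deputy pattern.

Added example (not AWS's code). When cloudtrail.amazonaws.com may publish
to a topic with no aws:SourceArn / aws:SourceAccount condition, any trail
in any AWS account that names this topic can make the service publish
into it. Policies and ARNs below are constructed placeholders.
"""
import copy

SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}
PUBLISH_ACTIONS = {"sns:publish", "sns:*", "*"}

# The kind of statement CloudTrail adds when a trail is pointed at a topic:
# a service principal, no condition tying the grant to one trail or account.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSCloudTrailSNSPolicy",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "SNS:Publish",  # IAM action names are case-insensitive
        "Resource": "arn:aws:sns:us-east-1:111111111111:cloudtrail-notifications",
    }],
}

TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_scoped(condition):
    """True if some condition key pins the calling resource or account.

    A bare "*" value does not count: it matches every trail, so it scopes
    nothing.
    """
    for operator_block in (condition or {}).values():
        for key, value in operator_block.items():
            if key.lower() in SCOPING_KEYS and any(v != "*" for v in _as_list(value)):
                return True
    return False


def confused_deputy_risks(policy):
    """Return (Sid, service principals) for every Allow that lets a service
    principal publish to the topic without a source-scoping condition."""
    risks = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Service" not in principal:
            continue  # account and role principals are a separate review
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not (actions & PUBLISH_ACTIONS):
            continue
        if _is_scoped(stmt.get("Condition")):
            continue
        risks.append((stmt.get("Sid", f"statement[{index}]"),
                      _as_list(principal["Service"])))
    return risks


def pin_to_source(policy, source_arn):
    """Return a copy of the policy with aws:SourceArn = source_arn added to
    every flagged statement, so only that trail can drive the publish."""
    hardened = copy.deepcopy(policy)
    flagged = {sid for sid, _ in confused_deputy_risks(policy)}
    for index, stmt in enumerate(_as_list(hardened.get("Statement", []))):
        if stmt.get("Sid", f"statement[{index}]") in flagged:
            condition = stmt.setdefault("Condition", {})
            condition.setdefault("StringEquals", {})["aws:SourceArn"] = source_arn
    return hardened


if __name__ == "__main__":
    print("before:", confused_deputy_risks(WEAK_POLICY))
    print("after: ", confused_deputy_risks(pin_to_source(WEAK_POLICY, TRAIL_ARN)))
```

Where the set of trails changes often (for instance every member account of an organization sending to one topic), aws:SourceAccount with the owning account, or aws:SourceArn with a wildcard trail name inside a fixed account, is the usual compromise; the check above accepts either key as scoping, and rejects only a bare "*".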
Scott Piper @0xdabbad00

This fixes the biggest limitation of Access Analyzer policy generation that previously it only worked when the principal and CloudTrail logs were local to an S3 in the same account. Now you can use logs from an S3 stored elsewhere. An obvious and badly needed improvement.

What’s New on AWS @awswhatsnew

IAM Access Analyzer helps you generate IAM policies based on access activity found in your organization trail

In April 2021, IAM Access Analyzer added policy generation to help you create fine-grained policies based on AWS CloudTrail activity store... aws.amazon.com/about-aws/what…

Michael Chan @mchancloud

1/ 📣 Identity and Access Management is critical to security 🔐. Check out what Karen Haberkorn, Director of Product Management for AWS Identity, has to say about how AWS helps you manage and secure your critical data and resources in AWS! 11:45am PT / 2:45pm ET @AWSIdentity twitter.com/AWSSecurityInf…

AWS Security @AWSSecurityInfo

📣 Join #AWS security leaders online for #reInforce! 🛡✨☁️ Catch the livestream of @StephenSchmidt's keynote + leadership sessions on August 24th! 📌 Register here: go.aws/3srwOF4 👈 #AWS #CloudComputing #CloudSecurity #Developer

Marco Lancini @lancinimarco

📣 Ok, announcement time: I've started working on a new project focused on helping individual contributors/engineers get their work recognized and progress in their careers. More on this later this week!

Toni de la Fuente @ToniBlyx

Here is what I promised with Prowler 2.5. Enjoy “dashboarding”! …sight-security-dashboard.workshop.aws

Toni de la Fuente @ToniBlyx

Prowler 2.5.0 - Senjutsu 🔥🔥🤘github.com/toniblyx/prowl…

Urgent help needed on auto-remediation of AWS Config and Security Hub findings

Please can someone assist me with an auto-remediation strategy to bring our non-compliant controls into compliance with findings from AWS Config and Security Hub, which are all based on the CIS Benchmark. There are tons of S3 buckets, for instance, and putting on the appropriate controls manually would …
