SRE Weekly Issue #285 • 📖 [The CloudSecList] Issue 102 • [tl;dr sec] 98 - Cloud Security Orienteering, Last S3 Document You’ll Need • IAM Access Analyzer helps you generate fine-grained policies that specify the required actions for more than 50 services • Amazon Elastic Compute Cloud - 2 updated methods • Amazon EMR - 3 new 1 updated methods • AWS Compute Optimizer - 1 new 6 updated methods • Amazon Elastic Compute Cloud - 1 updated methods • How to securely create and store your CRL for ACM Private CA • AWS introduces changes to access denied errors for easier permissions troubleshooting • Use IAM Access Analyzer to generate IAM policies based on access activity found in your organization trail • Apply the principle of separation of duties to shell access to your EC2 instances • autoscaling: 1 new action • compute-optimizer: 1 new action • mobiletargeting: 1 new action | 2 updated actions • cloudfront: 2 updated actions • 🔥New blog post🔥 "<a href="https://twitter.com/hashtag/AWS" target="_blank">#AWS</a> privilege escalation: exploring odd features of the Trust Policy" a.k.a. how to assume an IAM role without "sts:AssumeRole" permission? <a href="https://t.co/t9oGPvQ6dl" target="_blank">rzepsky.medium.com/aws-privilege-…</a> • 📓 163 page Threat Model of <a href="https://twitter.com/hashtag/AWS" target="_blank">#AWS</a> S3 by @djo_hk Covers: 1. Best practices (best security/effort ratio) 2. Onboarding for large enterprises/agencies 3. Compliance mapping to demonstrate a risk-based approach and gap analysis <a href="https://twitter.com/hashtag/cloudsecurity" target="_blank">#cloudsecurity</a> <a href="https://t.co/6esuPR9kdd" target="_blank">trustoncloud.com/the-last-s3-se…</a> • Access Denied errors are going to say why type of policy is denying them! (SCP vs resource vs IAM vs boundary vs VPC end-point, etc.) This is going to be a huge help for debugging these. • 🔥🔥 Crazy exploit on Azure Cosmos DB. “In short, the [Jupyter] notebook container allowed for a privilege escalation into other customer notebooks… As a result, an attacker could gain access to customers’ Cosmos DB primary keys… and the notebook storage access token.” • ⚛️ Electron Hardener by <a href="https://twitter.com/1Password" target="_blank">@1Password</a> A <a href="https://twitter.com/rustlang" target="_blank">@rustlang</a> library and CLI tool to harden <a href="https://twitter.com/electronjs" target="_blank">@electronjs</a> binaries against runtime behavior modifications <a href="https://t.co/MlvQwQ4PP6" target="_blank">github.com/1Password/elec…</a> • Numerous cloud vendors ask for "ReadOnly" access via a managed policy. You should think long and hard about what you're actually giving them. <a href="https://twitter.com/hashtag/AWS" target="_blank">#AWS</a> <a href="https://twitter.com/hashtag/cloud" target="_blank">#cloud</a> <a href="https://twitter.com/hashtag/security" target="_blank">#security</a> <a href="https://t.co/RcKqBcDJxZ" target="_blank">posts.specterops.io/aws-readonlyac…</a> • There is now an EC2 IMDS end-point for IPv6 so there will be a new place to acquire creds beyond 169.254.169.254 at fd00:ec2::254. <a href="https://t.co/QoKUMnb4OW" target="_blank">github.com/aws/aws-sdk-go…</a> The SDK started supporting it a few weeks, but looks like now EC2 has it. <a href="https://t.co/dE7v5FRIAy" target="_blank">github.com/aws/aws-sdk-go…</a> • 😊Had a blast talking about AWS permissions at <a href="https://twitter.com/hashtag/reInforce" target="_blank">#reInforce</a> with Karen and Jesse! Least privilege is one of my favorite thing to talk about. 🥳 • Coming in October: We are making it easier to protect sensitive data by offering free MFA devices to AWS account holders and Security Awareness Training. More details <a href="https://t.co/e0ERMoPFry" target="_blank">aws.amazon.com/blogs/security…</a> • This is the holy grail for cloud adversaries: crossing the customer isolation boundaries of the service provider to access other customers' data. <a href="https://twitter.com/hashtag/azure" target="_blank">#azure</a> <a href="https://twitter.com/hashtag/cloud" target="_blank">#cloud</a> <a href="https://twitter.com/hashtag/security" target="_blank">#security</a> • A leaked Amazon document shows the maximum compensation a recruiter is allowed to offer some programmer job candidates, up to $715,400 • AWS introduces changes to access denied errors for easier permissions troubleshooting • Happy 15th Birthday Amazon EC2 • I presume you're all aware of 42.10 • IAM Zero: I built a tool which automatically suggests least-privilege IAM policies for AWS CDK infrastructure • Vulnerability in Bumble dating app reveals any user's exact location • DNSTake — A fast tool to check missing hosted DNS zones that can lead to subdomain takeover • How to start learning cloud security? • Operationalize AWS security responsibilities in the cloud - Help Net Security • AWS Introduces Security Analytics Bootstrap to Perform Security Investigations - InfoQ.com • AWS Sets MSSP Beachhead With New Security Competency - CRN