Newsletters this week: SRE Weekly Issue #288 • [The CloudSecList] Issue 105 • [tl;dr sec] #101 - Securing Netflix at Scale, AWS PrivEsc Playground

In this issue:
• AWS Firewall Manager now supports AWS WAF rate-based rules
• Managed Streaming for Kafka Connect - 11 new methods
• Amazon Macie 2 - 1 new, 2 updated methods
• Amazon Pinpoint - 5 new, 28 updated methods
• AWS RoboMaker - 8 updated methods
• How to automate incident response to security events with AWS Systems Manager Incident Manager
• New Standard Contractual Clauses now part of the AWS GDPR Data Processing Addendum for customers
• Disaster recovery compliance in the cloud, part 2: A structured approach
• Disaster recovery compliance in the cloud, part 1: Common misconceptions
• kafkaconnect: 11 new actions, 3 new resources
• finspace: 14 new actions, 2 new resources, 3 new conditions
• snowball: 3 new actions
• sqs: 1 updated action | 3 removed actions
• AWS federation comes to GitHub Actions
• GitHub - BishopFox/iam-vulnerable: Use Terraform to create your own vulnerable-by-design AWS IAM privilege escalation playground
• GitHub - iann0036/iam-dataset: A consolidated AWS IAM dataset
• permissions.cloud
• Tweets from @__steele, @clintgibler, @iann0036, @0xdabbad00, @fwdcloudsec, @kmcquade3, @bjohnso5y and @CaitShim (reproduced in full below)
• How Amazon Web Services makes money: Estimated margins by service
• Former AWS veteran Charlie Bell to head cybersecurity ops at Microsoft
• Abusing AWS Lambda to make an Aussie Search Engine
• Can someone eli5 why I should or should not switch to awscli-v2?
• FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild - The Citizen Lab
• Deus x64: a new series of binary exploitation challenges by RET2 Systems
• Where to post cloud security related roles?
• 10 AWS security tips to secure your environment - Daily Host News
• Former AWS exec Charlie Bell to head new Microsoft Security, Compliance, Identity, and Management org - ZDNet
• What's Coming & Best Practices for AWS Security and Backup & Recovery - Virtualization Review
Monday, September 20, 2021

AWS Firewall Manager now supports AWS WAF rate-based rules
Sep 14
AWS Firewall Manager now enables customers to centrally deploy AWS WAF rate-based rules across accounts in their organization. An AWS WAF rate-based rule allows customers to track the rate of requests from each originating IP address and trigger a rule action on an IP once it exceeds the limit. With …
Managed Streaming for Kafka Connect - 11 new methods
Sep 16
This is the initial SDK release for Amazon Managed Streaming for Apache Kafka Connect (MSK Connect).
Amazon Macie 2 - 1 new, 2 updated methods
Sep 16
This release adds support for specifying which managed data identifiers are used by a classification job, and retrieving a list of managed data identifiers that are available.
Amazon Pinpoint - 5 new, 28 updated methods
Sep 16
This SDK release adds a new feature for Pinpoint campaigns, in-app messaging.
AWS RoboMaker - 8 updated methods
Sep 16
Adds support for creating container-based Robot and Simulation applications by introducing an environment field.
How to automate incident response to security events with AWS Systems Manager Incident Manager
Sumit Patel, Sep 17
Incident response is a core security capability for organizations to develop, and a core element in the AWS Cloud Adoption Framework (AWS CAF). Responding to security incidents quickly is important to minimize their impacts. Automating incident response helps you scale your capabilities, rapidly reduce the scope of compromised resources, and …
New Standard Contractual Clauses now part of the AWS GDPR Data Processing Addendum for customers
Stéphane Ducable, Sep 16
Today, we’re happy to announce an update to our online AWS GDPR Data Processing Addendum (AWS GDPR DPA) and our online Service Terms to include the new Standard Contractual Clauses (SCCs) that the European Commission (EC) adopted in June 2021. The EC-approved SCCs give our customers the ability to comply …
Disaster recovery compliance in the cloud, part 2: A structured approach
Dan MacKay, Sep 14
Compliance in the cloud is fraught with myths and misconceptions. This is particularly true when it comes to something as broad as disaster recovery (DR) compliance where the requirements are rarely prescriptive and often based on legacy risk-mitigation techniques that don’t account for the exceptional resilience of modern cloud-based architectures. …
Disaster recovery compliance in the cloud, part 1: Common misconceptions
Dan MacKay, Sep 14
Compliance in the cloud can seem challenging, especially for organizations in heavily regulated sectors such as financial services. Regulated financial institutions (FIs) must comply with laws and regulations (often in multiple jurisdictions), global security standards, their own corporate policies, and even contractual obligations with their customers and counterparties. These various …
kafkaconnect: 11 new actions, 3 new resources
Sep 18
11 new actions: CreateConnector (create an msk connect connector), CreateCustomPlugin (create an msk connect custom plugin), CreateWorkerConfiguration (create an msk connect worker configuration), DeleteConnector (delete an msk connect connector), DescribeConnector (describe an msk connect connector), DescribeCustomPlugin (describe an msk connect custom plugin), DescribeWorkerConfiguration (describe an msk connect worker configuration), ListConnectors …
finspace: 14 new actions, 2 new resources, 3 new conditions
Sep 18
14 new actions: CreateEnvironment (create a finspace environment), CreateUser (create a finspace user), DeleteEnvironment (delete a finspace environment), DeleteUser (delete a finspace user), GetEnvironment (describe a finspace environment), GetLoadSampleDataSetGroupIntoEnvironmentStatus (request status of the loading of sample data bundle), GetUser (describe a finspace user), ListEnvironments (list finspace environments in the aws …
snowball: 3 new actions
Sep 18
3 new actions: CreateLongTermPricing (creates a LongTermPricingListEntry allowing customers to add an upfront billing contract for a job), ListLongTermPricing (list LongTermPricingListEntry objects for the account making the request), UpdateLongTermPricing (update a specific upfront billing contract for a job)
sqs: 1 updated action | 3 removed actions
Sep 18
1 updated action: ListQueues (access)
Aidan W Steele @__steele

Ok I blogged about it. That's how excited I am.

1. Deploy this CFN template
2. Write this GHA workflow
3. Never worry about IAM users again

awsteele.com/blog/2021/09/1…

Clint Gibler @clintgibler

🌩️ IAM Vulnerable - An AWS IAM Privilege Escalation Playground

30+ exercises for practicing privesc, by @bishopfox's @sethsec

Easily deployable in your AWS account via Terraform

Source:
github.com/BishopFox/iam-…

labs.bishopfox.com/tech-blog/iam-…

Ian Mckay @iann0036

Thanks to everyone who attended my #fwdcloudsec talk 🙏

Slides and videos should be up at the end of the week if you missed it.

Links:
permissions.cloud
github.com/iann0036/iamli…
github.com/iann0036/iam-d…
github.com/iann0036/iamfa…

Aidan W Steele @__steele

THIS IS SO EXCITING. I asked for a capability like this back in Jan 2020 (times were simpler back then) and it's almost kind of shipped!

Undocumented right now, but it works. 🎉 Now if only AWS sts:AssumeRoleWithWebIdentity could map arbitrary claims to session tags. twitter.com/chrisrpatterso…

Scott Piper @0xdabbad00

I'm so happy with how fwd:cloudsec went. 😊
Thank you everyone who helped make this a success. 🙏

Scott Piper @0xdabbad00

It's probably a busy time for people that do contract work for Azure security or cloud migrations off Azure.

Clint Gibler @clintgibler

🛡️ Securing Netflix Apps at Scale

Masterclass in increasing dev velocity + raising security bar

➡️ How to productize security
➡️ Strong AuthN via gateway
➡️ The power of a single paved road

@coffeetocode @jrfernandez @JuliaaMarieee @agonigberg

netflixtechblog.com/the-show-must-…

fwd:cloudsec @fwdcloudsec

Conference complete! We managed to run our first in-person conference with no major disasters, live-streamed to the world, across 2 days and 2 tracks, streaming remote speakers in, and with Q&A with people around the world. 🎉😅

Kinnaird McQuade💥☁️ @kmcquade3

I’m presenting at @fwdcloudsec on “Security Guardrails at Scale in Azure” tomorrow at 10:20am PT. Be sure to tune in! Here’s the livestream link: youtu.be/JtiLnIUmUic

Brigid Johnson @bjohnso5y

🍾When we promote women in tech, the entire tech community thrives. @CaitShim is a strong tech leader I admire. She was promoted to Director leading AWS Accounts and Organizations. Congratulations Caitlyn. Thank you for the leadership & dedication to show us what is possible🍾

Caitlyn Shim @CaitShim

@jim_scharf and @chasing_elk123 gave me a heart attack this morning. First they had @colmmacc set up a (terrifying) distraction with a faux-security issue. Then they showed up at my door with gifts announcing my promotion.

Thankfully, I got dressed this morning.

Where to post cloud security related roles?

I was wondering if there are any specific job boards that are better than others for posting cloud-security-related roles.
