SRE Weekly Issue #289 • 📖 [The CloudSecList] Issue 106 • [tl;dr sec] #102 - Why AuthZ is Hard, Vendor Security 2.0 • AWS WAF now offers in-line regular expressions • Amazon Macie adds support for selecting managed data identifiers • Amazon Detective supports S3 and DNS finding types, adds finding details • AWS AppSync - 4 updated methods • AWS Elemental MediaConvert - 11 updated methods • Amazon Simple Systems Manager (SSM) - 4 updated methods • EC2 Image Builder - 10 updated methods
Monday, September 27, 2021

AWS WAF now offers in-line regular expressions
Sep 23
AWS WAF extends its regular expression (regex) support, allowing regex patterns to be expressed in-line within a rule statement. Previously, you had to create a regex pattern set, which provides a collection of regex patterns in a rule statement, even if you wanted to use just a single regex pattern …
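As an added illustration (not code from the page or from AWS) of what the change means in practice: the rule below carries its regex directly in a RegexMatchStatement instead of pointing at a separately managed pattern set, and a small local dry-run checks the pattern against constructed requests before it ships. The helper names, the sample regex and the request dicts are assumptions made for this example; WAF evaluates regexes with an RE2-style engine, so Python's `re` is only an approximation and the pattern deliberately avoids lookarounds and backreferences.

```python
"""Added example: an in-line regex WAFv2 rule plus a local dry-run.

Nothing here is from the page or AWS's own code. Request shapes, names and
the sample regex are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Hypothetical pattern: probes for dotfiles that leak secrets or history.
SENSITIVE_PATH_REGEX = r"\.(?:git|env|htpasswd)(?:/|$)"


def inline_regex_rule(name, regex, priority=0, field="UriPath"):
    """Rule statement using the in-line RegexMatchStatement (no pattern set ARN)."""
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {
            "RegexMatchStatement": {
                "RegexString": regex,
                "FieldToMatch": {field: {}},
                # Decode first, then lowercase, so %2E and .ENV still match.
                "TextTransformations": [
                    {"Priority": 0, "Type": "URL_DECODE"},
                    {"Priority": 1, "Type": "LOWERCASE"},
                ],
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


# Local approximations of the WAF text transformations used above.
_TRANSFORMS = {
    "NONE": lambda s: s,
    "LOWERCASE": str.lower,
    "URL_DECODE": unquote,
}


def _apply_transforms(statement, value):
    """Apply the rule's transformations in priority order."""
    for t in sorted(statement["TextTransformations"], key=lambda t: t["Priority"]):
        value = _TRANSFORMS[t["Type"]](value)
    return value


def rule_matches(rule, request):
    """Dry-run: would this in-line regex rule fire on a constructed request?

    `request` is a hypothetical dict keyed by WAF field name, e.g.
    {"UriPath": "/app/.git/config"}. Uses Python's re as an RE2 stand-in.
    """
    stmt = rule["Statement"]["RegexMatchStatement"]
    (field,) = stmt["FieldToMatch"].keys()
    value = _apply_transforms(stmt, request.get(field, ""))
    return re.search(stmt["RegexString"], value) is not None


# Constructed sample traffic for the dry-run.
SAMPLE_REQUESTS = [
    {"UriPath": "/app/.git/config"},      # plain probe
    {"UriPath": "/app/%2Egit/HEAD"},      # URL-encoded dot
    {"UriPath": "/.ENV"},                 # case games
    {"UriPath": "/app/static/main.css"},  # benign
    {"UriPath": "/api/v1/environment"},   # benign, no dot
]


def dry_run(rule, requests=SAMPLE_REQUESTS):
    """Map each sample URI to whether the rule would block it."""
    return {r["UriPath"]: rule_matches(rule, r) for r in requests}


if __name__ == "__main__":
    rule = inline_regex_rule("block-dotfiles", SENSITIVE_PATH_REGEX)
    for uri, blocked in dry_run(rule).items():
        print(f"{'BLOCK' if blocked else 'allow':5}  {uri}")
```

The resulting rule dict is what you would hand to `aws wafv2 update-web-acl` (or `put-rule-group`) inside the Rules array; the dry-run is only a sanity check on the pattern and transformation order, not a substitute for testing in WAF's own engine.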
Amazon Macie adds support for selecting managed data identifiers
Sep 23
Amazon Macie now allows you to select which managed data identifiers to use when you create a sensitive data discovery job. This allows you to customize what data types you deem sensitive and would like Macie to alert on per specific data governance and privacy needs in your organization. When …
Amazon Detective supports S3 and DNS finding types, adds finding details
Sep 20
Amazon Detective expands security investigation support for Amazon Simple Storage Service (S3) and DNS-related findings on Amazon GuardDuty, providing full coverage of all detections from GuardDuty. Along with this, Detective now makes it even easier for a security analyst to investigate entities and behaviors using a revamped user experience.
AWS AppSync - 4 updated methods
Sep 23
Documented the new OpenSearchServiceDataSourceConfig data type. Added deprecation notes to the ElasticsearchDataSourceConfig data type.
AWS Elemental MediaConvert - 11 updated methods
Sep 23
This release adds style and positioning support for caption or subtitle burn-in from rich text sources such as TTML. This release also introduces configurable image-based trick play track generation.
Amazon Simple Systems Manager (SSM) - 4 updated methods
Sep 23
Added cutoff behavior support for preventing new task invocations from starting when the maintenance window cutoff time is reached.
EC2 Image Builder - 10 updated methods
Sep 22
This feature adds support for specifying GP3 volume throughput and configuring instance metadata options for instances launched by EC2 Image Builder.
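The instance metadata options matter because an Image Builder build instance runs arbitrary build components with its instance profile credentials; with IMDSv1 reachable, any SSRF or untrusted build step on that host can read them. The audit below is an added example (not code from the page or from AWS) that checks each infrastructure configuration for `httpTokens=required` and a hop limit of 1. The sample responses are constructed to mirror the shape of GetInfrastructureConfiguration output with invented names and ARNs; treating a configuration with no `instanceMetadataOptions` as permitting IMDSv1 is an assumption about the EC2 default, not something the page states.

```python
"""Added example: audit EC2 Image Builder infrastructure configurations for
IMDSv2 enforcement. Not from the page or AWS; sample data is constructed."""

# Constructed to mirror the `infrastructureConfiguration` object returned by
# GetInfrastructureConfiguration; only the fields the audit reads are present.
SAMPLE_CONFIGS = [
    {
        "name": "hardened-builder",
        "arn": "arn:aws:imagebuilder:us-east-1:111122223333:infrastructure-configuration/hardened-builder",
        "instanceMetadataOptions": {"httpTokens": "required", "httpPutResponseHopLimit": 1},
    },
    {
        # No options set at all: launched instances get the EC2 default (assumed
        # here to allow IMDSv1).
        "name": "legacy-builder",
        "arn": "arn:aws:imagebuilder:us-east-1:111122223333:infrastructure-configuration/legacy-builder",
    },
    {
        # Hop limit 2 is sometimes chosen so containers in a Docker build can
        # reach IMDS; it also means any container on the host can.
        "name": "docker-builder",
        "arn": "arn:aws:imagebuilder:us-east-1:111122223333:infrastructure-configuration/docker-builder",
        "instanceMetadataOptions": {"httpTokens": "required", "httpPutResponseHopLimit": 2},
    },
    {
        "name": "optional-tokens",
        "arn": "arn:aws:imagebuilder:us-east-1:111122223333:infrastructure-configuration/optional-tokens",
        "instanceMetadataOptions": {"httpTokens": "limited", "httpPutResponseHopLimit": 1},
    },
]


def imds_findings(config):
    """Return a list of problems with one infrastructure configuration dict.

    An empty list means the build instance will require IMDSv2 tokens and keep
    the metadata endpoint one hop away (not reachable from containers).
    """
    opts = config.get("instanceMetadataOptions")
    if not opts:
        return ["instanceMetadataOptions not set (EC2 default; IMDSv1 assumed reachable)"]
    problems = []
    tokens = opts.get("httpTokens")
    if tokens != "required":
        problems.append(f"httpTokens={tokens!r}; IMDSv1 still answers without a token")
    hop = opts.get("httpPutResponseHopLimit", 1)  # assumed default of 1 when absent
    if hop > 1:
        problems.append(f"httpPutResponseHopLimit={hop}; containers on the build host can reach IMDS")
    return problems


def audit(configs):
    """Map configuration name -> list of findings (empty list = compliant)."""
    return {c["name"]: imds_findings(c) for c in configs}


def fetch_live_configs(region="us-east-1"):
    """Pull every infrastructure configuration from a real account (needs boto3
    and credentials; not exercised offline)."""
    import boto3  # imported lazily so the offline audit has no dependency

    client = boto3.client("imagebuilder", region_name=region)
    configs, token = [], None
    while True:
        kwargs = {"nextToken": token} if token else {}
        page = client.list_infrastructure_configurations(**kwargs)
        for summary in page.get("infrastructureConfigurationSummaryList", []):
            full = client.get_infrastructure_configuration(
                infrastructureConfigurationArn=summary["arn"]
            )
            configs.append(full["infrastructureConfiguration"])
        token = page.get("nextToken")
        if not token:
            return configs


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_CONFIGS).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{name:18} {status}")
```

Remediation is the same call the feature was added to: set `instanceMetadataOptions` (`httpTokens=required`, `httpPutResponseHopLimit=1`) on CreateInfrastructureConfiguration or UpdateInfrastructureConfiguration. If a build component genuinely needs IMDS from inside a container, raise only the hop limit and keep tokens required.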
AWS achieves GSMA security certification for US East (Ohio) Region
Janice Leung
Sep 24
We continue to expand the scope of our assurance programs at Amazon Web Services (AWS) and are pleased to announce that our US East (Ohio) Region (us-east-2) is now certified by the GSM Association (GSMA) under its Security Accreditation Scheme Subscription Management (SAS-SM) with scope Data Center Operations and Management …
connect-campaigns: 18 new actions, 1 new resource, 3 new conditions
Sep 25
18 new actions: CreateCampaign (create a campaign), DeleteCampaign (delete a campaign), DescribeCampaign (describe a specific campaign), GetCampaignState (get state of a campaign), GetCampaignStateBatch (get state of campaigns), ListCampaigns (provide summary of all campaigns), ListTagsForResource (list tags for a resource), PauseCampaign (pause a campaign), PutConnectInstanceConfig (add configuration information for an amazon …
appstream: 1 new action
Sep 25
1 new action: CreateUpdatedImage (update an existing image within customer account)
license-manager: 3 new actions | 4 updated actions
Sep 25
3 new actions: CreateLicenseConversionTaskForResource (create a license conversion task for a resource), GetLicenseConversionTask (retrieve a license conversion task), ListLicenseConversionTasks (list license conversion tasks); 4 updated actions: CreateLicenseConfiguration (access), ListLicenseConfigurations (access), ListLicenses (access), ListTagsForResource (access)
ecr: 1 new action | 3 updated actions
Sep 25
1 new action: DescribeImageReplicationStatus (retrieve replication status about an image in a registry, including failure reason if replication fails); 3 updated actions: DescribeImages (access), DescribeRepositories (access), ListTagsForResource (access)
Jim Scharf @jim_scharf

17 years ago today, I joined this small incubator group they were calling Amazon Web Services. Later that day someone forwarded me an email "Q4 hardware orders are due Friday; Jim, you might want to order us some servers." Ah, the foreshadowing... @awscloud

Scott Piper @0xdabbad00

Cloud vulns of the past 4 weeks 🧵:
Azure:
- ChaosDB: twitter.com/sagitz_/status…
- Azurescape twitter.com/yuval_avrahami…
- OMIGOD: twitter.com/nirohfeld/stat…
- Log Analytics role privesc:

Karl @kfosaaen

This took almost a year to get through the disclosure approval process, but here's the @NetSPI blog that covers the privilege escalation issue (now fixed) that we found with the Azure Log Analytics Contributor role - netspi.com/blog/technical…

Ian Mckay @iann0036

It's new #AWS icons day!

Interestingly, we have a new group for "AWS Account" now. Happy architecting 📐☁️

aws.amazon.com/architecture/i…

Rhino Security Labs @RhinoSecurity

New Rhino Blog: CVE-2021-38112: AWS WorkSpaces Remote Code Execution
bit.ly/3kzeyr7

Scott Piper @0xdabbad00

Looks like someone found a vuln in Google's IAP (Identity Aware Proxy, a foundational component of BeyondCorp) to allow them to access someone else's protected resources. cloud.google.com/support/bullet…

Clint Gibler @clintgibler

📚 tl;dr sec 102
* @samososos Why authz is hard
* @DanielMiessler Vendor security 2.0
* @InsecureNature TruffleHog Chrome extension
* @__steele GitHub Actions w/out long-lived AWS creds
* @iann0036 permissions.cloud
* @HolyBugx Web security roadmap

tldrsec.com/blog/tldr-sec-…

Matt Fuller @matthewdfuller

I am humbled and excited to share that I've joined @stripe to help build their Cloud Security team! Stripe's mission is to grow the GDP of the internet, which I find to be quite motivating, and one in which security is at the absolute forefront.

Victor Grenu @zoph

AWS, please stop giving this kind of example snippet, I'm dying.

Aidan W Steele @__steele

Hypothetical: you have many AWS accounts, many Lambda functions, many API gateways, many subdomains and extremely productive colleagues.

How do you go from seeing a URL in the browser devtools to finding the code that handles it on GitHub?

Victor Grenu @zoph

Pretty useful AWS CLI command to get AWS CloudWatch LogGroups sorted by size. 👷🏻‍♂️ 👇🏼

Posting for visibility: AWS needs to provide support for multi-account users

AWS recommends that we set up multiple AWS accounts for each developer working on a project, and in some cases, separate AWS accounts for dev/production. This is how we've set things up, and it works great, but there's one huge drawback: we can't get support to help with the sub-accounts. …

Problems with elasticache in us-east-1?

Currently I have a couple of alarms in INSUFFICIENT_DATA from 2 different Redis nodes, and at the same time a node from a Redis cluster failed over and it's taking longer to come back.
Anyone seeing something similar?

Beta Testers Needed

Hey all,

We have a new cloud security suite we are deploying over the next couple months called Crowd Sentry. We are in desperate need of beta testers and would like to offer our services free till our launch in February. If you would like to be a beta tester …
