• SRE Weekly Issue #290
• 📖 [The CloudSecList] Issue 107
• [tl;dr sec] #103 - Cloud Security Guardrails, Lateral Movement in GitHub Orgs
• AWS Account - 3 new methods
• AWS Cloud Control API - 8 new methods
• AWS Data Exchange - 5 new, 3 updated methods
• Amazon Macie 2 - 2 updated methods
• Enable Security Hub PCI DSS standard across your organization and disable specific controls
• Validate IAM policies in CloudFormation templates using IAM Access Analyzer
• Securely extend and access on-premises Active Directory domain controllers in AWS
• Introducing the Ransomware Risk Management on AWS Whitepaper
• Updates to single-valued and multivalued condition keys
• dataexchange: 5 new actions, 1 new resource | 4 updated actions
• transfer: 12 new actions, 1 new resource | 3 updated actions
• events: 1 updated condition
• account: 3 new actions, 2 new resources, 3 new conditions
• AWS Cloud Control API, a Uniform API to Access AWS & Third-Party Services | Amazon Web Services
• This is a fairly urgent Sr Cloud Security Engineer role on my team at Netflix. Please apply directly if you like working on AWS IAM & credentials mgmt, reducing blast radius, right-sizing of permissions and cloud guardrails at scal… lnkd.in/g9fmfekS lnkd.in/g7dCSw9
• 8 years ago today - my first Day1 @awscloud. What a journey! There was no CloudTrail, Kinesis, Lambda, APIGW, Step Functions, Amplify or even Chime 😉 We had not long launched DataPipeline, Opsworks, Simple Workflow and CloudSearch 😜 Change is constant, keep learning folks!
• 1/ Here's the IAM Policy Validator for AWS CloudFormation, an #Opensource project that uses IAM Access Analyzer to validate that policies are secure & functional within your CFN templates, as part of a CI/CD pipeline, before they're deployed! @AWSIdentity aws.amazon.com/blogs/security…
• This post is AWS's response to Azure's recent container escape (Azurescape), to show how similar issues would not be able to impact AWS.
• There's a bit of confusion about the new Lambda support for Graviton2 and Golang. It works great, you just need to: `GOARCH=arm64 go build`, and use the `provided.al2` runtime instead of `go1.x`. awsteele.com/blog/2021/09/2…
• This has been the biggest 24 hours of AWS announcements all year, and yet I have no idea what event is going on or why it all got released today.
• This is very useful if you’re still living in VPCs aws.amazon.com/about-aws/what…
• ☁️ Building Strong Security Guardrails in AWS: @marknca walks through prioritizing and building simple guardrails to help devs avoid misconfigurations and other common security pitfalls in AWS. CloudWatch event -> Lambda -> Slack message. markn.ca/2021/how-to-bu…
• 🔥 GitOops: Bloodhound for your CI/CD pipeline. Helps identify lateral movement and privesc paths in GitHub orgs by abusing CI/CD pipelines and GitHub access controls. Gather info -> graph DB -> query attack paths. By @AlxKatana #redteam github.com/ovotech/gitoops
• Current status: living vicariously through @NerdPyle dog walk threads. ❤️
• What Wonderful Times We Live In
• Amazon EC2 now offers Global View on the console to view all resources across regions together
• I Trust AWS IAM to Secure My Applications. I Don’t Trust the IAM Docs to Tell Me How.
• You can now run AWS Lambda on the ARM64 architecture!
• I built an open-source GraphQL powered search engine for your AWS infrastructure.
• fail2ban - Remote Code Execution - CVE-2021-32749
• BruteShark Version V1.2.5 Released: Identify open ports, domains and users simply by entering PCAP files. Export it to JSON with few clicks :-)
• Microsoft Preparing Big Cybersecurity Push With Ex-AWS Charlie Bell - Business Insider
• 3 Security Initiatives AWS's New CEO Should Prioritize - Dark Reading
Monday, 4 October 2021
AWS Account - 3 new methods
Sep 30
This release of the Account Management API enables customers to manage the alternate contacts for their AWS accounts. For more information, see https://docs.aws.amazon.com/accounts/latest/reference/accounts-welcome.html
AWS Cloud Control API - 8 new methods
Sep 30
Initial release of the SDK for AWS Cloud Control API
AWS Data Exchange - 5 new, 3 updated methods
Sep 30
This release enables subscribers to set up automatic exports of newly published revisions using the new EventAction API.
Amazon Macie 2 - 2 updated methods
Sep 30
Amazon S3 bucket metadata now indicates whether an error or a bucket's permissions settings prevented Amazon Macie from retrieving data about the bucket or the bucket's objects.
Enable Security Hub PCI DSS standard across your organization and disable specific controls
Pablo Pagani, Sep 30
At this time, enabling the PCI DSS standard from within AWS Security Hub enables this compliance framework only within the Amazon Web Services (AWS) account you are presently administering. This blog post showcases a solution that can be used to customize the configuration and deployment of the PCI DSS standard …
Validate IAM policies in CloudFormation templates using IAM Access Analyzer
Matt Luttrell, Sep 29
In this blog post, I introduce IAM Policy Validator for AWS CloudFormation (cfn-policy-validator), an open source tool that extracts AWS Identity and Access Management (IAM) policies from an AWS CloudFormation template, and allows you to run existing IAM Access Analyzer policy validation APIs against the template. I also show you …
Securely extend and access on-premises Active Directory domain controllers in AWS
Mangesh Budkule, Sep 29
If you have an on-premises Windows Server Active Directory infrastructure, it’s important to plan carefully how to extend it into Amazon Web Services (AWS) when you’re migrating or implementing cloud-based applications. In this scenario, existing applications require Active Directory for authentication and identity management. When you migrate these applications to …
Introducing the Ransomware Risk Management on AWS Whitepaper
Temi Adebambo, Sep 28
AWS recently released the Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper. This whitepaper aligns the National Institute of Standards and Technology (NIST) recommendations for security controls that are related to ransomware risk management, for workloads built on AWS. The whitepaper maps the technical capabilities …
Updates to single-valued and multivalued condition keys
Sep 30
The differences between single-valued and multivalued condition keys are now explained in more detail. The value type was added to each AWS global condition context key.
dataexchange: 5 new actions, 1 new resource | 4 updated actions
Oct 2
5 new actions: CreateEventAction (create an event action), DeleteEventAction (delete an event action), GetEventAction (get an event action), ListEventActions (list event actions for the account), UpdateEventAction (update information for an event action); 1 new resource: event-actions; 4 updated actions: ListDataSetRevisions (access), ListDataSets (access), ListJobs (access), ListRevisionAssets (access)
transfer: 12 new actions, 1 new resource | 3 updated actions
Oct 2
12 new actions: CreateAccess (add an access associated with a server), CreateWorkflow (create a workflow), DeleteAccess (delete access), DeleteWorkflow (delete a workflow), DescribeAccess (describe an access assigned to a server), DescribeExecution (describe an execution associated with a workflow), DescribeWorkflow (describe a workflow), ListAccesses (list accesses), ListExecutions (list executions associated with …
events: 1 updated condition
Oct 2
1 updated condition: events:source (type)
account: 3 new actions, 2 new resources, 3 new conditions
Oct 2
3 new actions: DeleteAlternateContact (delete the alternate contacts for an account), GetAlternateContact (retrieve the alternate contacts for an account), PutAlternateContact (modify the alternate contacts for an account); 2 new resources: account, accountInOrganization; 3 new conditions: account:AccountResourceOrgPaths (filters access by the resource path for an account in an organization), account:AccountResourceOrgTags/${TagKey} (filters …
Srinath Kuruvadi @secdrama

This is a fairly urgent Sr Cloud Security Engineer role on my team at Netflix. Please apply directly if you like working on AWS IAM & credentials mgmt, reducing blast radius, right-sizing of permissions and cloud guardrails at scal…lnkd.in/g9fmfekS lnkd.in/g7dCSw9

Steven Bryen @steven_bryen

8 years ago today - my first Day1 @awscloud. What a journey!

There was no CloudTrail, Kinesis, Lambda, APIGW, Step Functions, Amplify or even Chime 😉

We had not long launched DataPipeline, Opsworks, Simple Workflow and CloudSearch 😜

Change is constant, keep learning folks!

Michael Chan @mchancloud

1/ Here's the IAM Policy Validator for AWS CloudFormation, an #Opensource project that uses IAM Access Analyzer to validate that policies are secure & functional within your CFN templates, as part of a CI/CD pipeline, before they're deployed! @AWSIdentity
aws.amazon.com/blogs/security…

Scott Piper @0xdabbad00

This post is AWS's response to Azure's recent container escape (Azurescape), to show how similar issues would not be able to impact AWS.

AWS Blog Unofficial. @AWSBlogUnreal

The AWS Open Source Blog #AWSOpenSource
aws.amazon.com/blogs/opensour…
By: Jeremy Cowan, Sai Charan Teja Gopaluni* and Vijay K Sikha

Aidan W Steele @__steele

There's a bit of confusion about the new Lambda support for Graviton2 and Golang. It works great, you just need to:

* GOARCH=arm64 go build
* Use the `provided.al2` runtime instead of `go1.x`

awsteele.com/blog/2021/09/2…

Scott Piper @0xdabbad00

This has been the biggest 24 hours of AWS announcements all year, and yet I have no idea what event is going on or why it all got released today.

Aidan W Steele @__steele

This is very useful if you’re still living in VPCs aws.amazon.com/about-aws/what…

Clint Gibler @clintgibler

☁️ Building Strong Security Guardrails in AWS

@marknca walks through prioritizing and building simple guardrails to help devs avoid misconfigurations and other common security pitfalls in AWS

CloudWatch event -> Lambda -> Slack message

markn.ca/2021/how-to-bu…

Clint Gibler @clintgibler

🔥 GitOops: Bloodhound for your CI/CD pipeline

Helps identify lateral movement and privesc paths in GitHub orgs by abusing CI/CD pipelines and GitHub access controls

Gather info -> graph DB -> query attack paths

By @AlxKatana #redteam

github.com/ovotech/gitoops

Alexandre Sieira @AlexandreSieira

Current status: living vicariously through @NerdPyle dog walk threads. ❤️

What Wonderful Times We Live In

Caveat - not a technical post or question so much as a sort of love letter to the Cloud.

I'm 57 years old and I've been working in the data space for the last 25 years. My first database build was a tactical database in 1990 in dBase III when …

You can now run AWS Lambda on the ARM64 architecture!

Seriously. Check the AWS Console and the Lambda creation wizard. It asks whether you want x86_64 or arm64 as your code runtime!

Looks like they have already deployed it but it is yet to be officially announced.

I built an open-source GraphQL powered search engine for your AWS infrastructure.

Hey all!

CloudGraph is an open-source search engine for your public cloud infrastructure, powered by DGraph and GraphQL. Within seconds, query assets, configurations, and more across accounts and providers. CloudGraph also enables you to solve a host of security, compliance, governance, and FinOps challenges in the time it takes to …
