Issue #39
Monday · October 04, 2021
AWS security blogs
- Enable Security Hub PCI DSS standard across your organization and disable specific controls – At this time, enabling the PCI DSS standard from within AWS Security Hub enables this compliance framework only within the Amazon Web Services (AWS) account you are presently administering. This blog post showcases a solution that can be used to customize the configuration and deployment of the PCI DSS standard …
- Validate IAM policies in CloudFormation templates using IAM Access Analyzer – In this blog post, I introduce IAM Policy Validator for AWS CloudFormation (cfn-policy-validator), an open source tool that extracts AWS Identity and Access Management (IAM) policies from an AWS CloudFormation template, and allows you to run existing IAM Access Analyzer policy validation APIs against the template. I also show you …
- Securely extend and access on-premises Active Directory domain controllers in AWS – If you have an on-premises Windows Server Active Directory infrastructure, it's important to plan carefully how to extend it into Amazon Web Services (AWS) when you're migrating or implementing cloud-based applications. In this scenario, existing applications require Active Directory for authentication and identity management. When you migrate these applications to …
- Introducing the Ransomware Risk Management on AWS Whitepaper – AWS recently released the Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper. This whitepaper aligns the National Institute of Standards and Technology (NIST) recommendations for security controls that are related to ransomware risk management, for workloads built on AWS. The whitepaper maps the technical capabilities …
Reddit threads on r/aws
- What Wonderful Times We Live In – Caveat - not a technical post or question so much as a sort of love letter to the Cloud. I'm 57 years old and I've been working in the data space for the last 25 years. My first database build was a tactical database in 1990 in dBase III when …
- Amazon EC2 now offers Global View on the console to view all resources across regions together
- I Trust AWS IAM to Secure My Applications. I Don't Trust the IAM Docs to Tell Me How.
- You can now run AWS Lambda on the ARM64 architecture! – Seriously. Check the AWS Console and the Lambda creation wizard. It asks whether you want x86_64 or arm64 as your code runtime! Looks like they have already deployed it but it is yet to be officially announced.
- I built an open-source GraphQL powered search engine for your AWS infrastructure. – Hey all! CloudGraph is an open-source search engine for your public cloud infrastructure, powered by DGraph and GraphQL. Within seconds, query assets, configurations, and more across accounts and providers. CloudGraph also enables you to solve a host of security, compliance, governance, and FinOps challenges in the time it takes to …
Newsletters
AWS IAM Release Notes
- Updates to single-valued and multivalued condition keys – The differences between single-valued and multivalued condition keys are now explained in more detail. The value type was added to each AWS global condition context key.
Top Links from Security Folks
- AWS Cloud Control API, a Uniform API to Access AWS & Third-Party Services | Amazon Web Services – Today, I am happy to announce the availability of AWS Cloud Control API, a set of common application programming interfaces (APIs) that are designed to …
r/netsec
"AWS Security" on Google News
IAM permission changes
- dataexchange: 5 new actions, 1 new resource | 4 updated actions – 5 new actions: CreateEventAction (create an event action), DeleteEventAction (delete an event action), GetEventAction (get an event action), ListEventActions (list event actions for the account), UpdateEventAction (update information for an event action); 1 new resource: event-actions; 4 updated actions: ListDataSetRevisions (access), ListDataSets (access), ListJobs (access), ListRevisionAssets (access)
- transfer: 12 new actions, 1 new resource | 3 updated actions – 12 new actions: CreateAccess (add an access associated with a server), CreateWorkflow (create a workflow), DeleteAccess (delete access), DeleteWorkflow (delete a workflow), DescribeAccess (describe an access assigned to a server), DescribeExecution (describe an execution associated with a workflow), DescribeWorkflow (describe a workflow), ListAccesses (list accesses), ListExecutions (list executions associated with …
- events: 1 updated condition – 1 updated condition: events:source (type)
- account: 3 new actions, 2 new resources, 3 new conditions – 3 new actions: DeleteAlternateContact (delete the alternate contacts for an account), GetAlternateContact (retrieve the alternate contacts for an account), PutAlternateContact (modify the alternate contacts for an account); 2 new resources: account, accountInOrganization; 3 new conditions: account:AccountResourceOrgPaths (filters access by the resource path for an account in an organization), account:AccountResourceOrgTags/${TagKey} (filters …
API changes
- AWS Account - 3 new methods – This release of the Account Management API enables customers to manage the alternate contacts for their AWS accounts. For more information, see https://docs.aws.amazon.com/accounts/latest/reference/accounts-welcome.html
- AWS Cloud Control API - 8 new methods – Initial release of the SDK for AWS Cloud Control API
- AWS Data Exchange - 5 new, 3 updated methods – This release enables subscribers to set up automatic exports of newly published revisions using the new EventAction API.
- Amazon Macie 2 - 2 updated methods – Amazon S3 bucket metadata now indicates whether an error or a bucket's permissions settings prevented Amazon Macie from retrieving data about the bucket or the bucket's objects.