SRE Weekly Issue #291 • 📖 [The CloudSecList] Issue 108 • [tl;dr sec] #104 - New Phrack, Often Missed Web Vulnerabilities • AWS Elemental MediaConvert - 3 new methods • Amazon Lex Model Building V2 - 3 updated methods • Amazon Lex Runtime V2 - 3 updated methods • AWS SecurityHub - 2 updated methods • Update the alternate security contact across your AWS accounts for timely security notifications • Enabling data classification for Amazon RDS database with Macie • How to set up a two-way integration between AWS Security Hub and Jira Service Management
Monday, 11 October 2021

📢 MAMIP (Monitor AWS Managed IAM Policies)

Policies changed since last week:

Get notified of policy changes using this Twitter bot. 🐦

Monitor AWS Managed IAM Policies (MAMIP)

- - - -

AWS Elemental MediaConvert - 3 new methods
Oct 8
AWS Elemental MediaConvert has added the ability to set account policies which control access restrictions for HTTP, HTTPS, and S3 content sources.
Amazon Lex Model Building V2 - 3 updated methods
Oct 8
Added configuration support for an Amazon Lex bot to provide fulfillment progress updates to users while their requests are being processed. See documentation for more details: https://docs.aws.amazon.com/lexv2/latest/dg/streaming-progress.html
Amazon Lex Runtime V2 - 3 updated methods
Oct 8
Updates API to latest version.
AWS SecurityHub - 2 updated methods
Oct 8
Added new resource details objects to ASFF, including resources for WAF rate-based rules, EC2 VPC endpoints, ECR repositories, EKS clusters, X-Ray encryption, and OpenSearch domains. Added additional details for CloudFront distributions, CodeBuild projects, ELB V2 load balancers, and S3 buckets.
Update the alternate security contact across your AWS accounts for timely security notifications
Steven Bedeker, Oct 7
Amazon Web Services (AWS) will send you important security notifications from time to time related to your account. From a security perspective, the ability for AWS Security to reach you in a timely manner is important whether you have one AWS account or thousands. These notifications could include alerts from AWS …
Enabling data classification for Amazon RDS database with Macie
Bruno Silveira, Oct 5
Customers have been asking us about ways to use Amazon Macie data discovery on their Amazon Relational Database Service (Amazon RDS) instances. This post presents how to do so using AWS Database Migration Service (AWS DMS) to extract data from Amazon RDS, store it on Amazon Simple Storage Service (Amazon …
How to set up a two-way integration between AWS Security Hub and Jira Service Management
Ramesh Venkataraman, Oct 4
If you use both AWS Security Hub and Jira Service Management, you can use the new AWS Service Management Connector for Jira Service Management to create an automated, bidirectional integration between these two products that keeps your Security Hub findings and Jira issues in sync. In this blog post, I’ll show you how …
Updates to security best practices
Oct 5
Added information about creating IAM admin users instead of using root user credentials, removed the best practice of using user groups to assign permissions to IAM users, and clarified when to use managed policies instead of inline policies.
Updates to policy evaluation logic topic for resource-based policies
Oct 5
Added information about the impact of resource-based policies and different principal types in the same account.
opsworks: 2 updated actions
Oct 8
2 updated actions: TagResource (access), UntagResource (access)
workmail: 2 new actions
Oct 7
2 new actions: DescribeInboundDmarcSettings (read the settings in a DMARC policy for a specified organization), PutInboundDmarcSettings (enable or disable a DMARC policy for a given organization)
backup: 2 new actions, 1 new condition | 2 updated actions
Oct 7
2 new actions: DeleteBackupVaultLockConfiguration (remove the lock configuration from a backup vault), PutBackupVaultLockConfiguration (add a lock configuration to the backup vault); 1 new condition: backup:FrameworkArns (filters access by the framework ARNs); 2 updated actions: CreateReportPlan (conditions), UpdateReportPlan (conditions)
s3: 1 new condition | 3 updated actions, 1 updated resource, 2 updated conditions
Oct 5
1 new condition: s3:x-amz-server-side-encryption-customer-algorithm (filters access by the customer-provided algorithm (SSE-C) for server-side encryption); 3 updated actions: BypassGovernanceRetention (conditions), PutObject (conditions), ReplicateObject (conditions); 1 updated resource: multiregionaccesspoint (ARN); 2 updated conditions: aws:TagKeys (type), s3:RequestObjectTagKeys (type)
zoph
Victor Grenu @zoph

Following #twitchleak, I've analyzed the 125GB dump archive from an AWS Security Consultant's perspective. I will complete this thread along the way, but here is what I found so far 🧵:

clintgibler
Clint Gibler @clintgibler

🤔 10 Types of Web Vulnerabilities that are Often Missed

Nice overview of vuln classes by @hakluke and @Farah_Hawaa

1. HTTP/2 Smuggling
2. XXE via Office Open XML Parsers
3. SSRF via XSS in PDF Generators
4. XSS via SVG Files
...

#bugbountytips

labs.detectify.com/2021/09/30/10-…

0xdabbad00
Scott Piper @0xdabbad00

Infinite loop created between two Lambdas resulted in "several-hundred-thousand dollar bill in a couple of hours". ♾💸
news.ycombinator.com/item?id=284931…

nojonesuk
Nick Jones @nojonesuk

Just published a reference doc on AWS access keys & how different services provide temporary keys. Turns out there are 4 different metadata services in use at present, and about a thousand ways people provide keys into EKS. Have a read!

nojones.net/posts/aws-acce…

kmcquade3
Kinnaird McQuade💥🌩 @kmcquade3

UPDATE: WE FOUND COOPER

I’m dying from happiness right now

kmcquade3
Kinnaird McQuade💥🌩 @kmcquade3

San Francisco folks: We just lost our dog, Cooper, in the Haight/Panhandle around 2pm on Sunday. Last seen in Lower Haight a block from Alamo Park and the Painted Ladies. German shepherd mix.

If anyone has seen him - please let me know & call Animal Control

RT for reach please!

kmcquade3
Kinnaird McQuade💥🌩 @kmcquade3

Cooper is sweet, loves sticks, and meeting new doggy friends. Here’s another picture of him.

__steele
Aidan W Steele @__steele

We thought it would be neat to add some live numbers to the @stedi careers page.

What other numbers do you think would be interesting? I was thinking maybe number of production deployments per week.

0xdabbad00
Scott Piper @0xdabbad00

I need an IAM policy differ. Ex. given a vendor requested policy, show me all the privs that aren't in ViewOnlyAccess so I can quickly spot the ones that are granting create/modify/delete or data plane access.

zoph
Victor Grenu @zoph

InfoSec:
- Unexpectedly, the security maturity is really high, with a lot of countermeasures, automation bots (hijacking prevention, etc.), bastion usage, and alerting systems and dashboards for the SIRT team.
- Automated secret detection in git history, etc.

clintgibler
Clint Gibler @clintgibler

📚 tl;dr sec 104
* New Phrack
* @hakluke, @Farah_Hawaa 10 often missed web vulns
* @_fel1x C/C++ semantic search tool
* @Black2Fan, @S1r1u5_ Finding prototype pollution at scale
* @r2cdev Securing your GitHub Actions
* @alex_dhondt Exploiting drones

tldrsec.com/blog/tldr-sec-…

What's your oldest S3 bucket?

This post has a bucket from 16-Mar-2006 - just 2 days after S3 was launched!

Fun fact: Only us-east-1 returns the true creation date for buckets, no matter what region the bucket is created in. Other regions return the last updated time instead.
