SRE Weekly Issue #293 • 📖 [The CloudSecList] Issue 110 • [tl;dr sec] #106 - Least Privilege IAM, Fuzzing • Amazon Appflow - 3 updated methods • AWS Direct Connect - 4 new methods • AWS Elemental MediaConvert - 7 updated methods • AWS Elemental MediaPackage - 4 updated methods • elasticache: 1 updated condition • elasticmapreduce: 3 new actions • ec2: 6 new actions, 2 new resources | 2 updated actions | 1 removed condition
Monday, October 25, 2021
Amazon Appflow - 3 updated methods
Oct 20
Feature to add support for JSON-L format for S3 as a source.
AWS Direct Connect - 4 new methods
Oct 20
This release adds 4 new APIs, which need to be publicly available.
AWS Elemental MediaConvert - 7 updated methods
Oct 20
AWS Elemental MediaConvert SDK has added support for specifying caption time delta in milliseconds and the ability to apply color range legalization to source content other than AVC video.
AWS Elemental MediaPackage - 4 updated methods
Oct 20
When enabled, MediaPackage passes through digital video broadcasting (DVB) subtitles into the output.
elasticache: 1 updated condition
Oct 23
1 updated condition: aws:TagKeys (type)
elasticmapreduce: 3 new actions
Oct 22
3 new actions: GetAutoTerminationPolicy (retrieve the auto-termination policy associated with a cluster), PutAutoTerminationPolicy (create or update the auto-termination policy associated with a cluster), RemoveAutoTerminationPolicy (remove the auto-termination policy associated with a cluster)
ec2: 6 new actions, 2 new resources | 2 updated actions | 1 removed condition
Oct 22
6 new actions: CancelCapacityReservationFleets (cancel one or more capacity reservation fleets), CreateCapacityReservationFleet (create a capacity reservation fleet), GetVpnConnectionDeviceSampleConfiguration (download an aws-provided sample configuration file to be used with the customer gateway device), GetVpnConnectionDeviceTypes (obtain a list of customer gateway devices for which sample configuration files can be provided), ModifyCapacityReservationFleet (modify …
Aidan W Steele @__steele

This image fills me with despair for our industry. I understand my burned-out infosec colleagues now.

This is less than 24 hours of pushes to GitHub. What are we doing? How are we failing these people? Is it on cloud vendors? GitHub? Infosec educators? 1/5

Brigid Johnson @bjohnso5y

As a high achieving woman in tech, having a stellar work community is critical for me to perform at my best, deliver resounding impact, and have fun while doing it. My community at #AWS is top notch and continues to impress me. A thread🧵

Scott Piper @0xdabbad00

Abusing an AWS SNS subscription for RCE against Discourse servers! The incorrect sanity checking (by AWS!) looks very similar to the issue that @_fel1x exploited against Hashicorp Vault last year (AWS should have learned from that): twitter.com/_fel1x/status/…

Clint Gibler @clintgibler

📔 An Intro to #Fuzzing by @bishopfox

Nice intro & overview covering:
* Types of fuzzers
* How fuzzing works
* Popular fuzzers and their pros/cons
* Writing a good test harness

labs.bishopfox.com/tech-blog/an-i…

Scott Piper @0xdabbad00

If you enforce IMDSv2 via an SCP and try to create an EC2 that allows IMDSv1 still, decoding the error message actually tells you the full SCP statement (including Sid) of the SCP that blocked it.

Aidan W Steele @__steele

This is ultra cool

Soam Vasani @soamv

So: Cohesion transforms Python to AWS Step Functions workflow language. Loops, if statements, exceptions, etc. are transformed from Python to Step Functions' JSON.

Toni de la Fuente @ToniBlyx

Friday was my last day at Amazon Web Services, I'll put all my time and passion on Prowler and see how far we can go. Exciting news coming up! So far a new discord server for Prowler is available for you all to join at #prowler #cloudsecurity #awscloud lnkd.in/grSSFnPY

Kinnaird McQuade💥🌩 @kmcquade3

🔥🔥 GitHub Actions Security best practices and overview of threats by one of my colleagues at @SalesforceEng, Reethi Kotti. Reethi did a sick deep dive of the threat model of GitHub Actions & these recommended best practices are a result of that work. I highly recommend reading! twitter.com/vashta_nerdrad…

/wade @vashta_nerdrada

Github Actions Security Best Practices by Reethi Kotti (🤘😝🤘) engineering.salesforce.com/github-actions…

Clint Gibler @clintgibler

🪧 Ddosify by @ddosify

A high-performance load testing tool, written in Golang

#DDoS #networksecurity

github.com/ddosify/ddosify

Steven Bryen @steven_bryen

Great goal from my eldest this weekend. Through to next round of the cup 💪⚽️ @HAFCOfficial

A rant about 2021 re:Invent session reservations

I'm honestly baffled at how the session reservation system passed QA this year. It looks a lot better compared to 2019 and I had high hopes that it wouldn't be a total cluster, and then reservations opened all to a giant "haha nope".

  • You can cancel a reservation from the …
Career Path / How did you land a job in cloud sec?

For those of you currently working a cloud security role, what path did you take to get there?

Previous job titles/descriptions and what certifications?

I'm very much interested in cloud security and trying to learn as much as I can. Currently I'm a tier 2 engineer but get promoted to …
