SRE Weekly Issue #295 • 📖 [The CloudSecList] Issue 112 • [tl;dr sec] #108 - How SolarWinds is Securing their Supply Chain, Cloud Security Tooling • AWS Security Hub adds support for AWS PrivateLink for private access to Security Hub APIs • AWS Secrets Manager increases secrets limit to 500K per account • Amazon Chime SDK Meetings - 11 new methods • Amazon Connect Service - 5 new methods • Amazon Elastic Compute Cloud - 4 updated methods • AWS IoT Wireless - 26 new 3 updated methods • Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda • The Five Ws episode 2: Data Classification whitepaper • securityhub: 5 new actions, 1 new resource • servicequotas: 1 updated condition • iotwireless: 26 new actions, 2 new resources • permissions.cloud • No more making Lambda@Edge functions just to add HTTP headers to CloudFront. <a href="https://t.co/sBaFMR2FfJ" target="_blank">github.com/aws/aws-sdk-go…</a> • I think there's no need for AWS IAM users today. So I made a PoC to "prove" it. First here are the general use-cases for creds * AWS SSO works great for humans 👍 * Roles work fine inside AWS 👍 * Federation works fine from other clouds 👍 * Raspberry Pi in your closet ❓ 1/4 • Semgrep 0.70+ now supports scanning Terraform source files (HCL) for misconfigurations and security flaws! Announcement: <a href="https://t.co/U1aQxruIfD" target="_blank">r2c.dev/blog/2021/semg…</a> 16 built-in rules: <a href="https://t.co/jny44SkLLl" target="_blank">github.com/returntocorp/s…</a> I will add it to the blog post shortly • Proof <a href="https://twitter.com/QuinnyPig" target="_blank">@QuinnyPig</a> has a favorite and it's <a href="https://twitter.com/AWSIdentity" target="_blank">@AWSIdentity</a>! • 🦫 Meet Ottr: A Serverless Public Key Infrastructure Framework New open source tool by <a href="https://twitter.com/Airbnb" target="_blank">@Airbnb</a> Handles end-to-end certificate rotations without the use of an agent Source code: <a href="https://t.co/W3itx3zG4k" target="_blank">github.com/airbnb/ottr</a> <a href="https://t.co/HGKkKAtlhA" target="_blank">medium.com/airbnb-enginee…</a> • 🤔 pwru: Packet, where are you? <a href="https://twitter.com/ciliumproject" target="_blank">@ciliumproject</a> An eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities Allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues <a href="https://t.co/NFc7P0vgxs" target="_blank">github.com/cilium/pwru</a> • re:Invent talk is out for editing! A least-privilege journey: IAM policies &amp; Access Analyzer 1⃣1⃣ policy pro-tips 8⃣ full policies 6⃣ pics of Pickles Looking forward to covering fun stuff: conditions, multi-value conditions, cross account, PassRole &amp; everything Access Analyzer • anyway tl;dr here it is. Really keen to hear from folks what I haven't considered. I genuinely can't think of any use cases for IAM users now. <a href="https://t.co/3LYMrDz371" target="_blank">github.com/aidansteele/cl…</a> • Committing my AWS access keys on GitHub just to feel something • "AWS’ temporary event account solution, but the 72 hour expiration policy..." Hold up, AWS provides a mechanism for temporary accounts, but you can only get access to it by hosting remote controlled car competitions?!? • Amazon CloudFront now supports configurable CORS, security, and custom HTTP response headers • Goodbye Microsoft SQL Server, Hello Babelfish • GitHub - pistazie/cdk-dia: Automated diagrams of CDK provisioned infrastructure • Where to start with a mess? • $17,000 bill after support prematurely closed case • Verizon SIMs open their own TCP/IP sessions. And other stuff. • LDAP Password Hunter: Automated tool to lookup for world-readable secrets in LDAP database building a custom list of attributes at runtime based on the CN=Schema,CN=Configuration • Microsoft Defender for Cloud Launches with Support for AWS - Petri.com • Microsoft Expands Security to AWS in Multicloud Push - Dark Reading