Monday, November 15, 2021

In this issue:
• SRE Weekly Issue #296
• 📖 [The CloudSecList] Issue 113
• [tl;dr sec] #109 - Breaking Stateless Authentication, Secrets
• AWS Security Hub adds three new FSBP controls and three new partners
• Manage Access Centrally for JumpCloud Users with AWS Single Sign-On
• Manage Access Centrally for CyberArk Users with AWS Single Sign-On
• Amazon Connect Service - 4 new 1 updated methods
• Amazon DevOps Guru - 5 new 5 updated methods
• Amazon Elastic Compute Cloud - 24 updated methods
• AWS Elemental MediaConvert - 11 updated methods
AWS Security Hub adds three new FSBP controls and three new partners
Nov 11
AWS Security Hub has released three new controls for its Foundational Security Best Practice standard (FSBP) to enhance customers' Cloud Security Posture Management (CSPM). These controls conduct fully automatic checks against security best practices for Elastic Load Balancing and AWS Systems Manager. If you have Security Hub set to automatically enable …
Manage Access Centrally for JumpCloud Users with AWS Single Sign-On
Nov 11
Customers can now connect their JumpCloud Directory Platform (JumpCloud) to Amazon Web Services Single Sign-On (SSO) once, manage access to AWS centrally in AWS SSO, and enable end users to sign in using JumpCloud to access all their assigned AWS accounts. The integration helps customers simplify AWS access management across …
Manage Access Centrally for CyberArk Users with AWS Single Sign-On
Nov 10
Customers can now connect their CyberArk Workforce Identity (CyberArk) to AWS Single Sign-On (SSO) once, manage access to AWS centrally in AWS SSO, and enable end users to sign in using CyberArk Workforce Identity to access all their assigned AWS accounts. The integration helps customers simplify AWS access management across …
Amazon Connect Service - 4 new 1 updated methods
Nov 12
This release adds APIs for creating and managing scheduled tasks. Additionally, adds APIs to describe and update a contact and list associated references.
Amazon DevOps Guru - 5 new 5 updated methods
Nov 12
Add support for cross account APIs.
Amazon Elastic Compute Cloud - 24 updated methods
Nov 12
C6i instances are powered by a third-generation Intel Xeon Scalable processor (Ice Lake) delivering all-core turbo frequency of 3.5 GHz. G5 instances feature up to 8 NVIDIA A10G Tensor Core GPUs and second generation AMD EPYC processors.
AWS Elemental MediaConvert - 11 updated methods
Nov 12
AWS Elemental MediaConvert SDK has added automatic modes for GOP configuration and added the ability to ingest screen recordings generated by Safari on MacOS 12 Monterey.
Managing temporary elevated access to your AWS environment
James Greenwood, Nov 12
In this post you’ll learn about temporary elevated access and how it can mitigate risks relating to human access to your AWS environment. You’ll also be able to download a minimal reference implementation and use it as a starting point to build a temporary elevated access solution tailored for your …
AWS achieves GSMA Security Certification for Europe (Paris) Region
Janice Leung, Nov 10
We continue to expand the scope of our assurance programs at Amazon Web Services (AWS) and are pleased to announce that our Europe (Paris) Region is now certified by the GSM Association (GSMA) under its Security Accreditation Scheme Subscription Management (SAS-SM) with scope Data Center Operations and Management (DCOM). This …
Managing permissions with grants in AWS Key Management Service
Rick Yin, Nov 8
AWS Key Management Service (AWS KMS) helps customers to use encryption to secure their data. When creating a new encrypted Amazon Web Services (AWS) resource, such as an Amazon Relational Database Service (Amazon RDS) database or an Amazon Simple Storage Service (Amazon S3) bucket, all you have to do is …
sts: 1 new condition | 1 updated action
Nov 13
1 new condition: sts:AWSServiceName (filters access by the service that is obtaining a bearer token); 1 updated action: GetServiceBearerToken (conditions)
chime: 7 new actions
Nov 13
7 new actions: DeregisterAppInstanceUserEndpoint (deregister an endpoint for an app instance user), DescribeAppInstanceUserEndpoint (describe an endpoint registered for an app instance user), GetChannelMembershipPreferences (get the preferences for a channel membership), ListAppInstanceUserEndpoints (list the endpoints registered for an app instance user), PutChannelMembershipPreferences (put the preferences for a channel membership), RegisterAppInstanceUserEndpoint (register …
resiliencehub: 39 new actions, 4 new resources, 3 new conditions
Nov 12
39 new actions: AddDraftAppVersionResourceMappings (add draft application version resource mappings), CreateApp (create application), CreateRecommendationTemplate (create recommendation template), CreateResiliencyPolicy (create resiliency policy), DeleteApp (batch delete application), DeleteAppAssessment (batch delete application assessment), DeleteRecommendationTemplate (batch delete recommendation template), DeleteResiliencyPolicy (batch delete resiliency policy), DescribeApp (describe application), DescribeAppAssessment (describe application assessment), DescribeAppVersionResourcesResolutionStatus (describe application …
Scott Piper @0xdabbad00

My general guidance for AWS has been to trust AWS is securing their side of the shared responsibility model (ex. don't spend much time worrying about the possibility of guest-to-host-escapes, CPU side channels, etc from other customers). That is not my belief for Azure. 🧵

Scott Piper @0xdabbad00

This is a REALLY good read. Shows how the team explored and chained multiple issues together in a cloud environment and how a number of mistakes by Azure led to this devastating outcome.

Ian Mckay @iann0036

Soo, AWS have added probably the worst CAPTCHA flow ever as a feature of AWS WAF (docs.aws.amazon.com/waf/latest/dev…). 1/

Kinnaird McQuade💥🌩 @kmcquade3

Today is my last day at Salesforce. I’ve made some dear friends, built lots of cool stuff, got some war stories, and discovered my love for open source & security evangelism. It’s been real.

I’m excited to share what’s next, but taking a few weeks off first to recharge.

MAMIP - Monitor AWS Managed IAM Policies Changes @mamip_aws

Did you know that I'm running AWS Access Analyzer Policy Validation every time a new update is detected on all AWS Managed Policies? 🕵🏻‍♂️

You can see findings here: github.com/z0ph/MAMIP/tre…

Clint Gibler @clintgibler

🛡️ Kubernetes API Access Security Hardening

@sshahtweets provides an impressively detailed list of things to consider, including securing access to:
* The #Kubernetes control plane (API server)
* Kubelet
* + additional security considerations

goteleport.com/blog/kubernete…

Clint Gibler @clintgibler

👀 Finding secrets in Docker containers

@GitGuardian scanned ~2K public containers, and found secrets in ~7%

Pro tip: Use the Docker manifest file to focus on layers where either files are manually added or copied, or environment variables are modified

blog.gitguardian.com/hunting-for-se…

Marco Lancini @lancinimarco

I don't usually post about personal matters, but this time it is different 🇬🇧

Brigid Johnson @bjohnso5y

Well hello old friend!!! 🎤

Matt Fuller @matthewdfuller

Really excited about some of the conversations I've been having with the team @CommonFateTech (commonfate.io)! Their IAM Zero open source tool gives a glimpse of what they're working on: github.com/common-fate/ia…

AWS EKS Rant

So, anyone else find it absolutely infuriating that AWS EKS seems like it actively wants you to hate yourself?

Let's go ahead and create a cloud provider offering of Kubernetes, but make it so that all of the functionality you'd get out of GKE natively you'll need to build via …

What does t2 stand for in EC2 sizes?

Was curious and couldn't find the answer online

What would you like from /r/aws for re:Invent

We (the mods) are working on some things but would love any ideas/feedback.

Introducing the latest blog from Kloudle!

https://kloudle.com/blog/a-mysql-bug-that-causes-a-misconfiguration-in-the-waf-service-on-the-aws-cloud

A quick read on how a decade old MySQL/MariaDB bug caused by the inability to parse a malformed scientific notation literal could be used to bypass Web Application Firewalls on-prem and more dangerously on the cloud.