Monday 22 November, 2021
Amazon Cognito launches new console experience for user pools
Nov 18
Amazon Cognito now offers a new console experience that makes it even easier for customers to manage Amazon Cognito user pools and add sign-in and sign-up functionality to their applications. Customers that wish to opt in to the new and streamlined experience can do so by navigating to the Amazon …
Amazon AppConfig - 4 updated methods
Nov 18
Add Type to support feature flag configuration profiles
AWS Audit Manager - 6 new, 1 updated methods
Nov 18
This release introduces a new feature for Audit Manager: Dashboard views. You can now view insights data for your active assessments, and quickly identify non-compliant evidence that needs to be remediated.
Amazon Chime - 1 updated method
Nov 18
Adds new Transcribe API parameters to StartMeetingTranscription, including support for content identification and redaction (PII & PHI), partial results stabilization, and custom language models.
Amazon Chime SDK Meetings - 1 updated method
Nov 18
Adds new Transcribe API parameters to StartMeetingTranscription, including support for content identification and redaction (PII & PHI), partial results stabilization, and custom language models.
How to set up Amazon Cognito for federated authentication using Azure AD
Ratan Kumar, Nov 19
In this blog post, I’ll walk you through the steps to integrate Azure AD as a federated identity provider in Amazon Cognito user pool. A user pool is a user directory in Amazon Cognito that provides sign-up and sign-in options for your app users. Identity management and authentication flow can …
Hands-on walkthrough of the AWS Network Firewall flexible rules engine – Part 2
Shiva Vaidyanathan, Nov 17
This blog post is Part 2 of Hands-on walkthrough of the AWS Network Firewall flexible rules engine – Part 1. To recap, AWS Network Firewall is a managed service that offers a flexible rules engine that gives you the ability to write firewall rules for granular policy enforcement. In Part …
Everything you wanted to know about trusts with AWS Managed Microsoft AD
Jeremy Girven, Nov 16
Many Amazon Web Services (AWS) customers use Active Directory to centralize user authentication and authorization for a variety of applications and services. For these customers, Active Directory is a critical piece of their IT infrastructure. AWS offers AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft …
Fall 2021 SOC reports now available with 141 services in scope
Ninad Naik, Nov 15
At Amazon Web Services (AWS), we’re committed to providing our customers with continued assurance over the security, availability and confidentiality of the AWS control environment. We’re proud to deliver the System and Organizational (SOC) 1, 2, and 3 reports to enable our AWS customers to maintain confidence in AWS services. …
forecast: 10 new actions, 2 new resources | 12 updated actions
Nov 20
10 new actions: CreateAutoPredictor (create an auto predictor), CreateExplainability (create an explainability), CreateExplainabilityExport (create an explainability export using an explainability resource), DeleteExplainability (delete an explainability), DeleteExplainabilityExport (delete an explainability export), DescribeAutoPredictor (describe an auto predictor), DescribeExplainabilityExport (describe an explainability export), DescribeExplainablity (describe an explainability), ListExplainabilities (list all the explainabilities), ListExplainabilityExports …
s3: 3 updated actions | 1 removed condition
Nov 20
3 updated actions: BypassGovernanceRetention (conditions), PutObject (conditions), ReplicateObject (conditions)
databrew: 5 new actions, 1 new resource | 3 updated actions
Nov 20
5 new actions: CreateRuleset (create a ruleset), DeleteRuleset (delete a ruleset), DescribeRuleset (view details about a ruleset), ListRulesets (list rulesets in your account), UpdateRuleset (modify a ruleset); 1 new resource: Ruleset; 3 updated actions: ListTagsForResource (resources), TagResource (resources), UntagResource (resources)
__steele
Aidan W Steele @__steele

Are you still using API Gateway? That is soooo first half of November 2021.

All the cool kids are using lambda.CreateFunctionUrlConfig()

…gf.lambda-url.us-east-1.amazonaws.com

0xdabbad00
Scott Piper @0xdabbad00

Looks like an ability to directly call Lambdas over the Internet without an API Gateway was just added to the SDK. 👀

iann0036
Ian Mckay @iann0036

🚀 Continuing with efforts on the permissions.cloud project, I'm happy to now have both @Azure and @GoogleCloudTech spaces available now.

azure.permissions.cloud
gcp.permissions.cloud

All 3 clouds work in very different ways when it comes to IAM, as I'm learning 🤓

elrowan
rowan @elrowan

Policy evaluation in AWS IAM is... Not Simple.

I love that this diagram got an update, I'm just not sure it "sparks joy" in me 🤔

0xdabbad00
Scott Piper @0xdabbad00

AWS re-uses access keys. You can have multiple roles using the same key value at the same time! (with different secret keys and session tokens) This can make investigation confusing and likely many tools incorrect.

hunters_ai
Hunters @hunters_ai

Hunters' research team discovered that temporary AWS API access key IDs, issued by AWS, are not unique and could repeat, which can impair AWS security tools detection capabilities.

Read Eliav Livneh's latest blog post on it.

lnkd.in/d3sMUUQ3
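The point Scott Piper and Hunters make above has a direct consequence for detection and forensic tooling: if an analyst or a rule pivots on accessKeyId alone, activity from two unrelated role sessions can be merged into one "actor". The Python below is an added example, not code from the newsletter, from Hunters or from AWS. It runs over constructed CloudTrail-style records (the key IDs, account number, role names and timestamps are all made up) and shows the naive grouping beside a session key that also carries the principalId and, where present, the session's creationDate, plus a check that lists key IDs seen under more than one principal.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (not real data). Two different
# assumed-role sessions carry the same temporary accessKeyId, which is the
# situation the tweets describe. Account number and names are placeholders.
ACCOUNT = "111122223333"


def _event(time, name, role, session, key, created):
    """Build one minimal CloudTrail-like record for the constructed sample."""
    return {
        "eventTime": time,
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": f"AROAEXAMPLE{role}:{session}",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/{session}",
            "accessKeyId": key,
            "sessionContext": {"attributes": {"creationDate": created}},
        },
    }


SAMPLE_EVENTS = [
    _event("2021-11-20T10:00:00Z", "ListBuckets", "CiRole", "ci-runner",
           "ASIAEXAMPLEKEY00001", "2021-11-20T09:59:00Z"),
    _event("2021-11-20T10:00:05Z", "GetObject", "AdminRole", "alice",
           "ASIAEXAMPLEKEY00001", "2021-11-20T09:59:30Z"),
    _event("2021-11-20T10:00:09Z", "DeleteBucket", "AdminRole", "alice",
           "ASIAEXAMPLEKEY00001", "2021-11-20T09:59:30Z"),
    _event("2021-11-20T10:01:00Z", "ListBuckets", "CiRole", "ci-runner",
           "ASIAEXAMPLEKEY00002", "2021-11-20T10:00:50Z"),
]


def group_by_access_key(events):
    """Naive approach: treat accessKeyId as the session identifier.
    With reused key IDs this merges unrelated principals' activity."""
    groups = defaultdict(list)
    for e in events:
        groups[e["userIdentity"]["accessKeyId"]].append(e)
    return dict(groups)


def session_key(event):
    """Session identity that survives key-ID reuse: key ID plus the role
    session (principalId) plus the session's creation time when CloudTrail
    supplies it, so two sessions of the same role/session name are still
    told apart."""
    ui = event["userIdentity"]
    created = (ui.get("sessionContext", {})
                 .get("attributes", {})
                 .get("creationDate", ""))
    return (ui["accessKeyId"], ui["principalId"], created)


def group_by_session(events):
    """Group records by the composite session key above."""
    groups = defaultdict(list)
    for e in events:
        groups[session_key(e)].append(e)
    return dict(groups)


def principals_per_key(events):
    """Return key IDs that appear under more than one principal ARN.
    Any such key is one where an accessKeyId-only pivot would be wrong."""
    seen = defaultdict(set)
    for e in events:
        ui = e["userIdentity"]
        seen[ui["accessKeyId"]].add(ui["arn"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    by_key = group_by_access_key(SAMPLE_EVENTS)
    by_session = group_by_session(SAMPLE_EVENTS)
    print(f"{len(by_key)} 'actors' when keyed by accessKeyId alone")
    print(f"{len(by_session)} sessions when keyed by (key, principal, created)")
    for key, arns in principals_per_key(SAMPLE_EVENTS).items():
        print(f"{key} was used by {len(arns)} principals: {arns}")
```

The composite key is what a CloudTrail pipeline or a SIEM pivot should use instead of the bare accessKeyId; the creationDate field is only present on AssumedRole records, which is why the code tolerates its absence.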

clintgibler
Clint Gibler @clintgibler

📖 Cybersecurity Incident & Vulnerability Response Playbooks

By @CISAgov, H/T @ryanaraine

Includes incident response and incident response preparation checklists

cisa.gov/sites/default/…

jcfarris
Chris Farris @jcfarris

I'm generally horrified to find this setting....

clintgibler
Clint Gibler @clintgibler

πŸ›‘οΈ Practical Security Recommendations for Start-ups with Limited Budgets by @ajxchapman

* Use a password manager + 2FA
* Use modern frameworks
* Configure an edge security service
* Enable HTTP security headers

+ more

ajxchapman.github.io/security/2021/…

__steele
Aidan W Steele @__steele

In all seriousness though, this isn’t real for me until it lands in CloudFormation.

__steele
Aidan W Steele @__steele

Are you still using API Gateway? That is soooo first half of November 2021.

All the cool kids are using lambda.CreateFunctionUrlConfig()

…gf.lambda-url.us-east-1.amazonaws.com

iann0036
Ian Mckay @iann0036

[Deprecated]
SimpleDB
Machine Learning

[Almost Deprecated]
SWF
Data Pipeline
CloudSearch
Elastic Transcoder

Did I miss anything? #aws

Hidden AWS Console Dark Mode

Hello fine folks, I found a little gem in the aws console cookie. Navigate to console.aws.amazon.com, open the chrome dev console, and navigate to the Application -> Cookies section. You should see an entry for "awsc-color-theme", default value being "light". Just change this to "dark" and refresh!

https://preview.redd.it/alucgdj5t1081.png?width=853&format=png&auto=webp&s=49028e4c47a12f82b5be954f38dcc4ddfd20975b

Got hacked and found a 30k bill. Please turn on MFA if/when you start using AWS.

Randomly got an email saying my card got declined after AWS tried to charge me 19k for last month's usage. I totally forgot I even had an aws account. I created mine a year ago for a mini hackathon that lasted for 3 days and forgot about it after it …
