• SRE Weekly Issue #298
• 📖 [The CloudSecList] Issue 115
• AWS Single Sign-On is now in scope for AWS SOC reporting
• AWS WAF adds support for Captcha
• AWS Single Sign-On now provides one-click login to Amazon EC2 instances running Microsoft Windows
• AWS Migration Hub Refactor Spaces - 23 new methods
• Amazon Personalize - 8 new, 7 updated methods
• Amazon Personalize Runtime - 1 updated method
• Amazon Textract - 1 new method
• AWS Security Profiles: Megan O’Neil, Sr. Security Solutions Architect
• How to enable secure seamless single sign-on to Amazon EC2 Windows instances with AWS SSO
• 2021 PCI 3DS report now available
• AWS Security Profiles: Merritt Baer, Principal in OCISO
• quicksight: 4 new actions, 1 new resource
• iotsitewise: 6 new actions, 1 new resource, 2 new conditions | 4 updated actions
• workspaces: 3 updated actions
• pre:Invent 2021 - Chris Farris
• Thank you @Cloudflare for your R2 announcement 2 months ago to force AWS to reduce their egress charges.
• Cloudsplaining (scans AWS IAM policies for excessive permissions) now integrated with Checkov. You can just point Checkov at Terraform code to find policies with Privilege Escalation, Resource Exposure, Credentials Exfi, & Data Exfil capabilities.
• Just going through the last year in AWS announcements and it's incredible how quickly Graviton has spread 🤯 Graviton is now in: EC2 (+ consuming services), ECS / EKS, Lambda, Beanstalk, OpenSearch, RDS DBs / Aurora, Neptune, ElastiCache, DocDB, MemoryDB, CodeBuild
• I think I've tweeted over the years how much of a fan I am of @honeycombio. So I made a thing that gives you a zero-effort taste of Honeycomb with your own metrics. awsteele.com/blog/2021/11/2…
• See you next week at #AWS #reinvent? I'll be hosting a Leadership Session focused on the current state of #security #privacy #compliance on @awscloud! Mark your calendars: happening Thursday, Dec. 2 from 1 - 2 PM (PST). Register for virtual reinvent today go.aws/3nhLwxh
• My flight has a lot of AWSers on it as we head to #reInvent, we saw each other, smiled, and kept to ourselves...secretly knowing we all need the few hours of non work talk before a week full of it. Same thing happens on the way home. My AWS people get me. ✈️ 🎧
• Brigid says: "IAM role" Pickles says: "I am roll"
• I recently learned that AWS Heroes get free tickets to re:invent. Who do I have to incessantly nag to become a hero in time for re:invent 2022? 😅
• This release is pretty slick. Enable your employees to authenticate with their existing corporate credentials, single sign-in to the AWS console, and have up to 4 separate EC2 windows instance sessions open in a single tab!
• HashiCorp Waypoint is incredible. The deployment process for Dockerized AWS Lambda functions is so easy, seamless, and fast. Low difficulty for entry. And it doesn’t require CloudFormation. So refreshing. I plan on getting rid of my AWS SAM CLI crap and moving to Waypoint.
• First 1 TB of CloudFront & 100GB of other data xfer out traffic becoming free as of Dec. 1
• Amazon Linux 2022 Coming
• AWS Free Tier Data Transfer Expansion – 100 GB From Regions and 1 TB From Amazon CloudFront Per Month
• Announcing AWS Fargate for Amazon ECS Powered by AWS Graviton2 Processors
• AWS launches NAT64 and DNS64 capabilities to enable communication between IPv6 and IPv4 services
• Godaddy hacked - including admin passwords for both WordPress sites hosted on the platform, as well as passwords for sFTPs, databases and SSL private keys.
• Vulnerability in the Insulet OmniPod Insulin Management System allows an attacker nearby to schedule or immediately inject insulin
• Advice for learning cloud security
• Monitor Privilege Escalation Risk of Identities from AWS Security Hub, with Integration from Sonrai - Security Boulevard
• AWS re:Invent 2021 Live Blog: MSSP and Cybersecurity Partner News - MSSP Alert
Monday, November 29, 2021
AWS Single Sign-On is now in scope for AWS SOC reporting
Nov 26
AWS Single Sign-On (AWS SSO) is now in scope for AWS SOC 1, SOC 2, and SOC 3 reports. You can now use AWS SSO in applications requiring audited evidence of the controls in our System and Organization Controls (SOC) reporting. For example, if you use AWS to manage …
AWS WAF adds support for Captcha
Nov 26
AWS today announced AWS WAF Captcha to help block unwanted bot traffic by requiring users to successfully complete challenges before their web requests are allowed to reach AWS WAF protected resources. Captcha is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart and is commonly …
AWS Single Sign-On now provides one-click login to Amazon EC2 instances running Microsoft Windows
Nov 23
You can now enable one-click single sign-on to your Amazon Elastic Compute Cloud instances running Microsoft Windows (Amazon EC2 Windows Instances) with AWS Single Sign-On (AWS SSO). You can connect your instances with users from AWS SSO or any AWS SSO supported identity provider, such as Okta, Ping, and OneLogin. …
AWS Migration Hub Refactor Spaces - 23 new methods
Nov 29
This is the initial SDK release for AWS Migration Hub Refactor Spaces
Amazon Personalize - 8 new, 7 updated methods
Nov 29
This release adds API support for Recommenders and BatchSegmentJobs.
Amazon Personalize Runtime - 1 updated method
Nov 29
This release adds API support for Recommenders and BatchSegmentJobs.
Amazon Textract - 1 new method
Nov 29
This release adds support for synchronously analyzing identity documents through a new API: AnalyzeID
AWS Security Profiles: Megan O’Neil, Sr. Security Solutions Architect
Maddie Bacon, Nov 24
In the week leading up to AWS re:Invent 2021, we’ll share conversations we’ve had with people at AWS who will be presenting, and get a sneak peek at their work. How long have you been at Amazon Web Services (AWS), and what do you do in your current role? I’ve …
How to enable secure seamless single sign-on to Amazon EC2 Windows instances with AWS SSO
Todd Rowe, Nov 23
Today, we’re launching new functionality that simplifies the experience to securely access your AWS compute instances running Microsoft Windows. We took on this update to respond to customer feedback around creating a more streamlined experience for administrators and users to more securely access their EC2 Windows instances. The new experience …
2021 PCI 3DS report now available
Michael Oyeniya, Nov 23
We are excited to announce that Amazon Web Services (AWS) has released the latest 2021 PCI 3-D Secure (3DS) attestation to support our customers implementing EMV® 3-D Secure services on AWS. Although AWS doesn’t directly perform the functions of 3DS Server (3DSS), 3DS Directory Server (DS), or 3DS Access Control …
AWS Security Profiles: Merritt Baer, Principal in OCISO
Maddie Bacon, Nov 23
In the week leading up to AWS re:Invent 2021, we’ll share conversations we’ve had with people at AWS who will be presenting, and get a sneak peek at their work. How long have you been at Amazon Web Services (AWS), and what do you do in your current role? I’m a …
quicksight: 4 new actions, 1 new resource
Nov 27
4 new actions: CreateEmailCustomizationTemplate (create a quicksight email customization template), DeleteEmailCustomizationTemplate (delete a quicksight email customization template), DescribeEmailCustomizationTemplate (describe a quicksight email customization template), UpdateEmailCustomizationTemplate (update a quicksight email customization template); 1 new resource: emailCustomizationTemplate
iotsitewise: 6 new actions, 1 new resource, 2 new conditions | 4 updated actions
Nov 27
6 new actions: AssociateTimeSeriesToAssetProperty (associate a time series with an asset property), DeleteTimeSeries (delete a time series), DescribeTimeSeries (describe a time series), DisassociateTimeSeriesFromAssetProperty (disassociate a time series from an asset property), GetInterpolatedAssetPropertyValues (retrieve interpolated values for an asset property), ListTimeSeries (list time series); 1 new resource: time-series; 2 new conditions: …
workspaces: 3 updated actions
Nov 27
3 updated actions: DescribeTags (access), CreateTags (conditions), DeleteTags (conditions)
Scott Piper @0xdabbad00

Thank you @Cloudflare for your R2 announcement 2 months ago to force AWS to reduce their egress charges.

Jeff Barr ☁️ (@ 🏠 ) 💉 @jeffbarr

#AWS Free Tier Data Transfer Expansion – 100 GB From Regions and 1 TB From Amazon CloudFront Per Month - aws.amazon.com/blogs/aws/aws-…

Kinnaird McQuade💥🌩 @kmcquade3

Cloudsplaining (scans AWS IAM policies for excessive permissions) now integrated with Checkov. You can just point Checkov at Terraform code to find policies with Privilege Escalation, Resource Exposure, Credentials Exfi, & Data Exfil capabilities.

bridgecrew @bridgecrewio

Check out today's post from @kmcquade3 and @BarakSchoster to learn how #Cloudsplaining and #Checkov can be used together to identify AWS IAM least privilege violations in both build-time and runtime. 🔎 bridge.dev/3cCFiCg

Ian Mckay @iann0036

Just going through the last year in AWS announcements and it's incredible how quickly Graviton has spread 🤯

Graviton is now in:

* EC2 (+ consuming services)
* ECS / EKS
* Lambda
* Beanstalk
* OpenSearch
* RDS DBs / Aurora
* Neptune
* ElastiCache
* DocDB
* MemoryDB
* CodeBuild

Aidan W Steele @__steele

I think I've tweeted over the years how much of a fan I am of @honeycombio. So I made a thing that gives you a zero-effort taste of Honeycomb with your own metrics.

awsteele.com/blog/2021/11/2…

stephenschmidt @StephenSchmidt

See you next week at #AWS #reinvent? I'll be hosting a Leadership Session focused on the current state of #security #privacy #compliance on @awscloud! Mark your calendars: happening Thursday, Dec. 2 from 1 - 2 PM (PST). Register for virtual reinvent today go.aws/3nhLwxh

Brigid Johnson (at re:invent) @bjohnso5y

My flight has a lot of AWSers on it as we head to #reInvent, we saw each other, smiled, and kept to ourselves...secretly knowing we all need the few hours of non work talk before a week full of it. Same thing happens on the way home. My AWS people get me. ✈️ 🎧

Brigid Johnson (at re:invent) @bjohnso5y

Brigid says: "IAM role"
Pickles says: "I am roll"

Aidan W Steele @__steele

I recently learned that AWS Heroes get free tickets to re:invent. Who do I have to incessantly nag to become a hero in time for re:invent 2022? 😅

Jim Scharf @jim_scharf

This release is pretty slick. Enable your employees to authenticate with their existing corporate credentials, single sign-in to the AWS console, and have up to 4 separate EC2 windows instance sessions open in a single tab!

AWS Identity @AWSIdentity

🎦 In this demo, learn how to provide your #AWSSSO users a one-click log-in experience to Amazon EC2 Windows instances. go.aws/3FHS26Z

Kinnaird McQuade💥🌩 @kmcquade3

HashiCorp Waypoint is incredible. The deployment process for Dockerized AWS Lambda functions is so easy, seamless, and fast. Low difficulty for entry. And it doesn’t require CloudFormation. So refreshing.

I plan on getting rid of my AWS SAM CLI crap and moving to Waypoint.

Advice for learning cloud security

Hello, I'm trying to explore the cloud security field and I was wondering what advice you can give to a beginner, or the best learning path for cloud security. I know the basics of AWS, Azure, and GCP.
