SRE Weekly Issue #299 • 📖 [The CloudSecList] Issue 116 • [tl;dr sec] #111 - This Shouldn’t Have Happened, Humble Hacking Bundle • AWS Amplify UI Builder - 14 new methods • AWS Network Manager - 33 new, 4 updated methods • AWS Resource Access Manager - 3 updated methods • Amazon DevOps Guru - 14 updated methods • AWS attained MTCS Level 3 certification under the new SS584:2020 standard • How to automate AWS Managed Microsoft AD scaling based on utilization metrics • AWS Security Profiles: Jenny Brinkley, Director, AWS Security
Monday December 6, 2021
AWS Amplify UI Builder - 14 new methods
Dec 2
This release introduces the actions and data types for the new Amplify UI Builder API. The Amplify UI Builder API provides a programmatic interface for creating and configuring user interface (UI) component libraries and themes for use in Amplify applications.
AWS Network Manager - 33 new, 4 updated methods
Dec 2
This release adds API support for AWS Cloud WAN.
AWS Resource Access Manager - 3 updated methods
Dec 2
This release adds the ability to use the new ResourceRegionScope parameter on List operations that return lists of resources or resource types. This new parameter filters the results by letting you differentiate between global or regional resource types.
Amazon DevOps Guru - 14 updated methods
Dec 1
DevOps Guru now provides detailed, database-specific analyses of performance issues and recommends corrective actions for Amazon Aurora database instances with Performance Insights turned on. You can also use AWS tags to choose which resources to analyze and define your applications.
AWS attained MTCS Level 3 certification under the new SS584:2020 standard
Clara Lim, Dec 3
We’re excited to announce the completion of the Multi-Tier Cloud Security (MTCS) Level 3 certification under the new SS584:2020 standard in November 2021 for three Amazon Web Services (AWS) Regions: Singapore, Korea, and United States, excluding AWS GovCloud (US) Regions. The new standard, released in October 2020, includes more stringent …
How to automate AWS Managed Microsoft AD scaling based on utilization metrics
Dennis Rothmel, Dec 1
AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD), provides a fully managed service for Microsoft Active Directory (AD) in the AWS cloud. When you create your directory, AWS deploys two domain controllers in separate Availability Zones that are exclusively yours for high availability. For use cases requiring …
AWS Security Profiles: Jenny Brinkley, Director, AWS Security
Maddie Bacon, Nov 29
In the week leading up to AWS re:Invent 2021, we’ll share conversations we’ve had with people at AWS who will be presenting, and get a sneak peek at their work. How long have you been at AWS, and what do you do in your current role? I’ve been at AWS …
iotfleetwise: 43 new actions, 6 new resources, 2 new conditions
Dec 4
43 new actions: AssociateVehicle (associate the given vehicle to a fleet), CreateCampaign (create a campaign), CreateDecoderManifest (create a decoder manifest for an existing model), CreateFleet (create a fleet), CreateModelManifest (create a model manifest definition), CreateSignalCatalog (create a signal catalog), CreateVehicle (create a vehicle), DeleteCampaign (delete a campaign), DeleteDecoderManifest (delete the …
dataexchange: 1 new action
Dec 4
1 new action: SendApiAsset (send a request to an api asset)
refactor-spaces: 23 new actions, 4 new resources, 8 new conditions
Dec 4
23 new actions: CreateApplication (create an application within an environment), CreateEnvironment (create an environment), CreateRoute (create a route within an application), CreateService (create a service within an application), DeleteApplication (delete an application from an environment), DeleteEnvironment (delete an environment), DeleteResourcePolicy (delete a resource policy), DeleteRoute (delete a route from an …
Scott Piper @0xdabbad00

I've begun a list of security mistakes made by Cloud Service Providers (AWS, GCP, Azure). Includes CVEs, SOC 2 Type 2 failures, security researchers compromising managed services, and more.

github.com/SummitRoute/cs…

Victor Grenu @zoph

As the #reinvent is ending and the #replay hungover is starting, let me re:Introduce this 2021 one-pager recap of all #AWS announcements:

github.com/zoph-io/awscon…

Jim Scharf @jim_scharf

Security folks, pay attention to this one. This is one of those sneaky-powerful re:Invent releases that you might miss. Disable S3 ACLs (which predate AWS IAM's 2010 release) so that all access control is through IAM policies. @AWSIdentity

What’s New on AWS @awswhatsnew

Amazon S3 Object Ownership can now disable access control lists to simplify access management for data in S3

Amazon S3 introduces a new S3 Object Ownership setting, Bucket owner enforced, that disables access control lists (ACLs), simplifying acces... aws.amazon.com/about-aws/what…

Christophe @christophetd

More than a year ago, I started building Adaz - a project to easily spin up disposable AD hunting labs in Azure with 1 DC and X workstations, pre-configured with Sysmon and ELK.

github.com/christophetd/A…

I'm considering whether it's worth investing time in improving it... (1/2)

Kinnaird McQuade💥🌩 @kmcquade3

I started my new job as Staff Security Engineer at @Square today 😃 I couldn’t be more excited to be working with a rockstar team of cloud security engineers at such an amazing company.

Aidan W Steele @__steele

This is the highlight of reinvent for me. It’s done, can’t get better than this

Julian Wood @julian_wood

Ephemeral storage coming to Lambda! Up to 10Gb! Pre-announced at #reInvent #serverless

Clint Gibler @clintgibler

🐋 Learning Containers From The Bottom Up

@iximiuz recommends:
1. Linux Containers - low-level impl details
2. Container Images - what images are and why you need them
3. Container Managers - how Docker helps containers coexist
4. Container Orchestrators

iximiuz.com/en/posts/conta…

Scott Piper @0xdabbad00

This attack uses the gamut of webapp exploit techniques applied to AWS. If an attacker knew the name of your SageMaker notebook, and convinced you to click a link, they could get RCE inside the notebook.

Lightspin Security Research @LightspinSR

Hardening your AWS environment is important because you can never know how an attacker can break in 😈

and here is our example:

Cross-Account Access vulnerability in AWS SageMaker Jupyter Notebook Instance

blog.lightspin.io/aws-sagemaker-…

stephenschmidt @StephenSchmidt

🚀Excited to announce the new Amazon Inspector has been re-architected to deploy in a few clicks, automatically discovering both EC2 & ECR workloads, continually scanning them for software vulnerabilities. More during my Thurs leadership session go.aws/3o2lFK1🚀#reInvent

Brigid Johnson @bjohnso5y

The real #reInvent life. Taking a call from the hallway floor.

The keynote drinking game...

Take a drink every time you hear "Digital transformation". I'll see you in the ER when we all get alcohol poisoning!

Did the announcements this year in Re:Invent seem underwhelming?

Usually every year I hear about price cuts, really big features, etc. for developers, but it seems like this year things were just much smaller overall. I hope this isn't a trend year to year.

I was expecting to hear about aurora serverless v2, AWS AppRunner new features, extra serverless …
