SRE Weekly Issue #300 • 📖 [The CloudSecList] Issue 117 • [tl;dr sec] #112 - re:Invent, Python Security • Amazon Lex Model Building V2 - 6 updated methods • AWS Network Firewall - 1 new 4 updated methods • AWS Route53 Recovery Control Config - 3 new 3 updated methods • Amazon Route 53 Domains - 2 new 5 updated methods • Update for Apache Log4j2 Issue (CVE-2021-44228) • Apache Log4j2 Issue (CVE-2021-44228) • How to customize behavior of AWS Managed Rules for AWS WAF • Privacy video: Innovating securely • Hardening the security of your AWS Elastic Beanstalk Application the Well-Architected way • Using CloudTrail to identify unexpected behaviors in individual workloads • kafka: 3 new resources • rekognition: 5 updated actions, 1 updated resource • textract: 1 new action • We've hit the 30 minute mark into us-east-1 being down (based on the first post to hacker news) and no updates to the AWS status page yet. 🔥 • Second log4j2 bulletin from AWS (published 7:30 PM PDT on Saturday): <a href="https://t.co/xfT3c3yzVv" target="_blank">aws.amazon.com/security/secur…</a> More AWS services are impacted. Subtle acknowledgements that S3 and other services are now patched or are being patched. 😬 The recommended WAF rules do not look comprehensive. • This is how we re-bootstrapped detection &amp; response at scale in AWS cloud. Just a year in and we are already seeing some nice wins from all these investments. Nice work - Alex Bainbridge, Nick Siow and Michael Grima! And we are…<a href="https://t.co/BralY5meLU" target="_blank">lnkd.in/g8CJqbu8</a> <a href="https://t.co/1UQ1izgSia" target="_blank">lnkd.in/gzrztPY5</a> • 🐳 Awesome <a href="https://twitter.com/hashtag/Kubernetes" target="_blank">#Kubernetes</a> Security A curated list of awesome Kubernetes security resources, by <a href="https://twitter.com/ksoclabs" target="_blank">@ksoclabs</a> * Open source projects * General resources * Twitter accounts <a href="https://t.co/bauJX9V4Sg" target="_blank">github.com/ksoclabs/aweso…</a> • I released a small Spring Boot web application vulnerable to Log4Shell so everyone can easily play with it. <a href="https://t.co/PR7GbSlFhG" target="_blank">github.com/christophetd/l…</a> cc <a href="https://twitter.com/LunaSecIO" target="_blank">@LunaSecIO</a> <a href="https://twitter.com/hashtag/log4j" target="_blank">#log4j</a> • 🙈 Cloud service provider security mistakes by <a href="https://twitter.com/0xdabbad00" target="_blank">@0xdabbad00</a> AWS, GCP, and Azure Mistakes on the cloud providers' side of the shared responsibility model CVEs, SOC 2 Type 2 failures, security researchers compromising managed services, and more <a href="https://t.co/xiKoly69E4" target="_blank">github.com/SummitRoute/cs…</a> • The repository now contains both a vulnerable web application and the precise exploitation steps to RCE. Hopefully this will be useful for defenders crafting detection rules! <a href="https://t.co/PR7GbSlFhG" target="_blank">github.com/christophetd/l…</a> • Ask not what you can log4j, ask what j can log 4 you. • I made today "try something new day" for my org. No meetings, emails, or pings. Just go try something new and take a picture. I went to a private yoga experience. For any folks in Seattle, I highly recommend it and it is like a mini retreat. Also makes a great gift! • IAM access analysis directly embedded in the S3 console to help you understand that the access control you granted is what you intended. • 500/502 Errors on AWS Console • A software engineer at Amazon had their total comp increased to $180,000 after earning a promotion to SDE-II. But instead of celebrating, the coder was dismayed to find someone hired in the same role, which might require as few as 2 or 3 YOE, can earn as much as $300,000. • AWS us-east-1 outage brings down services around the world • Anyone Else Lowkey Think the AWS Console Login Captchas Are Hard AF Sometimes..? • Post AWS outage, what changes do you plan to make? • RCE 0-day exploit found in log4j, a popular Java logging package • Log4shell - using the vulnerability to patch the vulnerability - very clever • SOC 2 Compliance questions • Horangi and AWS launch holistic cloud security offering - SecurityBrief Asia • AWS exec: ‘Embrace more automation’ to boost cloud security - VentureBeat