SRE Weekly Issue #301 • 📖 [The CloudSecList] Issue 118 • [tl;dr sec] #113 - Log4Shell, Security Metrics • Continuous runtime security monitoring with AWS Security Hub and Falco • Using AWS security services to protect against, detect, and respond to the Log4j vulnerability • Open source hotpatch for Apache Log4j vulnerability • Snaring the Bad Folks - Netflix TechBlog • GitHub - Cybereason/Logout4Shell: Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell • AWS outage in us-west-2 and us-west-1 for all you that thought you'd be safe from us-east-1. • Attackers are using Log4shell to steal AWS credentials from disk and environment variables 👀 Blog post from the Datadog security research team incoming. • It's no wonder we have insecure AWS configurations with such examples... <a href="https://t.co/RFI5JBbaeq" target="_blank">registry.terraform.io/providers/hash…</a> • AWS has caused a lot of unneeded stress in the past 24 hours by sending incorrect info about log4shell compromises in customer accounts: non-existing instance IDs, resources with no Java, etc. 😔 • Feature request: AWS Lambda functions to have the same native "secrets" integration that AWS ECS has had for a long time now. <a href="https://twitter.com/hashtag/awswishlist" target="_blank">#awswishlist</a> • The more time I spend in security, the more I become convinced that some of the highest ROI work is in reducing complexity. It can’t get compromised if it doesn’t exist. Delete, disable, decommission. Do whatever is necessary to keep the attack surface manageable. • Is the plural log4js or logs4j • Last <a href="https://t.co/B7SoUXwvye" target="_blank">CloudSecList.com</a> issue of the year just went out! I'll take a couple of weeks off, and CloudSecList will be back in January 🎄 • How many of your security groups look like this - allowing outbound access to "0.0.0.0/0" on all ports and protocols? The folks <a href="https://twitter.com/cloudqueryio" target="_blank">@cloudqueryio</a> have written a step-by-step guide on surfacing security groups you might want to lock down. <a href="https://twitter.com/hashtag/DefenseInDepth" target="_blank">#DefenseInDepth</a> <a href="https://twitter.com/hashtag/AWS" target="_blank">#AWS</a> <a href="https://twitter.com/hashtag/cloudsecurity" target="_blank">#cloudsecurity</a> • Fun podcast arrival order from <a href="https://twitter.com/reckless" target="_blank">@reckless</a> and <a href="https://twitter.com/QuinnyPig" target="_blank">@QuinnyPig</a> in Pocket Casts • Another AWS outage? • Using AWS security services to protect against, detect, and respond to the Log4j vulnerability • Today I learned "Classic PostgreSQL on RDS beats Aurora in Benchmarks" • Using Route53 as a Key Value Store in GitHub Actions • Lessons in Trust From us-east-1 • Previous log4j patch insufficient in some situations. New CVE posted and new log4j released 2.16. • Log4Shell Update: Full bypass found in log4j 2.15.0, enabling RCE again (with payload) • Azure CSPM Coding Doubt • AIG Taps AWS as Its Preferred Public Cloud Provider - Datamation • AWS Re-Launches Amazon Inspector with New Architecture and Features - InfoQ.com