Monday, 3 January 2022

📢 MAMIP (Monitor AWS Managed IAM Policies)

Policies changed since last week:

Get notified of policy changes using this Twitter bot. 🐦

🆕 MASE - Monitor AWS Services and Regional Endpoints on Twitter

Amazon Chime SDK Messaging - 1 updated method
Dec 21
The Amazon Chime SDK now supports updating message attributes via channel flows
Amazon Lookout for Metrics - 1 new method
Dec 21
This release adds support for Causal Relationships. Added new ListAnomalyGroupRelatedMetrics API operation and InterMetricImpactDetails API data type
AWS MediaConnect - 7 updated methods
Dec 21
You can now use the Fujitsu-QoS protocol for your MediaConnect sources and outputs to transport content to and from Fujitsu devices.
AmazonNimbleStudio - 11 updated methods
Dec 21
Amazon Nimble Studio adds support for users to upload files during a streaming session using NICE DCV native client or browser.
AWSSupportServiceRolePolicy Informational Update
aws@amazon.com, Dec 23
Between December 21, 2021 at 23:48 UTC and December 22, 2021 at 08:23 UTC, the policy used by AWS Support automated systems - AWSSupportServiceRolePolicy - inadvertently included S3:GetObject permissions. This change has been reverted. While these permissions were temporarily present, they were not and could not be used - only …
AWS publishes PiTuKri ISAE3000 Type II Attestation Report for Finnish customers
Niyaz Noor, Dec 21
Gaining and maintaining customer trust is an ongoing commitment at Amazon Web Services (AWS). Our customers’ industry security requirements drive the scope and portfolio of compliance reports, attestations, and certifications we pursue. AWS is pleased to announce the issuance of the Criteria to Assess the Information Security of Cloud Services …
2021 FINMA ISAE 3000 Type 2 attestation report for Switzerland now available on AWS Artifact
Niyaz Noor, Dec 21
AWS is pleased to announce the issuance of a second Swiss Financial Market Supervisory Authority (FINMA) ISAE 3000 Type 2 attestation report. The latest report covers the period from October 1, 2020 to September 30, 2021, with a total of 141 AWS services and 23 global AWS Regions included in the scope. A …
Simplify setup of Amazon Detective with AWS Organizations
Karthik Ram, Dec 20
Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities by collecting log data from your AWS resources. Amazon Detective simplifies the process of a deep dive into a security finding from other AWS security services, such as Amazon …
glue: 18 new actions, 1 new resource | 3 updated conditions, 46 updated actions
Jan 3
18 new actions: BatchUpdatePartition (update one or more partitions), CancelStatement (cancel a statement in an interactive session), CreatePartitionIndex (create a specified partition index in an existing table), CreateSession (create an interactive session), DeleteColumnStatisticsForPartition (delete the partition column statistics of a column), DeleteColumnStatisticsForTable (delete the table statistics of columns), DeletePartitionIndex (delete …
shield: 3 new actions
Jan 3
3 new actions: DisableApplicationLayerAutomaticResponse (disable application layer automatic response for shield advanced protection for a resource), EnableApplicationLayerAutomaticResponse (enable application layer automatic response for shield advanced protection for a resource), UpdateApplicationLayerAutomaticResponse (update application layer automatic response for shield advanced protection for a resource)
s3: 1 new action
Jan 3
1 new action: PutAccessPointPublicAccessBlock (associate public access block configurations with a specified access point while creating an access point)
Victor Grenu @zoph

The day when the AWS Support got access to your S3 data.

In this thread, you will find details about the security incident that led to this unintended access for millions of AWS customers. 🧵

Scott Piper @0xdabbad00

AWSSupportServiceRolePolicy just got s3:GetObject. 😱 That role is supposed to only have metadata visibility. @AWSSecurityInfo you need to roll that back.

Scott Piper @0xdabbad00

Genie: You have 3 wishes
Me: I wish the status page was updated more often.
Genie: Granted. There will be more outages. What else?
Me: 😱 ... I wish AWS support was more helpful.
Genie: Granted. They have read access to all your data now.
Me: 😱 I'm not doing this anymore. 😭

Matt Fuller @matthewdfuller

On the plus side, now there's a specific event to point to when justifying encryption at rest in AWS. Too bad that event was "AWS granted themselves access to all your S3 objects for a few hours."

Aidan W Steele @__steele

This has been the shittiest year of my life.

We had to terminate at 15 weeks, during lockdown. The next week the heartless Texas law went into effect. I’ve been overwhelmed by waves of grief. I cry at every baby I see. And now my friend has miscarried at 17 weeks.

😭

Christophe @christophetd

As 2021 comes to an end, I compiled a list of cloud security incidents and vulnerabilities that were publicly disclosed this year.

blog.christophetd.fr/cloud-security…

🧵⬇️

Victor Grenu @zoph

Takeaways:
1. IAM is HARD, even AWS is failing.
2. Changes made to IAM should always be peer-reviewed, manually and using linting.
3. Encrypt using your own customer-managed keys
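The check that both the AWS notice above (AWSSupportServiceRolePolicy temporarily gaining s3:GetObject) and takeaway 2 (lint IAM changes, don't just eyeball them) call for, as an added example in Python. This is not MAMIP's code and not AWS's policy text: the two policy documents are constructed to mimic the incident (a metadata-only S3 grant that suddenly includes s3:GetObject), the watchlist of data-plane actions is my own choice, and the boto3 fetch helper is included for completeness but is not exercised offline.

```python
"""Flag newly granted data-plane permissions between two versions of an IAM
managed policy. Added example, not MAMIP's or AWS's code."""
import fnmatch
import json

# Constructed documents that mimic the incident; not the real policy text.
BEFORE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy",
                "s3:GetEncryptionConfiguration", "s3:ListAllMyBuckets"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
  ]}""")

AFTER = json.loads(json.dumps(BEFORE))
AFTER["Statement"][0]["Action"].append("s3:GetObject")  # the unwanted grant

# Data-plane actions a "metadata-only" service role should never gain
# (my own watchlist; extend to taste).
DATA_PLANE_WATCHLIST = (
    "s3:GetObject", "s3:GetObjectVersion",
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
    "kms:Decrypt", "secretsmanager:GetSecretValue", "ssm:GetParameter",
)


def allowed_actions(doc):
    """Collect Action patterns from Allow statements.

    Deny statements are ignored (a Deny elsewhere could still override),
    and an Allow with NotAction is treated as '*' because its grant
    cannot be enumerated from the document alone.
    """
    stmts = doc["Statement"]
    if isinstance(stmts, dict):
        stmts = [stmts]
    actions = set()
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        if "NotAction" in s:
            actions.add("*")
            continue
        a = s.get("Action", [])
        actions.update([a] if isinstance(a, str) else a)
    return actions


def covers(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def newly_granted(before, after):
    """Action patterns in AFTER not already covered by a BEFORE pattern.

    A plain set difference would get both wildcard cases wrong:
    's3:*' -> 's3:GetObject' is no new grant, while
    's3:GetObject' -> 's3:Get*' is a real expansion.
    """
    old = allowed_actions(before)
    return {a for a in allowed_actions(after)
            if not any(covers(o, a) for o in old)}


def flag_new_data_access(before, after, watchlist=DATA_PLANE_WATCHLIST):
    """Map each newly granted pattern to the watched actions it reaches."""
    findings = {}
    for act in sorted(newly_granted(before, after)):
        hits = [w for w in watchlist if covers(act, w)]
        if hits:
            findings[act] = hits
    return findings


def fetch_policy_document(policy_arn, version_id=None):
    """Pull a managed policy version from IAM (needs credentials; not run
    offline). Uses only documented boto3 IAM calls."""
    import boto3  # lazy import so the offline example has no dependency
    iam = boto3.client("iam")
    if version_id is None:
        version_id = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    return iam.get_policy_version(PolicyArn=policy_arn,
                                  VersionId=version_id)["PolicyVersion"]["Document"]


if __name__ == "__main__":
    print(json.dumps(flag_new_data_access(BEFORE, AFTER), indent=2))
```

In a pipeline you would feed `fetch_policy_document` the two most recent version IDs of the policy you track (for the case above, the ARN of AWSSupportServiceRolePolicy under `arn:aws:iam::aws:policy/aws-service-role/`) and fail the review, or page, when `flag_new_data_access` returns anything. The wildcard-aware `newly_granted` is the part that matters: it keeps a pre-existing `s3:*` from producing noise, and it still catches a narrow exact action being widened to `s3:Get*`.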

Aidan W Steele @__steele

The dust has settled on the “AWS Support managed policy has access to S3” kerfuffle.

From my perspective (as a third-party absolutely obsessed with AWS sec) I was really blown away and grateful by how much @colmmacc and @_msw_ engaged with the community in “real time”

1/4

Kinnaird McQuade💥🌩 @kmcquade3

I don't know who needs to hear this, but you can tail AWS CloudWatch log groups easily using github.com/lucagrulla/cw. Example:

cw tail /aws/apigateway/rest/myapi/prod --region us-west-1 --follow

And it just ✨works✨
