• SRE Weekly Issue #305
• 📖 [The CloudSecList] Issue 120
• [tl;dr sec] #115 - Mac Malware of 2021, Preventing SSRF
• Amazon CloudWatch Application Insights - 5 updated methods
• AWS Config - 12 updated methods
• Amazon Honeycode - 8 updated methods
• Amazon Lookout for Metrics - 1 new, 2 updated methods
• Reported AWS CloudFormation Issue
• Reported AWS Glue Issue
• Top 10 security best practices for securing backups in AWS
• Configure AWS SSO ABAC for EC2 instances and Systems Manager Session Manager
• 2021 AWS security-focused workshops
• New IRAP full assessment report is now available on AWS Artifact for Australian customers
• iotdeviceadvisor: 1 new action | 10 updated actions, 2 updated resources
• ssm: 1 new condition | 1 updated action
• eks: 2 new actions
• Orca Discovers AWS CloudFormation Vulnerability - Orca Security
• Orca Security Discovers AWS Glue Vulnerability - Orca Security
• 😱😱😱 This is worse than ChaosDB for AWS. @orcasec gained access to all AWS resources in all AWS accounts! They accessed the AWS internal CloudFormation service. orca.security/resources/blog… (https://t.co/2oCCRvo389) Separately, they did something similar for Glue. orca.security/resources/blog… (https://t.co/BDFMLQI06B)
• Wanted to share two items that are now public. Thanks to @orcasec for their collaboration with us at AWS's security team on this research into Glue and CloudFormation; each technique was mitigated within days of their reports and there was no customer impact. 🧵
• Amazon SNS now supports ABAC! 🙌 aws.amazon.com/about-aws/what… (https://t.co/2Ko4n9kTvc). For more on the basics & benefits of ABAC in AWS: aws.amazon.com/identity/attri… (https://t.co/LdkpG0Wbu3)
• AWS has published security bulletins for this: aws.amazon.com/security/secur… (https://t.co/BU0ajazkQN) and aws.amazon.com/security/secur… (https://t.co/vNuQRllD6F). This is a new direction for AWS to not only publish a bulletin for something like this, but also to thank Orca publicly. 👏
• (1/13) People seemed to like the thread last week about silly IPv6 TOTP possible in AWS EC2. But then @donkersgood said I should do something useful instead. So here are some useful things that are possible thanks to the AWS Gateway Load Balancer
• We have a new CloudGoat scenario, contributed by @christophetd from @datadoghq! Check it out: github.com/RhinoSecurityL… (https://t.co/qufLcUODJf)
• 🔥🔥 love attacking CI/CD pipelines. They’re basically RCE as a service by design - ripe for abuse. To secure it you have to really think like an attacker. Thanks NCC Group for sharing these war stories. Love it
• I contributed to a new CloudGoat scenario: a vulnerable "modern AWS DevOps environment" with an API, simulated user activity, and a continuous deployment pipeline. Making-of: blog.christophetd.fr/implementing-a… (https://t.co/mvbMUlxdTH) Bonus: Writing end-to-end tests for Terraform-based security labs with Terratest
• 🛡️ Advocate: Prevent SSRF in your Python apps. Advocate is a drop-in replacement for `requests` that makes it easy to safely make HTTP requests on behalf of a third party. * Deny internal IPs or specific hosts/domains * Handles DNS rebinding & redirects. pypi.org/project/advoca… (https://t.co/QEobxL5kw2)
• This is my love language
• The new Console Home - I didn't think you could do it.
• Does anyone actually use CodeCommit?
• CloudFormation Vulnerability found (and patched)
• How To Build A Minimalistic Zero Cost Lambda-Powered Social Media Dash
• Container Insights for EKS is a hot mess, and I just need to say it out loud
• Free copy of The ssh Plumber's Handbook
• IndexedDB in Safari 15 leaks your browsing activity in real time
• Data Security Models in Cloud Computing.
• AWS Glue vulnerability let security researchers take over cloud service - The Stack
• AWS Gets New CISO As Stephen Schmidt Takes Amazon.com Role - CRN
Monday, January 17, 2022

🔦 Highlight of the week

📢 MAMIP (Monitor AWS Managed IAM Policies)

Policies changed since last week:

Get notified of policy changes via this Twitter bot. 🐦

🆕 MASE - Monitor AWS Services and Regional Endpoints on Twitter

AWS Config - 12 updated methods
Jan 14
Update ResourceType enum with values for CodeDeploy, EC2 and Kinesis resources
Amazon Honeycode - 8 updated methods
Jan 14
Added read and write API support for multi-select picklists, and added an errorcode field to the DescribeTableDataImportJob API output for import jobs that fail.
Amazon Lookout for Metrics - 1 new, 2 updated methods
Jan 14
This release adds a new DeactivateAnomalyDetector API operation.
Reported AWS CloudFormation Issue
aws@amazon.com, Jan 13

Initial Publication Date: 2022/01/13 13:00 PST

Security researchers recently identified and reported an issue in AWS CloudFormation. Specifically, the reported issue was in the AWS CloudFormation service itself, which allowed viewing of some local configuration files on an AWS-internal host or attempted unauthenticated HTTP GET requests from the same host. …

Reported AWS Glue Issue
aws@amazon.com, Jan 13

Initial Publication Date: 2022/01/13 13:00 PST

A security researcher recently reported an issue that allowed them to take actions as the AWS Glue service. Utilizing an AWS Glue feature, researchers obtained credentials specific to the service itself, and an AWS-internal misconfiguration permitted the researchers to use these credentials as the …

Top 10 security best practices for securing backups in AWS
Ibukun Oyewumi, Jan 12
Security is a shared responsibility between AWS and the customer. Customers have asked for ways to secure their backups in AWS. This post will guide you through a curated list of the top ten security best practices to secure your backup data and operations in AWS. While this blog post …
Configure AWS SSO ABAC for EC2 instances and Systems Manager Session Manager
Rodrigo Ferroni, Jan 12
In this blog post, I show you how to configure AWS Single Sign-On to define attribute-based access control (ABAC) permissions to manage Amazon Elastic Compute Cloud (Amazon EC2) instances and AWS Systems Manager Session Manager for federated users. This combination allows you to control access to specific Amazon EC2 instances based …
2021 AWS security-focused workshops
Temi Adebambo, Jan 11
Every year, Amazon Web Services (AWS) looks to help our customers gain more experience and knowledge of our services through hands-on workshops. In 2021, we unfortunately couldn’t connect with you in person as much as we would have liked, so we wanted to create and share new ways to learn …
New IRAP full assessment report is now available on AWS Artifact for Australian customers
Clara Lim, Jan 11
We are excited to announce that a new Information Security Registered Assessors Program (IRAP) report is now available on AWS Artifact, after a successful full assessment completed in December 2021 by an independent ASD (Australian Signals Directorate) certified IRAP assessor. The new IRAP report includes reassessment of the existing 111 …
iotdeviceadvisor: 1 new action | 10 updated actions, 2 updated resources
Jan 15
1 new action: GetEndpoint (get a device advisor endpoint); 10 updated actions: UpdateSuiteDefinition (resources), StopSuiteRun (resources), ListTagsForResource (resources), GetSuiteRun (resources), GetSuiteRunReport (resources), DeleteSuiteDefinition (resources), UntagResource (resources), ListSuiteRuns (resources), GetSuiteDefinition (resources), TagResource (resources); 2 updated resources: Suiterun (arn), Suitedefinition (arn)
ssm: 1 new condition | 1 updated action
Jan 15
1 new condition: ssm:DocumentCategories (filters access by verifying that a user has permission to access a document belonging to a specific category); 1 updated action: GetDocument (conditions)
eks: 2 new actions
Jan 15
2 new actions: DeregisterCluster (deregister an external cluster), RegisterCluster (register an external cluster)
0xdabbad00
Scott Piper @0xdabbad00

😱😱😱 This is worse than ChaosDB for AWS. @orcasec gained access to all AWS resources in all AWS accounts! They accessed the AWS internal CloudFormation service.
orca.security/resources/blog…
Separately, they did something similar for Glue.
orca.security/resources/blog…

z1g1
Zack Glick @z1g1

Wanted to share two items that are now public. Thanks to @orcasec for their collaboration with us at AWS's security team on this research into Glue and CloudFormation; each technique was mitigated within days of their reports and there was no customer impact. 🧵

mchancloud
Michael Chan @mchancloud

Amazon SNS now supports ABAC! 🙌 aws.amazon.com/about-aws/what…. For more on the basics & benefits of ABAC in AWS: aws.amazon.com/identity/attri…

0xdabbad00
Scott Piper @0xdabbad00

AWS has published security bulletins for this:
- aws.amazon.com/security/secur…
- aws.amazon.com/security/secur…

This is a new direction for AWS to not only publish a bulletin for something like this, but also to thank Orca publicly. 👏

__steele
Aidan W Steele @__steele

(1/13) People seemed to like the thread last week about silly IPv6 TOTP possible in AWS EC2. But then @donkersgood said I should do something useful instead.

So here are some useful things that are possible thanks to the AWS Gateway Load Balancer

__steele
Aidan W Steele @__steele

What's the silliest use for 281 trillion IP addresses?

I made a thing that uses the new-ish AWS EC2 support for assigning IPv6 prefixes to EC2 instances. You can only connect to the instance when the IP ends in a TOTP 6 digit authenticator code. How/why:

github.com/aidansteele/ip…

RhinoSecurity
Rhino Security Labs @RhinoSecurity

We have a new CloudGoat scenario, contributed by @christophetd from @datadoghq!

Check it out: github.com/RhinoSecurityL…

kmcquade3
Kinnaird McQuade💥🌩 @kmcquade3

🔥🔥 love attacking CI/CD pipelines. They’re basically RCE as a service by design - ripe for abuse. To secure it you have to really think like an attacker.

Thanks NCC Group for sharing these war stories. Love it

markcartertm
Mark Carter @markcartertm

🤔 10 real-world stories of how we’ve compromised CI/CD pipelines research.nccgroup.com/2022/01/13/10-… #infosec

christophetd
Christophe @christophetd

I contributed to a new CloudGoat scenario: a vulnerable "modern AWS DevOps environment" with an API, simulated user activity, and a continuous deployment pipeline

Making-of: blog.christophetd.fr/implementing-a…

Bonus: Writing end-to-end tests for Terraform-based security labs with Terratest

clintgibler
Clint Gibler @clintgibler

🛡️ Advocate: Prevent SSRF in your Python apps

Advocate is a drop-in replacement for `requests` that makes it easy to safely make HTTP requests on behalf of a third party

* Deny internal IPs or specific hosts/domains
* Handles DNS rebinding & redirects

pypi.org/project/advoca…

__steele
Aidan W Steele @__steele

This is my love language

The new Console Home - I didn't think you could do it.

Hello AWS humans, I'd like to congratulate you on the new Console Home - I'm impressed. I honestly like what I see, and didn't think you had it in you to make such thing. Congrats! And keep it coming 🥳

Does anyone actually use CodeCommit?

I've been a developer for 11 years now. I've primarily used GitHub, Gerrit, Gitlab, and now CodeCommit. I cannot believe how barebones CodeCommit is. Describing it as batteries not included doesn't even begin to explain the feature gap between it and something like Gitlab. It really feels like AWS is …

Container Insights for EKS is a hot mess, and I just need to say it out loud

Disclaimer: It's not entirely AWS' fault. Kubernetes is notoriously fickle about versioning between its APIs and addons. Telemetry and infrastructure teams also aren't always the easiest to get on the same page in terms of creating a seamless "product". Plus, stuff that's leveraged by Container Insights mixes a variety of …

Data Security Models in Cloud Computing.

Hi guys! I’m a student at a West African university, currently in my final year, but in order to complete my degree programme in computer science I have to write a project (a well written and gratifying one).

You’re my family, my tech family. I request that you …
