Issue #54
Monday · January 24, 2022
AWS security blogs
- How to enrich AWS Security Hub findings with account metadata – In this blog post, we'll walk you through how to deploy a solution to enrich AWS Security Hub findings with additional account-related metadata, such as the account name, the Organization Unit (OU) associated with the account, security contact information, and account tags. Account metadata can help you search findings, create …
- Fall 2021 PCI DSS report now available with 7 services added to compliance scope – We're continuing to expand the scope of our assurance programs at Amazon Web Services (AWS) and are pleased to announce that seven new services have been added to the scope of our Payment Card Industry Data Security Standard (PCI DSS) certification. These new services provide our customers with more options …
- Best practices for cross-Region aggregation of security findings – AWS Security Hub gives customers a centralized view of the security posture across their AWS environment by aggregating security alerts from various AWS services and partner products in a standardized format, so that you can more easily take action on them. To facilitate that central view, Security …
- Continuous compliance monitoring using custom audit controls and frameworks with AWS Audit Manager – For most customers today, security compliance auditing can be a very cumbersome and costly process. This activity within a security program often comes with a dependency on third-party audit firms and robust security teams to periodically assess risk and raise compliance gaps aligned with applicable industry requirements. Due to …
Reddit threads on r/aws
- I'm an AWS Serverless convert now. (CloudFront -> S3 -> API Gateway -> Lambda -> DynamoDB) – Admittedly, I came kicking and screaming when my friends were trying to persuade me. I'm kind of embarrassed about it now. I recently converted a small C# web app ECS container deployment with application load balancer to CloudFront -> S3 -> API Gateway -> Lambda -> DynamoDB using the AWS …
- Is there any reason why we shouldn't migrate our RDS databases to Graviton? – As the title says, we have a large amount of RDS databases in different families/engines. We are planning on migrating everything to their Graviton equivalents, monitor, adjust whatever is needed and buy no upfront reservations on them. Our main driver for doing this would be cost optimization. Seems pretty straight …
- Architecture Drawings – Are there any resources on how to put together professional quality architecture drawings?
- Taking over as Sr Sysadmin and oh boy
- Stop using static cloud credentials in GitHub Actions
Newsletters
r/netsec
r/cloudsecurity
"AWS Security" on Google News
IAM permission changes
- route53-recovery-cluster: 1 new condition | 2 updated actions – 1 new condition: route53-recovery-cluster:AllowSafetyRulesOverrides (override safety rules to allow routing control state updates); 2 updated actions: UpdateRoutingControlState (conditions), UpdateRoutingControlStates (conditions)
- connect: 4 updated actions, 1 updated resource – 4 updated actions: CreateUserHierarchyGroup (conditions), UntagResource (conditions, resources), ListTagsForResource (resources), TagResource (resources, conditions); 1 updated resource: hierarchy-group (conditions)
- finspace: 2 new actions | 2 updated actions, 2 updated resources | 1 removed action – 2 new actions: ResetUserPassword (reset the password for a finspace user), UpdateUser (update a finspace user); 2 updated actions: CreateUser (conditions), CreateEnvironment (conditions); 2 updated resources: environment (arn), user (arn)
API changes
- Amazon Connect Service - 2 updated methods – This release adds tagging support for the UserHierarchyGroups resource.
- Amazon Elastic Compute Cloud - 24 updated methods – C6i, M6i and R6i instances are powered by a third-generation Intel Xeon Scalable processor (Ice Lake) delivering an all-core turbo frequency of 3.5 GHz.
- AWS Fault Injection Simulator - 3 updated methods – Added action startTime and action endTime timestamp fields to the ExperimentAction object.
- Amazon GuardDuty - 1 updated method – Amazon GuardDuty findings now include remoteAccountDetails under the AwsApiCallAction section if an instance credential is exfiltrated.