  • Taking over as Sr Sysadmin and oh boy
  • Stop using static cloud credentials in GitHub Actions
  • HOUDINI: A web app with a huge number of Docker images for network security, with run commands and cheatsheet (Hundreds of Offensive and Useful Docker Images for Network Intrusion)
  • The best free, open-source supply-chain security tool? The lockfile
  • Hi, any rules of thumb or selection criteria to determine appropriate security tools for the DevSecOps pipeline without getting bogged down with so many tools? Please advise. Thanks.
  • Your complete guide to the AWS Startup Showcase, presented by theCUBE - SiliconANGLE News
  • Crypto Hacking And Power Outages: Buyers Beware On AWS Cloud - Forbes
Monday, January 24, 2022

📢 MAMIP (Monitor AWS Managed IAM Policies)

Policies changed since last week:

Get notified of policy change using this Twitter bot. 🐦

🆕 MASE - Monitor AWS Services and Regional Endpoints on Twitter

Sponsor

Webinar: Understanding the Cloud Security Maturity Model Framework

Ermetic’s Cloud Security Maturity Model is a guide for prioritizing and implementing security controls and procedures. Join us on Jan. 27, 10am PT to:

  • Gain clarity into where your organization stands on its path to a secure cloud environment
  • Design a clear and practical cloud security strategy
  • Create a common language across stakeholders

Register for the webinar

Amazon Connect Service - 2 updated methods
Jan 20
This release adds tagging support for UserHierarchyGroups resource.
Amazon Elastic Compute Cloud - 24 updated methods
Jan 20
C6i, M6i and R6i instances are powered by a third-generation Intel Xeon Scalable processor (Ice Lake) delivering an all-core turbo frequency of 3.5 GHz.
AWS Fault Injection Simulator - 3 updated methods
Jan 20
Added action startTime and action endTime timestamp fields to the ExperimentAction object
Amazon GuardDuty - 1 updated method
Jan 20
Amazon GuardDuty findings now include remoteAccountDetails under the AwsApiCallAction section if an instance credential is exfiltrated.
How to enrich AWS Security Hub findings with account metadata
Siva Rajamani
Jan 21
In this blog post, we’ll walk you through how to deploy a solution to enrich AWS Security Hub findings with additional account-related metadata, such as the account name, the Organization Unit (OU) associated with the account, security contact information, and account tags. Account metadata can help you search findings, create …
Fall 2021 PCI DSS report now available with 7 services added to compliance scope
Michael Oyeniya
Jan 20
We’re continuing to expand the scope of our assurance programs at Amazon Web Services (AWS) and are pleased to announce that seven new services have been added to the scope of our Payment Card Industry Data Security Standard (PCI DSS) certification. These new services provide our customers with more options …
Best practices for cross-Region aggregation of security findings
Marshall Jones
Jan 18
AWS Security Hub enables customers to have a centralized view into the security posture across their AWS environment by aggregating your security alerts from various AWS services and partner products in a standardized format so that you can more easily take action on them. To facilitate that central view, Security …
Continuous compliance monitoring using custom audit controls and frameworks with AWS Audit Manager
Deenadayaalan Thirugnanasambandam
Jan 18
For most customers today, security compliance auditing can be a very cumbersome and costly process. This activity within a security program often comes with a dependency on third party audit firms and robust security teams, to periodically assess risk and raise compliance gaps aligned with applicable industry requirements. Due to …
route53-recovery-cluster: 1 new condition | 2 updated actions
Jan 22
1 new condition: route53-recovery-cluster:AllowSafetyRulesOverrides (override safety rules to allow routing control state updates); 2 updated actions: UpdateRoutingControlState (conditions), UpdateRoutingControlStates (conditions)
connect: 4 updated actions, 1 updated resource
Jan 22
4 updated actions: CreateUserHierarchyGroup (conditions), UntagResource (conditions, resources), ListTagsForResource (resources), TagResource (resources, conditions); 1 updated resource: hierarchy-group (conditions)
finspace: 2 new actions | 2 updated actions, 2 updated resources | 1 removed action
Jan 21
2 new actions: ResetUserPassword (reset the password for a finspace user), UpdateUser (update a finspace user); 2 updated actions: CreateUser (conditions), CreateEnvironment (conditions); 2 updated resources: environment (arn), user (arn)
z1g1
Zack Glick @z1g1

Heartbleed to Log4j has been an interesting time in the security space. It’s been a real ride to see it from inside AWS security. Today I put my resignation in with the team. I’ll be around for a month to transition then off to something new. To my teammates it’s been an honor.

clintgibler
Clint Gibler @clintgibler

🔥 10 real-world stories of how we’ve compromised CI/CD pipelines

Excellently detailed scenarios, including PrivEsc across:
* Jenkins
* GitLab
* Kubernetes
* Dev laptop access

By @NCCGroupInfosec's @0xZon1, @smarticu5, @wucpi, @divya_natesan, @enjenneer

research.nccgroup.com/2022/01/13/10-…

0xdabbad00
Scott Piper @0xdabbad00

GuardDuty's UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS is finally arriving on January 20! From the GuardDuty SNS: gist.githubusercontent.com/0xdabbad00/e19…

0xdabbad00
Scott Piper @0xdabbad00

New AWS whitepaper "Guidelines for Implementing AWS WAF"
d1.awsstatic.com/whitepapers/gu…

iann0036
Ian Mckay @iann0036

Have you ever used Cognito's Hosted UI and found it very limiting in its customization options? (drop shadows and plain backgrounds🤢)

Well today I've figured out a way to fully customize the CSS, so you can make beautiful looking pages like this: 😍

…auth.ap-southeast-2.amazoncognito.com/login?client_i…

1/

__steele
Aidan W Steele @__steele

1/8 “Lift and shift” migrations to the cloud get a bad rap. But I think that’s unfair. Any kind of migration to the cloud is a step in the right direction.

But here’s why the cloud (and VPCs in particular) made my security job maintaining a “legacy” workload infinitely easier.

christophetd
Christophe @christophetd

I'm working on a new, exciting AWS security project that should be open-sourced soon. Stay tuned!

fwdcloudsec
fwd:cloudsec @fwdcloudsec

We're ramping up planning for fwd:cloudsec 2022 to happen this Summer! Dates and location TBD, but start thinking about talk ideas!

kmcquade3
Kinnaird McQuade💥🌩 @kmcquade3

Cloudsplaining has now been downloaded over 1 million times 😱 So proud 😊

pepy.tech/project/clouds…

hhopk
houston @hhopk

Defenders. Use SourceVPC conditions on your IAM roles and particularly with instance profiles or face the wrath of attackers advanced enough they didn’t need Nick to show them this :).
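The guardrail this tweet recommends, as an added example that is not code from the tweet or from any project mentioned on this page: a Deny statement keyed on the aws:SourceVpc condition (with aws:ViaAWSService excluded so calls AWS services make on the role's behalf keep working), plus a presence check that flags role policies which have no SourceVpc/SourceVpce condition at all. The VPC id, bucket name and role names are constructed placeholders.

```python
"""Added example: build an aws:SourceVpc guardrail and audit role policies for it.
Not code from the original page; the sample roles and ids are constructed."""
import json

# IAM global condition keys that are present only when a request arrives
# through a VPC endpoint: the VPC id and the endpoint id respectively.
VPC_CONDITION_KEYS = {"aws:sourcevpc", "aws:sourcevpce"}


def deny_outside_vpc_statement(vpc_id):
    """Deny every action unless the request came through an endpoint in vpc_id.

    aws:SourceVpc is absent for requests made from the public internet, and
    StringNotEquals on an absent key evaluates to true, so instance credentials
    replayed from outside the VPC hit this Deny.  The aws:ViaAWSService clause
    keeps service-to-service calls made on the role's behalf working.
    """
    return {
        "Sid": "DenyUseOutsideSourceVpc",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:SourceVpc": vpc_id},
            "Bool": {"aws:ViaAWSService": "false"},
        },
    }


def _statements(policy):
    # IAM accepts a single statement object or a list of them.
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def has_vpc_guardrail(policy):
    """True if any statement conditions on aws:SourceVpc or aws:SourceVpce.

    This is a presence check for the condition key, not a full IAM policy
    evaluation; it is meant to flag roles that lack the guardrail entirely.
    """
    for stmt in _statements(policy):
        for condition_keys in stmt.get("Condition", {}).values():
            if any(k.lower() in VPC_CONDITION_KEYS for k in condition_keys):
                return True
    return False


def audit_roles(roles):
    """roles: {role_name: [policy_document, ...]}; returns names lacking the guardrail."""
    return sorted(
        name for name, docs in roles.items()
        if not any(has_vpc_guardrail(doc) for doc in docs)
    )


# Constructed sample: two instance-profile roles, one hardened, one not.
# The VPC id and bucket name are placeholders, not real resources.
SAMPLE_VPC_ID = "vpc-0123456789abcdef0"
SAMPLE_ROLES = {
    "app-instance-role": [{
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-app-bucket/*"},
            deny_outside_vpc_statement(SAMPLE_VPC_ID),
        ],
    }],
    "legacy-instance-role": [{
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    }],
}

if __name__ == "__main__":
    print(json.dumps(deny_outside_vpc_statement(SAMPLE_VPC_ID), indent=2))
    print("roles without a SourceVpc guardrail:", audit_roles(SAMPLE_ROLES))
```

Because the Deny covers every action, a role carrying it can only reach services that have an endpoint inside that VPC; calls to anything else leave through an internet or NAT gateway without the key and are denied, so test the statement against the instance's real call pattern before attaching it broadly.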

Frichette_n
Nick Frichette @Frichette_n

Want to mess with bypassing the new GuardDuty CredentialExfiltration finding? This project can build a setup for you! Quickly create an EC2 in a private VPC (no internet access), connect over SSM Sessions, and use the VPC Endpoints to connect to services.
github.com/Frichetten/Sne…

I'm an AWS Serverless convert now. (CloudFront -> S3 -> API Gateway -> Lambda -> DynamoDB)

Admittedly, I came kicking and screaming when my friends were trying to persuade me. I'm kind of embarrassed about it now. I recently converted a small C# web app ECS container deployment with application load balancer to CloudFront -> S3 -> API Gateway -> Lambda -> DynamoDB using the AWS …

Is there any reason why we shouldn’t migrate our RDS databases to Graviton?

As the title says, we have a large amount of RDS databases in different families/engines.

We are planning on migrating everything to their graviton equivalents, monitor, adjust whatever is needed and buy no upfront reservations on them.

Our main driver for doing this would be cost optimization.

Seems pretty straight …

Architecture Drawings

Are there any resources on how to put together professional quality architecture drawings?
