• SRE Weekly Issue #307
• 📖 [The CloudSecList] Issue 122
• [tl;dr sec] #117 - WebSocket Security, Securing Dependencies
• AWS Notification Message
• AWS Notification Message
• Amazon Connect Service - 1 updated method
• Amazon Elastic Compute Cloud - 24 updated methods
• Managed Streaming for Kafka - 9 updated methods
• Amazon OpenSearch Service - 1 new, 7 updated methods
• How to deploy AWS Network Firewall to help protect your network from malware
• How to automate AWS account creation with SSO user assignment
• How to use tokenization to improve data security and reduce audit scope
• Analyze AWS WAF logs using Amazon OpenSearch Service anomaly detection built on Random Cut Forests
• kafka: 3 new actions | 1 updated action
• es: 1 new action
• frauddetector: 2 new actions | 6 updated actions
• 📢 Today, I'm thrilled to announce "Stratus Red Team", an open-source adversary emulation tool for the cloud! Comes with a catalog of cloud-native attack techniques that you can easily detonate to test your threat detection. github.com/Datadog/stratu… (https://t.co/pefjGIyU3O) 📝 blog.christophetd.fr/introducing-st… (https://t.co/jj7bH5EXwx)
• We're hiring on the cloud security team at Block! (previously known as Square). smartrecruiters.com/Square/7439997… (https://t.co/CZPB0Uyw5r)
• polkit is not installed by default on Amazon Linux 2 *but* if you install it, the latest available version in Amazon repositories is vulnerable. And no statement from AWS or Amazon Linux security bulletin at alas.aws.amazon.com (https://t.co/QRGcRBis9O)?
• I'm going to start putting together a wall of shame list for vendors that do not enforce IMDSv2.
• 📣 AWS Developer Relations is looking for a Developer Advocate in the UK 🇬🇧 You’ll get to work with an amazing and diverse team including @isahuerga @eduvos @094459 @supercoco9 @ziniman @web_goddess @alex_casalboni @IliyanaFox @sebsto + more. DMs are open for referrals 🚀
• New thing alert: jwtex. GitHub OIDC federation was a great start, but I want more. Specifically: a) The ability to use GitHub CI job info as AWS role session tags. b) CloudTrail entries enriched with a lot more context about the CI job that assumed the role. 1/5
• We’re hiring on my team at Square! Come work alongside me and some fantastic cloud security engineers like @0xdabbad00, @jasonadyke, and others. See Scott’s other links for two fwd:cloudsec talks by two other members of our team.
• The attack surface you're probably missing: ➡️ WebSockets. Why? * Not as well supported by many tools * Meaningfully different from HTTP * Not easy to find at scale. 🧵 on lessons learned from @bl4ckb1rd71's @owasp talk #bugbountytips #websecurity youtube.com/watch?v=bMFP71… (https://t.co/w7qMamAYDw)
• 🔥 New tool: It-depends by @trailofbits. Build a full dependency graph and know which are affected by CVEs. Autogenerate an SBOM. Detect redundant functionality -> prune unnecessary deps. Handles native library dependencies via dynamic analysis 🤯 blog.trailofbits.com/2021/12/16/it-… (https://t.co/HSuB0cdZxz)
• +1. We really need an AWS Serverless Security specialty certification.
• How I Discovered Thousands of Open Databases on AWS
• Sharing the AWS Reddit love
• One UI change in the AWS Console decimated our revenue
• Amazon GuardDuty now protects Amazon Elastic Kubernetes Service clusters
• Announcing Amazon Elastic File System Replication
• We purchased a machine from China and it came with malware preinstalled
• Stop Storing Secrets In Environment Variables!
• Searching CloudTrail Logs with Ease
• Unsecured AWS server exposed 3TB in airport employee records - ZDNet
• AWS Lambda Security Best Practices - Security Boulevard
Monday, January 31, 2022

📢 MAMIP (Monitor AWS Managed IAM Policies)

Policies changed since last week:

Get notified of policy change using this Twitter bot. 🐦

👉🏻 MASE - Monitor AWS Services and Regional Endpoints on Twitter

Amazon Connect Service - 1 updated method
Jan 27
This release adds support for configuring a custom chat duration when starting a new chat session via the StartChatContact API. The default value for chat duration is 25 hours, minimum configurable value is 1 hour (60 minutes) and maximum configurable value is 7 days (10,080 minutes).
Amazon Elastic Compute Cloud - 24 updated methods
Jan 27
X2ezn instances are powered by Intel Cascade Lake CPUs that deliver an all-core turbo frequency of up to 4.5 GHz and up to 100 Gbps of networking bandwidth.
Managed Streaming for Kafka - 9 updated methods
Jan 27
Amazon MSK has updated the CreateCluster and UpdateBrokerStorage API that allows you to specify volume throughput during cluster creation and broker volume updates.
Amazon OpenSearch Service - 1 new, 7 updated methods
Jan 27
Allows customers to get progress updates for blue/green deployments
How to deploy AWS Network Firewall to help protect your network from malware
Ajit Puthiyavettle, Jan 27
Protecting your network and computers from security events requires multi-level strategies, and you can use network level traffic filtration as one level of defense. Users need access to the internet for business reasons, but they can inadvertently download malware, which can impact network and data security. This post describes how …
How to automate AWS account creation with SSO user assignment
Rafael Koike, Jan 25
Background AWS Control Tower offers a straightforward way to set up and govern an Amazon Web Services (AWS) multi-account environment, following prescriptive best practices. AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS Single Sign-On (AWS SSO), to build a …
How to use tokenization to improve data security and reduce audit scope
Tim Winston, Jan 25
Tokenization of sensitive data elements is a hot topic, but you may not know what to tokenize, or even how to determine if tokenization is right for your organization’s business needs. Industries subject to financial, data security, regulatory, or privacy compliance standards are increasingly looking for tokenization solutions to minimize …
Analyze AWS WAF logs using Amazon OpenSearch Service anomaly detection built on Random Cut Forests
Umesh Ramesh, Jan 24
This blog post shows you how to use the machine learning capabilities of Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) to detect and visualize anomalies in AWS WAF logs. AWS WAF logs are streamed to Amazon OpenSearch Service using Amazon Kinesis Data Firehose. Kinesis Data Firehose invokes an AWS …
kafka: 3 new actions | 1 updated action
Jan 29
3 new actions: CreateClusterV2 (create an msk cluster), DescribeClusterV2 (describe an msk cluster), ListClustersV2 (list all msk clusters in this account); 1 updated action: DeleteCluster (dependents)
es: 1 new action
Jan 29
1 new action: DescribeDomainChangeProgress (view detail stage progress of an opensearch service domain)
frauddetector: 2 new actions | 6 updated actions
Jan 28
2 new actions: GetEventPredictionMetadata (get more details of a particular prediction), ListEventPredictions (get a list of past predictions); 6 updated actions: BatchGetVariable (resources), CreateDetectorVersion (resources), ListTagsForResource (resources), TagResource (resources), UntagResource (resources), UpdateDetectorVersion (resources)
christophetd
Christophe @christophetd

📢 Today, I'm thrilled to announce "Stratus Red Team", an open-source adversary emulation tool for the cloud!

Comes with a catalog of cloud-native attack techniques that you can easily detonate to test your threat detection.

github.com/Datadog/stratu…

📝blog.christophetd.fr/introducing-st…

0xdabbad00
Scott Piper @0xdabbad00

We're hiring on the cloud security team at Block! (previously known as Square). smartrecruiters.com/Square/7439997…

christophetd
Christophe @christophetd

polkit is not installed by default on Amazon Linux 2

*but* if you install it, the latest available version in Amazon repositories is vulnerable

And no statement from AWS or Amazon Linux security bulletin at alas.aws.amazon.com?

0xdabbad00
Scott Piper @0xdabbad00

I'm going to start putting together a wall of shame list for vendors that do not enforce IMDSv2.

0xdabbad00
Scott Piper @0xdabbad00

- Require AWS Partners, Marketplace vendors, etc. to use IMDSv2 for their products. 6/6
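
The check behind such a list, as an added example for this digest (not code from the tweet or from any AWS tool): audit every EC2 instance's MetadataOptions and flag those where HttpTokens is not "required", grouped by AMI so a vendor image shows up as one entry. SAMPLE_RESERVATIONS is constructed to match the shape of an ec2:DescribeInstances response; the boto3 calls in live_findings() and enforce_imdsv2() are real API methods but are only reached when you point the script at an account.

```python
"""Find EC2 instances that still accept IMDSv1 and, optionally, fix them.

Added example for this digest; not from the tweet above or from any AWS tool.
SAMPLE_RESERVATIONS is constructed to match the shape of ec2:DescribeInstances.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample: the "Reservations" list of a DescribeInstances response.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        # IMDSv1 still allowed: a token-less GET to 169.254.169.254 returns role credentials
        {"InstanceId": "i-0aaa111", "ImageId": "ami-vendor-a",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        # Compliant: the PUT for a session token is mandatory
        {"InstanceId": "i-0bbb222", "ImageId": "ami-vendor-b",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        # IMDS turned off entirely: nothing reachable, so not a finding
        {"InstanceId": "i-0ccc333", "ImageId": "ami-vendor-c",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
        # Record with no MetadataOptions block at all: treat as the insecure default
        {"InstanceId": "i-0ddd444", "ImageId": "ami-vendor-a"},
    ]}
]


def imdsv2_findings(reservations: Iterable[dict]) -> List[Dict[str, str]]:
    """Return one finding per instance whose metadata endpoint is on but does not require a token."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue
            tokens = opts.get("HttpTokens", "optional")  # "optional" is the launch-time default
            if tokens != "required":
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "ImageId": inst.get("ImageId", ""),
                    "HttpTokens": tokens,
                    "HopLimit": str(opts.get("HttpPutResponseHopLimit", 1)),
                })
    return findings


def group_by_image(findings: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group non-compliant instances by AMI, so a vendor image can be called out as one entry."""
    by_ami: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        by_ami[f["ImageId"]].append(f["InstanceId"])
    return dict(by_ami)


def live_findings(region: str) -> List[Dict[str, str]]:
    """Run the audit against a real account (needs boto3 and ec2:DescribeInstances)."""
    import boto3  # imported here so the offline functions above need no AWS dependency
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_instances").paginate()
    return imdsv2_findings(r for page in pages for r in page["Reservations"])


def enforce_imdsv2(instance_ids: Iterable[str], region: str, dry_run: bool = True) -> List[str]:
    """Switch the given instances to IMDSv2-only; returns the ids that were (or would be) changed.

    The hop limit is deliberately left alone: IMDSv2 responses stop after HttpPutResponseHopLimit
    hops, so hosts whose containers reach IMDS through a bridge network need a limit of 2.
    """
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    targets = []
    for iid in instance_ids:
        if not dry_run:
            ec2.modify_instance_metadata_options(InstanceId=iid, HttpTokens="required",
                                                 HttpEndpoint="enabled")
        targets.append(iid)
    return targets


if __name__ == "__main__":
    found = imdsv2_findings(SAMPLE_RESERVATIONS)
    for ami, ids in group_by_image(found).items():
        print(f"{ami}: {', '.join(ids)} still accept IMDSv1")
```

Instances launched before MetadataOptions existed come back without that block at all; the audit treats them as "optional", which is what the service actually does. Run live_findings() per region, then feed the instance ids into enforce_imdsv2(dry_run=False) once the workload has been confirmed to use the SDK token flow.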

steven_bryen
Steven Bryen @steven_bryen

📣 AWS Developer Relations is looking for a Developer Advocate in the UK 🇬🇧

You’ll get to work with an amazing and diverse team including @isahuerga @eduvos @094459 @supercoco9 @ziniman @web_goddess @alex_casalboni @IliyanaFox @sebsto + more.

DMs are open for referrals 🚀

__steele
Aidan W Steele @__steele

New thing alert: jwtex. GitHub OIDC federation was a great start, but I want more. Specifically:

a) The ability to use GitHub CI job info as AWS role session tags.

b) CloudTrail entries enriched with a lot more context about the CI job that assumed the role.

1/5
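
A check worth running on any role used this way, as an added example for this digest (not code from the tweet, from jwtex or from AWS): lint the role's trust policy so that the GitHub OIDC principal is only trusted when both the aud and the sub claims are pinned. Without a sub condition, a workflow in any github.com repository can assume the role. The policies are constructed; the condition keys (token.actions.githubusercontent.com:aud and :sub) and the sub format repo:<org>/<repo>:ref:refs/heads/<branch> are the ones the GitHub provider really emits.

```python
"""Lint an IAM role trust policy used for GitHub Actions OIDC federation.

Added example for this digest; not code from the tweet, from jwtex or from AWS.
WEAK_POLICY and PINNED_POLICY are constructed.
"""
from typing import Any, Dict, List

GITHUB_ISSUER = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_ISSUER}"  # constructed account id

# Constructed: the common copy-paste mistake, aud pinned but no sub condition at all.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com"}},
    }],
}

# Constructed: trust only workflows on the main branch of one repository.
PINNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com",
            f"{GITHUB_ISSUER}:sub": "repo:acme/deploy:ref:refs/heads/main",
        }},
    }],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Principal, Action and Condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable problems; an empty list means aud and sub are both pinned tightly."""
    problems: List[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated"))
        if not any(p.endswith(f":oidc-provider/{GITHUB_ISSUER}") for p in federated):
            continue  # some other identity provider; out of scope here

        # Flatten Condition into {key: [(operator, [values])]} so the checks below work
        # whether the author used StringEquals, StringLike or ForAnyValue:StringLike.
        conds: Dict[str, List] = {}
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, val in pairs.items():
                conds.setdefault(key, []).append((operator, [str(v) for v in _as_list(val)]))

        aud = conds.get(f"{GITHUB_ISSUER}:aud", [])
        if not aud:
            problems.append(f"Statement {idx}: no :aud condition; expected sts.amazonaws.com")
        elif any(v != "sts.amazonaws.com" for _, vals in aud for v in vals):
            problems.append(f"Statement {idx}: :aud accepts values other than sts.amazonaws.com")

        sub = conds.get(f"{GITHUB_ISSUER}:sub", [])
        if not sub:
            problems.append(f"Statement {idx}: no :sub condition; any github.com repository can assume this role")
        for operator, vals in sub:
            for v in vals:
                repo_part = v.split(":")[1] if v.startswith("repo:") else ""
                if not repo_part or "*" in repo_part:
                    problems.append(f"Statement {idx}: :sub '{v}' does not pin a single org/repo")
                    continue
                rest = v[len("repo:") + len(repo_part):]
                if "Like" in operator and "*" in rest:
                    problems.append(f"Statement {idx}: :sub '{v}' has a wildcard after the repo; "
                                    "pin ref:refs/heads/<branch> or environment:<name>")
    return problems


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("pinned", PINNED_POLICY)):
        print(name, lint_trust_policy(pol) or "ok")
```

A sub like repo:acme/deploy:* with StringLike is flagged too, because it matches every branch, tag, environment and pull_request claim of that repository, including workflows triggered from forks.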

kmcquade3
Kinnaird McQuade💥🌩 @kmcquade3

We’re hiring on my team at Square! Come work alongside me and some fantastic cloud security engineers like @0xdabbad00, @jasonadyke, and others. See Scott’s other links for two fwd:cloudsec talks by two other members of our team.

0xdabbad00
Scott Piper @0xdabbad00

We're hiring on the cloud security team at Block! (previously known as Square). smartrecruiters.com/Square/7439997…

clintgibler
Clint Gibler @clintgibler

The attack surface you're probably missing:

➡️ WebSockets

Why?

* Not as well supported by many tools
* Meaningfully different from HTTP
* Not easy to find at scale

🧵 on lessons learned from @bl4ckb1rd71's @owasp talk

#bugbountytips #websecurity

youtube.com/watch?v=bMFP71…

clintgibler
Clint Gibler @clintgibler

🔥 New tool: It-depends by @trailofbits

Build a full dependency graph and know which are affected by CVEs

Autogenerate an SBOM

Detect redundant functionality -> prune unnecessary deps

Handles native library dependencies via dynamic analysis 🤯

blog.trailofbits.com/2021/12/16/it-…

kmcquade3
Kinnaird McQuade💥🌩 @kmcquade3

+1. We really need an AWS Serverless Security specialty certification.

Frichette_n
Nick Frichette @Frichette_n

I'm kinda surprised there isn't a Serverless AWS Specialty cert. Obviously certs are a dubious show of knowledge (This comes from someone who has too many), but because Serverless is such a huge topic in AWS/Cloud in general you'd think they'd enshrine it with its own cert.

Sharing the AWS Reddit love

This has nothing to do with any question. I’m simply sharing the love for this forum. It is excellent and I have found it very valuable since I became aware of it. That is all. Thank you everyone 🤩👍

One UI change in the AWS Console decimated our revenue

This is going to be a tale about how a simple UI change can negatively impact a business that relies upon another one.

Background

Our company is called 0x4447, and we build products for the AWS Marketplace. We are not a big company with infinite resources, we are a boutique …

Searching CloudTrail Logs with Ease

Wrote this short bit on fetching and analyzing AWS CloudTrail logs using JQ and Gigasheet. Hope y'all like it!

https://www.gigasheet.co/post/how-to-search-aws-cloudtrail-logs
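
The same kind of search done offline in plain Python, as an added example for this digest (not code from the linked post, and it uses neither Gigasheet nor jq): load a CloudTrail file the way the service delivers it (a gzipped JSON object with one "Records" array), filter by event name, error code, source IP or caller ARN, and count failures per principal. SAMPLE_RECORDS is constructed but follows the CloudTrail record schema; the account id, trail name and IP addresses are made up.

```python
"""Offline search over CloudTrail log files.

Added example for this digest; not from the linked Gigasheet post. SAMPLE_RECORDS is
constructed but follows the CloudTrail record schema (eventTime, eventSource, eventName,
errorCode, userIdentity, sourceIPAddress). Account id, trail and IPs are made up.
"""
import gzip
import json
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List, Optional

ACCT = "123456789012"
CI_ROLE = f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy/run-42"

SAMPLE_RECORDS: List[dict] = [
    {"eventVersion": "1.08", "eventTime": "2022-01-30T08:00:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2022-01-30T08:02:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithWebIdentity", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": "token.actions.githubusercontent.com"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/ci-deploy", "roleSessionName": "run-42"}},
    {"eventVersion": "1.08", "eventTime": "2022-01-30T08:03:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": CI_ROLE}, "errorCode": "Client.UnauthorizedOperation"},
    {"eventVersion": "1.08", "eventTime": "2022-01-30T08:03:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": CI_ROLE}, "errorCode": "AccessDenied"},
    {"eventVersion": "1.08", "eventTime": "2022-01-30T08:10:59Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "requestParameters": {"name": f"arn:aws:cloudtrail:us-east-1:{ACCT}:trail/org-trail"}},
]


def load_records(path: str) -> List[dict]:
    """Read one CloudTrail file, plain or gzipped, and return its Records list."""
    p = Path(path)
    opener = gzip.open if p.suffix == ".gz" else open
    with opener(p, "rt", encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


def search(records: Iterable[dict], event_name: Optional[str] = None, error_code: Optional[str] = None,
           source_ip: Optional[str] = None, arn_contains: Optional[str] = None) -> List[dict]:
    """Filter records; every argument given must match (AND).
    jq equivalent of search(records, error_code="AccessDenied"):
        jq '.Records[] | select(.errorCode == "AccessDenied")' file.json
    """
    hits = []
    for r in records:
        if event_name and r.get("eventName") != event_name:
            continue
        if error_code and r.get("errorCode") != error_code:
            continue
        if source_ip and r.get("sourceIPAddress") != source_ip:
            continue
        if arn_contains and arn_contains not in r.get("userIdentity", {}).get("arn", ""):
            continue
        hits.append(r)
    return hits


def errors_by_principal(records: Iterable[dict]) -> Dict[str, int]:
    """Count failed API calls per caller; a burst from one principal is a cheap enumeration signal."""
    counts: Counter = Counter()
    for r in records:
        if r.get("errorCode"):
            counts[r.get("userIdentity", {}).get("arn", "<no arn>")] += 1
    return dict(counts)


def roundtrip_gz(records: List[dict]) -> int:
    """Write records the way CloudTrail delivers them (gzipped {"Records": [...]}) and read them back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "sample.json.gz"
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            json.dump({"Records": records}, fh)
        return len(load_records(str(path)))


if __name__ == "__main__":
    for r in search(SAMPLE_RECORDS, event_name="StopLogging"):
        print(f"{r['eventTime']} {r['userIdentity']['arn']} stopped {r['requestParameters']['name']}")
    print(errors_by_principal(SAMPLE_RECORDS))
```

Note that the AssumeRoleWithWebIdentity record carries no userIdentity.arn (the caller is a WebIdentityUser), so arn_contains will never match it; the role session has to be tied back through requestParameters.roleArn and roleSessionName instead.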
