SRE Weekly Issue #308 • 📖 [The CloudSecList] Issue 123 • [tl;dr sec] #118 - Atomic Red Team for Cloud, Security Program Building • Amazon Athena - 6 updated methods • Amazon Elastic Compute Cloud - 2 new methods • AWSMarketplace Metering - 1 updated methods • Amazon Recycle Bin - 4 updated methods • How to build a multi-Region AWS Security Hub analytic pipeline and visualize Security Hub data • AWS cloud services adhere to CISPE Data Protection Code of Conduct for added GDPR assurance • How to configure rotation windows for secrets stored in AWS Secrets Manager • Security practices in AWS multi-tenant SaaS environments • fis: 2 new actions • comprehend: 4 new actions • medialive: 3 updated actions • Today one of my AWS IAM access keys turned 3,000 days old. But I don’t know what’s using it. I think I will turn on CloudTrail data events to get to the bottom of it. What’s your oldest key? • I've just open sourced a small Terraform module which automates the setup of OIDC federation between AWS and Github Actions/Gitlab CI: <a href="https://t.co/R16RAHb806" target="_blank">github.com/marco-lancini/…</a> • In the following AWS VPC architectures, can you send data from: A -&gt; B? B -&gt; A? A -&gt; C? C -&gt; A? What path do the packets (attempt to) take? What about the return path? The answers genuinely surprised me and has got me questioning my mental model of VPCs. • I'm just going to put this out there: gatekeeping is one of the worst traits in humans, and if it's the only way you can make yourself feel good you should rethink your life. • No AWS SDK updates yesterday or today reminds me that it is annual performance review week at AWS. • Reminder to vendors: If your product deploys EC2s in customer environments without IMDSv2, I am going to be putting you on a public shame list. This includes AWS's own features such as their new EC2 fast launch that doesn't work if you enforce IMDSv2. • When I was in security consulting, I was telling management about scanning Terraform, securing CI/CD, golden images, overprivileged roles, etc. They didn’t think those were important and were stuck in the past. 5 years later, it’s now standard architecture. I feel vindicated. • Stratus Red Team v1.2.0 adds: • Documentation for detecting common attack techniques using CloudTrail, GuardDuty, Access Analyzer • 2 new attack techniques (discovery &amp; exploitation of EC2 user data) 👉 <a href="https://t.co/ledRfqr7TV" target="_blank">github.com/DataDog/stratu…</a> 📈 Next up: Support for common Kubernetes TTPs! • I’m seeing this article get circled round, and it’s not incorrect, but the only advice regarding AWS IAM users that matters is that you should purge the bloody things from your environment wherever possible. Set up an SSO and use roles for everything. <a href="https://t.co/DIsschjIFm" target="_blank">iampulse.com/articles/aws-i…</a> • You asked, so I'll deliver. This is what I know about responsible disclosure/<a href="https://twitter.com/hashtag/CVD" target="_blank">#CVD</a>/how to report security issues in other people’s software. Call it "10 Commandments of Durson" if you want. 🧵 • Amazon Pip Horror Story (front-page on Hacker News) • AWS Secrets Manager now supports rotation windows • Why is it recommended to avoid S3 bucket for serving video? • Is there a way to escalate ignored support ticket? • Is there a good tool to “map” out AWS infrastructure in your account? • Remote root vulnerability for Samba (CVE 2021-44142) • Silly proof of concept: Anti-phishing using perceptual hashing algorithms • How to monitor different SaaS solutions? The company I work for uses hundreds if not thousands of SaaS solutions from a variety of Independent Software Vendors who mostly use the usual culprits (AWS, Azure, GCP, Oracle) as their hosting providers. • Google Cloud Appears Serious About MSSP Security Partnerships - MSSP Alert • AWS Cloud Data Security & Recovery Best Practices - Virtualization Review