In this issue:

* SRE Weekly Issue #311
* [The CloudSecList] Issue 126
* [tl;dr sec] #121 - Container Security Checklist, DevSecOps & Automating Compliance
* Auto Scaling - 3 updated methods
* AWS Glue DataBrew - 6 updated methods
* Firewall Management Service - 4 updated methods
* Amazon Lightsail - 3 updated methods
* Scaling cross-account AWS KMS-encrypted Amazon S3 bucket access using ABAC
* What is cryptographic computing? A conversation with two AWS experts
* AWS achieves FedRAMP P-ATO for 15 services in the AWS US East/West and AWS GovCloud (US) Regions
* Fine-tune and optimize AWS WAF Bot Control mitigation capability
* greengrass: 2 updated conditions, 1 updated action
* s3: 2 new actions
* outposts: 2 new actions
* GitHub - SummitRoute/imdsv2_wall_of_shame: List of vendors that do not allow IMDSv2 enforcement
* Themes From Momentum Cyber's 2022 Cybersecurity Almanac
* Will AWS work in Russia after Ukraine war?
* AWS Lambda adds support for .NET 6
* AWS CloudSaga - Simulate security events in AWS
* NEW for the AWS CDK: Triggers allow you to execute code during deployments
* Granted: a CLI to access the AWS console for multiple accounts and regions at once
* HermeticWiper: What We Know About New Malware Targeting Ukrainian Infrastructure (Thus Far)
* Remote Code Execution in pfSense <= 2.5.2
* AWS and Code-X Announce Partnership to Bring Increased Security Capabilities to the AWS Cloud - Business Wire
* Introducing Ghostbuster - AWS security tool protects against dangling elastic IP takeovers - The Daily Swig
Monday, February 28, 2022

Fix AWS IAM permissions quickly with k9 Security (Sponsor)

AWS IAM is hard. But now Cloud teams can fix IAM permissions problems quickly. Today.

Find unexpected access with simple IAM access reports and alerts. Fix IAM with processes and Terraform/CDK automation your entire team can use.


Auto Scaling - 3 updated methods
Feb 24
You can now hibernate instances in a warm pool to stop instances without deleting their RAM contents. You can now also return instances to the warm pool on scale in, instead of always terminating capacity that you will need later.
AWS Glue DataBrew - 6 updated methods
Feb 24
This AWS Glue DataBrew release adds a feature to merge job outputs into a maximum number of files for the S3 file output type.
Firewall Management Service - 4 updated methods
Feb 24
AWS Firewall Manager now supports the configuration of AWS Network Firewall policies with either centralized or distributed deployment models. This release also adds support for custom endpoint configuration, where you can choose which Availability Zones to create firewall endpoints in.
Amazon Lightsail - 3 updated methods
Feb 24
This release adds support to delete and create Lightsail default key pairs that you can use with Lightsail instances.
Scaling cross-account AWS KMS–encrypted Amazon S3 bucket access using ABAC
Jorg Huser, Feb 23
This blog post shows you how to share encrypted Amazon Simple Storage Service (Amazon S3) buckets across accounts on a multi-tenant data lake. Our objective is to show scalability over a larger volume of accounts that can access the data lake, in a scenario where there is one central account …
What is cryptographic computing? A conversation with two AWS experts
Supriya Anand, Feb 23
Joan Feigenbaum, Amazon Scholar, AWS Cryptography; Bill Horne, Principal Product Manager, AWS Cryptography. AWS Cryptography tools and services use a wide range of encryption and storage technologies that can help customers protect their data both at rest and in transit. In some instances, customers also require protection of their data …
AWS achieves FedRAMP P-ATO for 15 services in the AWS US East/West and AWS GovCloud (US) Regions
Alexis Robinson, Feb 22
AWS is pleased to announce that 15 additional AWS services have achieved Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). AWS is continually expanding the scope of our compliance programs to help customers use authorized services for sensitive and regulated …
Fine-tune and optimize AWS WAF Bot Control mitigation capability
Dmitriy Novikov, Feb 22
Introduction: A few years ago at Sydney Summit, I had an excellent question from one of our attendees. She asked me to help her design a cost-effective, reliable, and not overcomplicated solution for protection against simple bots for her web-facing resources on Amazon Web Services (AWS). I remember the occasion …
greengrass: 2 updated conditions, 1 updated action
Feb 26
2 updated conditions: aws:MultiFactorAuthPresent (type), aws:SecureTransport (type); 1 updated action: StartBulkDeployment (conditions)
s3: 2 new actions
Feb 26
2 new actions: GetObjectAttributes (retrieve attributes related to a specific object), GetObjectVersionAttributes (retrieve attributes related to a specific version of an object)
outposts: 2 new actions
Feb 26
2 new actions: CreatePrivateConnectivityConfig (create a private connectivity configuration), GetPrivateConnectivityConfig (get a private connectivity configuration)
clintgibler
Clint Gibler @clintgibler

✅ Container Security Checklist

💯 overview and distillation by @krol_valencia with actionable steps, links, and commands covering securing the:

* Build
* Container registry
* Container runtime
* Infrastructure
* Data
* Workloads

github.com/krol3/containe…

z1g1
Zack Glick @z1g1

Excited to say that the new job is off to the races. I’m taking a break from incident response and I’ve joined New Relic as a principal security engineer in their product security org.

0xdabbad00
Scott Piper @0xdabbad00

Just added @F5 BIG-IP products to the IMDSv2 Wall of Shame. Security products are showing up too much on this list of products that are harmful to cloud security. 😔 github.com/SummitRoute/im…

__steele
Aidan W Steele @__steele

This is exactly what 90% of every Australian road trip looks like.

0xdabbad00
Scott Piper @0xdabbad00

They're using an IAM user access key on an EC2? 😭

TrainOfError
TrainOfError @TrainOfError

@0xdabbad00 @F5 Can't get hacked with IMDSv1 if you don't use instance roles: docs.paloaltonetworks.com/vm-series/8-1/…

steven_bryen
Steven Bryen @steven_bryen

Slack is down - do I have to open a chime room?

christophetd
Christophe @christophetd

Yet another SSRF vulnerability allowing access to the AWS IMDS to steal credentials.

It's getting urgent to enforce IMDSv2 everywhere and ensure vendors allow doing so github.com/SummitRoute/im…

Recent SSRF with same impact in Dropbox's Hellosign: hackerone.com/reports/1406938

clintgibler
Clint Gibler @clintgibler

Protect yourself from subdomain takeovers by... proactively taking over your vulnerable domains before attackers can.

@paulschwarzen describes how OVO does so, automatically within minutes

Tool: github.com/ovotech/domain…

tech.ovoenergy.com/ovo-vs-bug-bou…

__steele
Aidan W Steele @__steele

I am coming to appreciate the AWS costs being visible on the dashboard. No way I would have guessed this account was incurring this large a bill.

Bonus: guess what caused this.

bjohnso5y
Brigid Johnson @bjohnso5y

🏷️Tags, IAM conditions, Amazon ECS....ABAC! 🏷️
tinyurl.com/3v5jxapk

Will AWS work in Russia after Ukraine war?

Hello. I live in Russia and I have a small mobile game hosted on Amazon Web Services. As I know, the US wants to impose sanctions on Russia due to the Ukraine conflict. My app uses serverless services (GameLift, Lambda, S3, DynamoDB, API Gateway, Cognito) that are hard to move away from the provider. I …

Granted: a CLI to access the AWS console for multiple accounts and regions at once

Hey r/aws!

I find the AWS Console to be useful even though I mostly use APIs or infrastructure-as-code to interact with AWS. It’s good to have an out of the box tool to explore resources or look at logs and metrics for my services. A frustration that I frequently run …
