Security Newsletter - Water treatment plant hacked. Novel dependency confusion attacks. CD Projekt Red files and source code stolen.

Monday, February 15, 2021

In this issue:

• AWS WAF adds support for JSON parsing and inspection
• Introducing Amazon VPC Endpoints for AWS CloudHSM
• AWS Identity and Access Management now supports tags on additional resources
• AWS CloudHSM Adds New Availability Zones
• Use tags to manage and secure access to additional types of IAM resources
• Mitigate data leakage through the use of AppStream 2.0 and end-to-end auditing
• Tagging IAM resources
• Adults can make snow angels too!
• AWS Support is better than any other vendor support I've used.
• AWS Lessons Learned from being DDOS'd
• How Andy Jassy, Amazon’s Next C.E.O., Was a ‘Brain Double’ for Jeff Bezos
• When discussing the cost of AWS with your clients do you bring up electricity costs for on-prem servers?
• Amazon Aurora Global Database supports managed planned failover
• Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
• The "P" in Telegram stands for Privacy
• Zscaler Newbie

Dieter Van der Stock · Feb 15

Hi everyone,

Plenty of interesting news this week. Also scary news. I guess the two usually go hand in hand in this industry. The water treatment thing really had me stumped, even with years of well-honed security cynicism. Scary stuff aside, I hope you en

AWS WAF adds support for JSON parsing and inspection

AWS WAF can now natively parse request body JSON content, allowing you to inspect specific keys or values of the JSON content with AWS WAF rules. This capability helps you protect your APIs by checking for valid JSON structure, inspecting the JSON content for common threats against your application, and …
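To see why parsing the body matters rather than pattern-matching the raw bytes, here is an added Python model (my code for this issue, not AWS's and not the WAF engine) of the WAFv2 JsonBody match. It walks keys and values, honours the MatchScope (ALL, KEY, VALUE) and InvalidFallbackBehavior (MATCH, NO_MATCH, EVALUATE_AS_STRING) option names from the WAFv2 API, and compares the result with a naive raw-body match on three constructed request bodies. The SQLi regex is a toy signature for the example, not a WAF managed-rule pattern.

```python
import json
import re
from typing import Any, Iterator, Tuple

# Toy SQL-injection signature, constructed for this example. WAF's managed
# rule groups use their own patterns; the point here is where it is applied.
SQLI_PATTERN = re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE)


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, str, str]]:
    """Yield (json_pointer, kind, text) for every object key and scalar value.
    kind is 'KEY' or 'VALUE'; the pointer uses the /a/b/0 form WAF's
    IncludedPaths option uses."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            yield child, "KEY", key
            yield from walk(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}/{i}")
    elif node is None or isinstance(node, bool):
        yield path, "VALUE", json.dumps(node)      # null / true / false
    else:
        yield path, "VALUE", str(node)


def inspect_json_body(body: bytes, pattern: re.Pattern,
                      match_scope: str = "ALL",
                      invalid_fallback: str = "NO_MATCH") -> bool:
    """Match the pattern against decoded JSON keys/values.
    match_scope: ALL | KEY | VALUE.
    invalid_fallback: what to do when the body is not well-formed JSON,
    MATCH | NO_MATCH | EVALUATE_AS_STRING (the WAFv2 option names)."""
    text = body.decode("utf-8", errors="replace")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        if invalid_fallback == "MATCH":
            return True
        if invalid_fallback == "EVALUATE_AS_STRING":
            return bool(pattern.search(text))
        return False
    for _pointer, kind, value in walk(doc):
        if match_scope in ("ALL", kind) and pattern.search(value):
            return True
    return False


def inspect_raw_body(body: bytes, pattern: re.Pattern) -> bool:
    """What a body-as-string rule sees: the bytes as sent, JSON escapes intact."""
    return bool(pattern.search(body.decode("utf-8", errors="replace")))


# Constructed request bodies. ESCAPED hides the quote behind a JSON \u escape,
# so a raw-bytes match never sees an apostrophe; INVALID is missing its brace.
PLAIN = b'{"user": "alice", "q": "x\' OR 1=1 --"}'
ESCAPED = b'{"user": "alice", "q": "x\\u0027 OR 1=1 --"}'
INVALID = b'{"user": "alice", "q": "x\' OR 1=1 --"'

if __name__ == "__main__":
    for name, body in [("plain", PLAIN), ("escaped", ESCAPED), ("invalid", INVALID)]:
        print(f"{name:8s} raw={inspect_raw_body(body, SQLI_PATTERN)} "
              f"json={inspect_json_body(body, SQLI_PATTERN)} "
              f"json+eval_as_string="
              f"{inspect_json_body(body, SQLI_PATTERN, invalid_fallback='EVALUATE_AS_STRING')}")
```

The escaped body is the case to remember: the raw-string rule misses it and the JSON-aware rule catches it. The fallback setting is the other decision point; NO_MATCH means a deliberately malformed body sails past the JSON rule, so pair it with a separate rule that rejects bodies your API would never accept anyway.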

Introducing Amazon VPC Endpoints for AWS CloudHSM

You can now access AWS CloudHSM service APIs from your Amazon Virtual Private Cloud (Amazon VPC) using VPC endpoints. Amazon VPC endpoints are easy to configure and provide reliable connectivity to AWS CloudHSM service APIs without requiring an internet gateway or a Network Address Translation (NAT) instance.
https://aws.amazon.com/about-aws/whats-new/2021/02/introducing-amazon-vpc-endpoints-aws-cloudhsm/

AWS Identity and Access Management now supports tags on additional resources

AWS Identity and Access Management (IAM) now allows administrators to use tags to manage and secure access to Customer Managed Policies, Instance Profiles, OpenID Connect Providers, SAML Providers, Server Certificates, and Virtual MFAs.  
https://aws.amazon.com/about-aws/whats-new/2021/02/aws-identity-and-access-management-now-supports-tags-on-additional-resources/
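What this enables is attribute-based access control over IAM resources themselves. The example below is added here (my code, not AWS's) and uses a constructed policy built from the real condition keys iam:ResourceTag/<key>, aws:PrincipalTag/<key> and aws:TagKeys, together with a deliberately simplified evaluator that shows how the policy decides for matching tags, mismatched tags, a missing principal tag, and an attempt to retag a policy. The evaluator implements only StringEquals and the ForAnyValue/ForAllValues set operators this policy needs, and is not IAM's engine; the account ID and tag values are made up.

```python
import fnmatch
import json
import re
from typing import Dict, List, Union

Context = Dict[str, Union[str, List[str]]]

# Constructed policy for this example. Condition keys are real IAM keys.
# Statement 1: manage a customer managed policy only if its "team" tag equals
#   the caller's own "team" principal tag.
# Statement 2: nobody under this policy may add or remove the "team" tag,
#   otherwise a caller could retag a policy into their own team first.
POLICY = json.loads(r"""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnTeamsPolicies",
      "Effect": "Allow",
      "Action": ["iam:GetPolicy", "iam:CreatePolicyVersion",
                 "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
      "Resource": "arn:aws:iam::123456789012:policy/*",
      "Condition": {
        "StringEquals": {"iam:ResourceTag/team": "${aws:PrincipalTag/team}"}
      }
    },
    {
      "Sid": "NoRetaggingTeam",
      "Effect": "Deny",
      "Action": ["iam:TagPolicy", "iam:UntagPolicy"],
      "Resource": "*",
      "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["team"]}}
    }
  ]
}""")

POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(value: str, ctx: Context) -> str:
    """Expand ${key} policy variables from the request context. An absent key
    expands to the empty string, so it can never equal a real tag value."""
    return POLICY_VAR.sub(lambda m: str(ctx.get(m.group(1), "")), value)


def condition_holds(condition: dict, ctx: Context) -> bool:
    """StringEquals with optional ForAnyValue/ForAllValues set operators.
    Only the operators used by the policy above are implemented."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")
        if base != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else list(expected)
            expected = [substitute(e, ctx) for e in expected]
            actual = ctx.get(key)
            if actual is None:
                if set_op == "ForAllValues":
                    continue            # vacuously true when the key is absent
                return False            # plain and ForAnyValue fail on a missing key
            actual = [actual] if isinstance(actual, str) else list(actual)
            if set_op == "ForAnyValue":
                ok = any(a in expected for a in actual)
            elif set_op == "ForAllValues":
                ok = all(a in expected for a in actual)
            else:
                ok = len(actual) == 1 and actual[0] in expected
            if not ok:
                return False
    return True


def matches(pattern: Union[str, List[str]], value: str) -> bool:
    """IAM-style * and ? wildcards on actions and ARNs (case-sensitive here;
    real IAM compares action names case-insensitively)."""
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy: dict, action: str, resource: str, ctx: Context) -> str:
    """Simplified decision logic: an explicit Deny wins, then any Allow,
    otherwise the implicit deny. Returns "Allow", "Deny" or "ImplicitDeny"."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not matches(statement["Action"], action):
            continue
        if not matches(statement["Resource"], resource):
            continue
        if not condition_holds(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy_arn = "arn:aws:iam::123456789012:policy/payments-deploy"
    same_team = {"aws:PrincipalTag/team": "payments", "iam:ResourceTag/team": "payments"}
    other_team = {"aws:PrincipalTag/team": "fraud", "iam:ResourceTag/team": "payments"}
    print(evaluate(POLICY, "iam:CreatePolicyVersion", policy_arn, same_team))   # Allow
    print(evaluate(POLICY, "iam:CreatePolicyVersion", policy_arn, other_team))  # ImplicitDeny
    print(evaluate(POLICY, "iam:TagPolicy", policy_arn,
                   {**same_team, "aws:TagKeys": ["team"]}))                     # Deny
```

The Deny on iam:TagPolicy and iam:UntagPolicy for the team key is the part that gets forgotten: tag-based access is only as strong as control over who can change the tag. The same ${aws:PrincipalTag/...} variable is what the Cognito identity pool demo later in this issue fills from identity provider attributes.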

AWS CloudHSM Adds New Availability Zones

Today, AWS CloudHSM launched service in additional Availability Zones (AZs) in US East (N. Virginia), Asia Pacific (Singapore), Asia Pacific (Tokyo) and AWS GovCloud (US-West) to support high demand from our growing customer base.  
https://aws.amazon.com/about-aws/whats-new/2021/02/aws-cloudhsm-adds-new-availability-zones/

Use tags to manage and secure access to additional types of IAM resources

Michael Switzer · Feb 12
AWS Identity and Access Management (IAM) now enables Amazon Web Services (AWS) administrators to use tags to manage and secure access to more types of IAM resources, such as customer managed IAM policies, Security Assertion Markup Language (SAML) providers, and virtual multi-factor authentication (MFA) devices. A tag is an attribute …

Mitigate data leakage through the use of AppStream 2.0 and end-to-end auditing

Chaim Landau · Feb 10
Customers want to use AWS services to operate on their most sensitive data, but they want to make sure that only the right people have access to that data. Even when the right people are accessing data, customers want to account for what actions those users took while accessing the …

Tagging IAM resources

Feb 11
You can now tag additional IAM resources using a tag key-value pair.

Karim El-Melhaoui @KarimMelhaoui

I’ve spent the past weeks building a 2 day class in Cloud Security Engineering. Unfortunately, I won’t be able to upload the slides anywhere but the labs are made public. Hope someone finds them to be useful despite the lack of context provided by the slides.

27 · Feb 14 · 4:14 AM

Brigid Johnson @bjohnso5y

🏷️IAM has more resources to tag🏷️ This is cool because now you can tag customer managed policies. Helps organize and control access to specific policies among other IAM resources. amzn.to/2Oref3L

16 · Feb 12 · 6:14 AM

Clint Gibler @clintgibler

🛡️ A Practical Guide to Writing Secure Dockerfiles

@madhuakula on useful Docker security resources + tools

* Securely passing in secrets
* Tools: BuildKit, hadolint, dockle, dive, conftest
* DockerSlim: autogenerating Seccomp and AppArmor profiles

speakerdeck.com/madhuakula/a-p…

18 · Feb 10 · 5:00 PM
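As an added illustration of the kind of check hadolint and dockle perform (my code for this issue, not Madhu Akula's slides and not either tool), the Python below parses a constructed Dockerfile and flags an unpinned base image, secret-looking ARG/ENV names, RUN steps that expand such variables, and a missing USER. The one RUN that uses a BuildKit --mount=type=secret is left alone, because that is the supported way to hand a build step a credential without it landing in a layer or in the image history. The secret-name regex is a heuristic assumed for the example.

```python
import re
from typing import List, Tuple

# Constructed Dockerfile for this example: three mistakes the linters catch,
# plus one RUN using the BuildKit secret mount, which is the right way in.
DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM python:latest
ARG NPM_TOKEN
ENV DB_PASSWORD=hunter2
COPY . /app
RUN pip install --no-cache-dir \\
    -r /app/requirements.txt
RUN --mount=type=secret,id=pypirc,dst=/root/.pypirc \\
    pip install --no-cache-dir private-pkg
EXPOSE 8080
CMD ["python", "/app/main.py"]
"""

# Heuristic for variable names that usually hold credentials (assumed).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)


def parse_instructions(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, INSTRUCTION, arguments), joining backslash
    continuations and skipping blank lines, comments and parser directives."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        instr, _, args = buf.strip().partition(" ")
        out.append((start, instr.upper(), " ".join(args.split())))
        buf = ""
    return out


def check_dockerfile(text: str) -> List[str]:
    """Flag unpinned FROM, secret-looking ENV/ARG names, RUN steps that expand
    such variables outside a secret mount, and a missing/root USER."""
    findings, has_user = [], False
    for ln, instr, args in parse_instructions(text):
        if instr == "FROM":
            image = args.split()[0]
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append(f"line {ln}: FROM {image} is unpinned, pin a tag or digest")
        elif instr in ("ENV", "ARG"):
            for name in (seg.split("=", 1)[0] for seg in args.split()):
                if SECRET_NAME.search(name):
                    findings.append(f"line {ln}: {instr} {name} bakes a secret into image metadata/history")
        elif instr == "RUN" and "--mount=type=secret" not in args:
            for var in re.findall(r"\$\{?(\w+)\}?", args):
                if SECRET_NAME.search(var):
                    findings.append(f"line {ln}: RUN expands ${var}; use RUN --mount=type=secret instead")
        elif instr == "USER":
            has_user = args.split()[0] not in ("root", "0")
    if not has_user:
        findings.append("no USER instruction: the container runs as root")
    return findings


if __name__ == "__main__":
    for finding in check_dockerfile(DOCKERFILE):
        print(finding)
```

ARG is on the list deliberately: a build argument is not persisted as an environment variable, but its value is visible in the image history of the layer that used it, which is why the secret mount exists.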
Clint Gibler @clintgibler

🤬 Creating IAM policies is hard

What if we could just observe AWS CLI calls and auto-generate an IAM policy?

Tool by @iann0036 that uses client-side monitoring (CSM) to do just that 🙌

github.com/iann0036/iamli…

10 · Feb 10 · 11:00 PM
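To make concrete what a CSM-based generator like iamlive does, here is an added example (my code for this issue, not iamlive) that turns constructed CSM ApiCall datagrams into an IAM policy. The datagram field names follow the SDK metrics documentation; the service-to-prefix and operation-to-action mappings are a small assumed subset (iamlive carries full mapping data), and listen() assumes the SDK under observation is run with AWS_CSM_ENABLED=true and AWS_CSM_PORT=31000.

```python
import json
import socket
from collections import defaultdict
from typing import Dict, Iterable, List

# CSM "Service" values -> IAM service prefix. Partial mapping assumed for this
# example; the real one is larger and irregular.
SERVICE_PREFIX = {"S3": "s3", "STS": "sts", "DynamoDB": "dynamodb",
                  "Lambda": "lambda", "EC2": "ec2"}

# API operation names that do not map 1:1 to an IAM action. A few well-known
# S3 cases; an illustrative, incomplete list.
ACTION_OVERRIDES = {
    ("s3", "ListObjects"): "s3:ListBucket",
    ("s3", "ListObjectsV2"): "s3:ListBucket",
    ("s3", "HeadBucket"): "s3:ListBucket",
    ("s3", "HeadObject"): "s3:GetObject",
}

# Constructed CSM datagrams using the documented ApiCall/ApiCallAttempt field
# names. The 403 on GetItem is kept: a denied call is still a permission the
# caller evidently needs.
SAMPLE_EVENTS = [
    {"Version": 1, "Type": "ApiCallAttempt", "Service": "S3", "Api": "ListObjectsV2",
     "Region": "us-east-1", "HttpStatusCode": 200},
    {"Version": 1, "Type": "ApiCall", "Service": "S3", "Api": "ListObjectsV2",
     "Region": "us-east-1", "AttemptCount": 1, "FinalHttpStatusCode": 200},
    {"Version": 1, "Type": "ApiCall", "Service": "S3", "Api": "GetObject",
     "Region": "us-east-1", "AttemptCount": 1, "FinalHttpStatusCode": 200},
    {"Version": 1, "Type": "ApiCall", "Service": "S3", "Api": "GetObject",
     "Region": "us-east-1", "AttemptCount": 2, "FinalHttpStatusCode": 200},
    {"Version": 1, "Type": "ApiCall", "Service": "STS", "Api": "GetCallerIdentity",
     "Region": "us-east-1", "AttemptCount": 1, "FinalHttpStatusCode": 200},
    {"Version": 1, "Type": "ApiCall", "Service": "DynamoDB", "Api": "GetItem",
     "Region": "us-east-1", "AttemptCount": 1, "FinalHttpStatusCode": 403},
]


def iam_action(service: str, api: str) -> str:
    """Map a CSM (Service, Api) pair to an IAM action string."""
    prefix = SERVICE_PREFIX.get(service, service.lower())
    return ACTION_OVERRIDES.get((prefix, api), f"{prefix}:{api}")


def actions_from_events(events: Iterable[dict]) -> List[str]:
    """Distinct IAM actions from ApiCall events. ApiCallAttempt events are
    skipped so retries are not counted a second time."""
    seen = {iam_action(e["Service"], e["Api"]) for e in events if e.get("Type") == "ApiCall"}
    return sorted(seen)


def build_policy(actions: Iterable[str], resource: str = "*") -> Dict:
    """One Allow statement per service. CSM events carry no resource ARNs, so
    Resource stays "*" until you scope it by hand."""
    by_service = defaultdict(list)
    for action in sorted(set(actions)):
        by_service[action.split(":", 1)[0]].append(action)
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": f"{svc.capitalize()}FromCSM", "Effect": "Allow",
                           "Action": acts, "Resource": resource}
                          for svc, acts in sorted(by_service.items())]}


def listen(host: str = "127.0.0.1", port: int = 31000) -> Dict:
    """Collect CSM datagrams from a client run with AWS_CSM_ENABLED=true and
    AWS_CSM_PORT=31000 until Ctrl-C, then return the generated policy."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    events = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            events.append(json.loads(data))
    except KeyboardInterrupt:
        pass
    finally:
        sock.close()
    return build_policy(actions_from_events(events))


if __name__ == "__main__":
    print(json.dumps(build_policy(actions_from_events(SAMPLE_EVENTS)), indent=2))
```

Two caveats a practitioner wants before trusting the output: operation names are not IAM actions (ListObjectsV2 needs s3:ListBucket, HeadObject needs s3:GetObject), and because CSM carries no resource ARNs the generated statements are Resource "*" until you narrow them, so the result is a starting point for least privilege, not the finished policy.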
Kinnaird McQuade💥☁️ @kmcquade3

If you perform penetration tests on AWS accounts regularly and are interested in trying out an extremely destructive 😈 AWS pentesting tool I am going to open source next week-ish, please ping me.

4 · Feb 10 · 12:27 AM

Scott Piper @0xdabbad00

From @tdmalone in the og-aws Slack, you can't enforce HTTPS via an SCP because some AWS services use HTTP. ☹️

9 · Feb 10 · 4:56 PM

Kinnaird McQuade💥☁️ @kmcquade3

Dropping that new AWS security tool in 48 hours.

I honestly can’t contain my excitement.

Relevant content:

1 · Feb 14 · 8:15 PM

Karim El-Melhaoui @KarimMelhaoui

Lab 6: Memory dump of Windows instances with upload to S3.
Lab 7: Simple AWS response lab using boto3 and Python
github.com/karimelmel/clo…
The class will be held for a non-profit the coming week!

6 · Feb 14 · 4:15 AM

Ian Mckay @iann0036

In my latest post, I talk about that weird situation of having the same root email for two #AWS accounts and what its implications are.

onecloudplease.com/blog/case-of-t…

7 · Feb 11 · 10:45 PM

Scott Piper @0xdabbad00

Given the S3 durability guarantee that AWS loses 1 object per year for every 100B objects, and that in 2012 S3 was already storing 900B objects, I wish AWS would define what happens when they lose an S3 object. aws.amazon.com/s3/faqs/

Aidan W Steele @__steele

This is neat. I saw in a job ad that AWS handles 750M TPS. I then found this article about it handling 1M TPS 9 years ago.

Talk about rapid growth! Will it continue at that rate? Which services contribute the most to that? S3 and CloudFront, maybe?

6 · Feb 10 · 11:17 PM

Aidan W Steele @__steele

CloudFormation::Council::Bens, assemble! Custom resource providers can now be defined in templates

docs.aws.amazon.com/AWSCloudFormat…

@ben11kehoe @benbridts

3 · Feb 12 · 2:43 AM
Rhino Security Labs @RhinoSecurity

Opened a mid-level Pentester role as well. If you're passionate about cybersecurity but the specs don't quite match up, reach out to us anyway! Careers@rhinosecuritylabs.com

apply.workable.com/j/0C7173C530

9 · Feb 08 · 11:39 PM

Michael Chan @mchancloud

🎥🍿An overview and demo of how to implement fine-grained access control with Amazon Cognito identity pools and a demo of using attributes from identity providers for access control (ABAC). More on identity pools here: docs.aws.amazon.com/cognito/latest…
@AWSIdentity
youtube.com/watch?v=tAUmz9…

3 · Feb 10 · 9:46 PM

AWS Support is better than any other vendor support I've used.

I've been working professionally in IT for a decade in a variety of roles. I've opened tickets with Microsoft, VMware, Novell, Oracle, SolarWinds, Dell, EMC, NetApp, Red Hat, and many more. I've been working full time with AWS for over four years now and their Support has ALWAYS been top …

When discussing the cost of AWS with your clients do you bring up electricity costs for on-prem servers?

I was trying to get a client to move to 365 and AWS. They did like the cost estimation I had set up. To put the final nail in the coffin and seal the deal I calculated the run time for their servers and wattage. I also got one of their …

Zscaler Newbie

Dear Group Members,

What are your thoughts about Zscaler, what do you think are the benefits of using it, and what are your predictions for its future?

How would you describe Zscaler in a few words?

And what is the main difference from traditional network security or Cisco’s technology?

Happy …