• SRE Weekly Issue #312
• 📖 [The CloudSecList] Issue 127
• [tl;dr sec] #122 - Developer Experience is Security, Everything as Code Survey
• Amazon Connect Service - 5 updated methods
• Amazon DevOps Guru - 2 new, 4 updated methods
• Amazon Appflow - 3 updated methods
• AWSKendraFrontendService - 1 updated method
• SOC reports now available in Spanish
• Streamlining evidence collection with AWS Audit Manager
• redshift: 2 new actions
• elasticmapreduce: 4 new actions
• connect: 1 new action
• @0xdabbad00: AWS Terms and Conditions added a hugely important and much needed addition, §1.19 "We will not use Individualized Usage Data or Your Content to compete with your products and services." (added Jan 28) aws.amazon.com/service-terms/ diffchecker.com/iXloQJqk
• @clintgibler: ☁️ AWS Security Fundamentals, a self-paced course by @awscloud covering access control, data encryption and how network access to your AWS infrastructure can be secured aws.amazon.com/training/digit…
• @__steele: Names are hard. Especially when you have as many services as Amazon. A list of names that Amazon has recycled for completely different services
• @__steele: Happy ending: in fewer than three weeks, the CodeBuild service team rolled out a change to address the VPC data exfiltration issue
• @clintgibler: 🛠️ New tool by @bridgecrewio: Whorf, a #Kubernetes Validating Admission Controller that uses Checkov as the core validator for Kubernetes manifests github.com/bridgecrewio/c… bridgecrew.io/blog/whorf-the…
• @kmcquade3: What is a technology that security people aren't paying enough attention to that most security engineers will be forced to learn about in the next 5 years?
• @StephenSchmidt: We're partnering closely with Ukrainian IT organizations to disrupt attacks & help support Ukrainian people during this difficult time aboutamazon.com/news/community…
• @christophetd: AWS: "You should sign your container images" Also AWS: "We don't support signing container images" aws.github.io/aws-eks-best-p… github.com/aws/containers…
• @kmcquade3: I'm getting LASIK tomorrow
• @christophetd: The "nodes/proxy" permission in K8s is equivalent to cluster admin. Now available in Stratus Red Team 1.6.0 stratus-red-team.cloud/attack-techniq…
• RDS multi-az will now allow you to use the standby instance as a read replica (on newer versions)
• What Exactly are VPC Endpoints and Why They Need Real Inter-Region Support
• GitHub Project: Botocove - run a function against a selection of AWS accounts, Organizational Units (OUs), regions, or all AWS accounts in an organization, concurrently with thread safety
• I wrote a Glue tutorial for beginners, hope it helps someone :)
• Why should I NOT store customers' API keys in DynamoDB?
• Breaking Google's ReCaptcha v2 using.. Google.. Again
• Escaping privileged containers for fun
• Newbie question: how to protect yourself against losing control of your cloud account
• Should Amazon, Microsoft, Google and Other Cloud Companies Face More Government Oversight? - The Wall Street Journal
• Nearly All Cybersecurity Companies Expose AWS Assets - Report - Infosecurity Magazine
Monday, March 7, 2022

Comply with ISO 27001, GDPR, SOC 2 and more with Upsafe (Sponsor)

We don’t know you yet, but chances are that you prefer working on actual security rather than compliance paperwork or answers to security questionnaires 😬

Upsafe is opening its launch program to put compliance and questionnaires on autopilot. Just mention that you're a reader of AWS Security Digest and a free trial will be available!


Amazon Connect Service - 5 updated methods
Mar 4
This release updates the *InstanceStorageConfig APIs so they support a new ResourceType: REAL_TIME_CONTACT_ANALYSIS_SEGMENTS. Use this resource type to enable streaming for real-time contact analysis and to associate the Kinesis stream where real-time contact analysis segments will be published.
Amazon DevOps Guru - 2 new, 4 updated methods
Mar 4
Amazon DevOps Guru now integrates with Amazon CodeGuru Profiler. You can view CodeGuru Profiler recommendations for your AWS Lambda function in DevOps Guru. This feature is enabled by default for new customers as of 3/4/2022. Existing customers can enable this feature with UpdateEventSourcesConfig.
Amazon Appflow - 3 updated methods
Mar 3
Amazon AppFlow now supports Marketo as a destination connector in the SDK.
AWSKendraFrontendService - 1 updated method
Mar 3
Amazon Kendra now suggests spell corrections for a query. For more information, see https://docs.aws.amazon.com/kendra/latest/dg/query-spell-check.html
SOC reports now available in Spanish
Rodrigo Fiuza, Mar 3
At Amazon Web Services (AWS), we continue to listen to our customers, regulators, and stakeholders to understand their needs regarding audit, assurance, certification, and attestation programs. We are pleased to announce that Fall 2021 AWS SOC 1, SOC 2 and SOC 3 reports are now available in Spanish. These translated …
Streamlining evidence collection with AWS Audit Manager
Nicholas Parks, Mar 3
In this post, we will show you how to deploy a solution into your Amazon Web Services (AWS) account that enables you to simply attach manual evidence to controls using AWS Audit Manager. Making evidence-collection as seamless as possible minimizes audit fatigue and helps you maintain a strong compliance posture. …

Fix AWS IAM permissions quickly with k9 Security (Sponsor)

Need to help your Cloud teams find and fix AWS IAM permissions issues quickly?

Control access to AWS APIs and data with k9’s simple policy automation and actionable IAM audits. Built for Cloud teams doing continuous delivery.


redshift: 2 new actions
Mar 5
2 new actions:
* DescribeReservedNodeExchangeStatus: describe exchange status details and associated metadata for a reserved-node exchange (statuses include values such as in progress and requested)
* GetReservedNodeExchangeConfigurationOptions: get the configuration options for the reserved-node exchange
elasticmapreduce: 4 new actions
Mar 5
4 new actions:
* DeleteWorkspaceAccess: block an identity from opening a collaborative workspace
* ListWorkspaceAccessIdentities: list identities that are granted access to a workspace
* PutWorkspaceAccess: allow an identity to open a collaborative workspace
* UpdateEditor: update an EMR notebook
connect: 1 new action
Mar 5
1 new action: UpdateContactFlowModuleContent (update contact flow module content in an Amazon Connect instance)
Scott Piper @0xdabbad00

AWS Terms and Conditions added a hugely important and much needed addition, §1.19 "We will not use Individualized Usage Data or Your Content to compete with your products and services." (added Jan 28)
aws.amazon.com/service-terms/
diffchecker.com/iXloQJqk

Clint Gibler @clintgibler

☁️ AWS Security Fundamentals

Self-paced course by @awscloud covering fundamental security concepts, including:

* Access control
* Data encryption
* And how network access to your AWS infrastructure can be secured

aws.amazon.com/training/digit…

Aidan W Steele @__steele

Names are hard. Especially when you have as many services as Amazon. @QuinnyPig has been known to have opinions on this.

So when you have a good name, why only use it once? Here’s a list of names that Amazon has recycled for completely different services:

Aidan W Steele @__steele

Happy ending: in fewer than three weeks, the CodeBuild service team rolled out a change to address this issue. I updated the linked blog with details.

I'm impressed. It was arguably a rather contrived "vulnerability", but they still did a good job of prioritising and fixing it.

Aidan W Steele @__steele

Very short blog post (five paragraphs): AWS VPC data exfiltration via CodeBuild.

awsteele.com/blog/2022/02/0…

Clint Gibler @clintgibler

🛠️ New tool by @bridgecrewio: Whorf

A #Kubernetes Validating Admission Controller that uses Checkov as the core validator for Kubernetes manifests

Code: github.com/bridgecrewio/c…

Post by @_SteveGiguere_

bridgecrew.io/blog/whorf-the…

Kinnaird McQuade💥🌩 @kmcquade3

What is a technology that security people aren’t paying enough attention to that most security engineers will be forced to learn about in the next 5 years? For one reason or another.

stephenschmidt @StephenSchmidt

We're partnering closely with Ukrainian IT organizations to disrupt attacks & help support Ukrainian people during this difficult time: aboutamazon.com/news/community…

Christophe @christophetd

AWS: "You should sign your container images"
Also AWS: "We don't support signing container images"

¯\_(ツ)_/¯ (feature request opened 3+ years ago)

aws.github.io/aws-eks-best-p…

github.com/aws/containers…

Kinnaird McQuade💥🌩 @kmcquade3

I’m getting LASIK tomorrow and I’m so fucking excited

Christophe @christophetd

The "nodes/proxy" permission in K8s is equivalent to cluster admin. Allows to directly hit the Kubelet, authenticated as a worker node itself, and bypass admission control + audit logs.

Now available in Stratus Red Team 1.6.0 to validate your detections! stratus-red-team.cloud/attack-techniq…

Rory McCune @raesene

Today's blog is about the research I did with @smarticu5 on Kubernetes RBAC and node/proxy rights blog.aquasec.com/privilege-esca… with some ideas on how cluster operators can mitigate the risk if this is part of their threat model.
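The check a cluster operator would want after reading the two tweets above: which subjects actually hold nodes/proxy rights. This is an added example written for this digest, not code from Stratus Red Team or the Aqua post. It applies Kubernetes' own RBAC resource matching (a rule matches nodes/proxy with "*", the exact "nodes/proxy", or the "*/proxy" form; "nodes/*" is not a wildcard) to ClusterRole and ClusterRoleBinding objects in the shape `kubectl get clusterroles,clusterrolebindings -o json` prints. Two assumptions are the script's own: only the verbs get, create and * are counted as reaching the kubelet through the API-server proxy, and the sample objects at the bottom are constructed, not taken from any real cluster.

```python
"""Audit Kubernetes RBAC for subjects that hold nodes/proxy rights.

Added example: applies Kubernetes' RBAC matching rules to ClusterRole /
ClusterRoleBinding objects as `kubectl get clusterroles,clusterrolebindings -o json`
returns them.
"""
import json
import sys

# Assumption used by this script: GET or POST against /api/v1/nodes/<node>/proxy/...
# is what an attacker needs, so only these verbs are reported (list/watch are not).
KUBELET_VERBS = {"*", "get", "create"}


def rule_grants_nodes_proxy(rule: dict) -> list:
    """Return the kubelet-reaching verbs this rule grants on nodes/proxy, or []."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:   # nodes live in the core group ""
        return []
    # Mirrors ResourceMatches in k8s.io/kubernetes/pkg/apis/rbac/v1: "*", the exact
    # combined name, or "*/<subresource>" match. "nodes/*" is NOT a wildcard in RBAC.
    if not any(r in ("*", "nodes/proxy", "*/proxy") for r in rule.get("resources", [])):
        return []
    return [v for v in rule.get("verbs", []) if v in KUBELET_VERBS]


def find_nodes_proxy_grants(cluster_roles: list, bindings: list) -> list:
    """List every subject that can reach the kubelet via nodes/proxy.

    Only ClusterRoleBindings count: nodes are cluster-scoped, so a RoleBinding
    cannot grant them even when it references a ClusterRole.
    """
    role_verbs = {}
    for cr in cluster_roles:
        verbs = set()
        for rule in cr.get("rules") or []:   # aggregated roles: rules are materialised
            verbs.update(rule_grants_nodes_proxy(rule))
        if verbs:
            role_verbs[cr["metadata"]["name"]] = verbs

    findings = []
    for b in bindings:
        ref = b["roleRef"]
        if ref.get("kind") != "ClusterRole" or ref["name"] not in role_verbs:
            continue
        for s in b.get("subjects") or []:
            ident = s["name"]
            if s["kind"] == "ServiceAccount":
                ident = f"{s.get('namespace', '')}/{s['name']}"
            findings.append({
                "subject": f"{s['kind']}:{ident}",
                "binding": b["metadata"]["name"],
                "clusterRole": ref["name"],
                "verbs": ",".join(sorted(role_verbs[ref["name"]])),
            })
    return findings


def audit_kubectl_dump(dump: dict) -> list:
    """Take the mixed-kind List that kubectl prints and split it by kind."""
    items = dump.get("items", [])
    roles = [i for i in items if i.get("kind") == "ClusterRole"]
    binds = [i for i in items if i.get("kind") == "ClusterRoleBinding"]
    return find_nodes_proxy_grants(roles, binds)


# Constructed sample objects (not from any real cluster).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "node-debugger"},      # looks read-only; reaches the kubelet
     "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/proxy"],
                "verbs": ["get", "list"]}]},
    {"metadata": {"name": "proxy-everything"},   # the "*/proxy" spelling also matches
     "rules": [{"apiGroups": [""], "resources": ["*/proxy"], "verbs": ["create"]}]},
    {"metadata": {"name": "node-metrics"},       # other subresource; "nodes/*" is no wildcard
     "rules": [{"apiGroups": [""], "resources": ["nodes/metrics", "nodes/*"], "verbs": ["get"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "debuggers"},
     "roleRef": {"kind": "ClusterRole", "name": "node-debugger"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "prometheus"},
                  {"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "proxy-everything"},
     "roleRef": {"kind": "ClusterRole", "name": "proxy-everything"},
     "subjects": [{"kind": "Group", "name": "sre"}]},
    {"metadata": {"name": "metrics"},
     "roleRef": {"kind": "ClusterRole", "name": "node-metrics"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "metrics-server"}]},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:            # python3 audit.py rbac.json  (kubectl -o json output)
        with open(sys.argv[1]) as fh:
            rows = audit_kubectl_dump(json.load(fh))
    else:                            # no file given: run on the constructed samples
        rows = find_nodes_proxy_grants(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS)
    for r in rows:
        print(f"{r['subject']:<45} via {r['clusterRole']:<20} verbs={r['verbs']}")
```

On the samples it reports system:masters, the prometheus service account, alice and the sre group, and stays silent on the metrics-server account, whose "nodes/*" rule does not cover nodes/proxy. A ClusterRole that grants "*" on resources in the core group (cluster-admin included) is reported too, since that is exactly the equivalence the tweet describes; filter known-admin bindings out downstream rather than in the matcher.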

Newbie question: how to protect yourself against losing control of your cloud account

I'm a total newbie in security and I'm wondering how you can protect yourself against losing control of your main cloud account.

I mean, an attacker is able to get your account credentials and remove your access to your account. Is that even possible under normal circumstances?

How …
