SRE Weekly Issue #314 • 📖 [The CloudSecList] Issue 129 • [tl;dr sec] #124 - GraphQL Cop, GitLab CI/CD CTF • NSA, CISA Release Updated Kubernetes Hardening Guidance • Random number generator enhancements for Linux 5.17 and 5.18 • 2 zero-trust cloud security models emerge as demands shift - TechTarget • Access Undenied on AWS - Security Boulevard
Monday, March 21, 2022

Sponsor 📣

Automate code reviews, find vulnerabilities and leaked secrets stored in your Git repositories.

Codiga is an automated code review platform that works with GitHub, GitLab, and Bitbucket and provides you feedback on your code within minutes.

Free for individuals and teams smaller than 5 developers.

Trusted by more than 15,000 users and backed by Silicon Valley investors, Codiga gives you the guarantee to merge your code in production with confidence.


📢 MAMIP (Monitor AWS Managed IAM Policies)

Policies changed since last week:


👉🏻 From AWS Bots: 📃 MAMIP / 🤖 MASE / 👮🏻‍♂️ MGDA

AWS Certificate Manager Private Certificate Authority - 4 updated methods
Mar 16
AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports customizable certificate subject names and extensions.
AmplifyBackend - 3 updated methods
Mar 16
Adding the ability to customize Cognito verification messages for email and SMS in CreateBackendAuth and UpdateBackendAuth. Adding deprecation documentation for ForgotPassword in CreateBackendAuth and UpdateBackendAuth
AWSBillingConductor - 30 new methods
Mar 16
This is the initial SDK release for AWS Billing Conductor. The AWS Billing Conductor is a customizable billing service, allowing you to customize your billing data to match your desired business structure.
Amazon S3 on Outposts - 1 new method
Mar 16
S3 on Outposts is releasing a new API, ListSharedEndpoints, that lists all endpoints associated with S3 on Outposts that have been shared through Resource Access Manager (RAM).
CVE-2022-0778 awareness
aws@amazon.com
Mar 18

Initial Publication Date: 2022/03/17 20:42 PST

AWS is aware of an issue present in OpenSSL versions 1.0.2, 1.1.1, and 3.0 in which a certificate containing invalid explicit curve parameters can cause denial of service (DoS) by triggering an infinite logic loop. This issue was eliminated in the releases of OpenSSL …

Ransomware mitigation: Using Amazon WorkDocs to protect end-user data
James Perry
Mar 18
Amazon Web Services (AWS) has published whitepapers, blog articles, and videos with prescriptive guidance to assist you in developing an enterprise strategy to mitigate risks associated with ransomware and other destructive events. We also announced a strategic partnership with CrowdStrike and Presidio where together we developed a Ransomware Risk Mitigation …
billingconductor: 30 new actions, 4 new resources, 3 new conditions
Mar 18
30 new actions: AssociateAccounts (associate between one and 30 accounts to a billing group), AssociatePricingRules (associate pricing rules), BatchAssociateResourcesToCustomLineItem (batch associate resources to a percentage custom line item), BatchDisassociateResourcesFromCustomLineItem (batch disassociate resources from a percentage custom line item), CreateBillingGroup (create a billing group), CreateCustomLineItem (create a custom line item), CreatePricingPlan …
kafka: 1 new resource | 2 updated actions, 1 updated resource
Mar 17
1 new resource: configuration; 2 updated actions: DescribeConfiguration (resources), DescribeConfigurationRevision (resources); 1 updated resource: cluster (arn)

Learn to secure AWS IAM continuously (Sponsor)

Learn how to secure AWS with IAM built for continuous delivery using the Effective IAM for AWS guide (free).

Scott Piper @0xdabbad00

S3 is designed to lose only 1 object per year for every 100B objects (which is really good!), but it means it now loses 2000 objects per year.

Jeff Barr ☁️ (@ 🏠 ) 💉 @jeffbarr

Welcome to #AWS Pi Day 2022 - aws.amazon.com/blogs/aws/welc…

Amazon S3 now holds more than 200 trillion (2 x 10^14) objects (almost 29,000 objects for each resident of planet Earth) and averages over 100 million requests per second!

56 · Mar 14 · 5:54 PM
Christophe @christophetd

New container escape vulnerability in the CRI-O container runtime:

crowdstrike.com/blog/cr8escape…

A thread with reminders about container runtimes, CRI, and how to exploit this vulnerability. 🧵⬇️

65 · Mar 16 · 2:09 PM
Clint Gibler @clintgibler

👮 GraphQL Cop

Tool to run common security tests against #GraphQL APIs.

~10 detections for DoS, CSRF, and info leaks.

By @dftrace #bugbountytips

github.com/dolevf/graphql…

43 · Mar 14 · 8:00 PM
Clint Gibler @clintgibler

📈 How to Burp Good

Awesome guide by @n00py1 on how to do useful things in @Burp_Suite like:

* Password brute forcing
* Password spraying
* Handling CSRF tokens
* Re-validating sessions
* Finding hidden pages
* SSL stripping

+ more. #bugbountytips

n00py.io/2017/10/how-to…

34 · Mar 15 · 4:00 PM
Aidan W Steele @__steele

brb gotta update my LinkedIn profile.

Also, I spoke on a podcast! About building silly things and the state of cloud security.

Last Week in AWS @LastWeekinAWS

Blogger and AWS expert Aidan Steele (@__steele), a Serverless Engineer at Stedi, joins Corey to talk Asimov influences and more!

Have a listen: buff.ly/362e0W5

6 · Mar 17 · 4:29 AM
Chris Farris @jcfarris

Alrighty everyone. @fwdcloudsec will be happening again this year. We're actually gonna tempt fate and try what we intended in 2020: have a one-day B-Sides conference the day before AWS re:Inforce. Monday June 27th, JW Marriott Downtown - Houston, TX - fwdcloudsec.org

15 · Mar 15 · 1:24 AM
Aidan W Steele @__steele

I added a new feature to flowdog that captures metadata and headers for HTTP(S) requests inside AWS VPCs.

It sends JSON records like the one in this screenshot to Kinesis Firehose, for archival in S3. They can then be queried later using Athena.

7 · Mar 16 · 4:05 AM
fwd:cloudsec @fwdcloudsec

fwd:cloudsec is happening June 27 in Houston, TX! 🎉
(the day before re:Inforce)
Interested in sponsoring? Please reach out at sponsorship@fwdcloudsec.org
Interested in speaking? ➡️fwdcloudsec.org/cfp.html
Not interested in speaking? You're wrong. 😜 Check out the CFP.

17 · Mar 15 · 3:49 AM
Brigid Johnson @bjohnso5y

🌺This week, members from my #AWS team decided to give the office a whirl for two-ish days. First time in two years. TLDR; It was really delightful. 🌺

3 · Mar 19 · 12:07 AM
Scott Piper @0xdabbad00

AWS Data Pipelines do not support IMDSv2. One might argue that Glue should be used instead, but not maintaining security best practices is an unexpected choice for an AWS managed service. 😔

5 · Mar 14 · 5:28 PM
MFA in AWS is just broken, hope they fix it soon

We, as a small company with a small SaaS product, allow our users to set up

  • OTP and
  • as many FIDO-Sticks as a user needs

At AWS it is either OTP or Stick, and just one Stick. No spare stick, no different Sticks for different devices (USB-A vs USB-C) and although …

With GCP, you create a project and enable services in it. When you no longer want it, you delete the entire project, effectively deleting all services inside it. What's the AWS equivalent of that?

Correct me if I am wrong with the assumption of gcp behaviour.

Is there an AWS way of doing the same?

That seems a much better way to manage services: one click deletes the project and all services inside it.

Currently afaik, I go to tag editor and delete all manually. I use third …

AZ-104 and AZ-500 Passed!

The exams were a bit harder than I expected. I studied for about 6 months non-stop.

Main resources used:

  • Microsoft Learn (very important to write things down and do the labs, don't just click through)
  • Whizlabs videos and labs
  • Whizlabs practice tests
  • FreeCodeCamp / …
