In this issue:
• SRE Weekly Issue #318
• 📖 [The CloudSecList] Issue 133
• [tl;dr sec] #128 - Security Engineering, CI/CD Goat
• Amazon Appflow - 5 updated methods
• Amazon AppStream - 3 updated methods
• AWS Batch - 2 updated methods
• AWS Glue - 6 updated methods
• Reported AWS Desktop VPN Client for Windows Issue
• Reported Amazon RDS PostgreSQL issue
• Amazon Cognito launches support for in-Region integration with Amazon SES and Amazon SNS
• How to integrate AWS STS SourceIdentity with your identity provider
• devicefarm: 1 updated condition
• billingconductor: 1 updated condition, 4 updated resources, 18 updated actions
• sms-voicev2: 1 updated condition
• Announcing Docker SBOM: A step towards more visibility into Docker images - Docker
• Nick Jones (@nojonesuk): a list of cloud security resources, mailing lists, knowledge bases and people to follow (nojones.net/cloud-security…)
• 🐐 CI/CD Goat: a deliberately vulnerable CI/CD environment with 10 challenges, by @cider_sec (github.com/cider-security…)
• 📦 Docker Security Playground: a microservices-based framework for studying network security and penetration testing techniques (github.com/DockerSecurity…)
• Rhino Security Labs: CVE-2022-25165, privilege escalation to SYSTEM in the AWS VPN Client (rhinosecuritylabs.com/aws/cve-2022-2…)
• Scott Piper (@0xdabbad00) on researcher attribution in the AWS RDS advisory, later added for Lightspin
• Brigid Johnson (@bjohnso5y): IAM Access Analyzer now covers Lambda Function URLs
• Aidan W Steele (@__steele) and Ian Mckay (@iann0036) on Vlad Ionescu's container scaling post
• Scaling containers on AWS in 2022
• 15k bill after 3 years of unknowingly having aws running.
• AWS RDS Vulnerability Leads to AWS Internal Service Credentials
• Under the hood: Amazon Elastic Container Service and AWS Fargate increase task launch rates
• [AWS Lambda] Optimizing node_modules in zip files
• [Techmonitor.ai] Failed cyberattack on Ukraine's electricity grid could indicate Russia's growing willingness to attack critical infrastructure
• Microsoft Exposes Evasive Chinese Tarrask Malware Attacking Windows Computers. The Chinese-backed Hafnium hacking group has been linked to a piece of new malware that is used to maintain persistence on compromised Windows environments.
• Ahana's Presto Platform Simplifies Data Lake Security – The New Stack - thenewstack.io
• Cequence Security Achieves Amazon CloudFront Ready Designation - Business Wire
Monday, April 18, 2022

Sponsor 📣

zoph.io is a cloud advisory boutique – we provide custom consulting and security / best practice AWS assessments for your AWS workloads. Contact us to discuss your projects.

Amazon Appflow - 5 updated methods
Apr 14
Enables users to pass custom token URL parameters for OAuth2 authentication during create connector profile.
Amazon AppStream - 3 updated methods
Apr 14
Includes updates for create and update fleet APIs to manage the session scripts locations for Elastic fleets.
AWS Batch - 2 updated methods
Apr 14
Enables configuration updates for compute environments with BEST_FIT_PROGRESSIVE and SPOT_CAPACITY_OPTIMIZED allocation strategies.
AWS Glue - 6 updated methods
Apr 14
Auto Scaling for Glue version 3.0 and later jobs to dynamically scale compute resources. This SDK change provides customers with the auto-scaled DPU usage.
Reported AWS Desktop VPN Client for Windows Issue
aws@amazon.com · Apr 12

Initial Publication Date: 2022/04/12 15:30 PST

AWS is aware of the issues described in CVE-2022-25165 and CVE-2022-25166 relating to the AWS-provided Desktop VPN Client for Windows. These issues affect only client versions 2.0.0 and below; they have been addressed in version 3.0.0 and above. Note that these issues require existing …

Reported Amazon RDS PostgreSQL issue
aws@amazon.com · Apr 11

Initial Publication Date: 2022/04/11 16:45 PST
Last Updated Date: 2022/04/12 13:00 PST

A security researcher recently reported an issue with Aurora PostgreSQL. Using this issue, they were able to gain access to internal credentials that were specific to their Aurora cluster. No cross-customer or cross-cluster access was possible; however, highly …

Amazon Cognito launches support for in-Region integration with Amazon SES and Amazon SNS
Amit Jha · Apr 12
We are pleased to announce that in all AWS Regions that support Amazon Cognito, you can now integrate Amazon Cognito with Amazon Simple Email Service (Amazon SES) and Amazon Simple Notification Service (Amazon SNS) in the same Region. By integrating these services in the same Region, you can more easily …
How to integrate AWS STS SourceIdentity with your identity provider
Keith Joelner · Apr 11
You can use third-party identity providers (IdPs) such as Okta, Ping, or OneLogin to federate with the AWS Identity and Access Management (IAM) service using SAML 2.0, allowing your workforce to configure services by providing authorization access to the AWS Management Console or Command Line Interface (CLI). When you federate …
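The two places SourceIdentity has to be wired in are the role's trust policy (the federated principal must be allowed sts:SetSourceIdentity, and the sts:SourceIdentity condition key can then pin what values are accepted) and CloudTrail, where the value rides along in the role session so every later API call can be tied back to the corporate user. The following is an added example, not code from the AWS post above: it audits a SAML trust policy for those two properties and reads the value back from a CloudTrail record. The provider ARN, role name and CloudTrail record are constructed samples; sts:AssumeRoleWithSAML, sts:SetSourceIdentity and sts:SourceIdentity are the real IAM names.

```python
"""Audit a SAML role trust policy for SourceIdentity support and read the value
back from CloudTrail. Added example; all ARNs, names and records are constructed."""
import json

SAML_PROVIDER = "arn:aws:iam::111111111111:saml-provider/ExampleIdP"  # constructed


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_saml_trust_policy(policy_json, provider_arn=SAML_PROVIDER):
    """Return three booleans about the statements that trust `provider_arn`.

    federates: the IdP can call sts:AssumeRoleWithSAML on this role.
    allows_set_source_identity: the IdP may also set SourceIdentity. Without this,
        an assertion that carries the SourceIdentity attribute is denied.
    constrains_source_identity: a condition on sts:SourceIdentity restricts which
        values are accepted (for example a corporate e-mail domain).
    """
    policy = json.loads(policy_json)
    result = {"federates": False, "allows_set_source_identity": False,
              "constrains_source_identity": False}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or provider_arn not in _as_list(principal.get("Federated")):
            continue
        actions = set(_as_list(stmt.get("Action")))
        if "sts:AssumeRoleWithSAML" in actions:
            result["federates"] = True
        if "sts:SetSourceIdentity" in actions:
            result["allows_set_source_identity"] = True
        for keys in stmt.get("Condition", {}).values():  # {"StringLike": {key: value}}
            if any(k.lower() == "sts:sourceidentity" for k in keys):  # keys are case-insensitive
                result["constrains_source_identity"] = True
    return result


def source_identity_of(cloudtrail_record):
    """Return the SourceIdentity carried by a role session, or None if none was set."""
    ctx = cloudtrail_record.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sourceIdentity")


# Constructed trust policies: one wired for SourceIdentity, one not.
TRUST_POLICY_WITH_SOURCE_IDENTITY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER},
        "Action": ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity", "sts:TagSession"],
        "Condition": {
            "StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"},
            "StringLike": {"sts:SourceIdentity": "*@example.com"},
        },
    }],
})
TRUST_POLICY_WITHOUT_SOURCE_IDENTITY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
})

# Constructed CloudTrail record for an API call made from the federated session.
SAMPLE_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "DeleteBucket",
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::111111111111:assumed-role/Admin/session-1",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::111111111111:role/Admin"},
            "sourceIdentity": "alice@example.com",
        },
    },
}

if __name__ == "__main__":
    print(audit_saml_trust_policy(TRUST_POLICY_WITH_SOURCE_IDENTITY))
    print(audit_saml_trust_policy(TRUST_POLICY_WITHOUT_SOURCE_IDENTITY))
    print(source_identity_of(SAMPLE_EVENT))
```

Run the audit over every role that trusts your IdP: a role that federates but does not allow sts:SetSourceIdentity will reject logins as soon as the IdP starts sending the SourceIdentity attribute, and a role that allows it without a condition accepts whatever the IdP claims.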
devicefarm: 1 updated condition
Apr 16
1 updated condition: aws:TagKeys (type)
billingconductor: 1 updated condition, 4 updated resources, 18 updated actions
Apr 16
1 updated condition: aws:TagKeys (type); 4 updated resources: pricingplan (arn), customlineitem (arn), pricingrule (arn), billinggroup (arn); 18 updated actions: ListPricingRulesAssociatedToPricingPlan (resources), ListPricingPlansAssociatedWithPricingRule (resources), AssociatePricingRules (resources), DeletePricingRule (resources), DeleteCustomLineItem (resources), DeletePricingPlan (resources), UpdateBillingGroup (resources), BatchAssociateResourcesToCustomLineItem (resources), DisassociatePricingRules (resources), UpdateCustomLineItem (resources), UpdatePricingPlan (resources), DeleteBillingGroup (resources), ListResourcesAssociatedToCustomLineItem (resources), CreateBillingGroup (resources), AssociateAccounts (resources), BatchDisassociateResourcesFromCustomLineItem …
sms-voicev2: 1 updated condition
Apr 16
1 updated condition: aws:TagKeys (type)
Nick Jones @nojonesuk

I put together a list of cloud security resources that have helped me over the years - mailing lists, knowledge bases, people on here to follow etc: nojones.net/cloud-security…

87 · Apr 12 · 5:29 PM
Clint Gibler @clintgibler

🐐 CI/CD Goat

A deliberately vulnerable CI/CD environment

Learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full blown CI/CD environment

By @cider_sec

#appsec #pentesting

github.com/cider-security…

75 · Apr 15 · 5:00 PM
Clint Gibler @clintgibler

📦 Docker Security Playground

A microservices-based framework for the study of network security and penetration testing techniques

#networksecurity #Pentesting

github.com/DockerSecurity…

73 · Apr 13 · 8:00 PM
Rhino Security Labs @RhinoSecurity

New Rhino Blog post!
#cve 2022-25165: Privilege Escalation to SYSTEM in #AWS VPN Client
rhinosecuritylabs.com/aws/cve-2022-2…

27 · Apr 12 · 3:43 PM
Scott Piper @0xdabbad00

It's odd the AWS RDS advisory doesn't mention the researcher (@gafnitav from Lightspin).
2021 ALB issue[1]: Thanks individuals and universities
2022 CF[2]: Thanks Orca
2022 RDS[3]: No mention

[1] aws.amazon.com/security/secur…
[2] aws.amazon.com/security/secur…
[3] aws.amazon.com/security/secur…

13 · Apr 12 · 2:55 PM
Brigid Johnson @bjohnso5y

That's right! IAM Access Analyzer has you covered. Function URLs is a great addition to AWS and incredibly useful. You'll want to make sure you only configure public or cross account access when you absolutely need it. IAM Access Analyzer can help you verify that's the case.

AWS Identity @AWSIdentity

🆕: IAM Access Analyzer now monitors the newly launched Lambda Function URLs along with all other Lambda access controls to identify public & cross-account access. go.aws/3v8LkmH

9 · Apr 12 · 4:41 AM
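The question Access Analyzer answers for a Function URL is whether a principal outside the owning account can invoke it. As an added example that is not AWS's or Access Analyzer's code, the check below classifies a function from its URL config plus its resource-based policy. The account id, function names and policy documents are constructed samples; the public one is in the shape the Lambda console writes when you enable a Function URL with AuthType NONE (a Principal "*" grant of lambda:InvokeFunctionUrl conditioned on lambda:FunctionUrlAuthType).

```python
"""Classify Lambda Function URL exposure from the URL config and the function's
resource-based policy. Added example; accounts, names and policies are constructed."""
import json

OWN_ACCOUNT = "111111111111"  # assumption: the account that owns the functions

INVOKE_URL_ACTIONS = ("lambda:InvokeFunctionUrl", "lambda:*", "*")


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principal_accounts(stmt):
    """Yield the account id of each AWS principal, or None for the wildcard."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        yield None
        return
    for p in (_as_list(principal.get("AWS")) if isinstance(principal, dict) else []):
        if p == "*":
            yield None
        elif p.startswith("arn:"):
            yield p.split(":")[4]  # arn:partition:service:region:account:resource
        else:
            yield p  # a bare 12-digit account id


def classify_url_exposure(url_config, policy_json, own_account=OWN_ACCOUNT):
    """Return 'no-url', 'private', 'cross-account' or 'public'.

    Conditions on the statements are ignored, so this over-reports relative to
    Access Analyzer, which reasons about them; it never under-reports.
    """
    if url_config is None:
        return "no-url"
    policy = json.loads(policy_json) if policy_json else {}
    worst = "private"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in INVOKE_URL_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        for account in _principal_accounts(stmt):
            if account is None:
                # Principal "*" on InvokeFunctionUrl: with AuthType NONE that is the open
                # internet; with AWS_IAM it is any AWS identity able to sign a request.
                return "public"
            if account != own_account:
                worst = "cross-account"
    return worst


def audit(functions, own_account=OWN_ACCOUNT):
    """Map function name -> exposure for a list of (name, url_config, policy_json)."""
    return {name: classify_url_exposure(cfg, pol, own_account) for name, cfg, pol in functions}


# Constructed samples (no real accounts or functions).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FunctionURLAllowPublicAccess",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:111111111111:function:hello-public",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    }],
})
CROSS_ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/partner-caller"},
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:111111111111:function:partner-api",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}},
    }],
})
SAMPLE_FUNCTIONS = [
    ("hello-public", {"AuthType": "NONE"}, PUBLIC_POLICY),
    ("partner-api", {"AuthType": "AWS_IAM"}, CROSS_ACCOUNT_POLICY),
    ("internal-only", {"AuthType": "AWS_IAM"}, None),
    ("batch-worker", None, None),
]

if __name__ == "__main__":
    for name, exposure in audit(SAMPLE_FUNCTIONS).items():
        print(f"{name}: {exposure}")
```

In a live account the url_config and policy_json inputs come from GetFunctionUrlConfig and GetPolicy respectively; anything the script flags as public or cross-account should be one you deliberately configured, which is exactly the list Access Analyzer's findings give you without the script.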
Aidan W Steele @__steele

Vlad is blowing up on the internet today (and deservedly so). I’ve had people in three different Slack groups send me a link to this fantastic article 🤩

Vlad Ionescu (he/him) @iamvlaaaaaaad

What's the fastest way to scale containers on AWS in 2022?

Is EKS faster than ECS? What's faster: serverless workers (Fargate) or serverful workers (EC2)?
What about App Runner and Lambda?

Now we know: vladionescu.me/posts/scaling-…

0 · Apr 14 · 5:34 AM
Aidan W Steele @__steele

Update on my dogs’ tough lives: Missy is crying because she’s unhappy with the chair I brought up just for her, she wants to be on my lap

0 · Apr 18 · 4:48 AM
Scott Piper @0xdabbad00

@gafnitav Attribution has now been added for Lightspin to the advisory. It's great to see that added.

2 · Apr 12 · 10:18 PM
Ian Mckay @iann0036

This is brilliant work and insight into container (and Lambda) scaling by @iamvlaaaaaaad, I highly recommend giving his post a look. 👏

Vlad Ionescu (he/him) @iamvlaaaaaaad

What's the fastest way to scale containers on AWS in 2022?

Is EKS faster than ECS? What's faster: serverless workers (Fargate) or serverful workers (EC2)?
What about App Runner and Lambda?

Now we know: vladionescu.me/posts/scaling-…

1 · Apr 14 · 11:02 AM
15k bill after 3 years of unknowingly having aws running.

Today I checked my email and I had an email from AWS with a bill for 400 dollars for the month, and a bunch of months as well, tracing way back to 2019. Now, I never used AWS in my life for anything, I might have activated something by accident …

[AWS Lambda] Optimizing node_modules in zip files

Hey folks

I was recently working through setting up some lambda infrastructure, and one thing that caught me off guard was the bloat that came from my node_modules.

I can present how I solved it but I would love to hear how y'all are solving this problem.

Before we start, …