AWS Security Digest · Monday, April 25, 2022

In this issue: SRE Weekly Issue #319 • 📖 [The CloudSecList] Issue 134 • [tl;dr sec] #129 - Maximizing Bug ROI, Tamper-proof GitHub Builds • AWS Glue - 5 new methods • AWS IoT SiteWise - 3 new methods • Amazon Lookout for Metrics - 1 new method • AWS MediaTailor - 5 new, 7 updated methods • Reported Apache Log4j Hotpatch Issues • Canadian Centre for Cyber Security Assessment Summary report now available in AWS Artifact • How to protect HMACs inside AWS KMS

Sponsor 📣

AWS Security Digest is opening new slots for sponsorship — with more than 780 subscribers full of Cloud Security Engineers, Security Managers, VCs, Doers, Students, and Cloud aficionados from a myriad of companies.

There are still a few slots available for this year. Contact us for more details.

AWS Glue - 5 new methods
Apr 21
This release adds APIs to create, read, delete, list, and batch-read Glue custom entity types.
AWS IoT SiteWise - 3 new methods
Apr 21
This release adds 3 new batch data query APIs : BatchGetAssetPropertyValue, BatchGetAssetPropertyValueHistory and BatchGetAssetPropertyAggregates
Amazon Lookout for Metrics - 1 new method
Apr 21
Added the DetectMetricSetConfig API, which detects the configuration required to create a metric set from a provided S3 data source.
AWS MediaTailor - 5 new, 7 updated methods
Apr 21
This release introduces tiered channels and adds support for live sources. Customers using a STANDARD channel can now create programs using live sources.
Reported Apache Log4j Hotpatch Issues
aws@amazon.com · Apr 19

Initial Publication Date: 2022/04/19 14:30 PST
CVE IDs: CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, CVE-2022-0071

On December 12, 2021, Amazon publicly released a hotpatch for running Java VMs which disables the loading of the Java Naming and Directory Interface (JNDI) class. This hotpatch provides an immediate mitigation for critical issues within the open-source …

Canadian Centre for Cyber Security Assessment Summary report now available in AWS Artifact
Rob Samuel · Apr 22
French version At Amazon Web Services (AWS), we are committed to providing continued assurance to our customers through assessments, certifications, and attestations that support the adoption of AWS services. We are pleased to announce the availability of the Canadian Centre for Cyber Security (CCCS) assessment summary report for AWS, which …
How to protect HMACs inside AWS KMS
Jeremy Stieglitz · Apr 19
Update, April 20, 2022: in the section "Use the HMAC key to encode a signed JWT," we fixed an error in the code sample.

Today AWS Key Management Service (AWS KMS) is introducing new APIs to generate and verify hash-based message authentication codes (HMACs) using the Federal Information Processing Standard (FIPS) …
route53: 2 updated actions
Apr 23
2 updated actions: AssociateVPCWithHostedZone (resources), DisassociateVPCFromHostedZone (resources)
sagemaker: 2 new conditions | 1 updated action
Apr 23
2 new conditions: sagemaker:ServerlessMaxConcurrency (Filters access by limiting maximum concurrency used for Serverless inference in the request), sagemaker:ServerlessMemorySize (Filters access by limiting memory size used for Serverless inference in the request)
1 updated action: CreateEndpointConfig (conditions)
lookoutmetrics: 1 new action
Apr 23
1 new action: DetectMetricSetConfig (Grants permission to detect metric set config from data source)
Christophe @christophetd

Wondering how to exploit this?

We just released a purposely vulnerable sample Java application, with a walk-through of how to craft a malicious JWT signature to bypass the verification process

github.com/DataDog/securi…

Thomas H. Ptacek @tqbf

Welp. It’s the crypto bug of the year. Mark it down for April. Java 15-18 ECDSA doesn’t sanity check that the random x coordinate and signature proof are nonzero; a (0,0) signature validates any message. Breaks JWT, SAML, &c. neilmadden.blog/2022/04/19/psy…

140 · Apr 20 · 10:34 PM
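The two tweets above (Christophe's vulnerable JWT demo and tqbf's summary) describe the same defect: a verifier that never checks that r and s are in [1, n-1]. The block below is an added example, not Java's code, Neil Madden's write-up, or Datadog's sample app: a minimal pure-Python P-256 ECDSA with two verifiers side by side. `verify_unchecked` models the bug as described in the tweet, with one extra modelling assumption labelled in the code (a Fermat-style modular inverse that returns 0 for input 0 instead of failing); `verify` adds the range check. The private key and nonce are constructed test values, and the fixed nonce is only for reproducibility.

```python
"""Added example (not Java's or the linked post's code): why an all-zero ECDSA
signature verifies when (r, s) are not range-checked, and the one-line fix."""
import hashlib

# NIST P-256 domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity (group identity)


def point_add(p1, p2):
    """Affine short-Weierstrass addition, with doubling and identity handled."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add; k == 0 yields INF."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def inv_mod_n_fermat(x: int) -> int:
    """Modelling assumption: an inverse computed as x^(n-2) mod n. Correct for
    1 <= x < n, but silently returns 0 for x == 0 instead of raising."""
    return pow(x, N - 2, N)


def sign(priv: int, msg: bytes, k: int):
    """Textbook ECDSA; k must be a fresh CSPRNG/RFC 6979 nonce in real use."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + r * priv) % N
    return (r, s)


def verify_unchecked(pub, msg: bytes, sig) -> bool:
    """Missing range check: (0, 0) verifies for ANY message and ANY key."""
    r, s = sig
    w = inv_mod_n_fermat(s)              # s == 0  ->  w == 0
    u1 = hash_to_int(msg) * w % N        # -> 0
    u2 = r * w % N                       # -> 0
    R = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))  # -> INF
    rx = 0 if R is INF else R[0]         # identity serialises as x == 0
    return rx % N == r                   # 0 == 0


def verify(pub, msg: bytes, sig) -> bool:
    """Hardened: reject r or s outside [1, n-1] before doing any arithmetic."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    u1 = hash_to_int(msg) * w % N
    u2 = r * w % N
    R = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    if R is INF:
        return False
    return R[0] % N == r
```

The same check is what any JWT (ES256), SAML or WebAuthn verifier built on top of a library should already get from that library; if you maintain a verifier, also reject signatures whose encoded r or s is longer than the curve order, since that is the other cheap way to smuggle out-of-range values past a decoder.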
Toni de la Fuente @ToniBlyx

I’m happy to share that I’m starting a new position as Founder of Prowler Open Source and Lead of Prowler Pro at Verica! #ProwlerPro #Prowler #opensource #awssecurity

blyx.com/2022/04/19/pro…

10 · Apr 19 · 3:13 PM
Scott Piper @0xdabbad00

Sometimes "the attack surface is the vulnerability - finding a bug there is just a detail" - @mdowd

Great presentation.

Aaron Grattafiori @dyn___

The great @mdowd keynote for offensivecon hit YouTube finally youtu.be/7Ysy6iA2sqA

9 · Apr 23 · 5:47 AM
Scott Piper @0xdabbad00

This is awesome to see a video walk-through of flaws.cloud to make learning AWS security even more accessible to folks. Nice work @daycyberwox!

daycyberwox @daycyberwox

☀️Happy Monday! This is my first installment of flaws.cloud by @0xdabbad00 from @SummitRoute.

☁️Through a series of levels we'll go over AWS Misconfigurations and how they could be possibly exploited.

Check it out!

👉🏾youtu.be/fEjAryrzLSQ

7 · Apr 18 · 10:03 PM
Clint Gibler @clintgibler

🐐 GitGoat

A learning and training project that demonstrates common config errors that can potentially allow adversaries to introduce code to prod

Can be used to test products that integrate with GitHub w/out exposing your assets

By @ArnicaIO

github.com/arnica-ext/Git…

11 · Apr 18 · 11:41 PM
Aidan W Steele @__steele

Today I am 0x21 hex-years old.

I know I am old because last night I slept not-perfectly-straight and this morning I woke up with back pain 😩

0 · Apr 25 · 4:56 AM
Aidan W Steele @__steele

Archie says I can’t go upstairs to my office until we’ve done at least another hour of cuddles

0 · Apr 22 · 12:59 AM
Clint Gibler @clintgibler

👀 Code Review Hotspots with Semgrep

@CryptoGangsta describes how to hone in on potentially vulnerable code during code review

Plenty of examples + how to build your own hotspot list

#pentesting #bugbountytips

parsiya.net/blog/2022-04-0…

5 · Apr 19 · 5:00 PM
Brigid Johnson @bjohnso5y

I find CDG (Paris) is the worst airport to connect through. I much prefer AMS (Amsterdam). AMS is easier to navigate, fewer buses, better and more food options, more bathrooms. If you have an option go AMS.

1 · Apr 25 · 9:36 AM
Nick Jones @nojonesuk

This is an awesome little conference, and the place to be if you’re into cloud security. Well worth attending if you can make it, and worth paying attention to the research released there regardless.

fwd:cloudsec @fwdcloudsec

Tickets for fwd:cloudsec go on sale today at noon ET for $100! Buy them at: eventbrite.com/e/fwdcloudsec-…

7 · Apr 18 · 6:37 PM
Why Cloud Security is important and how to enhance your Cloud Security posture

As companies continue to migrate to the cloud, understanding the security requirements for keeping data safe has become critical. Read this blog to learn why cloud security is important and how to enhance your cloud security posture: https://www.umbrellainfocare.com/blogs/its-time-to-beef-up-your-cloud-security-posture