• SRE Weekly Issue #322
• 📖 [The CloudSecList] Issue 137
• [tl;dr sec] #132 - Application Hacking Methodology, Pwning Cloudflare Pages
• Amazon Managed Grafana - 2 new 2 updated methods
• Amazon Elastic Compute Cloud - 2 updated methods
• AWSKendraFrontendService - 4 updated methods
• AWS Lambda - 13 updated methods
• Build a strong identity foundation that uses your existing on-premises Active Directory
• Getting started with AWS SSO delegated administration
• Establishing a data perimeter on AWS
Monday, May 16, 2022

📢 MAMIP (Monitor AWS Managed IAM Policies)

Policies changed since last week:

(Weekly diff)


👉🏻 From AWS Bots: 📃 MAMIP / 🤖 MASE / 👮🏻‍♂️ MGDA

Amazon Managed Grafana - 2 new 2 updated methods
May 13
This release adds APIs for creating and deleting API keys in an Amazon Managed Grafana workspace.
Amazon Elastic Compute Cloud - 2 updated methods
May 12
This release introduces a new target type, Gateway Load Balancer Endpoint, for mirrored traffic. Customers can now specify the GatewayLoadBalancerEndpoint option when creating a traffic mirror target.
AWSKendraFrontendService - 4 updated methods
May 12
Amazon Kendra now provides a data source connector for Jira. For more information, see https://docs.aws.amazon.com/kendra/latest/dg/data-source-jira.html
AWS Lambda - 13 updated methods
May 12
Lambda releases the Node.js 16 managed runtime, now available in all commercial regions.
Build a strong identity foundation that uses your existing on-premises Active Directory
Michael Miller · May 12
This blog post outlines how to use your existing Microsoft Active Directory (AD) to reliably authenticate access to your Amazon Web Services (AWS) accounts, infrastructure running on AWS, and third-party applications. The architecture we describe is designed to be highly available and extends access to your existing AD to AWS, …
Getting started with AWS SSO delegated administration
Chris Mercer · May 12
Recently, AWS launched the ability to delegate administration of AWS Single Sign-On (AWS SSO) in your AWS Organizations organization to a member account (an account other than the management account). This post will show you a practical approach to using this new feature. For the documentation for this feature, see …
Establishing a data perimeter on AWS
Ilya Epshteyn · May 10
For your sensitive data on AWS, you should implement security controls, including identity and access management, infrastructure security, and data protection. Amazon Web Services (AWS) recommends that you set up multiple accounts as your workloads grow to isolate applications and data that have specific security requirements. AWS tools can help …
ram: 2 updated actions
May 14
2 updated actions: CreateResourceShare (dependents), EnableSharingWithAwsOrganization (dependents)
appconfig: 1 updated condition, 1 updated action
May 14
1 updated condition: aws:TagKeys (type); 1 updated action: StartDeployment (conditions)
airflow: 1 updated condition
May 14
1 updated condition: aws:TagKeys (type)
Clint Gibler @clintgibler

🔥 Bug Hunter's Methodology: Application Hacking v1

#NahamCon2022 slides by @Jhaddix

* Tech profiling
* Finding CVEs & misconfigs
* Port scanning
* Content discovery
* Spidering
* Analyzing JavaScript & params

+tons of tools for ☝️

#bugbountytips

docs.google.com/presentation/d…

74 · May 11 · 7:00 PM
rowan @elrowan

First time I've seen a visual security maturity model from AWS maturitymodel.security.aws.dev/en/model/

The more colours the better! 😁

58 · May 16 · 2:02 AM
Scott Piper @0xdabbad00

By my count for Critical Azure incidents in the past 9 months (cross-tenant or unauth RCE) we're at:
🔥🔥🔥 3 Wiz (ChaosDB, OMIGOD, ExtraReplica, +1 High for NotLegit)
🔥🔥 2 Orca (AutoWarp, SynLapse)
🔥1 Palo Alto (Azurescape)

Tzah Pahima @TzahPahima

I was able to access #Azure user credentials and run code on other customers’ machines.
The vulnerability is called #SynLapse.

It was a vulnerability in Azure Synapse Analytics (@Azure_Synapse) & Azure Data Factory, exploiting a major flaw in the tenant separation.

(1/3)

48 · May 10 · 3:01 AM
Clint Gibler @clintgibler

📚 tl;dr sec 132
* @Jhaddix Bug Hunter’s Methodology: Application Hacking
* @devec0, @seanyeoh Pwning Cloudflare Pages
* @JackRhysider Why you should be blogging
* @hakluke Bypassing WAFs
* @florenciocano Scanning Dockerfiles with Semgrep

+ more!

tldrsec.com/blog/tldr-sec-…

36 · May 12 · 5:00 PM
Scott Piper @0xdabbad00

The tables in this blog post are very powerful for understanding when to use different controls and conditions keys. Awesome work by @IlyaEpshteyn

AWS Identity @AWSIdentity

Our new condition keys allow you to limit your principals’ access to include only resources belonging to a specific AWS account, AWS organization, or OU.

Learn how they can form part of a wider security strategy to create a perimeter around your data. 👇 go.aws/3w1KcDi

24 · May 11 · 4:54 AM
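The keys that tweet refers to are aws:ResourceAccount, aws:ResourceOrgID and aws:ResourceOrgPaths. They are evaluated against the account, organization or OU path that owns the resource a request targets, the mirror image of aws:PrincipalOrgID, which describes the caller. As an added example for this digest (not a policy taken from the AWS blog post or the tweet), here is a service control policy that uses two of them to keep your principals inside the perimeter; the statement IDs are ours and the account IDs 111122223333 and 444455556666 are placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyResourcesOutsideMyOrganization",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceOrgID": "${aws:PrincipalOrgID}"
        }
      }
    },
    {
      "Sid": "DenyS3OutsideDesignatedDataAccounts",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceAccount": [
            "111122223333",
            "444455556666"
          ]
        }
      }
    }
  ]
}
```

The first statement reads the caller's organization from the ${aws:PrincipalOrgID} policy variable, so one SCP serves every account without hard-coding the org ID. Two things to check before attaching it: aws:ResourceOrgID is absent from the request context when the owning account is not in any organization, and StringNotEquals evaluates to true when its key is missing, so this deny also covers AWS-owned resources that some services read on your behalf; attach the policy to a test OU first and carve out exceptions (a NotAction list or a narrower Action) for the actions that legitimately touch such resources. And SCPs never apply to the organization's management account, so that account stays outside the perimeter regardless.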
Dan Urson @notdurson

It's pronounced "Tenets." Like "Tennis" with a final "T." Not "Tenants".

4 · May 13 · 6:30 PM
Ian Mckay @iann0036

Some exciting changes currently in the RFC phase for CloudFormation. 😍

Ever wanted for-loops in CloudFormation? Now's your chance to have your say! twitter.com/AWSCloudFormer…

AWS CloudFormation @AWSCloudFormer

Today we launched a new repository that gives you the ability to start, comment, and contribute on #AWS #CloudFormation language improvement discussions. Get started and learn more here: go.aws/3kSWPdt

2 · May 10 · 1:29 AM
Brigid Johnson @bjohnso5y

Pickles went on his first field trip today! It was in the rain and we got wet. But we both loved it!

0 · May 16 · 12:45 AM
Kinnaird McQuade ⛅️🧨 @kmcquade3

My friend @anunbhatt wrote a 🔥 blog post outlining a security reference architecture for serverless in AWS. He runs the security reference architecture program at Salesforce. Highly recommend reading this.

Code: github.com/anunay-bhatt/s…

Blog post: anunay-bhatt.medium.com/security-refer…

Anunay Bhatt @anunbhatt

(1/3) A new article on #serverless security where I use a demo app and demonstrate the integration of security controls - medium.com/p/2fcd25b1d5e2. I hope the #cloudsecurity discussion here will be of help to developers in integrating security early on in their #serverless journey

3 · May 12 · 3:46 AM
My First Rust Lambda to DynamoDB with returned JSON through API Gateway

Update to the post:

A few users have asked for the code to this project. So here it is. Reminder, nothing is optimized - I'm still learning and haven't gotten to that point yet. And yes, a few items are hardcoded in this version as well. There are a couple …

Abuse Notice for Nessus Kali Penetration Testing from AWS

I am working for a penetration testing company. We have Nessus and Kali installed in AWS. We use them to perform penetration tests against our client targets outside of AWS. We keep getting abuse notices from Amazon, which is hampering our business performance. Is there a way to be a …

UML Use Cases Cloud security and management

Hey guys, I'm new to this and I'm sorry if it's the wrong sub. Can you help me find papers about UML use case diagrams for SaaS application security?

I'm in dev and I'm doing a paper about it.

The best example that I have found is outdated: example