SRE Weekly Issue #324 • 📖 [The CloudSecList] Issue 139 • [tl;dr sec] #134 - DevSecOps, Scalable Canary Tokens • Amazon Appflow - 3 updated methods • AWS DataSync - 2 updated methods • Amazon SageMaker Service - 11 updated methods • Amazon Elastic Compute Cloud - 24 updated methods • Spring 2022 SOC 2 Type I Privacy report now available • Updates to resilience in IAM • New global condition keys for resources


Monday, May 30, 2022

Sponsor

AWS Security Digest (ASD) is opening more sponsorship slots. The ASD audience is made up of 800+ cloud security aficionados, experts, doers, and decision-makers.

Contact us for more details

Amazon Appflow - 3 updated methods
May 27
Adds the following features and changes: Parquet output that preserves typing from the source connector, a failed-executions threshold before scheduled flows are deactivated, and an increase of the maximum access and refresh token size from 2048 to 4096.
AWS DataSync - 2 updated methods
May 27
AWS DataSync now supports TLS encryption in transit, file system policies and access points for EFS locations.
Amazon SageMaker Service - 11 updated methods
May 27
Amazon SageMaker Notebook Instances now allows configuration of Instance Metadata Service version and Amazon SageMaker Studio now supports G5 instance types.
Amazon Elastic Compute Cloud - 24 updated methods
May 26
C7g instances, powered by the latest generation AWS Graviton3 processors, provide the best price performance in Amazon EC2 for compute-intensive workloads.
Spring 2022 SOC 2 Type I Privacy report now available
Nimesh Ravasa · May 24
Your privacy considerations are at the core of our compliance work at Amazon Web Services (AWS), and we are focused on the protection of your content while using AWS services. Our Spring 2022 SOC 2 Type I Privacy report is now available, which provides customers with a third-party attestation of …
Updates to resilience in IAM
May 16
Added information about maintaining access to IAM credentials when an event disrupts communication between AWS Regions.
New global condition keys for resources
Apr 27
You can now control access to resources based on the account, Organizational Unit (OU), or organization in AWS Organizations that contains your resources. You can use the aws:ResourceAccount, aws:ResourceOrgID, and aws:ResourceOrgPaths global condition keys in an IAM policy.
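As an added example (not taken from the digest or from AWS documentation), an identity-based policy statement that denies all S3 actions against buckets owned by accounts outside your own organization, using the aws:ResourceOrgID key; the organization ID "o-exampleorgid" is a placeholder to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3AccessToResourcesOutsideMyOrg",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceOrgID": "o-exampleorgid"
        }
      }
    }
  ]
}
```

Because a negated operator such as StringNotEquals evaluates to true when the key is absent from the request context, this statement also denies requests whose target resource is owned by an account that is not in any organization (for example, a third-party bucket), which is usually the intended data-perimeter behaviour but should be checked before rollout.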
drs: 4 new actions, 1 new condition | 1 updated action
May 28
4 new actions: CreateConvertedSnapshotForDrs (Grants permission to create converted snapshot), CreateExtendedSourceServer (Grants permission to extend a source server), ListExtensibleSourceServers (Grants permission to list extensible source servers), ListStagingAccounts (Grants permission to list staging accounts); 1 new condition: drs:CreateAction (Filters access by the name of a resource-creating API action); 1 updated action: …
discovery: 1 new action | 2 updated actions
May 28
1 new action: GetNetworkConnectionGraph (Grants permission to GetNetworkConnectionGraph API. GetNetworkConnectionGraph accepts input list of one of - Ip Addresses, server ids or node ids. Returns a list of nodes and edges which help customer visualize network connection graph. This API is used for visualize network graph functionality in MigrationHub console); …
cognito-identity: 1 updated condition
May 28
1 updated condition: aws:TagKeys (type)
Nick Jones @nojonesuk

After taking a few days to reflect, I've compiled a review of the AWS security maturity model. TL;DR: It's a good start, but needs more work before I'd consider it fit for general use. For now, stick with @0xdabbad00's framework that we all know and love.

nojones.net/posts/a-review…

Corey Quinn @QuinnyPig

Infosec friends! AWS has put out a security model.

What did they get right / wrong? I have my thoughts, but I very much want to hear yours.

maturitymodel.security.aws.dev/en/model/

18 · May 24 · 9:28 PM
Clint Gibler @clintgibler

🗒️ Awesome Open Source Security Tools

A list of interesting open source security tools across a broad variety of topics

* Mobile security
* Cloud & containers
* CTF
* Forensics
* Reverse engineering
* Code analysis
* Firmware
* Fuzzing

+ more

github.com/CaledoniaProje…

20 · May 23 · 9:00 PM
Scott Piper @0xdabbad00

I was in Skull Valley this weekend and came across this nightmare fuel. This is my goto for when I need to describe something that is abandoned with only pain for those who enter. Like cloud resources that you’re not sure of the use for and if you can turn off.

5 · May 26 · 4:08 PM
Clint Gibler @clintgibler

🐙 Octopii

New open source tool to scan for PII: government IDs, passports, photos, signatures

Uses Tesseract's Optical Character Recognition (OCR) & Keras' Convolutional Neural Networks (CNN) models

By @RedHuntLabs

#osint #recon #bugbountytips

redhuntlabs.com/blog/octopii-a…

11 · May 25 · 11:08 PM
Steven Bryen @steven_bryen

Is anyone surprised at this VMware deal?

Their core product/revenue stream has been “legacy” for a good 5+ yrs. I know some good folks at VMware, but reality is I haven’t found a workload in the last 8+ yrs that cannot be hosted natively in AWS/Azure etc. 1/2

1 · May 27 · 10:43 PM
Scott Piper @0xdabbad00

This is the third HTTP request smuggling issue AWS has had that I know of, with @arkadiyt finding it in ALB in 2019[1], and @_danielthatcher finding it in API Gateway in 2021[2].

1. twitter.com/arkadiyt/statu…
2. intruder.io/research/pract…

Andrea Brancaleoni @nJoyneer

AWS story of a special security issue.

TL;DR I discovered an HTTP Header Smuggling
affecting AWS ELB Cache mechanism;
The Brave team helped triage it,
AWS fixed the issue.

Happily ever after!

A thread 🧵 1/N.

10 · May 26 · 9:13 PM
Steven Bryen @steven_bryen

Jubilee day at school 🇬🇧 Of course my kid wants to go as the Queen 👸😆

0 · May 27 · 2:51 PM
Rhino Security Labs @RhinoSecurity

New Rhino Blog Post: CVE-2022-25237: Bonitasoft Authorization Bypass and RCE
bit.ly/3a8NNGW

8 · May 24 · 5:04 PM
Dan Urson @notdurson

I lack the vocabulary to scream about the school shooting in Texas today.

What the actual fuck.

0 · May 25 · 2:13 AM
Zack Glick @z1g1

As I enter the 40th min on hold with my doctor, I promise if elected I will fight for legislation to mandate 1. All hold systems must offer a call back option and 2. A hold system can only play recorded messages telling you to go to the website or other ads for the first 2 min

2 · May 24 · 6:28 PM
CSA Cloud Controls Matrix (CCM)

Hello guys,

Long story short, my organization has adopted the Cloud Controls Matrix for its cloud assessment. The Cloud Controls Matrix was modified and adapted to our organization's needs. A few columns and extra information were added. However, it's getting out of hand to manage all these 200+ controls in an …