Issue #72
Monday · May 30, 2022
🥗 AWS security blogs
- Spring 2022 SOC 2 Type I Privacy report now available — Your privacy considerations are at the core of our compliance work at Amazon Web Services (AWS), and we are focused on the protection of your content while using AWS services. Our Spring 2022 SOC 2 Type I Privacy report is now available, which provides customers with a third-party attestation of …
🍛 Reddit threads on r/aws
- AWS Systems Manager announces support for port forwarding to remote hosts using Session Manager
- Properly Unit Testing Lambda Functions — With an Actual Production Example
- In a serverless architecture, is it best to handle all API methods of a single entity in one lambda function with one API endpoint, or create an API endpoint for each and a lambda as a result? — Let's say I have a serverless web app which uses Gateway API and Lambdas to communicate. I have an entity, say "TodoItem". What's conceptually more correct: 1. Create an endpoint /todo/{id} and a lambda ToDoItem where you will handle GETs, POSTs etc differently (i.e., you will return an item on …
- Announcing Multi-Account Support for AWS Transit Gateway Network Manager
- C7g instance family powered by Graviton3 launches — https://aws.amazon.com/ec2/instance-types/c7g/ https://aws.amazon.com/blogs/aws/new-amazon-ec2-c7g-instances-powered-by-aws-graviton3-processors/ https://aws.amazon.com/about-aws/whats-new/2022/05/amazon-ec2-c7g-instances-powered-aws-graviton3-processors/ Our experience at Honeycomb from our preview is 30%-40% better performance, the instances cost 7% more each, ~= 25%-35% better price-performance. https://www.honeycomb.io/blog/present-future-arm-aws-graviton-honeycomb/
📌 Newsletters
📌 AWS IAM Release Notes
- Updates to resilience in IAM — Added information about maintaining access to IAM credentials when an event disrupts communication between AWS Regions.
- New global condition keys for resources — You can now control access to resources based on the account, Organizational Unit (OU), or organization in AWS Organizations that contains your resources. You can use the aws:ResourceAccount, aws:ResourceOrgID, and aws:ResourceOrgPaths global condition keys in an IAM policy.
📌 Top Links from Security Folks
- Learning from AWS Customer Security Incidents [2022] — This show will discuss the public catalog of AWS Customer Security Incidents (https://github.com/ramimac/aws-customer-security-incidents), covering over twenty different public breaches. We’ll walk through the technical details …
- Learning from AWS (Customer) Security Breaches with Rami McCarthy — SHOW SPONSOR: As a special offer for the OWASP DevSlop audience, sign up for a free 2-week Datadog trial and receive a Datadog …
- AWS Startup Security Baseline (AWS SSB) — This guide provides a comprehensive set of controls for startups that want to establish a strong security foundation in the AWS Cloud.
📌 r/netsec
📌 r/cloudsecurity
- CSA Cloud Control Matrix (CCM) — Hello guys, long story short, my organization has adopted the Cloud Control Matrix for its cloud assessment. The Cloud Control Matrix was modified and adapted to our organization's needs. A few columns and extra information were added. However, it's getting out of hand to manage all these 200+ controls in an …
📌 "AWS Security" on Google News
🧁 IAM permission changes
- drs: 4 new actions, 1 new condition | 1 updated action — 4 new actions: CreateConvertedSnapshotForDrs (Grants permission to create converted snapshot), CreateExtendedSourceServer (Grants permission to extend a source server), ListExtensibleSourceServers (Grants permission to list extensible source servers), ListStagingAccounts (Grants permission to list staging accounts); 1 new condition: drs:CreateAction (Filters access by the name of a resource-creating API action); 1 updated action: …
- discovery: 1 new action | 2 updated actions — 1 new action: GetNetworkConnectionGraph (Grants permission to the GetNetworkConnectionGraph API. It accepts a list of one of: IP addresses, server IDs, or node IDs, and returns a list of nodes and edges that help the customer visualize a network connection graph. This API backs the network graph visualization in the MigrationHub console); …
- cognito-identity: 1 updated condition — 1 updated condition: aws:TagKeys (type)
🍪 API changes
- Amazon Appflow - 3 updated methods — Adding the following features/changes: Parquet output that preserves typing from the source connector, a failed-executions threshold before deactivation for scheduled flows, and an increase in the maximum size of access and refresh tokens from 2048 to 4096
- AWS DataSync - 2 updated methods — AWS DataSync now supports TLS encryption in transit, file system policies and access points for EFS locations.
- Amazon SageMaker Service - 11 updated methods — Amazon SageMaker Notebook Instances now allows configuration of Instance Metadata Service version and Amazon SageMaker Studio now supports G5 instance types.
- Amazon Elastic Compute Cloud - 24 updated methods — C7g instances, powered by the latest generation AWS Graviton3 processors, provide the best price performance in Amazon EC2 for compute-intensive workloads.