• SRE Weekly Issue #325
• [The CloudSecList] Issue 140
• [tl;dr sec] #135 - BSidesSF, Google's Cloud Forensics Utils
• AWS Backup Gateway - 2 new 1 updated methods
• Amazon Chime SDK Meetings - 2 new 5 updated methods
• Amazon Forecast Service - 10 updated methods
• Amazon Route 53 - 6 new 2 updated methods
• IAM policy types: How and when to use them
• Correlate IAM Access Analyzer findings with Amazon Macie
• AWS CSA Consensus Assessment Initiative Questionnaire version 4 now available
• AWS Security Profile: CJ Moses, CISO of AWS
• ec2: 1 new action | 31 updated actions, 1 updated resource
• connect: 6 new actions, 1 new resource
• backup-gateway: 2 new actions
• Breaking Into Cloud Security - Nick Jones
• GitHub - StyraInc/rego-style-guide: Style guide for Rego
• AWS Startup Security Baseline (AWS SSB)
• Version 1 of the AWS Cloud Development Kit (AWS CDK) is now in maintenance mode
• Using The "X-Amzn-Trace-Id" Header For Request Tracing Through Amazon's Load Balancers
• adhoc remote execution in aws lambda
• Amazon EMR Serverless is now generally available
• Something confuses me: When leveraging EKS or k8s in general, when do you run your databases inside of K8s and when do you use a managed database service like Aurora or DynamoDB?
• New Zero-Day Code Execution Vulnerability In MS Office - Follina
• Using Python to unearth a goldmine of threat intelligence from leaked chat logs
• Cloud Security Community
• SentinelOne Announces Integration with AWS Security Hub - Business Wire
• Ermetic Achieves AWS Security Competency Status - Business Wire


Monday, June 6, 2022

Sponsor

Tackle your unused AWS assets, mistakenly left active, with unusd.cloud, and react before the end-of-month bill 💸

In just a few minutes, you will be able to add your AWS account, start the analysis, and get reports on Slack, MS Teams, or by email.

Try now, it's free for the first 30 days.

AWS Backup Gateway - 2 new 1 updated methods
Jun 1
Adds GetGateway and UpdateGatewaySoftwareNow API and adds hypervisor name to UpdateHypervisor API
Amazon Chime SDK Meetings - 2 new 5 updated methods
Jun 1
Adds support for centrally controlling each participant's ability to send and receive audio, video and screen share within a WebRTC session. Attendee capabilities can be specified when the attendee is created and updated during the session with the new BatchUpdateAttendeeCapabilitiesExcept API.
Amazon Forecast Service - 10 updated methods
Jun 1
Added Format field to Import and Export APIs in Amazon Forecast. Added TimeSeriesSelector to Create Forecast API.
Amazon Route 53 - 6 new 2 updated methods
Jun 1
Add new APIs to support Route 53 IP Based Routing

Sponsor

Supercharge your developer productivity with the Codiga Coding Assistant.

Share code snippets and good coding practices with the Codiga Coding Assistant. With the Codiga Coding Assistant, you can create, use and share smart code snippets with your team from your IDE.

Codiga works for 15 languages and has integrations for VS Code and IntelliJ. Codiga is free for individuals and for teams with fewer than 5 developers.

IAM policy types: How and when to use them
Matt Luttrell · Jun 3
You manage access in AWS by creating policies and attaching them to AWS Identity and Access Management (IAM) principals (roles, users, or groups of users) or AWS resources. AWS evaluates these policies when an IAM principal makes a request, such as uploading an object to an Amazon Simple Storage Service …
Correlate IAM Access Analyzer findings with Amazon Macie
Nihar Das · Jun 3
In this blog post, you’ll learn how to detect when unintended access has been granted to sensitive data in Amazon Simple Storage Service (Amazon S3) buckets in your Amazon Web Services (AWS) accounts. It’s critical for your enterprise to understand where sensitive data is stored in your organization and how …
AWS CSA Consensus Assessment Initiative Questionnaire version 4 now available
Sonali Vaidya · Jun 2
Amazon Web Services (AWS) has published an updated version of the AWS Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ). The questionnaire has been completed using the current CSA CAIQ standard, v4.0.2 (06.07.2021 update), and is now available for download. The CSA is a not-for-profit organization dedicated to “defining …
AWS Security Profile: CJ Moses, CISO of AWS
Maddie Bacon · Jun 2
In the AWS Security Profile series, I interview the people who work in Amazon Web Services (AWS) Security and help keep our customers safe and secure. This interview is with CJ Moses—previously the AWS Deputy Chief Information Security Officer (CISO), he began his role as CISO of AWS in February …
ec2: 1 new action | 31 updated actions, 1 updated resource
Jun 4
1 new action: GetInstanceUefiData (Grants permission to retrieve the binary representation of the UEFI variable store); 31 updated actions: AssociateAddress (conditions), AssociateIamInstanceProfile (conditions), AttachNetworkInterface (conditions), AttachVolume (conditions), CreateImage (conditions), CreateInstanceExportTask (conditions), CreateReplaceRootVolumeTask (conditions), CreateTags (conditions), CreateTrafficMirrorTarget (conditions, resources), DescribeInstanceAttribute (conditions), DetachNetworkInterface (conditions), DetachVolume (conditions), DisassociateIamInstanceProfile (conditions), GetConsoleOutput (conditions), GetConsoleScreenshot (conditions), …
connect: 6 new actions, 1 new resource
Jun 4
6 new actions: CreateTaskTemplate (Grants permission to create a task template in an Amazon Connect instance), DeleteTaskTemplate (Grants permission to delete a task template in an Amazon Connect instance), GetTaskTemplate (Grants permission to get details about specified task template in an Amazon Connect instance), ListTaskTemplates (Grants permission to list task …
backup-gateway: 2 new actions
Jun 3
2 new actions: GetGateway (Grants permission to GetGateway), UpdateGatewaySoftwareNow (Grants permission to UpdateGatewaySoftwareNow)
Nick Jones @nojonesuk

How to get into cloud security based on my own experiences, and on mentoring and hiring over the last few years. I've focused on how to make yourself a success in the field, rather than just the technical knowledge required: nojones.net/posts/breaking…

75 · May 30 · 8:06 PM
Christophe @christophetd

The Datadog security research team has put together a sample vulnerable setup, along with a walkthrough of exploiting the Confluence RCE.

"docker-compose up" and you can easily reproduce it!
github.com/DataDog/securi…

35 · Jun 04 · 6:41 PM
Christophe @christophetd

Securing an AWS environment can feel overwhelming.

I'm a big believer in threat-informed defense, looking at how companies get hacked on AWS to prioritize the security investments.

Check out my (beginner-friendly) talk: docs.google.com/presentation/d…

30 · Jun 03 · 10:45 AM
Ben Reser @BenReser

I found a security vulnerability in Amazon Managed Workflows for Apache Airflow (MWAA). It's been fixed, so now I can talk about it. Specifically, there are two API calls that the service uses to convert AWS IAM credentials into tokens that can be used to log in to Airflow. #AWS

20 · May 31 · 8:54 PM
Clint Gibler @clintgibler

💡Damn Vulnerable Web Sockets Walkthrough

Up your testing skillz

Brute forcing the login, CSRF, file inclusion, error and blind SQL injection, and stored XSS

Source: github.com/interference-s…

#bugbountytips #bugbounty

mmmds.pl/Damn-Vulnerabl…

34 · May 31 · 5:00 PM
Aidan W Steele @__steele

It's that time of afternoon when all of Japanese tech twitter and me down tools because GitHub is offline.

14 · Jun 02 · 6:43 AM
Victor Grenu @zoph

For a few months, I have worked to transform a side project into a SaaS product. It's called 💸 unusd.cloud, and it will help you to tackle unused AWS assets you forget to turn off.

It acts as a garbage collector 🚚 for operational teams. 👇

1/6

15 · May 31 · 5:30 PM
Clint Gibler @clintgibler

📖 Software Supply Chain Security Reading List

A list of resources covering:
* Policy
* Incidents/threats
* Solutions
* Organizations
* Background
* Reports and summaries

By @chainguard_dev

github.com/chainguard-dev…

20 · May 30 · 11:00 PM
Aidan W Steele @__steele

This is very exciting for people using .Net Core on AWS Lambda. 20-70% faster cold starts 🤯

Norm Johanson @socketnorm

We have been experimenting with .NET's preview AOT support for improving Lambda cold start. For some scenarios we are seeing big improvements.

Here is a repo showing how we are testing, and we would love to hear more from the community about their experience.

github.com/awslabs/dotnet…

16 · Jun 02 · 9:53 AM
Marco Lancini @lancinimarco

🔖 AWS Startup Security Baseline (AWS SSB): a comprehensive set of controls for startups that want to establish a strong security foundation in AWS docs.aws.amazon.com/prescriptive-g…

11 · May 30 · 9:00 PM
Cloud Security Community

I made a community focused on cloud security, mostly on Twitter, to stay updated. Feel free to join and share your knowledge in the community. Thank you! Link:

https://twitter.com/i/communities/1503652337260249089