In this issue:

• SRE Weekly Issue #326
• 📖 [The CloudSecList] Issue 141
• [tl;dr sec] #136 - Career Advice, Scaling AppSec at Netflix
• AWS Notification Message
• AWS Database Migration Service - 9 new methods
• AWSMainframeModernization - 32 new methods
• Amazon Neptune - 6 new, 3 updated methods
• Amazon Redshift - 1 new method
• Introducing a new AWS whitepaper: Does data localization cause more problems than it solves?
• Use Amazon Cognito to add claims to an identity token for fine-grained authorization
• AWS HITRUST Shared Responsibility Matrix version 1.2 now available
• AWS achieves ISO 22301:2019 certification
• U2F deprecation and WebAuthn/FIDO update
• connect-campaigns: 4 new actions | 1 updated condition, 1 updated action
• m2: 32 new actions, 2 new resources, 3 new conditions
• appsync: 1 updated condition
• GitHub - hexops/dockerfile: Dockerfile best-practices for writing production-worthy Docker images.
• IAM policy types: How and when to use them | Amazon Web Services
• A Deep Dive into Temporal's Access Control Strategy in AWS | Temporal Documentation
• Update detected · z0ph/MAMIP@cd761d6
• 📺 NahamCon 2022 Playlist, featuring 🔥 talks by @seanyeoh, @devec0, @infosec_au, @Codingo, @zseano, @samwcyo, @gregxsunday, @Farah_Hawaa, and @Jhaddix #bugbounty #bugbountytips youtube.com/playlist?list=…
• It's official: I'm writing a book! 📖 "The CloudSec Engineer" will be a book on how to enter, establish yourself, and thrive in the cloud security industry as an individual contributor. 1/
• 🔖 AWS-Threat-Simulation-and-Detection: playing around with Stratus Red Team (Cloud Attack simulation tool) and SumoLogic. github.com/sbasu7241/AWS-…
• At #RSAC22 with my friend George, CISO of Apple, promoting #MoreThanAPassword. @CISAJen @CISAgov
• 🧑‍🎓 Security Study Plan: a complete practical study plan to become a successful security professional in pen testing, AppSec, cloud security, DevSecOps and more. By @jassics github.com/jassics/securi…
• You asked, we heard you: look what is coming in Prowler: 4 times faster execution and Python support! Look at this test by @sergargar1 😍 🚀
• The remote control car service gets the budget controls everyone else has been asking for because it impacts AWS's marketing budget. 😐
• For anyone looking to attend fwd:cloudsec: speaker acceptances will be going out soon. We've got a strong line-up, but it does mean only about 20-25 additional tickets will be available. Mark your calendar: they go on sale June 13th at 5pm ET and will sell out fast.
• How the fuck did I live without observability tools in serverless
• New post about IAM policy types from AWS aws.amazon.com/blogs/security… As a writer, it's always interesting to see how others cover complex topics. This is very different to how I cover it in my awsiamguide.com, but I do like the policy examples they've included.
• My approach to building ad hoc developer environments using AWS ECS, Terraform and GitHub Actions (article link and diagram description in comments)
• The AWS Health Dashboard can't be trusted
• us-east-1 - outage
• How can I automate my AWS EC2 Minecraft server so that it is only running when people are online?
• Announcing AWS Cost Allocation Tag API
• I made a browser extension that spoofs your location data to match your VPN. It can also spoof your user agent.
• People's Republic of China State-Sponsored Actors Exploit Network Providers and Devices
• Need help landing my first cloud security job. Will pay.
• Credentials for thousands of open source projects free for the taking, again! - Ars Technica
• AWS, Azure and GCP: The Ultimate IAM Comparison - Security Boulevard

Monday, June 13, 2022

📢 MAMIP (Monitor AWS Managed IAM Policies)

Policies changed since last week:

Weekly diff

👉🏻 From AWS Bots: 📃 MAMIP / 🤖 MASE / 👮🏻‍♂️ MGDA

Sponsor

Tackle your unused AWS assets, mistakenly left active, with unusd.cloud, and react before the end-of-month bill 💸

In just a few minutes, you will be able to add your AWS account, start the analysis, and get reports on Slack, MS Teams, or by email.

Try now, it's free for the first 30 days.

AWS Database Migration Service - 9 new methods
Jun 8
This release adds DMS Fleet Advisor APIs and exposes functionality for DMS Fleet Advisor. It adds functionality to create and modify fleet advisor instances, and to collect and analyze information about the local data infrastructure.
AWSMainframeModernization - 32 new methods
Jun 8
AWS Mainframe Modernization service is a managed mainframe service and set of tools for planning, migrating, modernizing, and running mainframe workloads on AWS.
Amazon Neptune - 6 new, 3 updated methods
Jun 8
This release adds support for Neptune to be configured as a global database, with a primary DB cluster in one region, and up to five secondary DB clusters in other regions.
Amazon Redshift - 1 new method
Jun 8
Adds new API GetClusterCredentialsWithIAM to return temporary credentials.
Introducing a new AWS whitepaper: Does data localization cause more problems than it solves?
Jana Kay · Jun 10
Amazon Web Services (AWS) recently released a new whitepaper, Does data localization cause more problems than it solves?, as part of the AWS Innovating Securely briefing series. The whitepaper draws on research from Emily Wu’s paper Sovereignty and Data Localization, published by Harvard University’s Belfer Center, and describes how countries …
Use Amazon Cognito to add claims to an identity token for fine-grained authorization
Ajit Ambike · Jun 8
With Amazon Cognito, you can quickly add user sign-up, sign-in, and access control to your web and mobile applications. After a user signs in successfully, Cognito generates an identity token for user authorization. The service provides a pre token generation trigger, which you can use to customize identity token claims …
AWS HITRUST Shared Responsibility Matrix version 1.2 now available
Sonali Vaidya · Jun 7
The latest version of the AWS HITRUST Shared Responsibility Matrix is now available to download. Version 1.2 is based on HITRUST MyCSF version 9.4[r2] and was released by HITRUST on April 20, 2022. AWS worked with HITRUST to update the Shared Responsibility Matrix and to add new controls based on …
AWS achieves ISO 22301:2019 certification
Sonali Vaidya · Jun 7
We’re excited to announce that Amazon Web Services (AWS) has successfully achieved ISO 22301:2019 certification without audit findings. ISO 22301:2019 is a rigorous third-party independent assessment of the international standard for Business Continuity Management (BCM). Published by the International Organization for Standardization (ISO), ISO 22301:2019 is designed to help organizations …
U2F deprecation and WebAuthn/FIDO update
May 31
Removed mentions of U2F as an MFA option and added information about WebAuthn, FIDO2, and FIDO security keys.
connect-campaigns: 4 new actions | 1 updated condition, 1 updated action
Jun 10
4 new actions: DeleteConnectInstanceConfig (Grants permission to remove configuration information for an Amazon Connect instance), DeleteInstanceOnboardingJob (Grants permission to remove onboarding job for an Amazon Connect instance), GetConnectInstanceConfig (Grants permission to get configuration information for an Amazon Connect instance), StartInstanceOnboardingJob (Grants permission to start onboarding job for an Amazon Connect …
m2: 32 new actions, 2 new resources, 3 new conditions
Jun 10
32 new actions: CancelBatchJobExecution (Grants permission to cancel the execution of a batch job), CreateApplication (Grants permission to create an application), CreateDataSetImportTask (Grants permission to create a data set import task), CreateDeployment (Grants permission to create a deployment), CreateEnvironment (Grants permission to Create an environment), DeleteApplication (Grants permission to delete …
appsync: 1 updated condition
Jun 9
1 updated condition: aws:TagKeys (type)
Marco Lancini @lancinimarco

It's official: I'm writing a book! 📖

"The CloudSec Engineer" will be a book on how to enter, establish yourself, and thrive in the cloud security industry as an individual contributor.

1/

10 · Jun 11 · 4:00 PM

Marco Lancini @lancinimarco

🔖 AWS-Threat-Simulation-and-Detection

Playing around with Stratus Red Team (Cloud Attack simulation tool) and SumoLogic.
github.com/sbasu7241/AWS-…

14 · Jun 07 · 11:27 PM

Clint Gibler @clintgibler

🧑‍🎓 Security Study Plan

A complete practical study plan to become a successful security professional in:
* Pen testing
* AppSec
* Cloud Security
* DevSecOps

and more

By @jassics

github.com/jassics/securi…

4 · Jun 10 · 7:00 PM

Toni de la Fuente @ToniBlyx

You asked, we heard you: look what is coming in Prowler: 4 times faster execution and Python support! Look at this test by @sergargar1 😍 🚀

9 · Jun 09 · 7:13 PM

Scott Piper @0xdabbad00

The remote control car service gets the budget controls everyone else has been asking for because it impacts AWS's marketing budget. 😐

What's New on AWS (Unofficial) @awswhatsnew

AWS DeepRacer introduces quota management

AWS DeepRacer Multi-user mode provides an exciting way for organizations to sponsor multiple AWS DeepRacer participants under one AWS account. Until now, AWS DeepRacer event organizers lacked ways to preemp... aws.amazon.com/about-aws/what…

4 · Jun 06 · 10:17 PM

Chris Farris @jcfarris

For anyone looking to attend fwd:cloudsec: speaker acceptances will be going out soon. We've got a strong line-up, but it does mean only about 20-25 additional tickets will be available. Mark your calendar: they go on sale June 13th at 5pm ET and will sell out fast.

5 · Jun 07 · 12:54 AM

Kinnaird McQuade ⛅️🧨 @kmcquade3

How the fuck did I live without observability tools in serverless

0 · Jun 09 · 5:11 AM

rowan @elrowan

New post about IAM policy types from AWS aws.amazon.com/blogs/security…

As a writer, it's always interesting to see how others cover complex topics. This is very different to how I cover it in my awsiamguide.com, but I do like the policy examples they've included.

2 · Jun 08 · 1:55 AM