SRE Weekly Issue #327 • 📖 [The CloudSecList] Issue 142 • [tl;dr sec] #137 - Malicious Terraform, How GitHub uses Dependabot • Amazon Connect Service - 3 updated methods • AmazonConnectCampaignService - 22 new methods • Redshift Data API Service - 7 updated methods • Redshift Serverless - 37 new methods • AWS HITRUST Inheritance: What customers should know • AWS and the UK rules on operational resilience and outsourcing • A sneak peek at the identity and access management sessions for AWS re:Inforce 2022 • How to secure an enterprise scale ACM Private CA hierarchy for automotive and manufacturing • lightsail: 1 new action | 63 updated actions, 3 updated resources • servicecatalog: 1 new action | 1 updated action • rbin: 2 new conditions | 8 updated actions • The Philosphy of Prevention - Chris Farris • A Deep Dive into Temporal's Access Control Strategy in AWS | Temporal Documentation • [tl;dr sec] #137 - Malicious Terraform, How GitHub uses Dependabot, Democratizing Security Detection • CloudSecList • The <a href="https://twitter.com/HashiCorp" target="_blank">@HashiCorp</a> Terraform AWS provider has just hit 1,000 resource types, beating <a href="https://twitter.com/AWSCloudFormer" target="_blank">@AWSCloudFormer</a> after a surge in 2021. CloudFormation currently trails by 80 types. Congrats to all the contributors of the AWS provider! 🎉 • Three steps to troubleshooting in Cloud: 1. It's not IAM 2. There's no way it's IAM 3. It was IAM • 🔖 Use CloudTrail to Pivot to AWS Accounts How to utilize the AWS CloudTrail service to discover other AWS accounts that you could pivot to. From <a href="https://twitter.com/bishopfox" target="_blank">@bishopfox</a> <a href="https://t.co/AR5HY09DoC" target="_blank">bishopfox.com/blog/cloudtrai…</a> • 5 years ago today I started a 2 week solo road trip around Ukraine 🇺🇦. Write your politicians to continue supporting Ukraine. • Listen to Koz. If you need to report or escalate an event, state the facts and be right, a lot. Hyperbole never pays off in the long term. Holds true for coordinated disclosure as well. • 🤖 How we use Dependabot to secure GitHub How <a href="https://twitter.com/github" target="_blank">@github</a>’s ProdSec rolled out Dependabot and how they track and prioritize tech debt 💯 post on effectively rolling out any security tooling at a company (not just SCA) <a href="https://t.co/e11cyZ22Df" target="_blank">github.blog/2022-05-25-how…</a> • AWS KMS everywhere is a money grab not a security strategy • Looking for people that use Prowler custom checks to give me feedback for the next version of Prowler. I’ll put a Prowler Pro hat in your mailbox. If you are interested, please, fill out this form <a href="https://t.co/Vwvltne6Nv" target="_blank">verica-io.typeform.com/to/FTZv1kmy</a> • TIL that people in the USA get fixed-rate mortgages.. for the lifetime of the loan? And this is the typical arrangement? Here in Australia the vast majority of home loans are variable rate (I think that’s ARM in USA-speak?). When people do fix, it’s for &lt;5 years. • Finally. • Switch to VPC Endpoints from NAT Gateways to Reduce Bandwidth Charges • Adventures in AWS Lambda Land - a Migration Gone Well • A 12-step guide to AWS cost optimisation • How AWS helped Safeguarding Ukraine’s data to preserve its present and build its future • Resoto – create an inventory of your cloud, and react to changes in your infrastructure • Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu • I have created a burp suite extension which allows pentester to keep track of each APIs, write test cases for individual APIs. Lastly the extension allows to map the vulnerable apis to the list of vulnerabilities using a custom checklist. • ORACLE CLOUD SECURITY FLAW? An unprivileged user can query information about all cloud service (with ids, admin emails, public ssh keys...) without any policy allowing it, and NO WAY TO BLOCK IT. • Raytheon Vet David Appel Named AWS National Security VP - GovCon Wire • AWS Security Insights Summit - Virtualization Review