Issue #75
Monday · June 20, 2022
AWS security blogs
- AWS HITRUST Inheritance: What customers should know – As an Amazon Web Services (AWS) customer, you don't have to assess the controls that you inherit from the AWS HITRUST Validated Assessment Questionnaire, because AWS already has completed HITRUST assessment using version 9.4 in 2021. You can deploy your environments onto AWS and inherit our HITRUST CSF certification, provided …
- AWS and the UK rules on operational resilience and outsourcing – Financial institutions across the globe use Amazon Web Services (AWS) to transform the way they do business. Regulations continue to evolve in this space, and we're working hard to help customers proactively respond to new rules and guidelines. In many cases, the AWS Cloud makes it simpler than ever before to …
- A sneak peek at the identity and access management sessions for AWS re:Inforce 2022 – Register now with discount code SALFNj7FaRe to get $150 off your full conference pass to AWS re:Inforce. For a limited time only and while supplies last. AWS re:Inforce 2022 will take place in-person in Boston, MA, on July 26 and 27 and will include some exciting identity and access management …
- How to secure an enterprise scale ACM Private CA hierarchy for automotive and manufacturing – In this post, we show how you can use the AWS Certificate Manager Private Certificate Authority (ACM Private CA) to help follow security best practices when you build a CA hierarchy. This blog post walks through certificate authority (CA) lifecycle management topics, including an architecture overview, centralized security, separation of …
Reddit threads on r/aws
- Switch to VPC Endpoints from NAT Gateways to Reduce Bandwidth Charges
- Adventures in AWS Lambda Land - a Migration Gone Well
- A 12-step guide to AWS cost optimisation
- How AWS helped Safeguarding Ukraine's data to preserve its present and build its future
- Resoto – create an inventory of your cloud, and react to changes in your infrastructure
Newsletters
Top Links from Security Folks
- The Philosophy of Prevention - Chris Farris – I discuss the limitations and use-cases for SCPs and auto-remediation tools
- A Deep Dive into Temporal's Access Control Strategy in AWS | Temporal Documentation – This blog post gives some insight into Temporal's strategy for securing our cloud environment. It also calls attention to an unexpected facet of AWS access …
- [tl;dr sec] #137 - Malicious Terraform, How GitHub uses Dependabot, Democratizing Security Detection – How to defend against malicious Terraform, great tips from GitHub on effectively rolling out security tooling, and Palantir on building a scalable detection and response …
- CloudSecList – The Cloud Security Reading List
r/netsec
- Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu
- I have created a Burp Suite extension which allows pentesters to keep track of each API and write test cases for individual APIs. Lastly, the extension allows mapping the vulnerable APIs to the list of vulnerabilities using a custom checklist.
r/cloudsecurity
- ORACLE CLOUD SECURITY FLAW? An unprivileged user can query information about all cloud services (with ids, admin emails, public ssh keys...) without any policy allowing it, and NO WAY TO BLOCK IT. – An unprivileged user can use OCI to query any information about the cloud without any policy allowing it. Oracle let it happen by default and after almost 2 weeks talking with their support, they are not considering this as a security problem. What's your opinion? Check it: $ oci …
IAM permission changes
- lightsail: 1 new action | 63 updated actions, 3 updated resources – 1 new action: GetLoadBalancerTlsPolicies (Grants permission to get a list of TLS security policies that you can apply to Lightsail load balancers); 63 updated actions: CreateDiskSnapshot (resources), DeleteDiskSnapshot (resources), CreateDiskFromSnapshot (resources), CreateRelationalDatabaseFromSnapshot (resources), CreateCertificate (conditions, resources), CreateContainerService (conditions, resources), CreateDistribution (conditions, resources), ExportSnapshot (resources, dependents), GetRelationalDatabaseMasterUserPassword (resources), TagResource (resources), UntagResource …
- servicecatalog: 1 new action | 1 updated action – 1 new action: ListAttributeGroupsForApplication (Grants permission to list the associated attribute groups for a given application); 1 updated action: AssociateResource (dependents)
- rbin: 2 new conditions | 8 updated actions – 2 new conditions: rbin:Attribute/ResourceType (Filters access by the resource type of the existing rule), rbin:Request/ResourceType (Filters access by the resource type in a request); 8 updated actions: TagResource (conditions), UntagResource (conditions), CreateRule (conditions), DeleteRule (conditions), GetRule (conditions), ListRules (conditions), ListTagsForResource (conditions), UpdateRule (conditions)
API changes
- Amazon Connect Service - 3 updated methods – This release updates these APIs: UpdateInstanceAttribute, DescribeInstanceAttribute and ListInstanceAttributes. You can use it to programmatically enable/disable High volume outbound communications using attribute type HIGH_VOLUME_OUTBOUND on the specified Amazon Connect instance.
- AmazonConnectCampaignService - 22 new methods – Added Amazon Connect high volume outbound communications SDK.
- Redshift Data API Service - 7 updated methods – This release adds a new --workgroup-name field to operations that connect to an endpoint. Customers can now execute queries against their serverless workgroups.
- Redshift Serverless - 37 new methods – Add new API operations for Amazon Redshift Serverless, a new way of using Amazon Redshift without needing to manually manage provisioned clusters. The new operations let you interact with Redshift Serverless resources, such as create snapshots, list VPC endpoints, delete resource policies, and more.