SRE Weekly Issue #329 • 📖 [The CloudSecList] Issue 144 • [tl;dr sec] #139 - 60 RCE in 60 minutes, Free Sigstore Course • AWS Notification Message • Amazon Athena - 1 new 3 updated methods • Amazon Connect Customer Profiles - 5 updated methods • Amazon EMR - 2 updated methods • AWS Glue - 1 updated methods • AWS achieves the first OSCAL format system security plan submission to FedRAMP • TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints


Monday, July 4, 2022

In a nutshell

More and more of you are subscribing to ASD, and I want to thank you folks. To better understand your expectations, I've created a short survey (1 min): AWS Security Digest Survey.

Notable move: the "csp-security-mistakes" community repository started by Scott has become a more usable, better-looking website, led by the Wiz.io folks. It's called "Open CVDB". Here's a direct link to the AWS Mistakes.

Amazon Athena - 1 new, 3 updated methods
Jun 30
This feature introduces API support for Athena parameterized queries and the BatchGetPreparedStatement API.
Amazon Connect Customer Profiles - 5 updated methods
Jun 30
This release adds the optional MinAllowedConfidenceScoreForMerging parameter to the CreateDomain, UpdateDomain, and GetAutoMergingPreview APIs in Customer Profiles. This parameter is used as a threshold to influence the profile auto-merging step of the Identity Resolution process.
Amazon EMR - 2 updated methods
Jun 30
This release adds support for the ExecutionRoleArn parameter in the AddJobFlowSteps and DescribeStep APIs. Customers can use ExecutionRoleArn to specify the IAM role used for each job they submit using the AddJobFlowSteps API.
AWS Glue - 1 updated method
Jun 30
This release adds tags as an input to CreateDatabase.
AWS achieves the first OSCAL format system security plan submission to FedRAMP
Matthew Donkin · Jun 30
Amazon Web Services (AWS) is the first cloud service provider to produce an Open Security Control Assessment Language (OSCAL)–formatted system security plan (SSP) for the FedRAMP Project Management Office (PMO). OSCAL is the first step in the AWS effort to automate security documentation to simplify our customers’ journey through cloud …
TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints
Janelle Hopper · Jun 28
At Amazon Web Services (AWS), we continuously innovate to deliver you a cloud computing environment that works to help meet the requirements of the most security-sensitive organizations. To respond to evolving technology and regulatory standards for Transport Layer Security (TLS), we will be updating the TLS configuration for all AWS …

Sponsor

I see many stories of students going through a tough spot because of an unexpected AWS bill 💸.

As a student, during your apprenticeship, or while preparing for your AWS certifications, you will probably create an AWS Free-tier account and use it to manipulate and create cloud resources.

To catch resources you forgot to turn off in your accounts, I've created a SaaS product called unusd.cloud.

unusd allows you to receive a notification 💌 when an unused resource is detected: EC2, RDS, Glue DevEndpoints, EIP, EBS Volumes, Redshift Clusters, SageMaker Notebooks. It also provides visibility into current and forecasted (end-of-month) spending.

PS: It’s free (forever) for a single AWS Account.

wellarchitected: 1 new action
Jul 2
1 new action: UpdateGlobalSettings (Grants permission to update settings to enable aws-organization support)
forecast: 6 new actions, 1 new resource | 2 updated actions
Jul 1
6 new actions: CreateMonitor (Grants permission to create a monitor using a Predictor resource), DeleteMonitor (Grants permission to delete a monitor resource), DescribeMonitor (Grants permission to describe a monitor resource), ListMonitorEvaluations (Grants permission to list all the monitor evaluation results for a monitor), ListMonitors (Grants permission to list all the …
sagemaker-groundtruth-synthetic: 7 new actions
Jul 1
7 new actions: CreateProject (Grants permission to create a project), DeleteProject (Grants permission to delete a project), GetBatch (Grants permission to get a batch), GetProject (Grants permission to get a project), ListBatchSummaries (Grants permission to list batch summaries), ListProjectSummaries (Grants permission to list project summaries), UpdateBatch (Grants permission to update …
Clint Gibler @clintgibler

tl;dr sec 139
* @TheLaluka 60 RCE in 60 min
* @lisaironcutter Free @projectsigstore course
* @orcasec Cloud Risk Encyclopedia
* @apps3c Semgrep rules for PHP
* SLSA 3 @golang GitHub Action
* @nirohfeld, @shirtamari Cloud service provider agent security

tldrsec.com/blog/tldr-sec-…

Jun 30 · 5:00 PM
Christophe @christophetd

New blog post! ☁️ MiTM at the Edge - Abusing Cloudflare Workers

blog.christophetd.fr/abusing-cloudf…

🧵⬇️

Jun 29 · 12:36 AM
Scott Piper @0xdabbad00

I'm thrilled to see the list of cloud provider security mistakes that I was maintaining as a list in a github repo turned into a more community driven and easier to consume site! From day one people had wanted easier searching, sorting, and filtering, and this will enable that.

Alon @41thexplorer

Today @AmitaiCo, @0xdabbad00 and I are launching a new website to list cloud vulnerabilities and CSP security issues. The website will be driven by the community, enabling cloud defenders to search and view essential info about cloud vulnerabilities cloudvulndb.org 1/6

Jun 28 · 3:33 PM
Aidan W Steele @__steele

Later this month I will be travelling 17,000km to AWS re:inforce in Boston.

Who else is going? We should catch up. I’d love to meet new people in person for the first time in a loooong time. Reply or DM if you’re interested! I promise I’m nice. 😅

Jul 01 · 3:20 AM
Clint Gibler @clintgibler

🎓 Securing Your Software Supply Chain with @projectsigstore

New 🎉free course🎉 with hands-on labs and code examples

From @LF_Training, @lisaironcutter, John Speed Meyers, @chainguard_dev

blog.chainguard.dev/get-started-wi…

Jun 29 · 7:00 PM
Marco Lancini @lancinimarco

🔖 Google Cloud Security Overview

A bird’s eye view of the Google Cloud Security Services, illustrated via sketchnotes

cloud.google.com/blog/topics/de…

Jun 29 · 10:00 PM
Aidan W Steele @__steele

Autocorrect has got my mum thinking my life is way cooler than it actually is.

Jun 30 · 3:04 PM
rowan @elrowan

There's a companion workshop to the AWS data perimeter whitepaper catalog.us-east-1.prod.workshops.aws/workshops/a11f…

It's a good idea to go through this, especially if you're moving from on-premises to the cloud

Jun 29 · 1:55 AM
Scott Piper @0xdabbad00

The behind-the-scenes look at the work Clint puts into his newsletter is something I remember all too well from when I used to write one.
Reading your newsletter is something I look forward to every week. Thank you for your continued work on this @clintgibler!

Jun 30 · 8:26 PM
Brigid Johnson @bjohnso5y

Pickles loved the beach ⛱️. Waves not so much 🌊. Amazing trip to an amazing place with an amazing horse 🐴.

Jun 29 · 1:27 AM
SASE/CASB/SSE/ZTNA…wtf alphabet soup? Straighten me out please.

We currently use GlobalProtect as our VPN client, but it is voluntary, as it is only required to access internal servers. And since COVID, employees have been WFH, exacerbating the visibility problem.

To capture and decrypt the traffic of those not on the VPN, what is the solution? Upper mgmt …