

Monday 11 July 2022

Sponsor

There's an IAM change in this Terraform pull request, what do I do?!

You know it, we know it – change is scary, but change is inevitable.

IAM Pulse is bringing much-needed clarity to Terraform change reviews by delivering actionable insights about what could happen downstream if an IAM change is applied.

Join our private beta and get a free AWS IAM Assessment!

In a nutshell

AWS introduces a new way to call AWS services from outside AWS (a datacenter or another cloud provider): IAM Roles Anywhere. It comes with a few trade-offs:

  • You will need a PKI or Private ACM ($400/month) to act as the certificate authority.
  • You will need to use a closed-source credential helper provided by AWS.
  • You will need to store the private key as a file on the filesystem.

Read more on Ben's Twitter thread.

🔦 Highlight of the week

📖 [The CloudSecList] Issue 145
Marco from CloudSecList · Jul 10
AWS Notification Message
GuardDuty Announcements · Jul 08
AWS Notification Message
GuardDuty Announcements · Jul 06
Amazon Chime SDK Meetings - 3 updated methods
Jul 7
Adds support for AppKeys and TenantIds in Amazon Chime SDK WebRTC sessions
AWS Database Migration Service - 1 new method
Jul 7
New api to migrate event subscriptions to event bridge rules
AWS IoT - 2 updated methods
Jul 7
This release adds support to register a CA certificate without having to provide a verification certificate. This also allows multiple AWS accounts to register the same CA in the same region.
AWS IoT Wireless - 5 new, 3 updated methods
Jul 7
Adds 5 APIs: PutPositionConfiguration, GetPositionConfiguration, ListPositionConfigurations, UpdatePosition, GetPosition for the new Positioning Service feature which enables customers to configure solvers to calculate position of LoRaWAN devices, or specify position of LoRaWAN devices & gateways.
OSPAR 2022 report now available with 142 services in scope
Joseph Goh · Jul 7
We’re excited to announce the completion of our annual Outsourced Service Provider’s Audit Report (OSPAR) audit cycle on July 1, 2022. The 2022 OSPAR certification cycle includes the addition of 15 new services in scope, bringing the total number of services in scope to 142 in the AWS Asia Pacific …
Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere
Faraz Angabini · Jul 6
AWS Identity and Access Management (IAM) has now made it easier for you to use IAM roles for your workloads that are running outside of AWS, with the release of IAM Roles Anywhere. This feature extends the capabilities of IAM roles to workloads outside of AWS. You can use IAM …
Top 2021 AWS service launches security professionals should review – Part 2
Marta Taggart · Jul 6
In Part 1 of this two-part series, we shared an overview of some of the most important 2021 Amazon Web Services (AWS) Security service and feature launches. In this follow-up, we’ll dive deep into additional launches that are important for security professionals to be aware of and understand across all …
2022 H1 IRAP report is now available on AWS Artifact
Matt Brunker · Jul 5
We’re excited to announce that a new Information Security Registered Assessors Program (IRAP) report is now available on AWS Artifact. Amazon Web Services (AWS) successfully completed an IRAP assessment in May 2022 by an independent ASD (Australian Signals Directorate) certified IRAP assessor. The new IRAP report includes an additional nine …
redshift-serverless: 37 new actions, 5 new resources, 8 new conditions
Jul 8
37 new actions: ConvertRecoveryPointToSnapshot (Grants permission to convert a recovery point to a snapshot), CreateEndpointAccess (Grants permission to create an Amazon Redshift Serverless managed VPC endpoint), CreateNamespace (Grants permission to create an Amazon Redshift Serverless namespace), CreateSnapshot (Grants permission to create a snapshot of all databases in a namespace), CreateUsageLimit …
rolesanywhere: 26 new actions, 4 new resources, 3 new conditions
Jul 8
26 new actions: CreateProfile (Grants permission to create a profile), CreateTrustAnchor (Grants permission to create a trust anchor), DeleteCrl (Grants permission to delete a certificate revocation list (crl)), DeleteProfile (Grants permission to delete a profile), DeleteTrustAnchor (Grants permission to delete a trust anchor), DisableCrl (Grants permission to disable a certificate …
quicksight: 2 new actions, 1 new resource, 1 new condition | 7 updated actions
Jul 8
2 new actions: CreateAccountSubscription (Grants permission to subscribe to QuickSight), DescribeAccountSubscription (Grants permission to describe a QuickSight account); 1 new resource: account; 1 new condition: quicksight:AllowedEmbeddingDomains (Filters access by the allowed embedding domains); 7 updated actions: TagResource (resources), UntagResource (resources), CreateAdmin (conditions), CreateGroup (conditions), CreateNamespace (conditions), CreateReader (conditions), CreateUser (conditions)
Kinnaird McQuade ⛅️🧨 @kmcquade3

The Center for Internet Security released the Supply Chain Security Benchmark!

It is SO awesome to see more industry attention on locking down CICD pipelines.

Table of contents attached.

PDF link: github.com/aquasecurity/c…

98 · Jul 06 · 6:00 AM
Scott Piper @0xdabbad00

I am very curious to learn more about the new Roles Anywhere service that hit the SDK today. "Roles Anywhere provides a secure way for your workloads such as servers, containers, and applications running outside of AWS to obtain Temporary AWS credentials." twitter.com/publiccloudbot…

Quoted tweet: Public Cloud Bot @publiccloudbot

AWS SDK for Go has a new release "Release v1.44.48", published at 2022-07-05 18:24:57 (UTC)

#pcb_aws

github.com/aws/aws-sdk-go…

23 · Jul 05 · 11:28 PM
Clint Gibler @clintgibler

🛠️ bypass-url-parser

Tool by @TheLaluka that attempts to bypass 40X protected pages using a variety of tricks

#bugbounty #bugbountytips

github.com/laluka/bypass-…

23 · Jul 08 · 5:00 PM
Marco Lancini @lancinimarco

🔖 CloudGoat Scenario: Avoiding AWS Security Detection and Response

This will walk through the CloudGoat AWS detection_evasion scenario, detailing how to avoid AWS security detection and response services, such as in Lambda. From @RhinoSecurity

rhinosecuritylabs.com/cloud-security…

18 · Jul 08 · 5:00 PM
Clint Gibler @clintgibler

😱 Let's talk about Kubernetes on the Internet

@raesene discusses:

1. #Kubernetes' network attack surface

2. Tricks for identifying Kubernetes clusters based on their responses to basic requests

3. Using Shodan to find k8s clusters on the Internet

raesene.github.io/blog/2022/07/0…

20 · Jul 08 · 11:00 PM
Marco Lancini @lancinimarco

This could have a huge impact: “IAM now enables workloads that run outside of AWS to access AWS resources using IAM Roles Anywhere” 🤯

aws.amazon.com/about-aws/what…

8 · Jul 06 · 10:59 PM
Scott Piper @0xdabbad00

I've added @PaloAltoNtwks Prisma Cloud (@prisma_cloud) to the IMDSv2 Wall of Shame. Prisma has a feature to scan AMIs, but in doing so, it spins up an EC2 that does not allow IMDSv2 enforcement. prismacloud.ideas.aha.io/ideas/PANW-I-3…
github.com/SummitRoute/im…

13 · Jul 05 · 5:46 PM
Matt Fuller @matthewdfuller

BRB, getting an IAM role for my smart fridge.

1 · Jul 07 · 3:01 AM
fwd:cloudsec @fwdcloudsec

The schedule is up for fwd:cloudsec: pretalx.com/fwd-cloudsec-2…
Masks and vaccinations are required for attendees: fwdcloudsec.org/#covid
Tickets have sold out. Talks will be live-streamed and recorded.
See you in Boston on July 25! fwdcloudsec.org

9 · Jul 08 · 4:10 PM
Brigid Johnson @bjohnso5y

I've always loved ♥️ IAM roles in AWS...now you can use them from anywhere. A welcome addition to IAM. tinyurl.com/yxecw238

5 · Jul 06 · 10:43 PM
Time to Upgrade to TLS 1.2

95% of all AWS customers are already using TLS 1.2 to connect to AWS API endpoints. If you are still on TLS 1.0 or 1.1, it is time to upgrade your clients. You can read this new blog post to learn more and to plan your upgrade.

AWS running out of IPs?

I submitted a quota request to ask for 10 Elastic IPs in my account rather than the default 5. Seems like AWS is a bit strapped on IP addresses. Anyone else see this kind of response?

Edit: Not looking for a fix/solution, just seeing if other people have seen this …