Also in this issue:

• SRE Weekly Issue #330
• [The CloudSecList] Issue 146
• [tl;dr sec] #141 - CIS Supply Chain Security Guide, Static Analysis on Binaries
• GitHub - aquasecurity/chain-bench: An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
• Optimizing CI/CD Credential Hygiene - A Comparison of CI/CD Solutions
• The DynamoDB paper - A rare look at a real-world distributed system that runs at massive scale
• AWS Customers Can Now Order a Free MFA Security Key
• Amazon VPC Flow Logs adds Transit Gateway support for improved visibility and monitoring
• AWS Customers Can Now Order a Free MFA Security Key - thenewstack.io
• Contrast Security Unlocks the Power of Serverless Technology at AWS re:Inforce Conference - PR Newswire


Monday, July 18, 2022

Sponsor

Besides the AWS Security Digest Newsletter and building a SaaS product to save your money from the AWS invoice knock, I'm also running an AWS consulting boutique (zoph.io) specialized in AWS Security and Architecture. Don't hesitate to drop me an email or schedule a 30-minute meeting with me to discuss your project or AWS pain points.

In a nutshell

Digital Nomad Life: this issue was crafted in the French Alps. Recharging for a few weeks before intense weeks ahead (re:Inforce, fwd:cloudsec).

Killed by AWS: AWS seems to be deprecating the Amazon WorkLink service. It's rare enough to be worth mentioning.

I'm removing two sections of ASD (r/cloudsec and r/netsec) to keep it digestible (target read time: 2-3 min).

Elastic Disaster Recovery Service - 5 updated methods
Jul 15
Changed existing APIs to allow choosing a dynamic volume type for replicating volumes, to reduce costs for customers.
Amazon CloudWatch Evidently - 6 new 9 updated methods
Jul 15
This release adds support for the new segmentation feature.
AWS WAFV2 - 8 updated methods
Jul 15
This SDK release gives customers the ability to set a sensitivity level for WAF SQLi match statements.
CodeArtifact - 2 new 3 updated methods
Jul 14
This release introduces Package Origin Controls, a mechanism used to counteract Dependency Confusion attacks. Adds two new APIs, PutPackageOriginConfiguration and DescribePackage, and updates the ListPackage, DescribePackageVersion and ListPackageVersion APIs in support of the feature.
Reported EKS IAM Authenticator Issue
aws@amazon.com · Jul 11

Initial Publication Date: 2022/07/11 9:00 PST

A security researcher recently reported an issue with the AWS IAM Authenticator for Kubernetes, used by Amazon Elastic Kubernetes Service (EKS). The researcher identified a query parameter validation issue within the authenticator plugin when configured to use the “AccessKeyID” template parameter within query strings. …

AWS achieves TISAX certification (Information with Very High Protection Needs (AL3))
Janice Leung · Jul 15
We’re excited to announce the completion of the Trusted Information Security Assessment Exchange (TISAX) certification on June 30, 2022 for 19 AWS Regions. These Regions achieved the Information with Very High Protection Needs (AL3) label for the control domains Information Handling and Data Protection. This alignment with TISAX requirements demonstrates …
AWS achieves HDS certification to three additional Regions
Janice Leung · Jul 15
We’re excited to announce that three additional AWS Regions—Asia Pacific (Korea), Europe (London), and Europe (Stockholm)—have been granted the Health Data Hosting (Hébergeur de Données de Santé, HDS) certification. This alignment with the HDS requirements demonstrates our continued commitment to adhere to the heightened expectations for cloud service providers. AWS …
A sneak peek at the governance, risk, and compliance sessions for AWS re:Inforce 2022
Greg Eppel · Jul 11
Register now with discount code SALUZwmdkJJ to get $150 off your full conference pass to AWS re:Inforce. For a limited time only and while supplies last. Today we want to tell you about some of the exciting governance, risk, and compliance sessions planned for AWS re:Inforce 2022. AWS re:Inforce is …
Eligible customers can now order a free MFA security key
CJ Moses · Jul 11
One of the best ways for individuals and businesses to protect themselves online is through multi-factor authentication (MFA). MFA offers an additional layer of protection to help prevent unauthorized individuals from gaining access to systems or data. In fall 2021, Amazon Web Services (AWS) Security began offering a free MFA …
rekognition: 1 new action | 3 updated resources
Jul 18
1 new action: UpdateStreamProcessor (Grants permission to modify properties for a stream processor); 3 updated resources: collection (conditions), streamprocessor (conditions), projectversion (conditions)
devops-guru: 2 new actions
Jul 18
2 new actions: ListAnomalousLogGroups (Grants permission to list log anomalies of a given insight in your account), ListMonitoredResources (Grants permission to list resources monitored by DevOps Guru in your account)
chime: 2 new actions
Jul 18
2 new actions: BatchUpdateAttendeeCapabilitiesExcept (Grants permission to update AttendeeCapabilities except the capabilities listed in an ExcludedAttendeeIds table), UpdateAttendeeCapabilities (Grants permission to update the capabilities that you want to update)
Brigid Johnson @bjohnso5y

Out with the old and in with the new! We’ve refreshed the IAM best practices. We now have 1⃣4⃣ best practices to guide your identity and access management journey on #AWS 🧵 (1/10) go.aws/3APQW9T

Jul 14 · 9:13 PM

Christophe @christophetd

Stratus Red Team v2.2.0 is out with 3 new attack techniques!

• AWS: launch unusual EC2 instances
• AWS: persistence through IAM Roles Anywhere
• K8s: persistence through the TokenRequest API

github.com/datadog/stratu…

Jul 14 · 12:03 AM

Clint Gibler @clintgibler

📖 CIS Software Supply Chain Security Guide v1.0

100+ recommendations across:

1⃣Source code
2⃣Build pipelines
3⃣Dependencies
4⃣Artifacts
5⃣Deployment

Audit your SDLC based on these recs:
➡️github.com/aquasecurity/c…

H/T @AquaSecTeam, @CISecurity

github.com/aquasecurity/c…

Jul 11 · 9:03 PM

Clint Gibler @clintgibler

📺 MITRE ATT&CKcon 3.0

Slides and videos posted!

25 talks, including a keynote by @selenalarson

H/T @MITREattack

attack.mitre.org/resources/atta…

Jul 13 · 9:00 PM

stephenschmidt @StephenSchmidt

Eligible US-based customers can order their free MFA security key using our new ordering site. See if you're eligible to order: console.aws.amazon.com/securityhub/ho…

#morethanapassword twitter.com/AWSSecurityInf…

AWS Security @AWSSecurityInfo

📣Eligible US-based AWS account holders can receive a free MFA security key.

Learn more and check your eligibility 👉 go.aws/3RnbQTR #morethanapassword #multifactorauth

Jul 11 · 6:20 PM

Aidan W Steele @__steele

I implemented an open-source version of the AWS IAM Roles Anywhere client because I wanted to understand how it works.

I wouldn't suggest using it, but it does let you use private keys in an SSH agent rather than on-disk, which is nice.

1/2

awsteele.com/blog/2022/07/1…

Jul 14 · 7:15 AM

Marco Lancini @lancinimarco

Looking for a quick cheatsheet around #SLSA, explaining threats, levels, requirements, and implementations?

I've just made one on CloudSecDocs.com:

cloudsecdocs.com/devops/pipelin…

Jul 13 · 10:00 PM

Kinnaird McQuade ⛅️🧨 @kmcquade3

“Code is a liability. Code can at best do exactly what you intend it to. Bugs detract from this. You can only lose points through more coding. The more code you own, the more opportunities exist to depart from your intended value.”

Love this quote from @ben11kehoe

Ben Kehoe @ben11kehoe

@benjamin_l_s Obligatory plug for my article on the serverless mindset: ben11kehoe.medium.com/serverless-is-…

Jul 11 · 6:20 PM

Christophe @christophetd

The security research team @datadoghq is launching a dedicated blog:

securitylabs.datadoghq.com/articles/welco…

We have some exciting content coming up shortly (including from the amazing @Frichette_n 👀), make sure this is in your RSS feed!

Jul 11 · 10:50 PM

Scott Piper @0xdabbad00

Interesting to see this still had another issue after @_fel1x had found one issue in the same code: bugs.chromium.org/p/project-zero…
which was a derivative of his finding in Hashicorp Vault googleprojectzero.blogspot.com/2020/10/
and a second look had happened at this code github.com/kubernetes-sig…

gafnit @gafnitav

Exploiting AWS IAM Authenticator by crafting malicious signed STS GetCallerIdentity request.
👉CVE-2022-2385

blog.lightspin.io/exploiting-eks…

Jul 11 · 7:19 PM