SRE Weekly Issue #331
📖 [The CloudSecList] Issue 147
[tl;dr sec] #142 - OAuth Security, Cryptocurrency
Amazon Athena - 1 new method
Amazon DocumentDB with MongoDB compatibility - 14 updated methods
Amazon Fraud Detector - 15 updated methods
AWS IoT SiteWise - 3 new methods
AWS re:Inforce 2022: Network & Infrastructure Security track preview
Automatically block suspicious DNS activity with Amazon GuardDuty and Route 53 Resolver DNS Firewall
A pathway to the cloud: Analysis of the Reserve Bank of New Zealand’s Guidance on Cyber Resilience
Use Security Hub custom actions to remediate S3 resources based on Macie discovery results
vendor-insights: AWS service removed
cloudformation: 3 updated actions, 1 updated condition
storagegateway: 2 updated actions
How attackers use exposed Prometheus server to exploit Kubernetes clusters – Sysdig
Update detected · z0ph/MAMIP@8518b1c
MITRE ATT&CK Matrix for Kubernetes: Tactics & Techniques Explained Part 1
Enforce AWS Instance Metadata Service v2 on your workspace
🤖 pdiscovery-bot by @pry0cc: a @pdiscoveryio-driven Attack Surface Management (ASM) bot using subfinder, httpx, dnsx, nuclei and notify (github.com/pry0cc/pdiscov…)
🗒️ OAuth 2.0 Security Cheat Sheet: architectural decisions, client credentials, tokens, authorization code grant, PKCE and more, with vulnerable apps for practice (github.com/koenbuyens/Vul…, github.com/koenbuyens/oau…)
Livestream links for fwd:cloudsec, happening on July 25 (Room 1: youtube.com/watch?v=tvDpQ3…, Room 2/3: youtube.com/watch?v=YHZdkp…; videos will be put on YouTube after the conference)
CloudFormation now publishes to EventBridge for stack-level and resource-level events when stacks are created, updated, deleted, etc. (twitter.com/Zach_German_De…)
GuardDuty is getting into the snapshot scanning business
SREs might want to start thinking about migrating workloads to the southern hemisphere during the summer months to avoid cooling failures
@fwdcloudsec setup begins!
🫙 Build, sign, and compute the SBOM of a container image: a reusable GitHub Actions workflow (github.com/marco-lancini/…)
Finally got to meet @__steele in person!
fwd:cloudsec happens today! Check in at 8am, welcome talk at 9am ET (schedule: pretalx.com/fwd-cloudsec-2…)
NAT gateways are too expensive
New SSO and IAM integration: AWS SSO adding support for Customer Managed Policies and Permission Boundaries
TIL the AWS Console UI is open source
Changes to AWS CloudFormation-based stacks and resources are now available as event notifications in Amazon EventBridge
Superior Cloud Security Management Only Found with Trend Micro - PR Newswire
Axonius announces integration with AWS to help customers strengthen their security posture - Help Net Security


Monday 25 July, 2022

Sponsor

There's an IAM change in this Terraform pull request, what do I do?!

You know it, we know it – change is scary, but change is inevitable.

IAM Pulse is bringing much-needed clarity to Terraform change reviews by delivering actionable insights about what could happen downstream if an IAM change is applied.

Join our private beta and get a free AWS IAM Assessment!

In a nutshell

AWS Security Digest (ASD) will take a break in August; I will be back in September. I hope you will be able to have some rest and enjoy your summer break with friends and family.

Today kicks off the two most anticipated events in the AWS infosec world: the re:Inforce and fwd:cloudsec conferences in Boston. I will post some insights on the newsletter's Twitter account.

📢 MAMIP (Monitor AWS Managed IAM Policies)

Policies changed since last week:

Weekly diff


👉🏻 From AWS Bots: 📃 MAMIP / 🤖 MASE / 👮🏻‍♂️ MGDA

Amazon Athena - 1 new method
Jul 21
This feature allows customers to retrieve runtime statistics for completed queries.
Amazon Fraud Detector - 15 updated methods
Jul 21
The release introduces the Account Takeover Insights (ATI) model, which detects fraud relating to account takeover. This release also adds support for two new variable types, ARE_CREDENTIALS_VALID and SESSION_ID, and adds new structures to the Model Version APIs.
AWS IoT SiteWise - 3 new methods
Jul 21
Added asynchronous API to ingest bulk historical and current data into IoT SiteWise.
AWS re:Inforce 2022: Network & Infrastructure Security track preview
Satinder Khasriya · Jul 22
Register now with discount code SALvWQHU2Km to get $150 off your full conference pass to AWS re:Inforce. For a limited time only and while supplies last. Today we’re going to highlight just some of the network and infrastructure security-focused sessions planned for AWS re:Inforce. AWS re:Inforce 2022 will take …
Automatically block suspicious DNS activity with Amazon GuardDuty and Route 53 Resolver DNS Firewall
Akshay Karanth · Jul 20
In this blog post, we’ll show you how to use Amazon Route 53 Resolver DNS Firewall to automatically respond to suspicious DNS queries that are detected by Amazon GuardDuty within your Amazon Web Services (AWS) environment. The Security Pillar of the AWS Well-Architected Framework includes incident response, stating that your …
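The pattern the post describes, GuardDuty finding in, DNS Firewall block out, as an added example that is not code from the AWS post. It is the Lambda target of an EventBridge rule on `source: aws.guardduty`; the domain-list ID, the severity floor, the never-block zones and the sample finding are assumptions or constructed data, and the domain list is assumed to already be referenced by a BLOCK rule in a rule group associated with the VPC:

```python
"""Added example, not code from the AWS blog post: a Lambda handler that turns a
GuardDuty DNS finding (delivered by EventBridge) into a Route 53 Resolver DNS
Firewall block.  The domain-list ID, the severity floor, the never-block zones
and the sample finding are assumptions / constructed data."""
import os

# Placeholder ID of a DNS Firewall domain list that a BLOCK rule already
# references (assumption: created out of band and associated with the VPC).
DOMAIN_LIST_ID = os.environ.get("FIREWALL_DOMAIN_LIST_ID", "rslvr-fdl-EXAMPLE")
# Zones never auto-blocked, e.g. the org's own domains (comma-separated env var).
NEVER_BLOCK_ZONES = tuple(
    z.strip() for z in os.environ.get("NEVER_BLOCK_ZONES", "").split(",") if z.strip()
)
# GuardDuty severity: 4.0-6.9 is Medium, 7.0+ is High (floor is an assumption).
MIN_SEVERITY = float(os.environ.get("MIN_SEVERITY", "4.0"))
LABEL_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-")


def normalize_domain(name):
    """Lower-case and drop the trailing dot a resolver may report."""
    return name.strip().lower().rstrip(".")


def is_valid_domain(name):
    """Syntactic hostname check so a malformed finding cannot poison the list."""
    if not 1 <= len(name) <= 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    return all(
        1 <= len(l) <= 63 and l[0] != "-" and l[-1] != "-" and set(l) <= LABEL_CHARS
        for l in labels
    )


def is_under_zone(domain, zones):
    """True if domain equals or is a subdomain of any protected zone."""
    for zone in map(normalize_domain, zones):
        if zone and (domain == zone or domain.endswith("." + zone)):
            return True
    return False


def extract_blockable_domain(event, min_severity=MIN_SEVERITY, never_block=NEVER_BLOCK_ZONES):
    """Return the queried domain from a GuardDuty DNS_REQUEST finding, or None
    when the event is not such a finding, is below the severity floor, carries
    a malformed name, or falls under a protected zone."""
    if event.get("source") != "aws.guardduty":
        return None
    finding = event.get("detail", {})
    action = finding.get("service", {}).get("action", {})
    if action.get("actionType") != "DNS_REQUEST":
        return None
    if float(finding.get("severity", 0)) < min_severity:
        return None
    domain = normalize_domain(action.get("dnsRequestAction", {}).get("domain", ""))
    if not is_valid_domain(domain) or is_under_zone(domain, never_block):
        return None
    return domain


def handler(event, context=None, client=None):
    """Lambda entry point.  `client` is injectable so the logic can be exercised
    without AWS credentials; inside Lambda it defaults to a real boto3 client."""
    domain = extract_blockable_domain(event)
    if domain is None:
        return {"blocked": None}
    if client is None:
        import boto3  # imported lazily so the module loads without the SDK

        client = boto3.client("route53resolver")
    # The firewall rule that references this list (action BLOCK) does the
    # actual enforcement; we only maintain the list's contents.
    client.update_firewall_domains(
        FirewallDomainListId=DOMAIN_LIST_ID, Operation="ADD", Domains=[domain]
    )
    return {"blocked": domain}


# Constructed sample of the EventBridge envelope for a GuardDuty DNS finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "service": {
            "action": {
                "actionType": "DNS_REQUEST",
                "dnsRequestAction": {
                    "domain": "C2.Attacker.Example.",
                    "protocol": "UDP",
                    "blocked": False,
                },
            }
        },
    },
}

if __name__ == "__main__":
    print(extract_blockable_domain(SAMPLE_EVENT))
```

The never-block zones are the caveat worth keeping: a DNS Firewall entry applies to every query from the associated VPCs, so an automated block on a false positive against your own or a partner's domain is an outage you caused yourself. Also remember that `update_firewall_domains` is asynchronous; the list's status can be polled with `get_firewall_domain_list` if the runbook needs confirmation.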
A pathway to the cloud: Analysis of the Reserve Bank of New Zealand’s Guidance on Cyber Resilience
Julian Busic · Jul 18
The Reserve Bank of New Zealand’s (RBNZ’s) Guidance on Cyber Resilience (referred to as “Guidance” in this post) acknowledges the benefits of RBNZ-regulated financial services companies in New Zealand (NZ) moving to the cloud, as long as this transition is managed prudently—in other words, as long as entities understand the …
Use Security Hub custom actions to remediate S3 resources based on Macie discovery results
Jonathan Nguyen · Jul 18
The amount of data available to be collected, stored and processed within an organization’s AWS environment can grow rapidly and exponentially. This increases the operational complexity and the need to identify and protect sensitive data. If your security teams need to review and remediate security risks manually, it would either …
vendor-insights: AWS service removed
Jul 24
cloudformation: 3 updated actions, 1 updated condition
Jul 23
3 updated actions: CreateStackInstances (conditions), TagResource (conditions), UntagResource (conditions); 1 updated condition: cloudformation:ResourceTypes (type)
storagegateway: 2 updated actions
Jul 23
2 updated actions: AssociateFileSystem (dependents), UpdateFileSystemAssociation (dependents)
Clint Gibler @clintgibler

🤖 pdiscovery-bot by @pry0cc

A @pdiscoveryio-driven Attack Surface Management (ASM) bot

Uses subfinder, httpx, dnsx, nuclei and notify!

#bugbounty #bugbountytips #OSINT

github.com/pry0cc/pdiscov…

44 · Jul 20 · 5:00 PM
Clint Gibler @clintgibler

🗒️ OAuth 2.0 Security Cheat Sheet

Covers:
* Architectural decisions
* Client credentials
* Tokens
* Authorization code grant
* PKCE
* and more

Vulnerable apps for practice:
github.com/koenbuyens/Vul…

#bugbounty #bugbountytips #infosec

github.com/koenbuyens/oau…

27 · Jul 22 · 9:00 PM
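Of the topics the cheat sheet lists, PKCE is the one most often implemented half-way (a challenge is sent, but the token endpoint never checks it). The following is an added example, not code from the cheat sheet or its vulnerable apps: both halves of PKCE (RFC 7636) around a minimal in-memory authorization server. The `AuthorizationServer` class, its method names and the client/redirect values are this example's own simplifications; the S256 test vector is the one given in RFC 7636 Appendix B.

```python
"""Added example, not from the OAuth 2.0 cheat sheet: PKCE (RFC 7636) on both
sides of the authorization code grant.  AuthorizationServer and its method
names are this example's own simplification."""
import base64
import hashlib
import hmac
import secrets

# Unreserved characters the RFC allows in a code_verifier.
VERIFIER_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url(raw):
    """base64url without '=' padding, as the RFC requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes=32):
    """Client side: 32 random bytes give 43 chars, the RFC minimum (max 128)."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier):
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge, stored_method, presented_verifier):
    """Server side, token endpoint: recompute the challenge from the verifier
    the client presents and compare it with the one bound to the code."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if not set(presented_verifier) <= VERIFIER_CHARS:
        return False
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        # Permitted by the RFC, but anyone who saw the authorization request
        # already knows the verifier, so it protects against nothing.
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


class AuthorizationServer:
    """Minimal in-memory authorization server (this example's simplification).
    S256 only by default; 'plain' must be opted into."""

    def __init__(self, allow_plain=False):
        self._codes = {}
        self._methods = ("S256", "plain") if allow_plain else ("S256",)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method="S256"):
        """/authorize: bind the challenge (and client/redirect) to a fresh code."""
        if code_challenge_method not in self._methods:
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge, code_challenge_method)
        return code

    def token(self, code, client_id, redirect_uri, code_verifier):
        """/token: single-use code, same client and redirect_uri, valid verifier."""
        entry = self._codes.pop(code, None)  # popped first: a replayed code fails
        if entry is None:
            return None
        bound_client, bound_redirect, challenge, method = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            return None
        if not verify_pkce(challenge, method, code_verifier):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def demo():
    """Legitimate exchange succeeds; a captured code without its verifier fails."""
    srv = AuthorizationServer()
    client_id, redirect = "spa-client", "https://app.example/cb"  # constructed
    verifier = make_code_verifier()
    code = srv.authorize(client_id, redirect, code_challenge_s256(verifier))
    legit = srv.token(code, client_id, redirect, verifier)
    # Attacker who intercepted a code (e.g. leaked redirect) but not the verifier.
    other_verifier = make_code_verifier()
    stolen = srv.authorize(client_id, redirect, code_challenge_s256(other_verifier))
    attacker = srv.token(stolen, client_id, redirect, make_code_verifier())
    return legit is not None, attacker is None


if __name__ == "__main__":
    print(demo())
```

Two design points to check in a real server: the code is consumed before any verification (so a failed attempt also burns it), and the comparison uses `hmac.compare_digest` rather than `==`.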
fwd:cloudsec @fwdcloudsec

Livestream links for fwd:cloudsec, happening on July 25.
Room 1: youtube.com/watch?v=tvDpQ3…
Room 2/3: youtube.com/watch?v=YHZdkp…
Videos will be put on youtube after the conference.

26 · Jul 19 · 3:55 PM
Aidan W Steele @__steele

This is awesome! 🎉🎉

CloudFormation now publishes to EventBridge for stack-level and resource-level events when stacks are created, updated, deleted, etc. I’ve wanted this for a while 🤩 twitter.com/Zach_German_De…

Zachary German @Zach_German_Dev

@__steele It took a minute, but... DONE
"Managing events with AWS CloudFormation and Amazon EventBridge - AWS CloudFormation" docs.aws.amazon.com/AWSCloudFormat…

6 · Jul 21 · 12:05 AM
Scott Piper @0xdabbad00

GuardDuty is getting into the snapshot scanning business.

MAMIP - Monitor AWS Managed IAM Policies @mamip_aws

AmazonGuardDutyMalwareProtectionServiceRolePolicy... github.com/z0ph/MAMIP/com…

16 · Jul 19 · 10:23 PM
Scott Piper @0xdabbad00

SREs might want to start thinking about migrating workloads to the southern hemisphere during the summer months to avoid cooling failures. Are there seasonal pricing diffs on cloud regions currently that reflect increased cooling costs?

GCP Incidents @GCP_Incidents

There has been a cooling related failure in one of our buildings that hosts zone europe-west2-a for region europe-west2. This caused a partial failure of capacity in that zone, leading to VM terminations and a loss of machines for a small set of our customers 4/9

9 · Jul 20 · 4:39 PM
Marco Lancini @lancinimarco

🫙 Build, sign, and compute the SBOM of a container image

I've just released a reusable GitHub Actions workflow that builds, signs, and computes the SBOM of a container image

github.com/marco-lancini/…

8 · Jul 21 · 6:30 PM
fwd:cloudsec @fwdcloudsec

fwd:cloudsec happens today! Check in at 8am, welcome talk at 9am ET.
- Room 1 livestream: youtube.com/watch?v=tvDpQ3…
- Room 2/3 livestream: youtube.com/watch?v=YHZdkp…
- Schedule: pretalx.com/fwd-cloudsec-2…

15 · Jul 25 · 12:32 PM
NAT gateways are too expensive

I was looking at my AWS bill and saw a line item called EC2-other which was about half of my bill. It was strange because I only have 1 free tier EC2 instance, and mainly use ECS spot instances for dev. I went through all the regions couldn’t find any …