

Wednesday, August 31, 2022

Sponsor

There's an IAM change in this Terraform pull request, what do I do?!

You know it, we know it – change is scary, but change is inevitable.

IAM Pulse is bringing much-needed clarity to Terraform change reviews by delivering actionable insights about what could happen downstream if an IAM change is applied.

Join our private beta and get a free AWS IAM Assessment!

In a nutshell

AWS Security Digest (ASD) will take a break in August; I will be back in September. I hope you will be able to have some rest and enjoy your summer break with friends and family.

Today kicks off the two most anticipated events in the AWS infosec world: the re:Inforce and fwd:sec conferences in Boston. I will post some insights on the newsletter's Twitter account.

📢 MAMIP (Monitor AWS Managed IAM Policies)

Policies changed since last week:

Weekly diff


👉🏻 From AWS Bots: 📃 MAMIP / 🤖 MASE / 👮🏻‍♂️ MGDA

AWS IoT Greengrass V2 - 1 updated method
Aug 30
Adds topologyFilter to ListInstalledComponentsRequest, which allows filtering components by ROOT or ALL (including root and dependency components). Adds lastStatusChangeTimestamp to the ListInstalledComponents response to show the last time a component changed state on a device.
Amazon Lookout for Equipment - 9 new, 4 updated methods
Aug 30
This release adds new APIs for providing labels.
Amazon Macie 2 - 5 new, 2 updated methods
Aug 30
This release of the Amazon Macie API adds support for using allow lists to define specific text and text patterns to ignore when inspecting data sources for sensitive data.
Amazon Voice ID - 1 updated method
Aug 29
Amazon Connect Voice ID now detects voice spoofing. When a prospective fraudster tries to spoof caller audio using audio playback or synthesized speech, Voice ID will return a risk score and outcome to indicate how likely it is that the voice is spoofed.
AWS achieves FedRAMP P-ATO for 20 services in the AWS US East/West Regions and AWS GovCloud (US) Regions
Steve Earley · Aug 29
Amazon Web Services (AWS) is pleased to announce that 20 additional AWS services have achieved Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). The following are the 20 AWS services with FedRAMP authorization for the U.S. federal government and organizations …
How to subscribe to the new Security Hub Announcements topic for Amazon SNS
Mike Saintcross · Aug 29
With AWS Security Hub you are able to manage your security posture in AWS, perform security best practice checks, aggregate alerts, and automate remediation. Now you are able to use Amazon Simple Notification Service (Amazon SNS) to subscribe to the new Security Hub Announcements topic to receive updates about new …
AWS announces migration plans for NIST 800-53 Revision 5
James Mueller · Aug 29
Amazon Web Services (AWS) is excited to begin migration plans for National Institute of Standards and Technology (NIST) 800-53 Revision 5. The NIST 800-53 framework is a regulatory standard that defines the minimum baseline of security controls for U.S. federal information systems. In 2020, NIST released Revision 5 of the …
How to deploy AWS Network Firewall by using AWS Firewall Manager
Harith Gaddamanugu · Aug 26
AWS Network Firewall helps make it easier for you to secure virtual networks at scale inside Amazon Web Services (AWS). Without having to worry about availability, scalability, or network performance, you can now deploy Network Firewall with the AWS Firewall Manager service. Firewall Manager allows administrators in your organization to …
wafv2: 1 new resource | 3 updated actions
Aug 27
1 new resource: userpool; 3 updated actions: AssociateWebACL (resources), DisassociateWebACL (resources), GetWebACLForResource (resources)
sqlworkbench: 19 new actions, 1 new resource | 3 updated actions
Aug 26
19 new actions: BatchGetNotebookCell (Grants permission to get notebook cells content on your account), CreateNotebook (Grants permission to create a new notebook on your account), CreateNotebookCell (Grants permission to create a notebook cell on your account), CreateNotebookFromVersion (Grants permission to create a new notebook from a notebook version on your …
lexv2: 1 new action
Aug 24
1 new action: StopBotRecommendation (Grants permission to stop a bot recommendation for an existing bot locale)
Kinnaird McQuade 💻☁️💥 @kmcquade3

Now that I run a company, I can make ridiculous rules like making Kubernetes illegal

137 · Aug 08 · 6:50 AM
Brigid Johnson @bjohnso5y

On this day 8 years ago I started at AWS as a product manager for IAM. The job, people, business, and tech have all changed since then. Still happy to be here at #AWS 🥳 🍾

9 · Aug 11 · 5:20 PM
Christophe @christophetd

📢 Today I'm releasing Threatest, a Go framework for end-to-end testing of threat detection rules

securitylabs.datadoghq.com/articles/threa…

github.com/datadog/threat…

🧵⬇️

95 · Aug 13 · 9:04 PM
Clint Gibler @clintgibler

🔥 RCE-as-a-Service

Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise

BlackHat 2022 talk by @NCCGroupInfosec's @smarticu5 & @wucpi

Slides:
i.blackhat.com/USA-22/Wednesd…

Abstract
blackhat.com/us-22/briefing…

86 · Aug 17 · 7:00 PM
Clint Gibler @clintgibler

🗒️ How To Hack Web Applications in 2022: Part 2

@hakluke provides an overview of several vulnerability classes:

* SSRF
* Business logic flaws
* IDORs
* AuthN issues
* CSRF
* Directory traversal
* File inclusion

+ more

#bugbounty #bugbountytips

labs.detectify.com/2022/08/05/how…

68 · Aug 08 · 9:30 PM
Scott Piper @0xdabbad00

Mailchimp compromised -> Used to compromise the password resets for DigitalOcean accounts -> Used to compromise crypto companies.

Catalin Cimpanu @campuscodi

Mailchimp discloses security breach: mailchimp.com/august-2022-se…

Digital Ocean was also impacted as a result: digitalocean.com/blog/digitaloc…

102 · Aug 16 · 4:39 PM
Christophe @christophetd

This BlackHat talk by @albinowax is 🔥 (and I was lucky to attend it live)

"How I used an HTTP desync attack to have random amazon.com customers post their session cookies to my wishlist"

i.blackhat.com/USA-22/Wednesd…

portswigger.net/research/brows…

47 · Aug 18 · 10:07 AM
Scott Piper @0xdabbad00

Come work on the AWS security team at Square with me and other great folks! No cloudsec or security experience needed. Remote.

Santosh @santosh_ankr

We're hiring early career software engineers who are looking to break into cloud security. No previous security experience required - we'll teach you!

Apply here:
jobs.smartrecruiters.com/Square/7439998…

40 · Aug 01 · 9:24 PM
rowan @elrowan

Always use AWS SSO/Identity Center. Always.

If you have IAM users, get rid of them.
If you're following a guide that says "Create an Administration user", don't.

Friends don't let friends use IAM users.
All roles. All the time.

12 · Aug 31 · 1:55 AM
Santosh @santosh_ankr

We're hiring early career software engineers who are looking to break into cloud security. No previous security experience required - we'll teach you!

Apply here:
jobs.smartrecruiters.com/Square/7439998…

26 · Aug 01 · 9:04 PM
Hacked AWS Account is facing $200,000+ in charges after support ticket

After about a month of going back and forth with AWS support for my account, I am now being told I am liable for most of the total amount of the original bill of $213,000. I've been in contact with AWS support for 4 weeks, and now they are refusing …

We are members of AWS Premium Support, ask us anything

Post anything about how the support organization works, what it's like to work here, how we troubleshoot and handle cases, what you'd like to see change in support, or anything else that comes to mind. Post your questions below and we'll answer them in this thread live for 1 hour …