Issue #82
Monday · September 05, 2022
AWS security blogs
- Scaling cross-account AWS KMS-encrypted Amazon S3 bucket access using ABAC – This blog post shows you how to share encrypted Amazon Simple Storage Service (Amazon S3) buckets across accounts on a multi-tenant data lake. Our objective is to show scalability over a larger volume of accounts that can access the data lake, in a scenario where there is one central account …
- How to automate updates for your domain list in Route 53 Resolver DNS Firewall – Note: This post includes links to third-party websites. AWS is not responsible for the content on those websites. Following the release of Amazon Route 53 Resolver DNS Firewall, Amazon Web Services (AWS) published several blog posts to help you protect your Amazon Virtual Private Cloud (Amazon VPC) DNS resolution, including …
- Announcing new AWS IAM Identity Center APIs to manage users and groups at scale – If you use AWS IAM Identity Center (successor to AWS Single Sign-On) as your identity source, you create and manage your users and groups manually in the IAM Identity Center console. However, you may prefer to automate this process to save time, spend less administrative effort, and to scale effectively …
- How to let builders create IAM resources while improving security and agility for your organization – Many organizations restrict permissions to create and manage AWS Identity and Access Management (IAM) resources to a group of privileged users or a central team. This post explains how you can safely grant these permissions to builders – the people who are developing, testing, launching, and managing cloud infrastructure – …
Reddit threads on r/aws
- AWS IP Ranges increase of 4,718,592 IPs – Just a heads up, AWS just added 4,718,592 new IPs in their second largest expansion to date. This is something like a 7% increase, and impacts pretty much all of the regions, though they haven't doled out the IP addresses to specific services yet. Edit: They've actually added 7,602,312 IPs …
- Announcing new AWS IAM Identity Center APIs to manage users and groups at scale
- Since S3 charges by request, couldn't a malicious hacker cause a huge AWS bill just by spamming requests? – What would stop them from doing so, against, say, a static website hosted using S3? Is there a good way to deny some requests such that one avoids getting billed for them? (Context: I want to host a static website on S3, but I wouldn't want to end up with …
- Just another reminder of the importance of not hard coding credentials
Newsletters
Top Links from Security Folks
- Crawl, walk, run: Operationalizing your IaC security program - Bridgecrew Blog – Learn how to operationalize your infrastructure as code security program with our rollout timeline and guidance for your first ninety days.
- GitHub - devops-kung-fu/bomber: Scans SBoMs for security vulnerabilities – Scans SBoMs for security vulnerabilities. Contribute to devops-kung-fu/bomber development by creating an account on GitHub.
"AWS Security" on Google News
IAM permission changes
- events: 1 new resource | 11 updated actions, 1 updated resource – 1 new resource: rule-on-custom-event-bus; 11 updated actions: DeleteRule (resources), ListTagsForResource (resources), ListTargetsByRule (resources), EnableRule (resources), DisableRule (resources), DescribeRule (resources), PutTargets (resources), RemoveTargets (resources), TagResource (resources), PutRule (resources), UntagResource (resources); 1 updated resource: rule-on-default-event-bus (arn)
- controltower: 4 new actions – 4 new actions: DisableControl (Grants permission to remove a control from an organizational unit), EnableControl (Grants permission to activate a control for an organizational unit), GetControlOperation (Grants permission to get the current status of a particular EnabledControl or DisableControl operation), ListEnabledControls (Grants permission to list all enabled controls in a …
- identitystore: 5 updated actions – 5 updated actions: ListGroupMembershipsForMember (resources), ListGroups (resources), IsMemberInGroups (resources), ListGroupMemberships (resources), ListUsers (resources)
API changes
- AWS Control Tower - 4 new methods – This release contains the first SDK for AWS Control Tower. It introduces a new set of APIs: EnableControl, DisableControl, GetControlOperation, and ListEnabledControls.
- AWS SSO Identity Store - 15 new, 4 updated methods – Expand IdentityStore API to support Create, Read, Update, Delete and Get operations for User, Group and GroupMembership resources.
- Amazon Interactive Video Service - 3 updated methods – IVS Merge Fragmented Streams. This release adds support for the recordingReconnectWindow field in IVS recordingConfigurations. For more information see https://docs.aws.amazon.com/ivs/latest/APIReference/Welcome.html
- Amazon SageMaker Service - 2 updated methods – SageMaker Inference Recommender now accepts Inference Recommender fields: Domain, Task, Framework, SamplePayloadUrl, SupportedContentTypes, SupportedInstanceTypes, directly in our CreateInferenceRecommendationsJob API through ContainerConfig