SRE Weekly Issue #339 • 📖 [The CloudSecList] Issue 155 • [tl;dr sec] #150 - How to Start an AppSec Program with the OWASP Top 10, Leadership in Cybersecurity • Amazon Elastic Compute Cloud - 11 updated methods • Amazon SageMaker Service - 4 updated methods • AWS Amplify UI Builder - 8 new 4 updated methods • Amazon Elastic Compute Cloud - 8 new 10 updated methods • 10 reasons to import a certificate into AWS Certificate Manager (ACM) • 154 AWS services achieve HITRUST certification • Amazon introduces dynamic intermediate certificate authorities • Use AWS Network Firewall to filter outbound HTTPS traffic from applications hosted on Amazon EKS and collect hostnames provided by SNI • evidently: 6 new actions, 1 new resource | 4 updated resources, 4 updated actions • lookoutequipment: 9 new actions, 1 new resource | 1 updated resource, 3 updated actions • cloudtrail: 5 new actions, 1 new resource | 3 updated actions, 1 updated resource • GitHub - awslabs/aws-security-assessment-solution: An AWS tool to help you create a point in time assessment of your AWS account using Prowler and Scout as well as optional AWS developed ransomware checks. • GitHub - matanolabs/matano: The open-source security lake platform for AWS • Kubernetes API Server Bypass Risks • GitHub - google/magic-github-proxy: An access-limiting stateless GitHub API Proxy • ✨Linux tips 🧵 1. Always remove the french language pack: sudo rm -fr ./* • After using AWS for ~14 years, I've internalised a handful of design patterns that I try to apply to my own software. I'm keen to know if it's the same for other folks. Roughly: tags, IDs (thrice), limits, pagination. (I'm not going to use the thread emoji) • Turns out they gave you a session ID instead of an order ID. Doh! This is where resource ID *prefixes* are insanely useful. Think EC2 instance IDs: i-abc123 or EBS volumes: vol-def456. Now when you ask a user for an ID, you'll know immediately if it's the wrong thing entirely. • ☁️ AWS Security Assessment Solution An AWS tool to help you create a point in time assessment of your AWS account using Prowler and Scout as well as optional AWS developed ransomware checks <a href="https://t.co/GQIzBwQdFe" target="_blank">github.com/awslabs/aws-se…</a> • ✅ Kubernetes Security Checklist <a href="https://twitter.com/hashtag/Kubernetes" target="_blank">#Kubernetes</a> documentation page that covers: * Authentication and Authorization * Network security * Pod security * Pod placement * Secrets * Images * Admission controllers <a href="https://t.co/4f2eL4qP3n" target="_blank">kubernetes.io/docs/concepts/…</a> • I've been an advisor to Noq, and I'm thrilled to see <a href="https://twitter.com/ccastrapel" target="_blank">@ccastrapel</a> and <a href="https://twitter.com/krisharms" target="_blank">@krisharms</a> have taken it out of stealth! • Pour yourself a bowl of doritos and mountain dew, grab a spoon, and chow down on this AWS wisdom! • This is a new amazing piece of AWS security tooling! Great work <a href="https://twitter.com/sethsec" target="_blank">@sethsec</a> <a href="https://twitter.com/cvendramini2" target="_blank">@cvendramini2</a> <a href="https://t.co/LiNiSBKOKR" target="_blank">github.com/BishopFox/clou…</a> • lol damn be easy on the French people guys • 🔖 matano An open source security lake platform for AWS. It lets you ingest petabytes of security and log data from various sources, store and query them in an open Apache Iceberg data lake, and create Python detections as code for realtime alerting. <a href="https://t.co/Vo1LxRQNDi" target="_blank">github.com/matanolabs/mat…</a> • Visualizing how S3 deletes 1 billion objects with Athena and Rust • GA! AWS Enterprise Support launches AWS Incident Detection and Response • Unlimited free data storage by (ab)using ECS • Control Tower upgrade Landing Zone from 2.9 to 3.0 -- failures and now disabled • Uber reels from 'security incident' in which cloud systems seemingly hijacked - The Register • stackArmor Achieves AWS Security and AWS Level 1 MSSP Competencies - Business Wire