  • SRE Weekly Issue #340
  • 📖 [The CloudSecList] Issue 156
  • [tl;dr sec] #151 - Why Security Products Fail, Pentesting.Cloud
  • AWS App Runner - 6 updated methods
  • Amazon Elastic Compute Cloud - 3 updated methods
  • Amazon Lightsail - 1 new, 88 updated methods
  • Amazon Lex Model Building V2 - 7 updated methods
  • Announcing an update to IAM role trust policy behavior
  • AWS achieves its second ISMAP authorization in Japan
  • Sign Amazon SNS messages with SHA256 hashing for HTTP subscriptions


Monday, 26 September 2022

Sponsor - Secure your Cloud Infrastructure with Teleport and AWS IAM

Join Teleport for the webinar on October 13th and learn about the challenges in securely delegating access to your AWS resources. Save your spot to find out:

  • How companies are currently managing their AWS infrastructure
  • Integrating Teleport Access Plane with AWS IAM
  • The top 5 advantages of using Teleport to access AWS resources

Register today for free

In a nutshell

An important change in AWS IAM Role Trust Policy: TL;DR

  • BEFORE: Roles implicitly trusted themselves from a role trust policy perspective if they had identity-based permissions to assume themselves.
  • NOW: Role trust policy must explicitly grant permission to all principals, including the role itself.
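As an added example (not part of the digest or of AWS's own tooling), a static check for the policy shape the TL;DR describes: it compares a trust policy that relied on the old implicit self-trust with one that names the role explicitly, and reports whether the role is covered as a principal. The role ARN, account ID and both policies are constructed; Conditions and NotPrincipal are ignored.

```python
import fnmatch

# Constructed sample values (not taken from the digest).
ROLE_ARN = "arn:aws:iam::123456789012:role/self-assuming-role"
EC2 = {"Service": "ec2.amazonaws.com"}

# Before the change: only EC2 is trusted; the role could still assume itself if
# its identity-based policy allowed sts:AssumeRole on its own ARN.
OLD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": EC2}]}

# Now: the role must also be named explicitly as a principal.
NEW_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": EC2},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": ROLE_ARN}}]}


def _as_list(value):
    """IAM lets most policy elements be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _principal_covers_role(principal, role_arn):
    """True if Principal names the role, or is a broader principal ("*" or the
    account root) that delegates the decision to identity-based policies."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account_root = "arn:aws:iam::%s:root" % role_arn.split(":")[4]
    return any(p in ("*", role_arn, account_root)
               for p in _as_list(principal.get("AWS", [])))


def role_trusts_itself(trust_policy, role_arn):
    """Static check: at least one Allow and no Deny on sts:AssumeRole whose
    Principal covers role_arn. Conditions and NotPrincipal are ignored."""
    allowed = denied = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        if not _principal_covers_role(stmt.get("Principal"), role_arn):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied
```

Running the check over an account's roles (e.g. the output of `aws iam list-roles`, whose `AssumeRolePolicyDocument` field is the trust policy) finds roles that assume themselves today but would lose that ability under the new behavior.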

AWS App Runner - 6 updated methods
Sep 23
AWS App Runner adds a Node.js 16 runtime.

Amazon Elastic Compute Cloud - 3 updated methods
Sep 23
Letting external AWS customers provide ImageId as a Launch Template override in FleetLaunchTemplateOverridesRequest.

Amazon Lightsail - 1 new, 88 updated methods
Sep 23
This release adds Instance Metadata Service (IMDS) support for Lightsail instances.

Amazon Lex Model Building V2 - 7 updated methods
Sep 23
This release introduces an additional optional parameter, promptAttemptsSpecification, on PromptSpecification, which lets users configure the interrupt setting and the audio, DTMF and text input configuration for the initial and retry prompts played by the bot.

Announcing an update to IAM role trust policy behavior
Mark Ryland · Sep 21
AWS Identity and Access Management (IAM) is changing an aspect of how role trust policy evaluation behaves when a role assumes itself. Previously, roles implicitly trusted themselves from a role trust policy perspective if they had identity-based permissions to assume themselves. After receiving and considering feedback from customers on this …

AWS achieves its second ISMAP authorization in Japan
Hidetoshi Takeuchi · Sep 20
Earning and maintaining customer trust is an ongoing commitment at Amazon Web Services (AWS). Our customers’ security requirements drive the scope and portfolio of the compliance reports, attestations, and certifications we pursue. We’re excited to announce that AWS has achieved authorization under the Information System Security Management and Assessment Program …

Sign Amazon SNS messages with SHA256 hashing for HTTP subscriptions
Daniel Caminhas · Sep 19
Amazon Simple Notification Service (Amazon SNS) now supports message signatures based on Secure Hash Algorithm 256 (SHA256) hashing. Amazon SNS signs the messages that are delivered from your Amazon SNS topic so that subscribed HTTP endpoints can verify the authenticity of the messages. In this blog post, we will show …

iotfleetwise: 5 new actions, 3 new conditions | 8 updated actions, 6 updated resources
Sep 24
5 new actions: GetLoggingOptions (Grants permission to get the logging options for the AWS account), ListTagsForResource (Grants permission to list tags for a resource), PutLoggingOptions (Grants permission to put the logging options for the AWS account), TagResource (Grants permission to add tags to a resource), UntagResource (Grants permission to remove …

ssm: 5 updated actions, 1 updated resource
Sep 24
5 updated actions: UpdateInstanceInformation (resources), AddTagsToResource (resources), CreateAssociation (conditions), ListTagsForResource (resources), RemoveTagsFromResource (resources); 1 updated resource: association (conditions)

comprehend: 2 new actions | 2 updated actions
Sep 23
2 new actions: BatchDetectTargetedSentiment (Grants permission to detect the sentiments associated with specific entities (such as brands or products) within the given list of text documents), DetectTargetedSentiment (Grants permission to detect the sentiments associated with specific entities (such as brands or products) in a document); 2 updated actions: TagResource (resources), …

Aidan W Steele @__steele

I regret to inform that I am extremely back on my bullshit.

I've been thinking about connectivity in unusual places. And I got to thinking: can I establish bidirectional connectivity over the Internet between two EC2 instances in private subnets without a third-party relay?

Sep 22 · 3:00 AM

Kinnaird McQuade 💻☁️💥 @kmcquade3

Are you serious Oracle? A cross tenant vulnerability in OCI where you could just specify the disk ID of another customer on compute boot & it would attach to yours? That’s fucking unreal

Congrats to Wiz on another great finding. But Jesus Christ that’s such a bad look for Oracle

Shir Tamari @shirtamari

Vulnerability full disclosure - New Oracle cloud vulnerability allowed users to access the virtual disks of other Oracle customers >>

Sep 20 · 4:40 PM

Clint Gibler @clintgibler

🌩️ PenTesting.Cloud

Free cloud-focused security challenges

* Bypassing IMDSv2 meta-data controls
* S3 buckets
* Leaky CloudFormation templates

#Pentesting

pentesting.cloud

Sep 20 · 9:00 PM

Scott Piper @0xdabbad00

BGP hijack of AWS IPs on August 17 to steal cryptocurrency.
AFAIK this is the 3rd BGP hijack against AWS to steal cryptocurrency.
- 2014 secureworks.com/research/bgp-h…
- 2018 arstechnica.com/information-te…

Info on AWS's work to stop BGP hijacks from 2021: aws.amazon.com/blogs/networki…

Doug Madory @DougMadory

Must-read report from @coinbase that explains what last month's BGP hijack against Amazon was all about: a front-end hijack attack against Celer Bridge resulting in 32 victims and $235k in crypto losses.

And @kentikinc's view of the hijack route:
twitter.com/DougMadory/sta…

Sep 24 · 3:10 PM

Aidan W Steele @__steele

Here's the GitHub link, but I swear to god if anyone deploys this to production I'm going to cry - and then buy you all the drinks in the world at re:invent.

github.com/aidansteele/ma…

Sep 22 · 3:00 AM

Colm MacCárthaigh @colmmacc

Even Republican Senator Mike Lee calls this what it is ... racism. What Indian and Chinese immigrants have to deal with is especially insane. We badly need a more functioning immigration system in the US.

Deedy @debarghya_das

1/9 Indians in the US on a work visa can't go home. There are NO appointments.

The now ~200k H-1B Telegram group is growing by 13,000 per month.

Even with ~$40m in fees, the 5 VACs process ~10,000 a month. The next availability is ~2024!

Here are 6 stories from hurting families:

Sep 24 · 11:08 AM

Scott Piper @0xdabbad00

Lazy twitter, someone please put together a list of thematic breach lists (a list of lists). Examples:
- magoo.github.io/Blockchain-Gra…: cryptocurrency hacks
- cloudvulndb.org: Cloud provider security incidents
- github.com/ramimac/aws-cu…: AWS customer security incidents

Sep 19 · 6:12 PM

Victor Grenu 🏴‍☠️ @zoph

🆕 AWS Security Survival Kit: Bare minimum AWS Security Alerting on:

1. Root User activities
2. CloudTrail changes
3. AWS Personal Health Events
4. IAM Users changes
5. MFA updates
6. Unauthorized Operations
7. Failed AWS Console login authentication

👉🏻 github.com/zoph-io/aws-se…

Sep 20 · 5:00 PM

Victor Grenu 🏴‍☠️ @zoph

Have you ever wondered what recent AccessDenieds were on your AWS account?

This dead simple CloudWatch Insights query will answer it for you, and you will be surprised.

Copy/PasteOps, see you next tweet 👋

Sep 21 · 5:00 PM

Nick Frichette @Frichette_n

A lot of cool cloud security research is coming out today! I’m excited to share what we’ve been working on soon :>

Sep 20 · 5:13 PM