SRE Weekly Issue #347
[tl;dr sec] #158 - Open Security Jobs, Career Advice
AWS IoT - 1 new 7 updated methods
AWS License Manager - 2 new methods
AWS Marketplace Catalog Service - 3 new 1 updated methods
Amazon Rekognition - 2 updated methods
Detect and block advanced bot traffic
AWS Security Profile: Param Sharma, Principal Software Engineer
How to evaluate and use ECDSA certificates in AWS Certificate Manager
config: 3 new actions | 25 updated actions, 3 updated resources
backup-storage: 14 new actions
geo: 1 new action, 2 new conditions | 9 updated actions, 2 updated resources
Introducing Amazon EventBridge Scheduler | Amazon Web Services
Update detected · z0ph/MAMIP@e15adad
aws.permissions.cloud
Amazon Time Sync is now available over the internet as a public NTP service (time.aws.com)
The new AWS region in Switzerland is now open
AWS Launches New Cloud Region in Switzerland, Unveils 15-Year $5.9B Investment
The World's Best Amazon AWS-Security-S Dumps PDF [2022] - NewzHook
Veza debuts Authorization Platform for Data in AWS Marketplace and achieves AWS Security Competency as it joins the AWS Partner Network - Business Wire


Monday, November 14, 2022

Sponsor

New Blog! 5 Advantages of Securing Cloud Infrastructure with Teleport and AWS Identity Federation

This time, learn about the advantages of easily controlling who can provision and access your critical AWS resources:

  1. Fine-grained control of each AWS service
  2. Consistent experience in using AWS Console and CLI
  3. Simplified role-based access control
  4. JIT elevated privileges
  5. Insights through AWS CloudTrail and Teleport Audit

Read Now

In a nutshell

re:Invent 2022 is just a few days away, and there is already a lot of movement in November's pre:Invent. Together with many contributors, I will keep this one-pager updated with all relevant new and updated AWS services. Stay connected, folks.

AWS IoT - 1 new 7 updated methods
Nov 11
This release adds the new API ListRelatedResourcesForAuditFinding and the new member type IssuerCertificates for AWS IoT Device Defender Audit.
AWS License Manager - 2 new methods
Nov 11
AWS License Manager now supports onboarded Management Accounts or Delegated Admins to view granted licenses aggregated from all accounts in the organization.
AWS Marketplace Catalog Service - 3 new 1 updated methods
Nov 11
Added three new APIs to support tagging and tag-based authorization: TagResource, UntagResource, and ListTagsForResource. Added optional parameters to the StartChangeSet API to support tagging a resource while making a request to create it.
Amazon Rekognition - 2 updated methods
Nov 11
Adds support for the ImageProperties feature to detect dominant colors and image brightness, sharpness, and contrast; inclusion and exclusion filters for labels and label categories; and two new fields in the API response, "aliases" and "categories".
Detect and block advanced bot traffic
Etienne Munnich · Nov 10
Automated scripts, known as bots, can generate significant volumes of traffic to your mobile applications, websites, and APIs. Targeted bots take this a step further by targeting website content, such as product availability or pricing. Traffic from targeted bots can result in a poor user experience by competing against legitimate …
AWS Security Profile: Param Sharma, Principal Software Engineer
Maddie Bacon · Nov 8
In the weeks leading up to AWS re:Invent 2022, I’m interviewing some of the humans who work in AWS Security, help keep our customers safe and secure, and also happen to be speaking at re:Invent. This interview is with Param Sharma, principal software engineer for AWS Private Certificate Authority (AWS …
How to evaluate and use ECDSA certificates in AWS Certificate Manager
Zachary Miller · Nov 8
AWS Certificate Manager (ACM) is a managed service that enables you to provision, manage, and deploy public and private SSL/TLS certificates that you can use to securely encrypt network traffic. You can now use ACM to request Elliptic Curve Digital Signature Algorithm (ECDSA) certificates and associate the certificates with AWS …
config: 3 new actions | 25 updated actions, 3 updated resources
Nov 12
3 new actions: GetCustomRulePolicy (Grants permission to return the policy definition containing the logic for your AWS Config Custom Policy rule), GetOrganizationCustomRulePolicy (Grants permission to return the policy definition containing the logic for your organization AWS Config Custom Policy rule), ListConformancePackComplianceScores (Grants permission to return the percentage of compliant rule-resource …
backup-storage: 14 new actions
Nov 12
14 new actions: CommitBackupJob (Grants permission to commit backup job), DeleteObjects (Grants permission to delete objects), DescribeBackupJob (Grants permission to describe backup job), GetBaseBackup (Grants permission to get base backup), GetChunk (Grants permission to get data from a recovery point for a restore job), GetIncrementalBaseBackup (Grants permission to get incremental …
geo: 1 new action, 2 new conditions | 9 updated actions, 2 updated resources
Nov 12
1 new action: GetPlace (Grants permission to find a place by its unique ID); 2 new conditions: geo:DeviceIds (Filters access by the presence of device ids in the request), geo:GeofenceIds (Filters access by the presence of geofence ids in the request); 9 updated actions: BatchDeleteDevicePositionHistory (conditions), BatchDeleteGeofence (conditions), BatchGetDevicePosition (conditions), …
Clint Gibler @clintgibler

🗒️ A Dive Into Web Application Authentication

@jameschiapet discusses:
* The difference between authentication and authorization
* Why we need MFA
* How "sign in with" works
* SSO
* Passwordless authentication
* API authentication
* Deep links

betterappsec.com/a-medium-dive-…

Nov 08 · 7:00 PM
Aidan W Steele @__steele

A while ago I tweeted about how secrets could be populated as env vars in Lambda. @theburningmonk said it would be preferable if secrets were available via the function handler context. So I built a proof-of-concept of that. Try to guess how it works!

github.com/aidansteele/se…

Aidan W Steele @__steele

The recent launch from AWS of a new way to access secrets from Lambda got me thinking.

Specifically thinking "I should stop complaining every six months on Twitter and demonstrate how I think it should work". So here's a blog and GitHub repo.

awsteele.com/blog/2022/10/1…

Nov 13 · 3:35 AM
Colm MacCárthaigh @colmmacc

I do look at lines of code and number of commits by engineer. Mostly to see if they might need a break from organizational wrangling and find some space to code again and if I can help with that. It's always a good reminder for me to code more too.

Nov 07 · 7:30 PM
Abby Fuller @abbyfuller

Make it free you cowards.

Eli Lilly and Company @LillyPad

We apologize to those who have been served a misleading message from a fake Lilly account. Our official Twitter account is @LillyPad.

Nov 11 · 8:13 PM
Abby Fuller @abbyfuller

guys get it together twitter.com/TwitterSupport…

Twitter Support @TwitterSupport

We’re not currently putting an “Official” label on accounts but we are aggressively going after impersonation and deception.

Nov 11 · 5:17 AM
Scott Piper @0xdabbad00

I've just booked a trip to re:Invent... and discovered nearly all sessions are full. 😭 I'm going to be wandering around. My DMs are open if anyone wants to meet up!

Nov 08 · 6:01 PM
Colm MacCárthaigh @colmmacc

Still waiting for the Senate results from D.C., Puerto Rico, and Guam.

Nov 09 · 3:08 PM
Kinnaird McQuade 💻☁️💥 @kmcquade3

I empathize with software vendors using the SSO Tax - Single-Sign-On costs money to implement, it ain't free, & it drives sales

But it's fucking ridiculous to expect companies to pay $600 PER USER/month just to get SAML. That's a real quote from a vendor

Looking at you, @vercel

Nov 08 · 8:03 PM
rowan @elrowan

Just your semi-regular reminder that if you work with AWS IAM, you should be taking advantage of @iann0036's permissions.cloud reference for a clear, user-friendly way to navigate the different service API methods and actions

Nov 11 · 1:02 AM