SRE Weekly Issue #348 • [tl;dr sec] #159 - Twitter vs Mastodon, GitHub Attack Trees • AWS Amplify - 5 updated methods • Amazon Appflow - 4 updated methods • AWS AppSync - 1 new 10 updated methods • AWS Database Migration Service - 9 updated methods • Considerations for security operations in the cloud • AWS Security Profile: Jonathan “Koz” Kozolchyk, GM of Certificate Services • AWS Security Profile: Reef D’Souza, Principal Solutions Architect • Fall 2022 SOC reports now available with 154 services in scope


Monday, November 21, 2022

In a nutshell

This week, two AWS Managed Policies were deprecated: AWSCodePipelineFullAccess and ReadOnlyAccess. If you want to follow MAMIP Bot, there is a new option with the Mastodon Account, similar to the Twitter version but without the boring Elon...

AWS Amplify - 5 updated methods
Nov 17
Adds a new value (WEB_COMPUTE) to the Platform enum that allows customers to create Amplify Apps with Server-Side Rendering support.
Amazon Appflow - 4 updated methods
Nov 17
AppFlow simplifies the preparation and cataloging of SaaS data into the AWS Glue Data Catalog where your data can be discovered and accessed by AWS analytics and ML services. AppFlow now also supports data field partitioning and file size optimization to improve query performance and reduce cost.
AWS AppSync - 1 new, 10 updated methods
Nov 17
This release introduces the APPSYNC_JS runtime, and adds support for JavaScript in AppSync functions and AppSync pipeline resolvers.
AWS Database Migration Service - 9 updated methods
Nov 17
Adds support for Internet Protocol Version 6 (IPv6) on DMS Replication Instances.
Considerations for security operations in the cloud
Stuart Gregg · Nov 18
Cybersecurity teams are often made up of different functions. Typically, these can include Governance, Risk & Compliance (GRC), Security Architecture, Assurance, and Security Operations, to name a few. Each function has its own specific tasks, but works towards a common goal—to partner with the rest of the business and help …
AWS Security Profile: Jonathan “Koz” Kozolchyk, GM of Certificate Services
Roger Park · Nov 18
In the AWS Security Profile series, we interview AWS thought leaders who help keep our customers safe and secure. This interview features Jonathan “Koz” Kozolchyk, GM of Certificate Services, PKI Systems. Koz shares his insights on the current certificate landscape, his career at Amazon and within the security space, what …
AWS Security Profile: Reef D’Souza, Principal Solutions Architect
Maddie Bacon · Nov 17
In the weeks leading up to AWS re:Invent 2022, I’ll share conversations I’ve had with some of the humans who work in AWS Security who will be presenting at the conference, and get a sneak peek at their work and sessions. In this profile, I interviewed Reef D’Souza, Principal Solutions …
Fall 2022 SOC reports now available with 154 services in scope
Andrew Najjar · Nov 17
At Amazon Web Services (AWS), we’re committed to providing customers with continued assurance over the security, availability, and confidentiality of the AWS control environment. We’re proud to deliver the Fall 2022 System and Organizational Controls (SOC) 1, 2, and 3 reports, which cover April 1–September 30, 2022, to support our …
elasticache: 1 new action, 1 new condition | 2 updated actions, 1 updated resource
Nov 19
1 new action: Connect (Allows an IAM user or role to connect as a specified ElastiCache user to a node in a replication group); 1 new condition: elasticache:UserAuthenticationMode (Filters access by the UserAuthenticationMode parameter in the request); 2 updated actions: CreateUser (conditions), ModifyUser (conditions); 1 updated resource: user (conditions)
iotroborunner: 1 updated resource
Nov 19
1 updated resource: DestinationResource (arn)
iottwinmaker: 3 new actions | 1 updated condition
Nov 19
3 new actions: ExecuteQuery (Grants permission to execute query), GetPricingPlan (Grants permission to get pricing plan), UpdatePricingPlan (Grants permission to update pricing plan); 1 updated condition: aws:TagKeys (type)
Colm MacCárthaigh @colmmacc

A new AWS whitepaper covering Nitro -
"The Security Design of the AWS Nitro System". Super interesting deep dive into virtualization and the AWS approach to security.

HTML: docs.aws.amazon.com/whitepapers/la…
PDF: docs.aws.amazon.com/pdfs/whitepape…

133 · Nov 18 · 4:50 PM
Colm MacCárthaigh @colmmacc

+1 to this. I have several times thrown well-meaning but nevertheless interrupting high-ranking executives off of incident calls. Got positive credit for this in promotions! At AWS, we give executives their own call focused on customer communication and I love the separation.

Yvonne Lam @yvonnezlam

CEOs, hell. I have neither forgiven nor forgotten some of the non-contributing managers/ICs in the room during incidents.

24 · Nov 19 · 6:44 PM
Abby Fuller @abbyfuller

I’m sorry but I don’t want to talk to people enough to put the work into mastodon

10 · Nov 19 · 3:44 AM
Brigid Johnson @bjohnso5y

🗝️ 🗝️ Multiple MFAs for root account is here! One of our top customer asks 🥳 🔐

AWS Identity @AWSIdentity

Configuring MFA is an important step in strengthening your security posture. Starting today, you can add multiple MFA devices to the AWS root account and IAM users 🔑 #EnableMFA go.aws/3hPLf4v

29 · Nov 17 · 1:19 AM
Christophe Tafani-Dereeper @christophetd

Just released a new tool: GuardDog, which identifies malicious PyPI packages using Semgrep and package metadata analysis

securitylabs.datadoghq.com/articles/guard…

github.com/datadog/guardd…

Bonus: a corpus of 140+ actual malicious packages we found in the wild

github.com/DataDog/securi…

42 · Nov 15 · 4:57 PM
Clint Gibler @clintgibler

🔎 s3crets_scanner

A tool to find secrets in public S3 buckets

1. Lists public buckets in an account
2. Lists textual or sensitive files (e.g. `.p12`, `.pgp`, etc.)
3. Downloads and scans files using truffleHog3

github.com/Eilonh/s3crets…

35 · Nov 18 · 5:00 PM
Victor Grenu @zoph

I've just been fired from @Twitter after telling @elonmusk why AWS IAM Users are still relevant nowadays. 🫡

1 · Nov 16 · 4:54 PM
Ian Mckay @iann0036

Clearly the best pre:Invent announcement. Also a candidate for best of the year, period. 🎉

AWS Identity @AWSIdentity

Configuring MFA is an important step in strengthening your security posture. Starting today, you can add multiple MFA devices to the AWS root account and IAM users 🔑 #EnableMFA go.aws/3hPLf4v

2 · Nov 17 · 1:16 AM
Brad Geesaman @bradgeesaman

All he had to do as CEO was “literally nothing”, and we’d all have had a better outcome here. I think most could safely say “I could do that!” and be absolutely correct.

4 · Nov 16 · 3:00 PM
Clint Gibler @clintgibler

🗡️ SLSA dip — At the Source of the problem!

Red & blue team strategies for attacking GitHub

Attack trees for three malicious goals:
* Submit malicious source code
* Delete source
* Push a release tag pointing to a vulnerable commit

By @francoisproulx

medium.com/boostsecurity/…

8 · Nov 17 · 12:15 AM