SRE Weekly Issue #349


Monday, 28 November 2022

In a nutshell

re:Invent 2022 is starting today! I hope our wish list will be granted.

ERRATUM: last week I told you that "AWSCodePipelineFullAccess and ReadOnlyAccess" were deprecated. Sorry for that misleading information. I meant to say that AWSCodePipelineReadOnlyAccess was deprecated.

Amazon Managed Grafana - 2 new 6 updated methods
Nov 23
This release includes support for configuring a Grafana workspace to connect to a datasource within a VPC as well as new APIs for configuring Grafana settings.
Amazon Recycle Bin - 2 new 4 updated methods
Nov 23
This release adds support for Rule Lock for Recycle Bin, which allows you to lock retention rules so that they can no longer be modified or deleted.
Amazon Appflow - 3 updated methods
Nov 22
Adding support for Amazon AppFlow to transfer data to Amazon Redshift databases through the Amazon Redshift Data API service. This feature will support the Redshift destination connector on both publicly and privately accessible Amazon Redshift clusters and Amazon Redshift Serverless.
Amazon Kinesis Analytics - 6 updated methods
Nov 22
Support for Apache Flink 1.15 in Kinesis Data Analytics.
Reported AWS AppSync Issue
aws@amazon.com · Nov 21

Initial Publication Date: 2022/11/21 10:00AM EST

A security researcher recently disclosed a case-sensitivity parsing issue within AWS AppSync, which could potentially be used to bypass the service’s cross-account role usage validations and take action as the service across customer accounts.

No customers were affected by this issue, and no customer …

AWS Digital Sovereignty Pledge: Control without compromise
Matt Garman · Nov 27
French | German | Italian | Japanese | Korean We’ve always believed that for the cloud to realize its full potential it would be essential that customers have control over their data. Giving customers this sovereignty has been a priority for AWS since the very beginning when we were the …
2022 Canadian Centre for Cyber Security Assessment Summary report available with 12 additional services
Naranjan Goklani · Nov 23
We are pleased to announce the availability of the 2022 Canadian Centre for Cyber Security (CCCS) assessment summary report for Amazon Web Services (AWS). This assessment will bring the total to 132 AWS services and features assessed in the Canada (Central) AWS Region, including 12 additional AWS services. A copy of the summary …
Establishing a data perimeter on AWS: Allow only trusted identities to access company data
Tatyana Yatskevich · Nov 23
As described in an earlier blog post, Establishing a data perimeter on AWS, Amazon Web Services (AWS) offers a set of capabilities you can use to implement a data perimeter to help prevent unintended access. One type of unintended access that companies want to prevent is access to corporate data …
AWS Security Profile: Sarah Currey, Delivery Practice Manager
Maddie Bacon · Nov 22
In the weeks leading up to AWS re:invent 2022, I’ll share conversations I’ve had with some of the humans who work in AWS Security who will be presenting at the conference, and get a sneak peek at their work and sessions. In this profile, I interviewed Sarah Currey, Delivery Practice …
quicksight: 3 new actions, 1 new resource | 1 updated action
Nov 22
3 new actions: DeleteAccountSubscription (Grants permission to delete a QuickSight account), SearchDataSets (Grants permission to search for a sub-set of QuickSight DataSets), SearchDataSources (Grants permission to search for a sub-set of QuickSight Data Sources); 1 new resource: topic; 1 updated action: GenerateEmbedUrlForAnonymousUser (resources)
connect: 1 new action, 1 new condition
Nov 22
1 new action: MonitorContact (Grants permission to monitor an ongoing contact); 1 new condition: connect:MonitorCapabilities (Filters access by restricting the monitor capabilities of the user in the request)
appflow: 1 new action | 1 updated action
Nov 22
1 new action: UpdateConnectorRegistration (Grants permission to update a registered connector configured in Amazon AppFlow); 1 updated action: DescribeFlow (resources)
Aidan W Steele @__steele

👀 Look at what has popped up in the CloudWatch Logs web console

44 · Nov 27 · 11:16 PM
Ian Mckay @iann0036

GitHub auto-closing bots are incredibly frustrating 😠

25 · Nov 25 · 2:08 AM
Colm MacCárthaigh @colmmacc

Just before every AWS re:Invent I get this feeling of awe deep in my stomach at the sheer number of customers and partners that take the time to come along. It's a humbling glimpse at how many people are impacted by the decisions and designs we make.

26 · Nov 27 · 4:37 PM
Christophe Tafani-Dereeper @christophetd

Want to see what a real world backdoor looks like? We identified and analyzed a backdoored PyPI package targeting FastAPI applications

securitylabs.datadoghq.com/articles/malic…

Sample: github.com/DataDog/securi…

55 · Nov 23 · 10:22 PM
Aidan W Steele @__steele

Ultra hot take: AWS EFS is becoming *too good* and people are going to build new apps that rely on it instead of something like S3.

aws.amazon.com/blogs/aws/new-…

12 · Nov 28 · 6:07 AM
Colm MacCárthaigh @colmmacc

It's pretty bonkers and very rare to get to work on systems of this scale and use; where most lines of code we write will be executed trillions of times in service of real people's goals. I hope every AWS engineer appreciates it!

5 · Nov 27 · 4:37 PM
Abby Fuller @abbyfuller

Reinvent time once again! I'll be wandering around during the week, and talking about log4j on Friday. If you see me, say hi!

1 · Nov 27 · 1:14 AM
Nick Frichette - @frichetten@fosstodon.org @Frichette_n

I wrote a short post on abusing misconfigured resource-based policies of AWS ECR private registries. They (hopefully) come up rarely, but it can be tricky to remember the syntax to authenticate with them. This step-by-step guide makes it easy :) hackingthe.cloud/aws/exploitati…

24 · Nov 27 · 3:09 AM
Christophe Tafani-Dereeper @christophetd

I love how companies getting breached through an open S3 bucket tend to say "We don't have evidence the data has been accessed".

Of course you don't. If you have public buckets, you most likely didn't enable S3 data events either...

google.com/search?client=…

9 · Nov 24 · 5:03 PM