SRE Weekly Issue #350 • [tl;dr sec] #160 - Application Security Foundations, Machine Learning Uses • Firewall Management Service - 4 updated methods • AWS Elemental MediaConvert - 11 updated methods • Amazon Polly - 7 updated methods • Redshift Serverless - 3 new 9 updated methods • How to use Amazon Macie to preview sensitive data in S3 buckets • Use Amazon Macie for automatic, continual, and cost-effective discovery of sensitive data in S3 • Get the best out of Amazon Verified Permissions by using fine-grained authorization methods • Deploy AWS Organizations resources by using CloudFormation


Monday 5 December, 2022

Sponsor

Automate compliance with Drata—G2’s highest-rated cloud compliance software.

As an AWS partner, Drata provides continuous control monitoring and evidence collection across your company’s AWS footprint for 14+ frameworks including SOC 2, ISO 27001, and even custom frameworks.

Drata will discover and import your AWS virtual assets to simplify the collection and categorization process, and eliminate manual processes. With an enhanced vulnerability scanning connection for AWS Inspector and a risk management tool, you'll know where you stand at all times. Request a demo today!

In a nutshell

Now that re:Infect is over, we can say that many of the services announced this year are in preview: 24 services, up from only 12 in preview in 2021. This is probably a consequence of Covid on product teams during the past year, or of a lack of confidence in the maturity of the products (IaC support, API coverage, etc.).

Firewall Management Service - 4 updated methods
Dec 2
AWS Firewall Manager now supports Fortigate Cloud Native Firewall as a Service as a third-party policy type.
AWS Elemental MediaConvert - 11 updated methods
Dec 2
The AWS Elemental MediaConvert SDK has added support for configurable ID3 eMSG box attributes and the ability to signal them with InbandEventStream tags in DASH and CMAF outputs.
Amazon Polly - 7 updated methods
Dec 2
Add language code for Finnish (fi-FI)
Redshift Serverless - 3 new, 9 updated methods
Dec 2
Add Table Level Restore operations for Amazon Redshift Serverless. Add multi-port support for Amazon Redshift Serverless endpoints. Add Tagging support to Snapshots and Recovery Points in Amazon Redshift Serverless.

Sponsor

Write secure code and catch vulnerabilities at every step of the software development lifecycle.

Codiga is a static code analyzer that works in your favorite IDE, with your Git hooks and is integrated with your code repository on GitHub, GitLab and Bitbucket.

Codiga not only catches coding errors but suggests fixes directly in your IDE. The Codiga engine already has 2,000 rules, and you can write custom code analysis rules for your team.

Trusted by more than 20,000 users and 2,000 organizations, merge with confidence with Codiga.

Get Codiga

How to use Amazon Macie to preview sensitive data in S3 buckets
Koulick Ghosh · Dec 1
Security teams use Amazon Macie to discover and protect sensitive data, such as names, payment card data, and AWS credentials, in Amazon Simple Storage Service (Amazon S3). When Macie discovers sensitive data, these teams will want to see examples of the actual sensitive data found. Reviewing a sampling of the …
Use Amazon Macie for automatic, continual, and cost-effective discovery of sensitive data in S3
Jonathan Nguyen · Nov 29
Customers have an increasing need to collect, store, and process data within their AWS environments for application modernization, reporting, and predictive analytics. The AWS Well-Architected security pillar, general data privacy, and compliance regulations require that you appropriately identify and secure sensitive information. Knowing where your data is allows you to implement …
Get the best out of Amazon Verified Permissions by using fine-grained authorization methods
Jeff Lombardo · Nov 29
With the release of Amazon Verified Permissions, developers of custom applications can implement access control logic based on caller and resource information; group membership, hierarchy, and relationship; and session context, such as device posture, location, time, or method of authentication. With Amazon Verified Permissions, you can focus on building simple …
Deploy AWS Organizations resources by using CloudFormation
Matt Luttrell · Nov 29
AWS recently announced that AWS Organizations now supports AWS CloudFormation. This feature allows you to create and update AWS accounts, organizational units (OUs), and policies within your organization by using CloudFormation templates. With this latest integration, you can efficiently codify and automate the deployment of your resources in AWS Organizations. You can …
vpc-lattice-svcs: 1 new action, 1 new resource, 8 new conditions
Dec 3
1 new action: Invoke (Grants permission to invoke a VPC Lattice service); 1 new resource: Service; 8 new conditions: vpc-lattice-svcs:Port (Filters access by the destination port the request is made to), vpc-lattice-svcs:RequestHeader/${HeaderName} (Filters access by a header name-value pair in the request headers), vpc-lattice-svcs:RequestMethod (Filters access by the method of …
drs: 3 new actions | 2 updated actions
Dec 3
3 new actions: ReverseReplication (Grants permission to reverse replication), StartReplication (Grants permission to start replication), StopReplication (Grants permission to stop replication); 2 updated actions: DescribeRecoveryInstances (dependents), TerminateRecoveryInstances (dependents)
glue: 22 new actions, 1 new resource | 2 updated actions
Dec 3
22 new actions: CancelDataQualityRuleRecommendationRun (Grants permission to stop a running Data Quality rule recommendation run), CancelDataQualityRulesetEvaluationRun (Grants permission to stop a running Data Quality ruleset evaluation run), CreateDataQualityRuleset (Grants permission to create a Data Quality ruleset), DeleteDataQualityRuleset (Grants permission to delete a Data Quality ruleset), DeregisterDataPreview (Grants permission to terminate …
Ian Mckay @iann0036

I'm back home from #AWS #reInvent which means it's time to go through my top 10 favourite / most impactful announcements, in order. Let's begin!

85 · Dec 04 · 9:14 AM
Abby Fuller @abbyfuller

if you're still at @AWSreInvent tomorrow, i'll be speaking at 10am about how @awscloud handled log4shell (BOA204) 👀

historically, we haven't shared much detail about our internal security processes, and i'm super excited to open the curtains a bit on our log4shell response.

43 · Dec 01 · 7:07 PM
Colm MacCárthaigh @colmmacc

Almost time for @abbyfuller’s talk about how Amazon responded to Log4Shell! Follow this live thread if you’re not here in person.

(quoting Abby Fuller @abbyfuller's tweet above)

18 · Dec 02 · 6:57 PM
Colm MacCárthaigh @colmmacc

It's only Tuesday and we've already launched Lambda SnapStart, AWS Wickr, Verified Permissions and the Cedar Policy Language for applications, Nitro Enclaves for EKS and Kubernetes, multiple MFA and MFA root account support, and the AWS Digital Sovereignty Pledge. #AWSSecurity twitter.com/i/web/status/1…

13 · Nov 29 · 4:03 PM
Scott Piper @0xdabbad00

I’d forgotten to mention it on Twitter, but I started working for Wiz recently. I’m at re:Invent and can be found at our booth if you want to say hi.

2 · Nov 29 · 6:37 PM
Steven Bryen @steven_bryen

I won't be at reInvent anymore. I flew to Vegas Sunday & landed to news that my mum had passed very unexpectedly

Thanks to the amazing @VirginAtlantic team for getting me home ASAP & taking care of me ❤️

She really was one in a million ⭐️ Looking after Dad now. We’ve got this💪

0 · Nov 29 · 5:28 PM
Scott Piper @0xdabbad00

It's awesome to see how fast AWS is getting the re:Invent videos up on youtube. Here's AWS's Security, Compliance, and Identity playlist so far. Thank you AWS for being so quick with this! In total there's been 275+ videos from this week uploaded so far! youtube.com/watch?v=uFrj0j…

25 · Dec 02 · 6:18 PM
Ian Mckay @iann0036

#1. VPC Lattice. This thing is amazing 😍 Imagine exposing your HTTP(S)/gRPC services like PrivateLink, but instead of an ENI it's a link-local address right in your compute - just like how the metadata service works. Features include IAM auth, cross-account, advanced routing.

10 · Dec 04 · 9:24 AM
Clint Gibler @clintgibler

📉 A Security Tools Crash Is Coming

1. Security teams want fewer tools
2. More vendors than the market can support
3. Venture market has changed. Many startups will run out of $ in 2023
4. Security budgets frozen due to economic climate

By @crashappsec

blog.crashoverride.com/a-security-too…

18 · Nov 28 · 7:00 PM
Christophe Tafani-Dereeper @christophetd

This summer at the Cloud Village I released an open-source project to facilitate end-to-end testing of threat detection rules: Threatest

github.com/DataDog/threat…

It currently supports Datadog, but I'd love to see contributions for other platforms. Hit me up if interested!

24 · Nov 30 · 2:10 PM
Attended AWS reinvent and returned with Covid

How many of you returned home Covid positive after attending reinvent at Las Vegas? I protected myself with a mask but somehow the virus made it to me. Hope the rest of you are all feeling ok, as I noticed the crowds are equal to or bigger than 2019 and …

What are the best tech talks from re:Invent 2022?

Barring the leadership sessions, partner experiences, etc.; what, according to you, are the best (technically dense) tech talks from AWS re:Invent 2022?

A closer look at AWS Lambda

Deep dive into AWS Nitro System

Suggestions from other participants

A day in the life of a billion requests

Peter Desantis keynote …