SRE Weekly Issue #351 • [tl;dr sec] #161 - ChatGPT, Scaling Vulnerability Management in Microservices • Auto Scaling - 3 new 4 updated methods • AWS IoT TwinMaker - 5 new 8 updated methods • Migration Hub Strategy Recommendations - 1 new 14 updated methods • AWS Cost Explorer Service - 1 updated method • AWS achieves GNS Portugal certification for classified information • Approaches for authenticating external applications in a machine-to-machine scenario • How to secure your SaaS tenant data in DynamoDB with ABAC and client-side encryption • Renewal of AWS CyberGRX assessment to enhance customers’ third-party due diligence process


Monday 12 December, 2022

Sponsor

Automate compliance with Drata—G2’s highest-rated cloud compliance software.

As an AWS partner, Drata provides continuous control monitoring and evidence collection across your company’s AWS footprint for 14+ frameworks including SOC 2, ISO 27001, and even custom frameworks.

Drata will discover and import your AWS virtual assets to simplify the collection and categorization process, and eliminate manual processes. With an enhanced vulnerability scanning connection for AWS Inspector and a risk management tool, you'll know where you stand at all times. Request a demo today!

Auto Scaling - 3 new 4 updated methods
Dec 8
Adds support for metric math for target tracking scaling policies, saving you the cost and effort of publishing a custom metric to CloudWatch. Also adds support for VPC Lattice by adding the Attach/Detach/DescribeTrafficSources APIs and a new health check type to the CreateAutoScalingGroup API.
AWS IoT TwinMaker - 5 new 8 updated methods
Dec 8
This release adds the following new features: 1) New APIs for managing a continuous sync of assets and asset models from AWS IoT SiteWise. 2) Support user friendly names for component types (ComponentTypeName) and properties (DisplayName).
Migration Hub Strategy Recommendations - 1 new 14 updated methods
Dec 8
This release adds known application filtering, server selection for assessments, support for potential recommendations, and indications for configuration and assessment status. For more information, see the AWS Migration Hub documentation at https://docs.aws.amazon.com/migrationhub/index.html
AWS Cost Explorer Service - 1 updated method
Dec 7
This release adds the LinkedAccountName field to the GetAnomalies API response under RootCause.
AWS achieves GNS Portugal certification for classified information
Rodrigo Fiuza, Dec 9
We continue to expand the scope of our assurance programs at Amazon Web Services (AWS), and we are pleased to announce that our Regions and AWS Edge locations in Europe are now certified by the Portuguese GNS/NSO (National Security Office) at the National Restricted level. This certification demonstrates our ongoing …
Approaches for authenticating external applications in a machine-to-machine scenario
Patrick Sard, Dec 8
December 8, 2022: This post has been updated to reflect changes to the M2M options with the new IAM Roles Anywhere (IAMRA) service. This blog post was first published November 19, 2013. August 10, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS …
How to secure your SaaS tenant data in DynamoDB with ABAC and client-side encryption
Jani Muuriaisniemi, Dec 7
If you’re a SaaS vendor, you may need to store and process personal and sensitive data for large numbers of customers across different geographies. When processing sensitive data at scale, you have an increased responsibility to secure this data end-to-end. Client-side encryption of data, such as your customers’ contact information, …
Renewal of AWS CyberGRX assessment to enhance customers’ third-party due diligence process
Naranjan Goklani, Dec 5
Amazon Web Services (AWS) is pleased to announce renewal of the AWS CyberGRX cyber risk assessment report. This third-party validated report helps customers perform effective cloud supplier due diligence on AWS and enhances their third-party risk management process. With the increase in adoption of cloud products and services across multiple sectors and industries, AWS has …
iottwinmaker: 5 new actions, 1 new resource | 3 updated actions
Dec 10
5 new actions: CreateSyncJob (Grants permission to create a sync job), DeleteSyncJob (Grants permission to delete a sync job), GetSyncJob (Grants permission to get a sync job), ListSyncJobs (Grants permission to list all sync jobs in a workspace), ListSyncResources (Grants permission to list all sync resources for a sync job); …
fsx: 1 updated action
Dec 9
1 updated action: DeleteVolume (dependents)
amplifyuibuilder: 6 new actions, 1 new resource, 5 new conditions | 2 updated resources, 13 updated actions, 3 updated conditions | 2 removed actions
Dec 7
6 new actions: CreateForm (Grants permission to create a form), ExportForms (Grants permission to export forms), GetMetadata (Grants permission to get an existing metadata), PutMetadataFlag (Grants permission to put an existing metadata), ResetMetadataFlag (Grants permission to reset an existing metadata), UpdateForm (Grants permission to update a form); 1 new resource: …
Colm MacCárthaigh @colmmacc

No better day than today to watch @abbyfuller's great talk about how Amazon responded to log4shell. Super interesting breakdowns of the timelines and processes involved.
youtube.com/watch?v=pkPkm7…

30 · Dec 09 · 8:55 PM
Clint Gibler @clintgibler

🤖 ChatGPT Chrome Extension

A Chrome extension to show ChatGPT response in Google search results

github.com/wong2/chat-gpt…

36 · Dec 05 · 7:00 PM
Clint Gibler @clintgibler

☠️ New GitHub Actions Attack: Artifact Poisoning

If you're using a "download-artifact" custom action, you might be vulnerable

Why?

The download artifacts API (& wrapping actions) doesn’t differentiate between artifacts uploaded by forked vs base repos

legitsecurity.com/blog/artifact-…

51 · Dec 05 · 5:00 PM
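The tweet above describes the root cause: a name-based artifact lookup does not care which run, or which repository, produced the artifact, so a fork's run can upload an artifact with the expected name and have it picked up by a privileged workflow. The following is an added example (not code from the tweet or the linked post) that contrasts a name-only selection with one pinned to the triggering run and to the base repository. The dictionary shape follows the `workflow_run` sub-object returned by GitHub's REST "list artifacts for a repository" endpoint (`id`, `repository_id`, `head_repository_id`); the listing, repository ids and run ids are constructed for the example, and the "newest wins" behaviour of the weak selector is an assumption used to model a name-based download action.

```python
"""Guard against artifact poisoning when a privileged workflow downloads an artifact.

Added example; field names follow GitHub's REST list-artifacts response
(artifacts[].name / expired / workflow_run.{id, repository_id, head_repository_id}).
The listing and all ids below are constructed sample data.
"""
from typing import Optional

BASE_REPO_ID = 555        # repository running the privileged (workflow_run) job
TRIGGERING_RUN_ID = 9001  # what ${{ github.event.workflow_run.id }} would carry

# Constructed listing: two artifacts share the name "build". Artifact 1001 comes from
# the base repo's own run; artifact 1002 was uploaded by a run whose head repository
# (777) is a fork, and it carries the higher (newer) id.
SAMPLE_LISTING = {
    "total_count": 3,
    "artifacts": [
        {"id": 1001, "name": "build", "expired": False,
         "workflow_run": {"id": 9001, "repository_id": 555, "head_repository_id": 555}},
        {"id": 1002, "name": "build", "expired": False,
         "workflow_run": {"id": 9002, "repository_id": 555, "head_repository_id": 777}},
        {"id": 1003, "name": "coverage", "expired": False,
         "workflow_run": {"id": 9001, "repository_id": 555, "head_repository_id": 555}},
    ],
}


def pick_by_name_only(listing: dict, name: str) -> Optional[dict]:
    """Weak selection: newest non-expired artifact with a matching name, regardless of
    which run or repository produced it (assumed model of a name-based download action).
    On the sample data the fork's artifact wins."""
    matches = [a for a in listing["artifacts"] if a["name"] == name and not a["expired"]]
    return max(matches, key=lambda a: a["id"]) if matches else None


def pick_safely(listing: dict, name: str, run_id: int, base_repo_id: int) -> Optional[dict]:
    """Return the artifact only if it was produced by the exact run this workflow was
    triggered for AND that run's head repository is the base repository (not a fork).
    Anything else is rejected even when the name matches."""
    for artifact in listing["artifacts"]:
        if artifact["name"] != name or artifact.get("expired"):
            continue
        run = artifact.get("workflow_run") or {}
        if run.get("id") != run_id:
            continue  # artifact belongs to a different run
        if run.get("repository_id") != base_repo_id:
            continue  # not stored by the base repository
        if run.get("head_repository_id") != base_repo_id:
            continue  # head commit came from a fork
        return artifact
    return None


if __name__ == "__main__":
    weak = pick_by_name_only(SAMPLE_LISTING, "build")
    safe = pick_safely(SAMPLE_LISTING, "build", TRIGGERING_RUN_ID, BASE_REPO_ID)
    print("name-only selection picked artifact", weak["id"])  # 1002, the fork's upload
    print("pinned selection picked artifact", safe["id"])     # 1001
    print("fork run rejected:", pick_safely(SAMPLE_LISTING, "build", 9002, BASE_REPO_ID) is None)
```

Pinning to the run id and checking `head_repository_id` against `repository_id` closes the name collision, but the downloaded bytes are still data produced by CI: unpack them into a scratch directory and never execute scripts taken from an artifact in a job that holds write tokens or secrets.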
Christophe Tafani-Dereeper @christophetd

Hats off to researchers at @Unit42_Intel for sharing a detailed write-up of two real-world cloud attacks they witnessed in AWS and GCP.

unit42.paloaltonetworks.com/compromised-cl…

I encourage other companies to follow their lead!

38 · Dec 12 · 9:43 AM
rowan @elrowan

I love a good AWS IAM visualisation, this time it's IAM concepts by @JulianWieg

storage.googleapis.com/multicloudiam/…

There's a lot going on there 😬

23 · Dec 12 · 1:06 AM
Aidan W Steele @__steele

I signed up for Github Sponsors a while ago. Imagine my surprise when the API GW->EventBridge webhook receiver I set up for it logged something for the first time today.

Apparently it's a 'thank you' for contributing to the ecosystem of open source AWS tools. Nice Xmas present!

3 · Dec 09 · 2:40 AM
Scott Piper @0xdabbad00

Of the 700+ re:Invent talks that have been posted so far, I chose my top 5 favorites. wiz.io/blog/top-secur…

17 · Dec 09 · 5:40 PM
Abby Fuller @abbyfuller

do i make log4shell a birthday cake?

3 · Dec 06 · 11:12 PM
Aidan W Steele @__steele

I’m extremely impressed with this. I write a thread with complaints about an obscure, minor bug in an AWS service and the issue is acknowledged ~immediately and a fix rolled out in a month — with re:invent in the middle of it all! 🤯

twitter.com/amitguptaataws…

Amit Gupta @amitguptaataws

@__steele We have deployed a fix in App Runner and this should be working now. Again thanks for testing and letting us know.

2 · Dec 08 · 6:03 AM
Brigid Johnson @bjohnso5y

Funny I guess Pickles actually did make it to #reInvent2022.

2 · Dec 07 · 12:55 AM
AWS Account Hacked - But Protected By Yubikey?

My AWS account was hacked the other day, the user logged in, created a quick API key, used that to create a new admin user, then tried to do a bunch of nefarious stuff with that new admin user.

The question I have is how the attacker got in under …
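The post above lays out a textbook persistence chain: interactive login, a freshly minted access key, then a new user that gets an admin policy through that key. Whatever the initial access turns out to be, the chain itself is visible in CloudTrail and is worth alerting on. The following is an added example (not from the post) that correlates those events by the new key id: the `accessKeyId` returned in `CreateAccessKey.responseElements` must be the `userIdentity.accessKeyId` on the later `CreateUser` and `AttachUserPolicy`/`PutUserPolicy` calls. Field names follow CloudTrail's documented record format; all records, the account id, key ids and IP addresses are constructed sample data, and the one-hour window and the "AdministratorAccess" severity marker are assumptions.

```python
"""Flag the 'new access key -> new user -> admin policy' chain in CloudTrail.

Added example. Record shape follows CloudTrail's documented fields (eventName,
eventTime, userIdentity.arn / accessKeyId, sourceIPAddress, requestParameters,
responseElements). Every record below is constructed sample data.
"""
from datetime import datetime, timedelta

ACCOUNT = "123456789012"  # placeholder account id
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"

SAMPLE_EVENTS = [
    # Console login by alice, the compromised identity in this constructed scenario.
    {"eventTime": "2022-12-10T01:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Minutes later a long-lived key is minted for the same user.
    {"eventTime": "2022-12-10T01:02:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": ALICE, "accessKeyId": "ASIAEXAMPLECONSOLE00"},
     "requestParameters": {"userName": "alice"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "status": "Active", "userName": "alice"}}},
    # The brand-new key is then used to create a user and hand it admin.
    {"eventTime": "2022-12-10T01:05:00Z", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": ALICE, "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2022-12-10T01:06:00Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": ALICE, "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"userName": "backup-admin", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # Benign noise: bob rotates his key and, with an older key, creates a service user.
    {"eventTime": "2022-12-10T02:00:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": BOB, "accessKeyId": "AKIAI44QH8DHBEXAMPLE"},
     "requestParameters": {"userName": "bob"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLEROTATED00", "status": "Active", "userName": "bob"}}},
    {"eventTime": "2022-12-10T02:01:00Z", "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": BOB, "accessKeyId": "AKIAI44QH8DHBEXAMPLE"},
     "requestParameters": {"userName": "ci-deploy"}},
]

ADMIN_MARKERS = ("AdministratorAccess",)  # assumption: substring marking a full-admin policy


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_key_then_admin_user(events, window_minutes: float = 60):
    """Correlate CreateAccessKey -> CreateUser -> AttachUserPolicy/PutUserPolicy by the
    *new* key id: the key returned by CreateAccessKey must be the caller's key on the
    later calls, and the policy must land on a user that key created within the window.
    Returns one finding dict per chain."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    new_keys = {}        # accessKeyId -> {creator, time, ip}
    created_by_key = {}  # accessKeyId -> set of user names created with it
    findings = []
    for e in ordered:
        if e.get("errorCode"):
            continue  # failed calls do not advance the chain
        name = e["eventName"]
        identity = e.get("userIdentity", {})
        params = e.get("requestParameters") or {}
        key_in_use = identity.get("accessKeyId")
        if name == "CreateAccessKey":
            kid = e["responseElements"]["accessKey"]["accessKeyId"]
            new_keys[kid] = {"creator": identity.get("arn"), "time": parse_time(e["eventTime"]),
                             "ip": e.get("sourceIPAddress")}
        elif name == "CreateUser" and key_in_use in new_keys:
            created_by_key.setdefault(key_in_use, set()).add(params["userName"])
        elif name in ("AttachUserPolicy", "PutUserPolicy") and key_in_use in new_keys:
            target = params.get("userName")
            if target not in created_by_key.get(key_in_use, set()):
                continue  # policy on a user this key did not create
            origin = new_keys[key_in_use]
            elapsed = parse_time(e["eventTime"]) - origin["time"]
            if elapsed > window:
                continue
            policy = params.get("policyArn") or params.get("policyName") or ""
            findings.append({
                "creator": origin["creator"], "source_ip": origin["ip"], "new_key": key_in_use,
                "new_user": target, "policy": policy, "minutes": elapsed.total_seconds() / 60,
                "severity": "high" if any(m in policy for m in ADMIN_MARKERS) else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect_key_then_admin_user(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['creator']} minted {f['new_key']} from {f['source_ip']}, "
              f"then created {f['new_user']} and attached {f['policy']} after {f['minutes']:.0f} min")
```

On the sample data only alice's chain is reported; bob's rotation and his `CreateUser` with a pre-existing key are ignored because they are not tied to a key minted in the window. Keying on the new `accessKeyId` rather than only on the principal ARN is what makes this usable in accounts where the same user legitimately does all three actions on different days.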

Why are the docs for AWS Cognito useless?

For about a week now I have been trying to configure Spring with Cognito, I have asked a lot of questions just trying to understand what is going on and every guide there is online doesn't work. Everyone's configuration just looks completely different and I genuinely have no idea where …

Cheapest way to implement a high throughput message queue?

I need to process a data stream of up to 10TB per day (approx. ~1000 messages of 100KB each, per second). SQS charges per API request (so send, receive, and delete separately), so this is approximately 8B requests per month, or 3200 USD.

Is there a cheaper way to process …

What are some interesting things/architectures built using only free tier?

I think this might be an interesting topic to discuss...

What are some interesting things/architectures built using only free tier or very minor additional cost?