Issue #97
Monday · December 19, 2022
AWS security blogs
- Prepare for consolidated controls view and consolidated control findings in AWS Security Hub – Currently, AWS Security Hub identifies controls and generates control findings in the context of security standards. Security Hub is aiming to release two new features in the first quarter of 2023 that will decouple controls from standards and streamline how you view and receive control findings. The new features to …
- Authority to operate (ATO) on AWS Program now available for customers in Spain – Meeting stringent security and compliance requirements in regulated or public sector environments can be challenging and time consuming, even for organizations with strong technical competencies. To help customers navigate the different requirements and processes, we launched the ATO on AWS Program in June 2019 for US customers. The program involves …
- How to use Amazon Verified Permissions for authorization – Applications with multiple users and shared data require permissions management. The permissions describe what each user of an application is permitted to do. Permissions are defined as allow or deny decisions for resources in the application. To manage permissions, developers often combine attribute-based access control (ABAC) and role-based access control …
Reddit threads on r/aws
- The Ai has spoken!
- Amazon S3 Security Changes Are Coming in April of 2023
- AWS Gateway Load Balancer and Gateway Load Balancer endpoint now support IPv6 traffic
- Route 53 cost up 784%, Analytics shows no unusual traffic – One day this week, my Route 53 costs (which are normally $0.01 per day), shot up to $10. Obviously it's not putting me at financial risk or anything, but I genuinely don't understand what happened. My analytics for that day are totally normal, and the AWS budget tools aren't really …
#AdventOfCloudSecurity
- December 18th #AdventOfCloudSecurity – If you have a security group that's open to something else than 0.0.0.0/0 and you restrict it further, it will not close established TCP connections. This means in an IR case where you're blocking IPs, it's important to do it at the NACL level …
- December 17th #AdventOfCloudSecurity – You can retrieve the AWS account ID from any public S3 bucket. This technique leverages the s3:ResourceAccount condition key. Create an IAM role in the attacking account. Assume the role, passing it a session policy only allowing S3 calls where s3:ResourceAccount: 0*. If, from this …
Newsletters
AWS IAM Release Notes
- Support for multiple multi-factor authentication (MFA) devices for root users and IAM users – Now you can add up to eight MFA devices per user, including FIDO security keys, software time-based one-time password (TOTP) with virtual authenticator applications, or hardware TOTP tokens.
Top Links from Security Folks
- AWS ECR Public Vulnerability – Let's go over a critical AWS Elastic Container Registry Public (ECR Public) vulnerability that allowed external actors to delete, update, and create ECR Public images, …
- 2022 Wrap-up - Hacking The Cloud – An end of year summary for Hacking the Cloud in 2022.
"AWS Security" on Google News
AWS IP Ranges Updates
- AWS IP Ranges update for 2022-12-09 02:43:09 – No changes to IPs
- AWS IP Ranges update for 2022-12-09 11:33:08 – Changed by +64: Added 13.34.88.0/26
- AWS IP Ranges update for 2022-12-09 11:53:09 – Changed by -64: Removed 13.34.88.0/26
IAM permission changes
- timestream: 4 new actions – GetAwsBackupStatus (Grants permission to get Status of a Timestream Table Backup), GetAwsRestoreStatus (Grants permission to get Status of a Timestream Table Restore), StartAwsBackupJob (Grants permission to start a Backup Job for a Timestream Table), StartAwsRestoreJob (Grants permission to start Restore Job for a Backup of Timestream Table)
- backup-gateway: 6 new actions – GetBandwidthRateLimitSchedule (Grants permission to GetBandwidthRateLimitSchedule), GetHypervisor (Grants permission to GetHypervisor), GetHypervisorPropertyMappings (Grants permission to GetHypervisorPropertyMappings), PutBandwidthRateLimitSchedule (Grants permission to PutBandwidthRateLimitSchedule), PutHypervisorPropertyMappings (Grants permission to PutHypervisorPropertyMappings), StartVirtualMachinesMetadataSync (Grants permission to StartVirtualMachinesMetadataSync)
- kinesisvideo: 2 new actions – DescribeEdgeConfiguration (Grants permission to describe the edge configuration of your Kinesis Video Stream), StartEdgeConfigurationUpdate (Grants permission to start edge configuration update of your Kinesis Video Stream)
API changes
- Amazon Appflow - 1 updated method – This release updates the ListConnectorEntities API action so that it returns paginated responses that customers can retrieve with next tokens.
- AWS DataSync - 3 updated methods – AWS DataSync now supports the use of tags with task executions. With this new feature, you can apply tags each time you execute a task, giving you greater control and management over your task executions.
- Amazon SageMaker Service - 3 updated methods – AWS SageMaker - Features: This release adds support for a random seed, an integer value used to initialize a pseudo-random number generator. Setting a random seed will allow the hyperparameter tuning search strategies to produce more consistent configurations for the same tuning job.
- AWS Backup Gateway - 6 new, 2 updated methods – This release adds support for VMware vSphere tags, enabling customers to protect VMware virtual machines using tag-based policies for AWS tags mapped from vSphere tags. This release also adds support for a customer-accessible gateway-hypervisor interaction log and an upload bandwidth rate limit schedule.
AWS security bulletins
- Reported ECR Public Gallery Issue – Initial Publication Date: 12/13/2022 9:00AM EST. On November 14, 2022, a security researcher reported an issue in Amazon Elastic Container Registry (ECR) Public Gallery, a public website for finding and sharing public container images. The researcher identified an ECR API action that, if called, could have enabled modification or removal …