

Monday, 19 December 2022

Sponsor

Write secure code and catch vulnerabilities at every step of the software development lifecycle.

Codiga is a static code analyzer that works in your favorite IDE with your Git hooks and is integrated with your code repository on GitHub, GitLab, and Bitbucket.

Codiga not only catches coding errors but suggests fixes directly in your IDE. The Codiga engine already has 2,000 rules, and you can write custom code analysis rules for your team.

Trusted by more than 20,000 users and 2,000 organizations, merge with confidence with Codiga.

Get Codiga

Dec 18

🗓️ December 18th

If you have a security group that is open to something other than 0.0.0.0/0 and you restrict it further, it will not close established TCP connections.

This means that in an IR case where you're blocking IPs, it's important to do it at the NACL level …
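An added example, not from the newsletter or AWS, of the NACL-level block the note recommends: a pure-Python planner that numbers stateless deny rules below every existing rule (NACLs match in ascending order) and an assumed thin boto3 wrapper around `ec2.create_network_acl_entry`; the IPs, rule numbers and NACL id are constructed.

```python
"""Stateless NACL deny rules for IPs blocked during incident response.

Added example (not from the newsletter): a security group is stateful, so
tightening it leaves already-tracked flows alive, while a NACL is evaluated
per packet in ascending rule-number order and cuts them off. The planner is
pure Python; apply_plan() is an assumed thin wrapper around the real boto3
call ec2.create_network_acl_entry.
"""
import ipaddress


def plan_nacl_deny_entries(ips, used_rule_numbers, start=1):
    """Return create_network_acl_entry kwargs: one ingress and one egress
    deny per IP/CIDR, numbered below every existing rule so they match first.

    Both directions are needed because NACLs are stateless: the ingress rule
    drops the attacker's packets, the egress rule drops replies to them.
    Rule numbers are assumed to be in one shared pool for simplicity.
    """
    used = set(used_rule_numbers)
    lowest_existing = min(used) if used else None
    entries, number = [], start
    for ip in ips:
        net = ipaddress.ip_network(ip, strict=False)  # "1.2.3.4" -> 1.2.3.4/32
        while number in used:
            number += 1
        if lowest_existing is not None and number > lowest_existing:
            raise ValueError(f"no free rule number below existing rule {lowest_existing}")
        cidr_key = "Ipv6CidrBlock" if net.version == 6 else "CidrBlock"
        for egress in (False, True):
            entries.append({"RuleNumber": number, "Protocol": "-1",  # all protocols
                            "RuleAction": "deny", "Egress": egress,
                            cidr_key: str(net)})
        number += 1
    return entries


def apply_plan(network_acl_id, entries, ec2=None):
    """Create the planned entries. `ec2` may be any object exposing
    create_network_acl_entry (a boto3 EC2 client, or a fake in tests)."""
    if ec2 is None:
        import boto3  # imported lazily so planning works without AWS credentials
        ec2 = boto3.client("ec2")
    for entry in entries:
        ec2.create_network_acl_entry(NetworkAclId=network_acl_id, **entry)
    return len(entries)


if __name__ == "__main__":
    # Constructed input: two indicators to block; the NACL already holds rules 100 and 200.
    for entry in plan_nacl_deny_entries(["203.0.113.7", "198.51.100.0/24"], [100, 200]):
        print(entry)
```

Review the generated entries before applying them; a deny at rule number 1 takes precedence over every allow rule in that NACL.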

Dec 17

🗓️ December 17th

You can retrieve the AWS account ID from any public S3 bucket. This technique leverages the s3:ResourceAccount condition key.

  1. Create an IAM role in the attacking account
  2. Assume the role, passing it a session policy only allowing S3 calls where s3:ResourceAccount: 0*
  3. If, from this …
Amazon Appflow - 1 updated method
Dec 16
This release updates the ListConnectorEntities API action so that it returns paginated responses that customers can retrieve with next tokens.
AWS DataSync - 3 updated methods
Dec 16
AWS DataSync now supports the use of tags with task executions. With this new feature, you can apply tags each time you execute a task, giving you greater control and management over your task executions.
Amazon SageMaker Service - 3 updated methods
Dec 16
AWS SageMaker - Features: This release adds support for a random seed, an integer value used to initialize a pseudo-random number generator. Setting a random seed allows the hyperparameter tuning search strategies to produce more consistent configurations for the same tuning job.
AWS Backup Gateway - 6 new, 2 updated methods
Dec 15
This release adds support for VMware vSphere tags, enabling customers to protect VMware virtual machines using tag-based policies for AWS tags mapped from vSphere tags. This release also adds support for a customer-accessible gateway-hypervisor interaction log and an upload bandwidth rate limit schedule.
Reported ECR Public Gallery Issue
aws@amazon.com · Dec 13

Initial Publication Date: 12/13/2022 9:00AM EST

On November 14, 2022, a security researcher reported an issue in Amazon Elastic Container Registry (ECR) Public Gallery, a public website for finding and sharing public container images. The researcher identified an ECR API action that, if called, could have enabled modification or removal …

Prepare for consolidated controls view and consolidated control findings in AWS Security Hub
Priyanka Prakash · Dec 15
Currently, AWS Security Hub identifies controls and generates control findings in the context of security standards. Security Hub is aiming to release two new features in the first quarter of 2023 that will decouple controls from standards and streamline how you view and receive control findings. The new features to …
Authority to operate (ATO) on AWS Program now available for customers in Spain
Greg Herrmann · Dec 12
Meeting stringent security and compliance requirements in regulated or public sector environments can be challenging and time consuming, even for organizations with strong technical competencies. To help customers navigate the different requirements and processes, we launched the ATO on AWS Program in June 2019 for US customers. The program involves …
How to use Amazon Verified Permissions for authorization
Jeremy Ware · Dec 12
Applications with multiple users and shared data require permissions management. The permissions describe what each user of an application is permitted to do. Permissions are defined as allow or deny decisions for resources in the application. To manage permissions, developers often combine attribute-based access control (ABAC) and role-based access control …
Support for multiple multi-factor authentication (MFA) devices for root users and IAM users
Nov 16
Now you can add up to eight MFA devices per user, including FIDO security keys, software time-based one-time password (TOTP) virtual authenticator applications, or hardware TOTP tokens.
timestream: 4 new actions
Dec 17
4 new actions: GetAwsBackupStatus (Grants permission to get Status of a Timestream Table Backup), GetAwsRestoreStatus (Grants permission to get Status of a Timestream Table Restore), StartAwsBackupJob (Grants permission to start a Backup Job for a Timestream Table), StartAwsRestoreJob (Grants permission to start Restore Job for a Backup of Timestream Table)
backup-gateway: 6 new actions
Dec 17
6 new actions: GetBandwidthRateLimitSchedule (Grants permission to GetBandwidthRateLimitSchedule), GetHypervisor (Grants permission to GetHypervisor), GetHypervisorPropertyMappings (Grants permission to GetHypervisorPropertyMappings), PutBandwidthRateLimitSchedule (Grants permission to PutBandwidthRateLimitSchedule), PutHypervisorPropertyMappings (Grants permission to PutHypervisorPropertyMappings), StartVirtualMachinesMetadataSync (Grants permission to StartVirtualMachinesMetadataSync)
kinesisvideo: 2 new actions
Dec 17
2 new actions: DescribeEdgeConfiguration (Grants permission to describe the edge configuration of your Kinesis Video Stream), StartEdgeConfigurationUpdate (Grants permission to start edge configuration update of your Kinesis Video Stream)
Steven Bryen @steven_bryen

Hey Twitter, I'm on the lookout for a new role starting in the new year.

If you're doing something interesting with #AWS or #serverless and have open roles, I'd love to hear from you!

45 · Dec 15 · 6:53 PM
Scott Piper @0xdabbad00

In response to the cross-tenant cloud vulns that have been found over the past 2 years, the Wiz team, with feedback from cloud providers and others in the industry, have put together guidance on securing infrastructure from these attacks, whether it's a cloud or SaaS solution.

Wiz @wiz_io

🚨 Major news: Today we're releasing PEACH, a new framework that can help companies ensure the security of their multi-tenant cloud apps.

Proudly developed by Wiz researchers with the help of other members of the cloud security community.

@AmitaiCo

peach.wiz.io

18 · Dec 14 · 3:57 PM
Aidan W Steele @__steele

This is probably the most delightful thing I have ever read about myself. I love it so much.

@forrestbrazeal: thank you for *getting* me.

Everyone else: read the whole article, it’s great.

newsletter.goodtechthings.com/p/crimes-again…

11 · Dec 14 · 12:10 AM
Clint Gibler @clintgibler

⛈️ Three FREE Cloud Security Training Labs

Vulnerable by design infrastructure for different cloud providers

🐐 GCPGoat
github.com/ine-labs/GCPGo…

🐐 AWSGoat
github.com/ine-labs/AWSGo…

🐐 AzureGoat
github.com/ine-labs/Azure…

By @ine

github.com/ine-labs/GCPGo…

21 · Dec 16 · 5:00 PM
Nick Frichette - @frichetten@fosstodon.org @Frichette_n

2022 is coming to a close so I wrote a short end of year summary for Hacking the Cloud! You'll have to read the post for the full details but here are some noteworthy stats and updates: In 2022 we had over 73,925 visitors with 124,278 page views!
hackingthe.cloud/blog/2022_wrap…

13 · Dec 14 · 4:14 PM
Aidan W Steele @__steele

I enjoyed this talk by @ebrandwine about how SigV4 authN works and the design rationale behind it.

I have one nitpick though. At 21:06 he says the access key ID has no internal structure. Is this true? Maybe it was until a few years ago?

1/3

youtube.com/watch?v=tPr1Ag…

7 · Dec 13 · 12:34 PM
Abby Fuller @abbyfuller

how is there always one (1) random guinness in the fridge until the day i go to make porter cake, upon which there are somehow zero (0) guinnesses?

0 · Dec 16 · 5:58 PM
Christophe Tafani-Dereeper @christophetd

Added a bunch of PyPI malware samples to the GitHub repository, we're now close to 250 real-world samples!

All found using GuardDog, an open-source tool that allows you to identify malicious Python packages in your dependencies

github.com/datadog/securi…

github.com/datadog/guardd…

14 · Dec 13 · 8:51 AM
Route 53 cost up 784%, Analytics shows no unusual traffic

One day this week, my Route 53 costs (which are normally $0.01 per day) shot up to $10. Obviously it's not putting me at financial risk or anything, but I genuinely don't understand what happened. My analytics for that day are totally normal, and the AWS budget tools aren't really …