This week TLDR i.e. 2 minutes version (For executives):
Beginning 2024, AWS Root MFA will be enforced.
Amazon Macie adds support for discovering more types of sensitive data.
AWS Verified Access now supports customer managed KMS keys.
Application & Network Load Balancer now support registering instances addressed by IPv6 as targets.
New major updates to the AWS Well-Architected Framework especially in security pillar (v11).
Trending in Cloud & Cyber Security (News, Blogs, Tweets etc):
AWS Security Blogs & Bulletins:
How to use AWS Certificate Manager to enforce certificate issuance controls? Link.
Validate IAM policies with Access Analyzer using AWS Config rules. Link.
Use AWS Secrets Manager to store and manage secrets in on-premises or multi-cloud workloads. Link.
Bulletins: Reported TorchServe Issue (CVE-2023-43654). Link.
Bulletins: Issue with Amazon WorkSpaces Windows Client Version 5.9 and 5.10. Link.
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. Link.
Interesting article: Using CloudFlare to bypass CloudFlare by Stefan Proksch. Link. (Disclaimer: I didn’t independently verify this in the lab).
GitHub secret scanning validity checks have been extended for select tokens from AWS, Microsoft, Google, and Slack. Link.
This week Long i.e. 5-10 minutes version (For architects & engineers):
Beginning in mid-2024, customers signing in to the AWS Management Console with the root user of an AWS Organizations management account will be required to enable MFA to proceed. Customers who must enable MFA will be notified of the upcoming change through multiple channels, including a prompt when they sign in to the console. AWS will also expand the program to additional scenarios such as standalone accounts (those outside an organization in AWS Organizations). IMO, this may be a hint that AWS will release some features that make MFA even easier to adopt and manage at scale, but no details were provided. Link.
Amazon Macie has incorporated additional managed data identifiers to enhance its functionality for detecting and categorizing Stripe API keys, Google Cloud API keys, as well as Indian driver's license numbers and national identification numbers stored within Amazon Simple Storage Service (Amazon S3). Link. I tried to test the scan using key 51KExyL2eZvKY0000abcdefg and Macie was able to pick it up. (Note: AWS Account ID is not sensitive IMO, and it’s a test account).
AWS Systems Manager Fleet Manager RDP now supports up to 1080p Resolution. Link.
AWS Verified Access, a service designed to facilitate secure, VPN-less access to your corporate applications, has introduced support for customer managed KMS keys (CMKs) for data encryption at rest. This enhancement simplifies the process of adhering to your organization's compliance and regulatory requirements.
By default, AWS Verified Access has always ensured data encryption for all stored information, encompassing trust provider data, group policies, and endpoint policies, utilizing AWS-owned KMS keys. Now, you also have the flexibility to opt for customer managed keys to encrypt your data, including trust provider information, group policies, and endpoint policies. You can initiate the use of customer managed keys with a simple action in the AWS Management Console or via the Verified Access APIs. Link. For example, I used a Customer Managed KMS key for my verified access trust provider:
Application Load Balancer (ALB) and Network Load Balancer (NLB) have introduced a new capability that allows instances to be registered as targets when they are identified by Internet Protocol Version 6 (IPv6). This enhancement streamlines the configuration of load balancers. With this feature, you can seamlessly register instances using their IPv6 addresses as targets, eliminating the necessity to manually monitor individual IP addresses. Additionally, this functionality facilitates the utilization of EC2 auto scaling groups with your target groups, enabling automatic target registration based on the scaling requirements of your application. Link. I was able to test with IPv6. Please note:
All IP addresses within a target group must have the same IP address type. For example, you can't register an IPv4 target with an IPv6 target group.
IPv6 target groups can only be used with dualstack load balancers.
IPv6 target groups support IP and Instance type targets.
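The three constraints above can be checked before any targets are registered. The following is an added example, not code from this newsletter or from AWS: the function name is hypothetical, its string values mirror the ELBv2 `IpAddressType` and `TargetType` fields, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress


def check_ipv6_target_group(tg_ip_type, tg_target_type, lb_ip_type, ip_targets):
    """Return a list of violations of the constraints listed above.

    Hypothetical helper: it only inspects the values passed in and never
    calls AWS. `ip_targets` is the list of addresses for an IP-type target
    group; pass an empty list for instance-type target groups.
    """
    problems = []
    if tg_ip_type == "ipv6":
        # IPv6 target groups can only be used with dualstack load balancers.
        if lb_ip_type != "dualstack":
            problems.append(f"load balancer is '{lb_ip_type}', needs 'dualstack'")
        # IPv6 target groups support IP and instance type targets.
        if tg_target_type not in ("ip", "instance"):
            problems.append(f"target type '{tg_target_type}' not usable with IPv6")

    # All addresses in a target group must match the group's IP address type.
    wanted_version = 6 if tg_ip_type == "ipv6" else 4
    for raw in ip_targets:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            problems.append(f"{raw!r} is not an IP address")
            continue
        if addr.version != wanted_version:
            problems.append(f"{raw} is IPv{addr.version} in an {tg_ip_type} target group")
    return problems


# Constructed sample: one valid plan and one that breaks two constraints.
GOOD_PLAN = ("ipv6", "ip", "dualstack", ["2001:db8::10", "2001:db8::11"])
BAD_PLAN = ("ipv6", "ip", "ipv4", ["2001:db8::10", "192.0.2.7"])

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        issues = check_ipv6_target_group(*plan)
        print("OK" if not issues else "\n".join(issues))
```
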
AWS introduced a major update to the AWS Well-Architected Framework. The improved implementation guidance within this release offers increased specificity, featuring enhanced recommendations and comprehensive steps for leveraging reusable architectural patterns that are tailored to achieve specific business objectives in the AWS Cloud. In general, there was a large update to best practices and guidance in the security pillar in Incident response (SEC 10), content changes and consolidation in operational excellence areas OPS 04, 05, 06, 08, and 09, guidance updates throughout the cost optimization & reliability pillars as well as minor updates to sustainability pillar risk levels. Latest v11 Link.
Thank You for reading! If you enjoyed this newsletter, I’d be grateful if you could forward it to your professional circle.
Thanks for reading AWS Cloud Security Weekly! Subscribe for free to receive new posts and support my work.