This week TLDR, i.e. 1-minute version (for executives):
Amazon S3 on Outposts enables support for IPv6.
Amazon SNS has introduced support for delivering mobile push notifications through Google Firebase's HTTP V1 API.
AWS Private CA now helps issue ISO/IEC mobile driver’s license certificates.
Trending in Cloud & Cyber Security (News, Blogs, Tweets etc):
AWS Security Blogs & Bulletins:
Generate AI powered insights for Amazon Security Lake using Amazon SageMaker Studio and Amazon Bedrock. Link.
Building a security-first mindset: three key themes from AWS re:Invent 2023. Link.
OT/IT convergence security maturity model. Link.
How to use AWS Database Encryption SDK for client-side encryption and perform searches on encrypted attributes in DynamoDB tables. Link.
The AWS Community Builders program application is now open through January 28th, 2024. Link.
Interesting take by Daniel Grzelak: 'The final answer: AWS account IDs are secrets'. Link. (Great humor in the article too.)
Cool read: 'Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining' by Martin McCloskey & Christophe Tafani-Dereeper. Link.
FBI and CISA released a joint CSA to disseminate known IOCs and TTPs associated with threat actors deploying
Atlassian RCE vulnerability in Confluence Data Center & Server; immediate action advised. Link.
Snyk Acquires Runtime Data Pioneer Helios, Empowering Global AppSec Teams with Unparalleled Cloud-to-Code Risk Visibility. Link.
GitHub received a bug bounty report of a vulnerability that allowed access to the environment variables of a production container; GitHub patched GitHub.com and rotated all affected credentials. Link.
Chrome patch for actively exploited zero-day flaw. Link.
Citrix NetScaler ADC and NetScaler Gateway security bulletin for CVE-2023-6548 and CVE-2023-6549. Link.
CISA Issues Emergency Directive on Ivanti Vulnerabilities. Link.
Microsoft: nation-state actor Midnight Blizzard attacked corporate systems. Link.
This week long, i.e. 5-minute version (for architects & engineers):
You can now use Amazon S3 on Outposts buckets over IPv6 through S3 on Outposts dual-stack endpoints. With IPv6 support, you can manage your S3 on Outposts buckets and control-plane resources over IPv6 networks. This broadens your IP addressing options and simplifies network configuration, making it easier to build a single hybrid cloud storage architecture that spans IPv4 and IPv6 networks. You can also use source-address filtering in IAM and bucket policies with IPv6 addresses to restrict access to S3 on Outposts buckets to specific IPv6 applications. In addition, IPv6 over AWS PrivateLink keeps communication between IPv6 services and VPCs private, without traversing the public internet. Link. For example, I tried this for my Outposts endpoint with a sample policy (if you're using AWS PrivateLink with IPv6, you must create an IPv6 or dual-stack VPC interface endpoint).
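As an added illustration of the IPv6 source-address filtering mentioned above (this is example code written for this newsletter, not an AWS sample), the script below builds an S3 on Outposts bucket policy that denies every request whose aws:SourceIp is outside an allowed IPv6 prefix, and then evaluates that Deny statement the way IAM does. The Outpost ID, account ID, bucket name and the 2001:db8:: prefix are constructed placeholders. The `source_ip=None` case models the PrivateLink caveat a practitioner should know: requests that arrive through a VPC interface endpoint carry no aws:SourceIp in the request context, and a negated operator such as NotIpAddress matches when its key is missing, so this Deny also blocks endpoint traffic unless you add an aws:SourceVpce / aws:VpcSourceIp exception.

```python
import ipaddress
import json

# Constructed placeholders (not real resources): Outpost ID, account ID and
# the IPv6 prefix of the application subnet that should be allowed in.
OUTPOST_BUCKET_ARN = (
    "arn:aws:s3-outposts:us-west-2:123456789012:"
    "outpost/op-0123456789abcdef0/bucket/example-outpost-bucket"
)
ALLOWED_IPV6_CIDRS = ["2001:db8:1234:5600::/56"]


def build_ipv6_source_policy(bucket_arn, allowed_cidrs):
    """Return a bucket policy that denies every s3-outposts action unless the
    request's aws:SourceIp falls inside one of the allowed IPv6 prefixes.

    Deny + NotIpAddress is used instead of Allow + IpAddress because an
    explicit Deny overrides any Allow granted elsewhere (for example by an
    over-broad IAM policy attached to a principal)."""
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        if net.version != 6:
            raise ValueError(f"{cidr} is not an IPv6 prefix")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromAllowedIPv6Sources",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3-outposts:*",
                "Resource": [bucket_arn, f"{bucket_arn}/object/*"],
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            }
        ],
    }


def request_denied(policy, source_ip):
    """Evaluate only the NotIpAddress/aws:SourceIp Deny statements of `policy`.

    source_ip=None models a request whose context has no aws:SourceIp key,
    which is what IAM sees for requests arriving through a VPC interface
    endpoint (PrivateLink). A negated operator matches when its key is
    missing, so the Deny applies to such requests."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cidrs = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp")
        if cidrs is None:
            continue
        if source_ip is None:
            return True
        addr = ipaddress.ip_address(source_ip)
        # An IPv4 address is never "in" an IPv6 network, so v4 sources are denied too.
        if not any(addr in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False


if __name__ == "__main__":
    policy = build_ipv6_source_policy(OUTPOST_BUCKET_ARN, ALLOWED_IPV6_CIDRS)
    print(json.dumps(policy, indent=2))
    for ip in ["2001:db8:1234:5601::10", "2001:db8:ffff::1", "198.51.100.7", None]:
        print(ip, "denied" if request_denied(policy, ip) else "allowed")
```

Run it as-is to see the policy JSON and the verdict for an in-range IPv6 client, an out-of-range IPv6 client, an IPv4 client and an endpoint request with no source IP; paste the JSON into the bucket policy editor only after replacing the placeholder ARN and prefix.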
Amazon Simple Notification Service (Amazon SNS) now supports delivering mobile push notifications through Google Firebase's HTTP v1 API. When you create a new platform application in the Amazon SNS console or API, you can choose token-based authentication, which lets Amazon SNS send mobile push notifications on your behalf using the FCM HTTP v1 API. Existing platform applications can also be upgraded to token-based authentication: once you provide a valid service-account key file, Amazon SNS migrates the application from the legacy FCM API to the HTTP v1 API. Link. For example:
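As an added example (written for this newsletter, not AWS or Firebase code), the script below shows the two API calls involved: CreatePlatformApplication for a new app and SetPlatformApplicationAttributes to upgrade an existing one. With token-based authentication the only credential is the Firebase service-account key file, passed as the PlatformCredential attribute in string form; there is no PlatformPrincipal as there was with the legacy server key. Because that file contains a private key able to mint FCM access tokens, the helper validates it before it leaves the machine and redacts it from anything that gets logged. The service-account JSON, project name and application name are constructed placeholders; the private_key body is not a real key.

```python
import copy
import json

# Constructed example of a Firebase service-account key file (the file you
# download from the Firebase console). Nothing here is a real key: the
# private_key body is a placeholder with only the PEM markers kept.
SERVICE_ACCOUNT_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "firebase-adminsdk@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

REQUIRED_FIELDS = ("type", "project_id", "private_key_id",
                   "private_key", "client_email", "token_uri")


def validate_service_account_key(raw_json):
    """Parse and sanity-check the key file before handing it to SNS.
    Returns the compact single-line JSON string to use as PlatformCredential;
    raises ValueError for anything that is not a service-account key."""
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"key file is not valid JSON: {exc}") from None
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if data["type"] != "service_account":
        raise ValueError(f"unexpected credential type {data['type']!r}")
    pem = data["private_key"]
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and "-----END PRIVATE KEY-----" in pem):
        raise ValueError("private_key is not a PEM PKCS#8 private key")
    # The API takes the file contents as one string, so re-serialise compactly.
    return json.dumps(data, separators=(",", ":"))


def create_platform_application_request(name, raw_json):
    """kwargs for sns.create_platform_application(): token-based FCM HTTP v1
    auth uses only PlatformCredential; there is no PlatformPrincipal."""
    return {
        "Name": name,
        "Platform": "GCM",  # SNS still names the Firebase platform "GCM"
        "Attributes": {"PlatformCredential": validate_service_account_key(raw_json)},
    }


def upgrade_platform_application_request(application_arn, raw_json):
    """kwargs for sns.set_platform_application_attributes(): supplying a valid
    key file as PlatformCredential moves an existing legacy-API application
    to token-based HTTP v1 authentication."""
    return {
        "PlatformApplicationArn": application_arn,
        "Attributes": {"PlatformCredential": validate_service_account_key(raw_json)},
    }


def redact_for_logging(request):
    """Return a copy safe to log: the credential is a private key."""
    shown = copy.deepcopy(request)
    if "PlatformCredential" in shown.get("Attributes", {}):
        shown["Attributes"]["PlatformCredential"] = "<redacted service-account key>"
    return shown


if __name__ == "__main__":
    req = create_platform_application_request("my-android-app", SERVICE_ACCOUNT_JSON)
    print(json.dumps(redact_for_logging(req), indent=2))
    # To create it for real: boto3.client("sns").create_platform_application(**req)
    # To upgrade an existing app instead:
    #   boto3.client("sns").set_platform_application_attributes(
    #       **upgrade_platform_application_request("<existing app ARN>", SERVICE_ACCOUNT_JSON))
```

Treat the key file like any other long-lived secret: store it in Secrets Manager rather than in source, and when you rotate it in the Firebase console, push the new file with SetPlatformApplicationAttributes so SNS stops using the revoked key.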
AWS Private Certificate Authority (AWS Private CA) can now be utilized for issuing certificates compliant with the ISO/IEC 18013-5:2021 international standard for mobile driver’s licenses (mDL). These mDLs serve as digital counterparts to the details found in physical driver’s licenses or non-driver identification cards. Collaborative efforts among organizations aim to leverage mDLs in diverse scenarios, such as verifying identity during airplane boarding and exchanging information for age-restricted activities. Link.
© 2024 aws-cloudsec.com
Thanks for reading AWS Cloud Security Weekly! Subscribe for free to receive new posts and support my work. If you enjoyed this newsletter, I'd be grateful if you could forward it to your professional circle.