Issue 32
This issue is sponsored by Invary. Check out Invary's ability to detect hidden rootkits, a task at which modern threat detection solutions fall short in practice » HERE.
This week's TLDR, i.e. the 1-minute version (for executives):
Amazon GuardDuty Runtime Monitoring protects clusters running in shared VPC.
Amazon RDS for Db2 now supports audit logging.
API Gateway now supports TLS 1.3.
Amazon AppStream 2.0 now supports administrative controls for limiting clipboard.
AWS Control Tower introduces APIs to register Organizational Units.
Trending in Cloud & Cyber Security (Security Blogs, articles, news, advisories etc):
AWS Security Blogs & Bulletins:
General security blogs, articles & reports:
New attack vectors in EKS by Shay Berkovich & Lior Sonntag at Wiz. Link.
Minimally Viable Cloud Governance by Chris Farris. Link.
Tapping the Leaking AWS Account ID Faucet by Daniel Grzelak. Link.
Hack AWS in 60 minutes by Cloud Security Partners. PDF Link.
Hacking the Amazon Elastic Container Service (ECS) Meta-data Service. Link.
Trending on the news & advisories:
Wyze cameras let some owners see into a stranger’s home — again. Link.
FBI Most wanted Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses. Link.
Good episode of RiskyBiz: A deep dive on how Russia's SVR is hacking Microsoft 365 tenants. Link.
According to a tweet by vxunderground, LockBit infrastructure has been seized by law enforcement.
This week's long version, i.e. 5-10 minutes (for architects & engineers):
Amazon GuardDuty Runtime Monitoring, designed to identify potential threats during runtime, now extends its protection to workloads operating within shared Virtual Private Clouds (VPCs) across all supported compute services. Shared VPCs enable multiple AWS accounts to deploy their application resources, such as Amazon EC2 instances, within collectively managed VPCs. This streamlines network management across accounts, delivering cost advantages and reducing operational complexity by minimizing the number of VPCs to oversee. GuardDuty Runtime Monitoring uses a secure VPC endpoint to transmit the agent telemetry to the GuardDuty backend for threat detection and processing. With GuardDuty Runtime Monitoring, you can effortlessly handle the security agent, including the establishment of the VPC endpoint and the installation, deployment, and updates of the agent, all without incurring additional costs. Link. For example, I created a shared subnet & spun up an ECS cluster (self-managed infrastructure using Amazon Linux 2 EC2) in the shared subnet. However, I wasn't able to observe the shared resources (ECS) under the GuardDuty ECS runtime coverage & wasn't able to debug further due to time constraints (only my default ECS cluster was visible).
Audit capabilities are now available for Amazon Relational Database Service (Amazon RDS) for Db2. Upon activation, Amazon RDS for Db2 securely preserves the audit logs in Amazon S3, aligning with extended data retention requirements. The configuration of audit log retention in Amazon S3, along with other auditing categories, can be conveniently managed through the option group using the rdsadmin.configure_db_audit stored procedure. Link. For example, I was able to enable auditing from my Db2 option group. (Note: you may additionally need to set the audit policy & configuration from within the database as the admin.)
API Gateway has incorporated support for version 1.3 of the Transport Layer Security (TLS) protocol across its Regional REST, HTTP, and WebSocket endpoints. In this context, TLS 1.3 enhances performance and security by handling the encryption and decryption of TLS traffic directly within API Gateway, relieving application servers of this responsibility. The implementation of TLS 1.3 in API Gateway is optimized for efficiency and security, using one round trip (1-RTT) TLS handshakes and exclusively supporting ciphers that provide perfect forward secrecy. By using TLS 1.3 with API Gateway as the central control point, developers can ensure secure communication between the client and the gateway, maintaining the confidentiality, integrity, and authenticity of their API traffic. Additionally, developers can take advantage of API Gateway's integration with AWS Certificate Manager (ACM) to centrally deploy SSL/TLS certificates. Link. For example, I was able to observe these options on my API Gateway custom domains. (Note: If you choose a TLS 1.2 security policy, the security policy accepts TLS 1.2 and TLS 1.3 traffic and rejects TLS 1.0 traffic.)
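As an added example (not from the original post or from AWS), the script below pins a client to one TLS version at a time and records whether the endpoint completes the handshake, so you can confirm that a custom domain on the TLS_1_2 security policy rejects TLS 1.0 while still accepting TLS 1.2 and 1.3; the host name is a placeholder and the offline check compares observed results against that expected behaviour.

```python
"""Probe which TLS versions a TLS endpoint negotiates (added example)."""
import socket
import ssl
from typing import Dict, Iterable, List

# Oldest first; each probe offers exactly one version so the server's answer is unambiguous.
PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)

# Per the note above, the TLS_1_2 security policy accepts TLS 1.2 and 1.3 and rejects TLS 1.0.
EXPECTED_TLS_1_2 = {"TLSv1_2", "TLSv1_3"}

def pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that negotiates exactly one protocol version (min set before max)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, bool]:
    """Map each version name to True if the server completed a handshake at that version."""
    results: Dict[str, bool] = {}
    for version in PROBE_VERSIONS:
        try:
            ctx = pinned_context(version)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.version() is not None
        except (OSError, ValueError):
            # SSLError (handshake refused) is an OSError; ValueError means the local
            # OpenSSL build does not support that version at all.
            results[version.name] = False
    return results

def policy_violations(observed: Dict[str, bool], expected_accepted: Iterable[str]) -> List[str]:
    """Versions whose observed acceptance differs from what the chosen policy should allow."""
    allowed = set(expected_accepted)
    return sorted(v for v, accepted in observed.items() if accepted != (v in allowed))

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "api.example.com"  # placeholder custom domain
    observed = probe_tls_versions(host)
    print(observed, "violations:", policy_violations(observed, EXPECTED_TLS_1_2))
```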
You now have enhanced control over the movement of data to and from users' Amazon AppStream 2.0 streaming sessions through the clipboard feature. It is possible to independently define the maximum number of characters (up to 20,971,520) allowed for transfer both into and out of the session via the clipboard. For instance, you can permit users to copy a maximum of 300 characters from their AppStream 2.0 session to their personal devices while setting a different limit of 100 characters for data moved from their personal device into AppStream 2.0, or the other way around. If desired, you still retain the option to completely disable the clipboard functionality. This new configuration gives customers the flexibility to effectively manage data exfiltration. Link. For example, these are my Amazon AppStream 2.0 user settings:
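As an added example (not from the original post or from AWS), the following script builds the two clipboard UserSettings entries for the 300-out / 100-in case above and audits stacks for clipboard directions that are unlimited or exceed a chosen limit; the field names follow the AppStream DescribeStacks UserSettings structure as I understand it, and the sample stacks are constructed, not real account data.

```python
"""Audit AppStream 2.0 stack UserSettings for clipboard limits (added example)."""
from typing import Dict, List

# Ceiling stated in the announcement; a limit at this value is effectively no limit.
MAX_CLIPBOARD_CHARS = 20_971_520

# Clipboard directions as named in the DescribeStacks UserSettings structure (assumed field names).
CLIPBOARD_ACTIONS = {
    "CLIPBOARD_COPY_TO_LOCAL_DEVICE": "session -> local device",
    "CLIPBOARD_COPY_FROM_LOCAL_DEVICE": "local device -> session",
}

def desired_clipboard_settings(chars_out: int, chars_in: int) -> List[Dict]:
    """Build the two clipboard UserSettings entries, rejecting values outside the documented range."""
    for value in (chars_out, chars_in):
        if not 0 <= value <= MAX_CLIPBOARD_CHARS:
            raise ValueError(f"clipboard limit {value} outside 0..{MAX_CLIPBOARD_CHARS}")
    return [
        {"Action": "CLIPBOARD_COPY_TO_LOCAL_DEVICE", "Permission": "ENABLED", "MaximumLength": chars_out},
        {"Action": "CLIPBOARD_COPY_FROM_LOCAL_DEVICE", "Permission": "ENABLED", "MaximumLength": chars_in},
    ]

def audit_stack(stack: Dict, max_out: int, max_in: int) -> List[str]:
    """Return one finding per clipboard direction that is unlimited or above the allowed limit."""
    limits = {"CLIPBOARD_COPY_TO_LOCAL_DEVICE": max_out, "CLIPBOARD_COPY_FROM_LOCAL_DEVICE": max_in}
    seen = {s["Action"]: s for s in stack.get("UserSettings", []) if s["Action"] in CLIPBOARD_ACTIONS}
    findings = []
    for action, direction in CLIPBOARD_ACTIONS.items():
        setting = seen.get(action)
        # Assumption: no entry, or ENABLED without MaximumLength, means the clipboard is unrestricted.
        if setting is None or (setting["Permission"] == "ENABLED" and "MaximumLength" not in setting):
            findings.append(f"{stack['Name']}: {direction} clipboard is unlimited")
        elif setting["Permission"] == "ENABLED" and setting["MaximumLength"] > limits[action]:
            findings.append(f"{stack['Name']}: {direction} allows {setting['MaximumLength']} chars, limit {limits[action]}")
    return findings

SAMPLE_STACKS = [  # constructed DescribeStacks-style output, not real account data
    {"Name": "finance-stack", "UserSettings": desired_clipboard_settings(300, 100)},
    {"Name": "legacy-stack", "UserSettings": [
        {"Action": "CLIPBOARD_COPY_TO_LOCAL_DEVICE", "Permission": "ENABLED"},
        {"Action": "CLIPBOARD_COPY_FROM_LOCAL_DEVICE", "Permission": "DISABLED"},
    ]},
]

if __name__ == "__main__":
    for stack in SAMPLE_STACKS:
        print(audit_stack(stack, max_out=300, max_in=100))
```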
AWS Control Tower users now have the capability to systematically expand governance to organizational units (OUs) through APIs. These newly introduced APIs facilitate the implementation of the AWS Control Tower baseline, encompassing optimal configuration settings, controls, and essential resources for effective AWS Control Tower governance. By activating a baseline on an OU, member accounts within that specific OU gain access to resources such as AWS IAM roles, AWS CloudTrail, AWS Config, and AWS Identity Center, and are brought under the purview of AWS Control Tower governance. Prior to this update, registering OUs in the AWS Control Tower console was the only available method. With the introduction of these APIs, governance can be extended to OUs programmatically, enabling automation of the OU provisioning workflow. Additionally, these APIs support OUs that are already subject to AWS Control Tower governance, facilitating the re-registration of OUs after updates to the landing zone. Furthermore, the APIs are compatible with AWS CloudFormation, enabling customers to manage their OUs through infrastructure as code (IaC). Link. (I wasn't able to run an actual CLI command because I don't have a test Control Tower; however, you can find the CLI reference guide HERE.) These were the controltower API options available in my AWS CLI version 2.15.19:
© 2024 aws-cloudsec, LLC