Issue 43
This issue is sponsored by Invary. Check out Invary's ability to detect hidden rootkits, a task at which modern threat detection solutions fail in action: HERE.
This week's TLDR, i.e. the 1-minute version (for executives):
AWS announces a new Amazon EC2 API to retrieve the public endorsement key from NitroTPM.
Amazon Route 53 Resolver DNS Firewall now supports Domain Redirection.
Trending in Cloud & Cyber Security (Security Blogs, articles, news, advisories etc):
AWS Security Blogs & Bulletins:
(N/A this week).
General security blogs, articles & reports:
Trending on the news & advisories:
CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate Directory Traversal Vulnerabilities. Link.
Read Satya Nadella’s Microsoft memo on putting security first. Link.
Former NSA Employee Sentenced to Over 21 Years in Prison for Attempted Espionage. Link.
Former Cybersecurity Consultant Arrested For $1.5 Million Extortion Scheme Against IT Company. Link.
White House Press Release: National Cyber Director Encourages Adoption of Skill-Based Hiring to Connect Americans to Good-Paying Cyber Jobs. Link.
Dropbox filed SEC Form 8-K Filing and confirmed unauthorized access. Link.
Change Healthcare hacked using stolen Citrix account with no MFA. Link.
This week's long version, i.e. the 3-5 minute version (for architects & engineers):
AWS has launched a new EC2 API, GetInstanceTPMEkPub, that allows you to fetch the public endorsement key (EkPub) for the Nitro Trusted Platform Module (NitroTPM) in your Amazon EC2 instance. Link. Here’s the API example for my EC2:

Now, with Route 53 Resolver DNS Firewall, you can automatically skip inspecting domains that are part of a domain redirection chain, like Canonical Name (CNAME) and Delegation Name (DNAME), eliminating the need to explicitly add every domain in the chain to your Route 53 DNS Firewall allow-list.

Previously, when you created allow-lists for domains, Route 53 DNS Firewall checked each DNS query from your VPC against the allow-list tied to a DNS Firewall rule. If a query pointed to a domain in a redirection chain (like a CNAME) that wasn't included in your allow-list, the DNS Firewall would block the query, requiring you to manually add each domain in the chain to your allow-list.

With this update, you can now set your DNS Firewall rules to automatically cover all domains within a redirection chain, like CNAME or DNAME, without the need to list each one individually. Link. This is well explained in THIS blog.
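The allow-list behaviour described above, before and after the update, as a small model. This is an added example, not AWS code or code from the newsletter. The domain names and the chain are constructed, the wildcard matching is a simplification, and INSPECT_REDIRECTION_DOMAIN / TRUST_REDIRECTION_DOMAIN are the two values of the rule setting FirewallDomainRedirectionAction.

```python
"""Toy model: one DNS Firewall ALLOW rule on a domain list, everything else blocked."""

# Values of the rule setting FirewallDomainRedirectionAction.
INSPECT = "INSPECT_REDIRECTION_DOMAIN"  # previous behaviour: check every name in the chain
TRUST = "TRUST_REDIRECTION_DOMAIN"      # new option: check only the queried name


def normalize(name):
    return name.strip().lower().rstrip(".")


def in_domain_list(name, domain_list):
    """Exact match, or a leading '*.' entry that matches subdomains (simplified)."""
    name = normalize(name)
    for entry in map(normalize, domain_list):
        if entry.startswith("*."):
            if name.endswith(entry[1:]):  # ".example.com" suffix, dot included
                return True
        elif name == entry:
            return True
    return False


def evaluate(chain, allow_list, redirection_action=INSPECT):
    """chain[0] is the queried name, the rest are its CNAME/DNAME targets in order.

    Returns (verdict, first name that missed the allow-list or None).
    """
    if not chain:
        raise ValueError("chain must contain at least the queried name")
    # Anything other than an explicit TRUST falls back to inspecting the whole chain.
    to_check = chain[:1] if redirection_action == TRUST else chain
    for name in to_check:
        if not in_domain_list(name, allow_list):
            return ("BLOCK", normalize(name))
    return ("ALLOW", None)


# Constructed sample: an allow-listed name that redirects through two other zones.
CHAIN = ["app.example.com", "app.cdn-vendor.example.net", "edge-17.pop.example.org"]
ALLOW_LIST = ["*.example.com"]

if __name__ == "__main__":
    for action in (INSPECT, TRUST):
        print(action, evaluate(CHAIN, ALLOW_LIST, action))
```

With the trust setting, the redirect targets are never compared with the allow-list, so the entry for the queried name is the only control on where that name can lead.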