Issue 49 & 50
Subscribe for free! If you enjoy this newsletter, please consider forwarding to your professional circle.
This issue is sponsored by Invary. Check out Invary's ability to detect hidden rootkits, a task that modern threat detection solutions fail in action » HERE.
This week TLDR i.e. 1 minute version (For executives):
AWS IAM Access Analyzer now offers recommendations to refine unused access.
Detect malware in new object uploads to Amazon S3 with Amazon GuardDuty.
AWS Private CA introduces Connector for SCEP for mobile devices (Preview).
AWS Identity and Access Management now supports passkey as a second authentication factor.
AWS IAM Access Analyzer now offers policy checks for public and critical resource access.
Amazon EKS open sources Pod Identity agent.
Simplify AWS CloudTrail log analysis with natural language query generation in CloudTrail Lake (preview).
Trending in Cloud & Cyber Security (Security Blogs, articles, news, advisories etc):
AWS Security Blogs & Bulletins:
Bulletin- Issue with AWS Deployment Framework - CVE-2024-37293. Link.
Bulletin- Issue with Amazon EC2 VM Import Export Service. Link.
Bulletin- Issue with DeepJavaLibrary - CVE-2024-37902. Link.
Passkeys enhance security and usability as AWS expands MFA requirements. Link.
How to create a pipeline for hardening Amazon EKS nodes and automate updates. Link.
General security blogs, articles & reports:
Mandiant- Lessons Learned from Responding to Cloud Compromises. Link.
Attackers deploying new tactics in campaign targeting exposed Docker APIs by Matt Muir. Link.
Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets by Martin McCloskey. Link.
AWS’s head of security shares 7 reasons why security will always be Amazon’s top priority. Link.
Trending on the news & advisories:
This week Long i.e. 3-5 minutes version (For architects & engineers):
IAM Access Analyzer now provides actionable recommendations to help you address unused access. For unused roles, access keys, and passwords, it offers console links so you can delete them directly; for unused permissions, it evaluates your existing policies and suggests refined versions tailored to the observed access patterns. Link. For example, I enabled unused access analysis for my AWS organization with a 180-day period and was able to get reports on findings within minutes. This is a handy feature for security audits.
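As an added example (my code, not the newsletter's or AWS's), here is how the unused-access workflow looks from the API side: create an organization-wide unused-access analyzer with a 180-day window, pull its ACTIVE findings, and triage them into entities to delete (unused roles, access keys, passwords) and policies to refine (unused permissions). The two functions that talk to AWS import boto3 lazily and need real credentials; triage() is pure and runs offline on the constructed SAMPLE_FINDINGS, whose account ID and resource names are placeholders.

```python
"""Added example: create an unused-access analyzer and triage its findings.

Not the newsletter's or AWS's code. The account ID, analyzer name and
resource ARNs below are placeholders; SAMPLE_FINDINGS is constructed in
the shape ListFindingsV2 returns (abbreviated fields).
"""
from datetime import datetime, timezone

# Finding types an unused-access analyzer emits (AWS-defined names).
ENTITY_FINDING_TYPES = {"UnusedIAMRole", "UnusedIAMUserAccessKey", "UnusedIAMUserPassword"}
PERMISSION_FINDING_TYPE = "UnusedPermission"


def create_unused_access_analyzer(name, unused_access_age_days=180, client=None):
    """Create an organization-wide unused-access analyzer; returns its ARN (calls AWS)."""
    if client is None:
        import boto3  # lazy so the offline parts of this module work without it
        client = boto3.client("accessanalyzer")
    resp = client.create_analyzer(
        analyzerName=name,
        type="ORGANIZATION_UNUSED_ACCESS",
        configuration={"unusedAccess": {"unusedAccessAge": unused_access_age_days}},
    )
    return resp["arn"]


def list_active_findings(analyzer_arn, client=None):
    """Collect every ACTIVE finding for the analyzer, following nextToken (calls AWS)."""
    if client is None:
        import boto3
        client = boto3.client("accessanalyzer")
    kwargs = {"analyzerArn": analyzer_arn, "filter": {"status": {"eq": ["ACTIVE"]}}}
    findings = []
    while True:
        page = client.list_findings_v2(**kwargs)
        findings.extend(page["findings"])
        if "nextToken" not in page:
            return findings
        kwargs["nextToken"] = page["nextToken"]


def triage(findings, now=None):
    """Split findings into entities to delete and policies to refine.

    Each item is (resource ARN, finding type, days since the finding was created),
    oldest first, so reviewers start with the access that has been stale longest.
    Non-ACTIVE findings (RESOLVED, ARCHIVED) are skipped.
    """
    now = now or datetime.now(timezone.utc)
    delete, refine = [], []
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue
        age_days = (now - f["createdAt"]).days
        item = (f["resource"], f["findingType"], age_days)
        if f["findingType"] in ENTITY_FINDING_TYPES:
            delete.append(item)
        elif f["findingType"] == PERMISSION_FINDING_TYPE:
            refine.append(item)
    oldest_first = lambda item: -item[2]
    return {"delete": sorted(delete, key=oldest_first),
            "refine": sorted(refine, key=oldest_first)}


# Constructed sample data (placeholder account, made-up resource names).
ACCOUNT = "111122223333"
SAMPLE_FINDINGS = [
    {"id": "f-1", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resource": f"arn:aws:iam::{ACCOUNT}:role/legacy-deploy",
     "resourceType": "AWS::IAM::Role",
     "createdAt": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"id": "f-2", "findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE",
     "resource": f"arn:aws:iam::{ACCOUNT}:user/ci-bot",
     "resourceType": "AWS::IAM::User",
     "createdAt": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    {"id": "f-3", "findingType": "UnusedPermission", "status": "ACTIVE",
     "resource": f"arn:aws:iam::{ACCOUNT}:role/app-role",
     "resourceType": "AWS::IAM::Role",
     "createdAt": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"id": "f-4", "findingType": "UnusedIAMRole", "status": "RESOLVED",
     "resource": f"arn:aws:iam::{ACCOUNT}:role/already-deleted",
     "resourceType": "AWS::IAM::Role",
     "createdAt": datetime(2024, 2, 1, tzinfo=timezone.utc)},
]
DEMO_NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed clock for the offline demo


def demo():
    """Triage the constructed sample against the fixed demo clock."""
    return triage(SAMPLE_FINDINGS, now=DEMO_NOW)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket)
        for resource, ftype, age in items:
            print(f"  {ftype:24} {age:4}d  {resource}")
```

The refined policy for an UnusedPermission finding is fetched separately per finding (the new recommendation calls mentioned in the announcement); this block stops at the triage list, which is the input a reviewer needs before accepting a refined policy into a deployment pipeline.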
AWS has launched Amazon GuardDuty Malware Protection for Amazon S3, which scans newly uploaded objects in S3 buckets for malware, viruses, and other suspicious content so that you can take action to isolate those objects before they reach downstream processes. Link. It's well explained in THIS blog. Setting it up was pretty straightforward. For example, I chose an S3 bucket in my account and initiated the scan. CloudWatch metrics showed the scanned objects and findings (if any) too.
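The isolation step is the part you have to build yourself. As an added example (my code, not the newsletter's or AWS's): GuardDuty records its verdict as an object tag named GuardDutyMalwareScanStatus, so a bucket policy can deny reads on anything that is not tagged NO_THREATS_FOUND, and a consumer can map the tag to an action. The bucket name and principal ARNs are placeholders; the two boto3 calls import it lazily and need real credentials, while the decision logic runs offline on constructed tag sets.

```python
"""Added example: gate downstream reads on the GuardDuty Malware Protection
for S3 verdict tag.

Not the newsletter's or AWS's code. Bucket names, role ARNs and the tag
sets at the bottom are constructed placeholders.
"""
import json

SCAN_TAG = "GuardDutyMalwareScanStatus"  # tag key written on each scanned object
CLEAN = "NO_THREATS_FOUND"
MALICIOUS = "THREATS_FOUND"
# Remaining verdicts: UNSUPPORTED, ACCESS_DENIED, FAILED (scanner reached no verdict)


def scan_status(tag_set):
    """Read the verdict from an S3 TagSet ([{"Key": ..., "Value": ...}, ...]).
    None means the object has not been scanned (yet)."""
    for tag in tag_set:
        if tag.get("Key") == SCAN_TAG:
            return tag.get("Value")
    return None


def decide(status):
    """Action for a downstream consumer given the verdict on an object."""
    if status == CLEAN:
        return "release"
    if status == MALICIOUS:
        return "quarantine"
    if status is None:
        return "hold"    # scanning is asynchronous after upload; wait for the tag
    return "review"      # UNSUPPORTED / ACCESS_DENIED / FAILED: no verdict, a human decides


def deny_reads_without_clean_verdict(bucket, exempt_principal_arns):
    """Bucket policy: deny s3:GetObject unless the object is tagged clean.

    StringNotEquals also matches when the tag is absent, so unscanned objects
    are denied as well. The scanner's own role and the quarantine automation
    must be exempted, otherwise the scan (and the cleanup) would be blocked too.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyReadUntilScannedClean",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringNotEquals": {f"s3:ExistingObjectTag/{SCAN_TAG}": CLEAN},
                "ArnNotLike": {"aws:PrincipalArn": list(exempt_principal_arns)},
            },
        }],
    }


def apply_policy(bucket, policy, client=None):
    """Attach the policy to the bucket (calls AWS)."""
    if client is None:
        import boto3
        client = boto3.client("s3")
    client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


def object_decision(bucket, key, client=None):
    """Look up the verdict tag on a real object and return the action (calls AWS)."""
    if client is None:
        import boto3
        client = boto3.client("s3")
    tags = client.get_object_tagging(Bucket=bucket, Key=key)["TagSet"]
    return decide(scan_status(tags))


# Constructed tag sets in the shape GetObjectTagging returns.
CLEAN_TAGS = [{"Key": SCAN_TAG, "Value": CLEAN}, {"Key": "owner", "Value": "ingest"}]
MALICIOUS_TAGS = [{"Key": SCAN_TAG, "Value": MALICIOUS}]
UNSCANNED_TAGS = [{"Key": "owner", "Value": "ingest"}]
FAILED_TAGS = [{"Key": SCAN_TAG, "Value": "FAILED"}]

if __name__ == "__main__":
    policy = deny_reads_without_clean_verdict(
        "ingest-bucket",
        ["arn:aws:iam::111122223333:role/GuardDutyMalwareScanRole",   # placeholder
         "arn:aws:iam::111122223333:role/quarantine-automation"])     # placeholder
    print(json.dumps(policy, indent=2))
    for tags in (CLEAN_TAGS, MALICIOUS_TAGS, UNSCANNED_TAGS, FAILED_TAGS):
        print(scan_status(tags), "->", decide(scan_status(tags)))
```

Treat the three no-verdict statuses as "review" rather than "release": a FAILED or UNSUPPORTED scan is exactly where an attacker would aim a payload if the pipeline fails open.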
AWS Private Certificate Authority (AWS Private CA) introduces the Connector for SCEP, enabling secure and scalable enrollment of mobile devices using a managed cloud certificate authority (CA). Simple Certificate Enrollment Protocol (SCEP) is widely adopted by mobile device management (MDM) solutions for obtaining digital identity certificates from a CA and enrolling both corporate-issued and bring-your-own-device (BYOD) mobile devices. With the Connector for SCEP, organizations can leverage a managed private CA and SCEP solution to streamline operations, reduce costs, and optimize their public key infrastructure (PKI). Furthermore, this connector allows integration of AWS Private CA with leading SCEP-compatible MDM solutions such as Microsoft Intune and Jamf Pro. Link.
AWS Identity and Access Management (IAM) now introduces passkeys for multi-factor authentication. Built on FIDO standards and public key cryptography, passkeys provide phishing-resistant authentication that goes well beyond traditional passwords. The support works with built-in authenticators such as Touch ID on Apple MacBooks and facial recognition via Windows Hello on PCs. Passkeys can be generated on a hardware security key or through a passkey provider of your choice, unlocked by fingerprint, facial recognition, or device PIN. Link. Note that passkeys created through a passkey provider (for example iCloud Keychain or Google Password Manager) are synchronized across your devices, so the strength of that MFA factor then rests on the security of the provider account and every device signed into it; a passkey on a hardware security key stays bound to that key. Keep that in mind when choosing which kind to register for privileged users.
Amazon EKS has released the Pod Identity agent as open source, so you can build, package, and deploy the agent in your EKS clusters yourself. Pod Identity is the feature that lets cluster administrators attach AWS IAM permissions to Kubernetes applications; to use it, the Pod Identity agent must run on the cluster's worker nodes. With the agent open sourced, you can build it independently, which gives you a range of packaging and deployment options that can be aligned with your organization's deployment practices. Link. Here's the GitHub repository.
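The agent only hands credentials to a pod once the IAM side is wired correctly, and that wiring is where most first attempts fail. As an added example (my code, not the newsletter's or the Pod Identity agent project's): the trust policy for pods.eks.amazonaws.com must grant both sts:AssumeRole and sts:TagSession (the agent's credential exchange attaches session tags, so AssumeRole alone is refused), and those same session tags can scope the role's permissions policy to one cluster and namespace. The cluster, namespace, service account, bucket and role names are placeholders; associate() imports boto3 lazily and needs real credentials, everything else runs offline.

```python
"""Added example: IAM wiring for EKS Pod Identity.

Not the newsletter's or the Pod Identity agent project's code. Cluster,
namespace, service account, bucket and role names are placeholders.
"""
import json

POD_IDENTITY_PRINCIPAL = "pods.eks.amazonaws.com"
REQUIRED_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}  # Pod Identity needs both


def pod_identity_trust_policy():
    """Trust policy that lets the EKS Pod Identity service assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowEksPodIdentity",
            "Effect": "Allow",
            "Principal": {"Service": POD_IDENTITY_PRINCIPAL},
            "Action": sorted(REQUIRED_ACTIONS),
        }],
    }


def check_trust_policy(policy):
    """Return the actions still missing for Pod Identity to assume this role.

    Handles Principal.Service and Action given either as a string or a list,
    which is how IAM returns policies that were written by hand.
    """
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if POD_IDENTITY_PRINCIPAL not in services:
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return REQUIRED_ACTIONS - granted


def scoped_permissions_policy(bucket, cluster_name, namespace):
    """Permissions policy keyed on the session tags Pod Identity attaches, so the
    role only works for pods in the intended cluster and namespace even if
    someone later associates it with a service account elsewhere."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {
                "aws:PrincipalTag/eks-cluster-name": cluster_name,
                "aws:PrincipalTag/kubernetes-namespace": namespace,
            }},
        }],
    }


def associate(cluster_name, namespace, service_account, role_arn, client=None):
    """Bind the Kubernetes service account to the role (calls AWS)."""
    if client is None:
        import boto3
        client = boto3.client("eks")
    resp = client.create_pod_identity_association(
        clusterName=cluster_name, namespace=namespace,
        serviceAccount=service_account, roleArn=role_arn)
    return resp["association"]["associationArn"]


# Constructed example of the common mistake: AssumeRole granted, TagSession forgotten.
BROKEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": POD_IDENTITY_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    print(json.dumps(pod_identity_trust_policy(), indent=2))
    print("missing in broken policy:", check_trust_policy(BROKEN_TRUST_POLICY))
    print(json.dumps(scoped_permissions_policy("app-data", "prod", "payments"), indent=2))
```

Run check_trust_policy() against the role's current trust document (iam get-role) before creating the association; a missing sts:TagSession shows up in the pod only as a generic credential error from the agent.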
AWS KMS has introduced support for Elliptic Curve Diffie-Hellman (ECDH) key agreement, which lets two parties establish a shared secret over a public channel. With ECDH in AWS KMS, you combine another party's public key with your own elliptic-curve KMS key, which never leaves the FIPS 140-2 validated hardware security modules (HSMs) of AWS Key Management Service (KMS), to derive the shared secret. The shared secret can then be used to derive a symmetric key for encrypting and decrypting data between the parties with a symmetric algorithm in your application. Link. You can learn more about the aws kms derive-shared-secret API HERE.
AWS introduced natural language query generation powered by generative AI in AWS CloudTrail Lake (preview), which lets you analyze AWS activity events without writing intricate SQL queries: you simply ask questions in plain English. Link. It's well explained in THIS blog post. (Note: I did have some errors at times, such as "Query generator failed to generate a query. A valid SQL statement could not be generated using the given prompt. Reword your prompt and try again", and this feature is in an early phase, so you should double-check the generated SQL queries to make sure they return what you are investigating.)
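The ECDH announcement above stops at "derive a symmetric key", which is the step people get wrong by using the raw shared secret directly. As an added example (my code, not the newsletter's or AWS's): derive_shared_secret_with_kms() makes the DeriveSharedSecret call for a KMS ECC key with KeyUsage KEY_AGREEMENT, and session_key() turns the result into an AES-256 key with HKDF-SHA256 (RFC 5869, stdlib only), binding the key to both parties' identities through the info string. HKDF is my choice of KDF here, not something the page prescribes. The key ID, party names and the _StubKms stand-in are constructed placeholders; the real call imports boto3 lazily and needs credentials.

```python
"""Added example: KMS ECDH shared secret -> context-bound AES-256 key via HKDF.

Not the newsletter's or AWS's code. The key alias, party identifiers and
_StubKms are placeholders so the module runs offline.
"""
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF with SHA-256: extract a PRK, then expand it to `length` bytes."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size  # RFC default: zero-filled salt
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_shared_secret_with_kms(key_id, peer_public_key_der, client=None):
    """Run ECDH inside KMS between our HSM-held private key and the peer's public key.

    peer_public_key_der is the peer's DER-encoded SubjectPublicKeyInfo (the same
    encoding GetPublicKey returns). The secret comes back in plaintext to the
    caller, so call this only from an environment that may hold it.
    """
    if client is None:
        import boto3  # lazy: the offline parts of this module do not need it
        client = boto3.client("kms")
    resp = client.derive_shared_secret(
        KeyId=key_id,
        KeyAgreementAlgorithm="ECDH",
        PublicKey=peer_public_key_der,
    )
    return resp["SharedSecret"]


def session_key(shared_secret, initiator_id, responder_id, salt=b"", purpose=b"aes-256-gcm"):
    """Never use the raw ECDH output as a key: bind it to the context with HKDF.

    Both sides must build the identical info string, so the (initiator, responder)
    order is part of the protocol, not something to sort away. A salt shared in
    the clear (for example a hash of the handshake transcript) is optional but
    gives fresh keys per session even when the same two static keys are reused.
    """
    info = b"|".join([purpose, initiator_id, responder_id])
    return hkdf_sha256(shared_secret, salt=salt, info=info, length=32)


class _StubKms:
    """Constructed stand-in for the KMS client, for the offline demo only:
    records the call and returns a fixed 32-byte value instead of doing ECDH."""
    def __init__(self, secret=b"\x42" * 32):
        self.secret = secret
        self.calls = []

    def derive_shared_secret(self, **kwargs):
        self.calls.append(kwargs)
        return {"SharedSecret": self.secret, "KeyAgreementAlgorithm": "ECDH",
                "KeyOrigin": "AWS_KMS", "KeyId": kwargs["KeyId"]}


def demo():
    """Offline walk-through with the stub: KMS 'secret' -> session key."""
    stub = _StubKms()
    secret = derive_shared_secret_with_kms("alias/ecdh-demo-key",      # placeholder alias
                                           b"\x30\x59\x30\x13",        # placeholder DER prefix
                                           client=stub)
    return session_key(secret, b"initiator:svc-a", b"responder:svc-b")


if __name__ == "__main__":
    print(demo().hex())
```

Whoever holds the other side of the exchange (another KMS key, or an OpenSSL/BouncyCastle client) must apply the same HKDF parameters; disagreeing on salt, info or output length yields two different keys and a confusing decryption failure rather than a clear error.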