AWS Cloud Security Weekly
Issue 51

Subscribe for free! If you enjoy this newsletter, please consider forwarding to your professional circle.

Jul 03, 2024

This issue is sponsored by Invary. Check out Invary's ability to detect hidden rootkits, a task that modern threat detection solutions fail in action » HERE.

This week's TL;DR, i.e. the 1-minute version (for executives):

  1. Amazon GuardDuty EC2 Runtime Monitoring now supports Ubuntu and Debian OS.

  2. AWS CloudShell now supports Amazon Virtual Private Cloud (VPC).

  3. Amazon CodeCatalyst now supports GitLab.com source code repositories.

  4. Amazon DocumentDB announces IAM database authentication.

  5. AWS CodeBuild build timeout limit increased to 36 hours.

Trending in Cloud & Cyber Security (Security Blogs, articles, news, advisories etc):

  1. AWS Security Blogs & Bulletins:

    • Access AWS services programmatically using trusted identity propagation. Link.

    • ACM will no longer cross sign certificates with Starfield Class 2 starting August 2024. Link.

  2. General security blogs, articles & reports:

    • AWS IAM Roles Anywhere with open-source private CA by Paul Schwarzenberger. Link.

    • Publicly Exposed AWS SSM Command Documents by Rami. Link.

    • Setting up AWS IAM Identity Center as an identity provider for Confluence. Link.

    • Attack Paths Into VMs in the Cloud by Jay Chen. Link.

    • RegreSSHion vulnerability CVE-2024-6387: Overview, detection, and remediation by Datadog. Link.

    • AWS Managed KMS Keys and their Key Policies: Security Implications and Coverage for AWS Services by Jason Kao. Link.

    • Achieving Exactly Once Semantics in AWS by Josh Liburdi. Link.

  3. Trending on the news & advisories:

    • GitLab critical patch which could allow an attacker to trigger a pipeline as another user. Link.

    • CISA: Exploring Memory Safety in Critical Open Source Projects. Link.

    • Grafana security update: Grafana Loki and unintended data write attempts to Amazon S3 buckets. Link.

    • TeamViewer breached in alleged APT hack. Link.

    • Russian National Charged for Conspiring with Russian Military Intelligence to Destroy Ukrainian Government Computer Systems and Data. Link.

    • Microsoft: Toward greater transparency: Unveiling Cloud Service CVEs. Link.

    • Geisinger provides notice of Nuance's data security incident. Link.

    • regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server. Link.

    • Rapid7 Agrees to Acquire Cyber Asset Attack Surface Management Company, Noetic Cyber. Link.

This week's long version, i.e. the 3-5 minute read (for architects & engineers):

  1. Amazon GuardDuty EC2 Runtime Monitoring's eBPF security agent now extends its support to Amazon Elastic Compute Cloud (EC2) workloads running on Ubuntu (versions 20.04 and 22.04) and Debian (versions 11 and 12) operating systems. If you use GuardDuty EC2 Runtime Monitoring with automated agent management, the security agent on your Amazon EC2 instances will be upgraded automatically. If you do not use automated agent management, you are responsible for upgrading the agent manually. Link. For example, this is my Ubuntu 22.x EC2 instance automatically picked up by GuardDuty:

  2. AWS has launched Amazon Virtual Private Cloud (VPC) support for AWS CloudShell, enabling creation of CloudShell environments within a VPC. This allows you to securely use CloudShell alongside other resources in the same subnet of your VPC without additional network setup. Before this release, there was no way to control CloudShell's network traffic to the internet. Link. It was straightforward to create the VPC environments:

  3. Amazon CodeCatalyst now supports using source code repositories hosted on GitLab.com within CodeCatalyst projects, allowing you to use GitLab.com repositories with CodeCatalyst's features, including its cloud IDE (Development Environments). You can trigger CodeCatalyst workflows in response to GitLab.com events, monitor the status of CodeCatalyst workflows directly within GitLab.com, and block GitLab.com pull request merges based on CodeCatalyst workflow status. Link. For example, I was able to link my GitLab account to my CodeCatalyst space from the space's source repositories page:

  4. Amazon DocumentDB (with MongoDB compatibility) now supports cluster authentication using AWS Identity and Access Management (IAM) user and role ARNs. Users and applications connecting to an Amazon DocumentDB cluster for data operations such as reading, writing, updating, or deleting can now authenticate with AWS IAM identities. This means the same AWS IAM user or role can be used consistently across connections to different DocumentDB clusters and other AWS services. For applications deployed on AWS EC2, AWS Lambda, AWS ECS, or AWS EKS, there is no longer a need to manage passwords within the application for authentication to Amazon DocumentDB. Instead, these applications obtain their connection credentials from the environment of the AWS IAM role they run under, giving a passwordless authentication mechanism. Link.
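As an added example (not from the newsletter or from AWS), here is a small Python check that flags a DocumentDB connection string carrying a static password and builds the passwordless IAM form instead; the cluster endpoints and the role ARN are constructed placeholders, and the `MONGODB-AWS` mechanism with `$external` as auth source is the setting DocumentDB's IAM authentication uses.

```python
"""Audit DocumentDB connection strings for static credentials and build the
IAM-authenticated (MONGODB-AWS) form that carries no password in the app.

Added example; endpoint names and the role ARN are constructed placeholders."""
from urllib.parse import urlparse, parse_qs

# Constructed sample: the "before" state with a password baked into the URI.
LEGACY_URI = ("mongodb://appuser:S3cretPassw0rd@docdb-legacy.cluster-abc123."
              "us-east-1.docdb.amazonaws.com:27017/?tls=false")
IAM_ROLE_ARN = "arn:aws:iam::123456789012:role/orders-service"  # placeholder


def audit_uri(uri: str) -> list[str]:
    """Return the findings a reviewer would raise about a DocumentDB URI."""
    parsed = urlparse(uri)
    params = {k: v[-1] for k, v in parse_qs(parsed.query).items()}
    findings = []
    if parsed.password:
        findings.append("static password embedded in connection string")
    if params.get("authMechanism") != "MONGODB-AWS":
        findings.append("not using IAM (MONGODB-AWS) authentication")
    if params.get("tls", "false").lower() != "true":
        findings.append("TLS not enabled")
    return findings


def build_iam_uri(endpoint: str, port: int = 27017) -> str:
    """Passwordless form: with authMechanism=MONGODB-AWS the driver signs in
    with the temporary credentials of the IAM role attached to the EC2
    instance, ECS/EKS task or Lambda function, so no secret lives in the app.
    retryWrites=false because DocumentDB does not support retryable writes;
    add tlsCAFile=<bundle> if your driver does not trust the Amazon CA."""
    return (f"mongodb://{endpoint}:{port}/?tls=true"
            "&authMechanism=MONGODB-AWS&authSource=$external"
            "&retryWrites=false")


def iam_user_command(role_arn: str, db: str) -> dict:
    """The createUser command an admin runs once against the $external
    database so the IAM role maps to a least-privilege database role."""
    return {"createUser": role_arn,
            "mechanisms": ["MONGODB-AWS"],
            "roles": [{"role": "readWrite", "db": db}]}
```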

  5. AWS CodeBuild now lets you extend the build timeout to up to 36 hours, a significant increase from the previous limit of 8 hours. The timeout is the maximum duration before CodeBuild terminates a build that has not completed. With this update, organizations with workloads that need long timeouts, such as extensive automated test suites or builds involving embedded devices, can run them on CodeBuild. Link. For example, I was able to set 36 hours for my new CodeBuild project:

© 2025 AJ