Issue 62
Subscribe for free! If you enjoy this newsletter, please consider forwarding to your professional circle.
This issue is co-sponsored by Invary. Check out Invary's ability to detect hidden rootkits, a task at which modern threat detection solutions fail, in action » HERE. Also co-sponsored by Sonrai Security, the first Cloud Permissions Firewall!
This week's TL;DR, i.e. the 1-minute version (for executives):
Amazon ECR announces support for dual-layer server-side encryption in the AWS GovCloud (US) Regions.
AWS Backup Audit Manager adds new control to audit resources inside logically air-gapped vault.
AWS Private CA now supports SCEP for mobile devices.
AWS IAM Identity Center now supports language and visual mode preferences in the AWS access portal.
AWS Network Firewall now supports AWS PrivateLink.
Amazon Cognito user pools now offer email as a multi-factor authentication (MFA) option.
AWS WAF Bot Control Managed Rule Group expands bot detection capabilities.
Trending in Cloud & Cyber Security (News, Blogs, Tweets etc):
AWS Security Blogs & Bulletins:
Methodology for incident response on generative AI workloads. Link.
Create security observability using generative AI with Security Lake and Amazon Q in QuickSight. Link.
Podcast: Empowering organizations to address their digital sovereignty requirements with AWS. Link.
Reduce risks of user sign-up fraud and SMS pumping with Amazon Cognito user pools. Link.
New whitepaper available: Building security from the ground up with Secure by Design. Link.
General security blogs, articles & reports:
The Complexity of AWS Data Access with KMS Encryption: KMS Key Grants and all the possible combinations by Jason Kao. Link.
Scorecarding Security by Rami. Link & FinOps 🤝 Security by Rami. Link1.
Security Flaw in AWS Transit Gateway Peering Attachments (Patched) by James Sheard. Link.
AWS CloudTrail downloader V2 By David Cowen. Link.
The cloud is darker and more full of Terror by Chris Farris. Link. (Slides HERE, YouTube HERE).
Stratus attack techniques for Entra ID, grouped by MITRE ATT&CK Tactic by stratus-red-team. Link.
Transitive Access Abuse - Data Exfiltration via Document AI by Kat Traxler. Link.
Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence by Katie Knowles. Link.
Tool: Cloud Testing VM with common cloud assessment tools pre-installed. Github Link.
SANS CloudSecNext Summit & Training 2024. Link.
fwd:cloudsec Europe 2024. Link. Videos (later) Youtube HERE.
Trending on the news & advisories:
Mastercard has an agreement to acquire Recorded Future. Link.
Snowflake Strengthens Security with Default Multi-Factor Authentication and Stronger Password Policies. Link.
Fake recruiter coding tests target devs with malicious Python packages. Link.
WordPress MFA enforcement. Link.
CISA, FBI: Secure by Design Alert: Eliminating Cross-Site Scripting Vulnerabilities. Link.
Highway Blobbery: Data Theft using Azure Storage Explorer By: Britton Manahan. Link.
Large AT&T Data breach fine. Link.
Data Protection Commission launches inquiry into Google AI model. Link.
GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7. Link.
17-year-old arrested in NCA investigation into Transport for London cyber attack. Link.
Fortinet data breach: Notice of Recent Security Incident. Link.
FBI Cryptocurrency Fraud report. Link.
Redefining CNAPP: A Complete Guide To the Future of Cloud Security by Francis (Software Analyst) and James Berthoty. Link.
CISA FY23 Risk and Vulnerability Assessment (RVA) results. Link.
[GAZEploit] Remote Keystroke Inference Attack by Gaze Estimation from Avatar Views in VR/MR Devices from Texas Tech University. Link.
FBI Statement: Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections. Link.
Chrome: Kyber on the web, moving to the standardized ML-KEM post-quantum key exchange. Link.
This week's long version, i.e. the 3-5 minute version (for architects & engineers):
Amazon Elastic Container Registry (ECR) now offers dual-layer server-side encryption in the AWS GovCloud (US) Regions, letting you apply two separate layers of server-side encryption to your images. With dual-layer server-side encryption using keys managed by AWS Key Management Service (DSSE-KMS), you can meet stricter compliance and regulatory standards that call for more than one independent layer of encryption. Link. For example, here's my ECR encryption option using KMS:
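An added example, not the newsletter author's configuration: the AWS CLI equivalent of creating a repository with DSSE-KMS, plus a describe-repositories query that lists repositories still on single-layer encryption. The region, repository name and KMS key ARN are placeholders, and APPLY=1 is this script's own switch from dry run to real API calls.

```shell
#!/usr/bin/env bash
# Added example (not the newsletter author's configuration). Creates an Amazon ECR
# repository with dual-layer server-side encryption (DSSE-KMS) and reports any
# repositories that are not dual-layer encrypted. Dry run unless APPLY=1.
# Assumptions: the GovCloud region, repository name and KMS key ARN below.
set -eu

REGION="${REGION:-us-gov-west-1}"     # assumption: a GovCloud (US) Region, where ECR DSSE-KMS launched
REPO="${REPO:-payments-api}"          # assumption: repository name
KMS_KEY_ARN="${KMS_KEY_ARN:-arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/11111111-2222-3333-4444-555555555555}"  # assumption: a customer managed key in the same Region

# Print the command in dry-run mode; execute it only when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# Build the --encryption-configuration shorthand. KMS_DSSE selects dual-layer SSE.
# If no key ARN is given, ECR uses its AWS managed key instead.
ecr_encryption_config() {
  if [ -n "${1:-}" ]; then
    printf 'encryptionType=KMS_DSSE,kmsKey=%s' "$1"
  else
    printf 'encryptionType=KMS_DSSE'
  fi
}

# JMESPath filter for describe-repositories: repositories whose images are NOT
# dual-layer encrypted. The encryption type is fixed when a repository is created,
# so a non-compliant repository has to be recreated and its images re-pushed.
non_dsse_repositories_query() {
  printf "repositories[?encryptionConfiguration.encryptionType!='KMS_DSSE'].repositoryName"
}

run aws ecr create-repository \
  --region "$REGION" \
  --repository-name "$REPO" \
  --image-tag-mutability IMMUTABLE \
  --image-scanning-configuration scanOnPush=true \
  --encryption-configuration "$(ecr_encryption_config "$KMS_KEY_ARN")"

run aws ecr describe-repositories \
  --region "$REGION" \
  --query "$(non_dsse_repositories_query)" \
  --output text
```

Run it once without APPLY to review the commands, then with APPLY=1. The second command is the audit half: any repository name it prints is still single-layer encrypted and cannot be switched in place.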
AWS Backup has introduced a new AWS Backup Audit Manager control that lets you audit whether a resource's backup data is stored in a logically air-gapped vault within a defined time frame, and so assess whether it aligns with your business or compliance requirements. Link. For example, below is my framework that evaluates this control for resources over the last 7 days:
AWS Private Certificate Authority (AWS Private CA) has now made the Connector for SCEP generally available, which allows you to securely and efficiently enroll mobile devices at scale using a managed cloud certificate authority (CA). The Connector for SCEP is one of three connectors designed to integrate AWS Private CA with Kubernetes, Active Directory, and now mobile devices. These connectors enable you to replace existing CAs with AWS Private CA in environments that already have native certificate distribution mechanisms, consolidating your enterprise's CA management onto a single private CA solution. Link. For example, here is my connector:
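An added example, not the newsletter author's connector: the CLI steps to create a Connector for SCEP, read back its status and SCEP endpoint, and mint the challenge password an MDM embeds in its enrollment profile. The CA and connector ARNs and the Intune tenant values are placeholders, and APPLY=1 is this script's own dry-run switch.

```shell
#!/usr/bin/env bash
# Added example (not the newsletter author's connector). Creates an AWS Private CA
# Connector for SCEP, reads its status/endpoint, and creates an enrollment
# challenge. Dry run unless APPLY=1.
# Assumptions: region, CA ARN, connector ARN and Intune values are placeholders.
set -eu

REGION="${REGION:-us-east-1}"
CA_ARN="${CA_ARN:-arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11111111-2222-3333-4444-555555555555}"  # assumption

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# Shorthand for --mobile-device-management when the connector is dedicated to
# Microsoft Intune (Intune then validates enrollments itself). Pass empty values
# to get no argument, i.e. a general-purpose connector with static challenges.
mdm_intune_arg() {
  app_id="${1:-}"; domain="${2:-}"
  if [ -n "$app_id" ] && [ -n "$domain" ]; then
    printf 'Intune={AzureApplicationId=%s,Domain=%s}' "$app_id" "$domain"
  fi
}

# Sanity check before calling the API: the connector takes an ACM PCA
# certificate-authority ARN, not a certificate ARN.
is_ca_arn() {
  case "$1" in
    arn:aws*:acm-pca:*:*:certificate-authority/*) return 0 ;;
    *) return 1 ;;
  esac
}

is_ca_arn "$CA_ARN" || { echo "not a Private CA ARN: $CA_ARN" >&2; exit 1; }

# 1. Create a general-purpose connector. For Intune, add:
#    --mobile-device-management "$(mdm_intune_arg <azure-app-id> <tenant-domain>)"
run aws pca-connector-scep create-connector \
  --region "$REGION" \
  --certificate-authority-arn "$CA_ARN"

# 2. Read back the connector; enroll only once Status is ACTIVE. Endpoint is the
#    SCEP URL that goes into the MDM profile.
CONNECTOR_ARN="${CONNECTOR_ARN:-arn:aws:pca-connector-scep:us-east-1:111122223333:connector/00000000-0000-0000-0000-000000000000}"  # assumption: taken from step 1 output
run aws pca-connector-scep get-connector \
  --region "$REGION" --connector-arn "$CONNECTOR_ARN" \
  --query 'Connector.[Status,Endpoint]' --output text

# 3. Create the static challenge password. It is a shared secret: anyone holding
#    it can obtain a certificate from this CA, so keep it in the MDM only (never
#    in device images or repos) and rotate with delete-challenge / create-challenge.
run aws pca-connector-scep create-challenge \
  --region "$REGION" --connector-arn "$CONNECTOR_ARN" \
  --query 'Challenge.Password' --output text
```

The ARN check is cheap insurance: the two ARN types look alike, and catching the mix-up locally beats a failed API call. Treat the challenge password with the same care as any enrollment credential, because SCEP itself has no other authentication of the requester.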
AWS IAM Identity Center now supports language and visual mode preferences in the AWS access portal. Link. Here are my settings:
AWS Network Firewall now supports AWS PrivateLink, meaning you can reach the Network Firewall API privately without routing traffic through the public internet, i.e. all management and control-plane traffic between your clients and Network Firewall stays on a private network. Link. Here's my endpoint:
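An added example, not the newsletter author's endpoint: creating the interface endpoint with a least-privilege endpoint policy (organization principals only, Network Firewall actions only) and a security group that admits HTTPS solely from the VPC. The region, VPC, subnets, CIDR and organization ID are placeholders; the service name follows the com.amazonaws.<region>.<service> convention and is confirmed with describe-vpc-endpoint-services before anything is created. APPLY=1 is this script's own dry-run switch.

```shell
#!/usr/bin/env bash
# Added example (not the newsletter author's endpoint). Creates an interface VPC
# endpoint for the AWS Network Firewall API with a restrictive endpoint policy and
# a VPC-only security group. Dry run unless APPLY=1.
# Assumptions: region, VPC, subnet IDs, CIDR, security group ID and org ID below.
set -eu

REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"
SUBNET_IDS="${SUBNET_IDS:-subnet-0123456789abcdef0 subnet-0fedcba9876543210}"
VPC_CIDR="${VPC_CIDR:-10.20.0.0/16}"
ORG_ID="${ORG_ID:-o-a1b2c3d4e5}"          # assumption: your AWS Organizations ID

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# PrivateLink service name for the Network Firewall API in a Region.
service_name() { printf 'com.amazonaws.%s.network-firewall' "$1"; }

# Endpoint policy: only principals from our organization, only Network Firewall
# actions. The default policy on a new endpoint is full access for any principal.
endpoint_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrgPrincipalsOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "network-firewall:*",
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:PrincipalOrgID": "$1" } }
    }
  ]
}
EOF
}

# Confirm the service name exists in this Region before creating anything.
run aws ec2 describe-vpc-endpoint-services --region "$REGION" \
  --service-names "$(service_name "$REGION")" \
  --query 'ServiceNames' --output text

# Security group for the endpoint ENIs: HTTPS from inside the VPC only.
run aws ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
  --group-name network-firewall-endpoint \
  --description "HTTPS to the Network Firewall API endpoint"
SG_ID="${SG_ID:-sg-0123456789abcdef0}"   # assumption: taken from the output above
run aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$SG_ID" \
  --protocol tcp --port 443 --cidr "$VPC_CIDR"

# Interface endpoint with private DNS, so the regional API hostname resolves to
# the endpoint and the CLI/SDKs need no --endpoint-url override.
POLICY_FILE="$(mktemp)"
endpoint_policy "$ORG_ID" > "$POLICY_FILE"
# shellcheck disable=SC2086  # SUBNET_IDS is intentionally word-split
run aws ec2 create-vpc-endpoint --region "$REGION" \
  --vpc-id "$VPC_ID" --vpc-endpoint-type Interface \
  --service-name "$(service_name "$REGION")" \
  --subnet-ids $SUBNET_IDS \
  --security-group-ids "$SG_ID" \
  --private-dns-enabled \
  --policy-document "file://$POLICY_FILE"
```

The endpoint policy is the part most often skipped: without it, a private path to the API is also a private path for any principal whose credentials land in that VPC. Tighten `Action` further to the read-only or firewall-management actions your automation actually uses once you know them.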
Amazon Cognito has enhanced its multi-factor authentication (MFA) capabilities by adding email as an additional authentication factor, alongside the existing options of text messages (SMS) and time-based one-time passwords (TOTP). Email MFA can be offered as a second factor at sign-in or presented as a challenge by adaptive authentication. Link. Here are my settings:
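An added example, not the newsletter author's settings: enabling email MFA alongside TOTP on a user pool with the CLI, with a local check that the message template carries the `{####}` code placeholder Cognito substitutes (a template without it is rejected). The user pool ID is a placeholder, the pool is assumed to already send email through a verified Amazon SES identity, and APPLY=1 is this script's own dry-run switch.

```shell
#!/usr/bin/env bash
# Added example (not the newsletter author's settings). Enables email as an MFA
# factor alongside TOTP on a Cognito user pool and reads back the configuration.
# Dry run unless APPLY=1. Assumptions: the user pool ID is a placeholder and the
# pool already sends email through a verified Amazon SES identity.
set -eu

REGION="${REGION:-us-east-1}"
POOL_ID="${POOL_ID:-us-east-1_EXAMPLE01}"   # assumption

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# Cognito substitutes the one-time code for the literal placeholder {####};
# a message without it is rejected, so check before calling the API.
has_code_placeholder() {
  case "$1" in
    *'{####}'*) return 0 ;;
    *) return 1 ;;
  esac
}

# JSON for --email-mfa-configuration (JSON rather than shorthand so the message
# may contain commas). Keep the subject generic; the code itself is the secret.
email_mfa_config() {
  msg="$1"; subj="$2"
  has_code_placeholder "$msg" || { echo "MFA message must contain {####}" >&2; return 1; }
  printf '{"Message":"%s","Subject":"%s"}' "$msg" "$subj"
}

MSG="Your sign-in code is {####}. If you did not try to sign in, ignore this email."
SUBJ="Your one-time sign-in code"

# OPTIONAL lets each user choose a factor, and users with none configured sign in
# without MFA; use ON to require MFA for everyone. TOTP stays enabled so email is
# an additional option rather than a replacement.
run aws cognito-idp set-user-pool-mfa-config \
  --region "$REGION" --user-pool-id "$POOL_ID" \
  --mfa-configuration OPTIONAL \
  --software-token-mfa-configuration Enabled=true \
  --email-mfa-configuration "$(email_mfa_config "$MSG" "$SUBJ")"

# Confirm what is actually enforced on the pool.
run aws cognito-idp get-user-pool-mfa-config \
  --region "$REGION" --user-pool-id "$POOL_ID"
```

Pair this with the sign-up fraud and SMS pumping post linked above: an email factor gives users a route that does not incur per-message SMS cost, and moving the pool to ON rather than OPTIONAL is what actually closes the no-factor sign-in path.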
AWS WAF has launched an updated Bot Control Managed Rule Group with enhanced features to improve protection against bot activity. New capabilities include token reuse detection across ASNs and locations, customizable sensitivity levels, expanded bot categories with 19 new bots, and new Cloud Service Provider and automated browser extension labels. Additionally, improved CloudWatch visibility now provides detailed insights into matched rules. Link. Here are the details of my rule on Version_3.0:
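An added example, not the newsletter author's rule: a web ACL rule that runs the Bot Control managed rule group pinned to Version_3.0 at the TARGETED inspection level, with one category overridden to Count for observation and a scope-down that skips a health-check path, validated with `wafv2 check-capacity`. The REGIONAL scope and the `^/healthz` path are placeholders, and APPLY=1 is this script's own dry-run switch.

```shell
#!/usr/bin/env bash
# Added example (not the newsletter author's rule). Emits a web ACL rule using the
# Bot Control managed rule group pinned to Version_3.0 at TARGETED inspection, then
# validates it with check-capacity. Dry run unless APPLY=1.
# Assumptions: REGIONAL scope and the /healthz exclusion are placeholders.
set -eu

REGION="${REGION:-us-east-1}"
SCOPE="${SCOPE:-REGIONAL}"     # CLOUDFRONT scope must be called with --region us-east-1

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# Rule definition. Pinning "Version" keeps behaviour stable: without it the group
# follows the AWS default version and changes under you. CategoryHttpLibrary is
# overridden to Count first so legitimate scripted clients (curl-based checks,
# SDKs) show up in CloudWatch and logs before anything is blocked. The scope-down
# excludes the health-check path from bot inspection entirely.
bot_control_rule() {
  cat <<EOF
[
  {
    "Name": "AWS-BotControl-Version_3_0",
    "Priority": 10,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesBotControlRuleSet",
        "Version": "$1",
        "ManagedRuleGroupConfigs": [
          { "AWSManagedRulesBotControlRuleSet": { "InspectionLevel": "$2", "EnableMachineLearning": true } }
        ],
        "RuleActionOverrides": [
          { "Name": "CategoryHttpLibrary", "ActionToUse": { "Count": {} } }
        ],
        "ScopeDownStatement": {
          "NotStatement": {
            "Statement": {
              "RegexMatchStatement": {
                "RegexString": "$3",
                "FieldToMatch": { "UriPath": {} },
                "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
              }
            }
          }
        }
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "BotControlVersion_3_0"
    }
  }
]
EOF
}

RULES_FILE="$(mktemp)"
bot_control_rule "Version_3.0" "TARGETED" "^/healthz" > "$RULES_FILE"

# check-capacity validates the JSON and returns the WCU cost. TARGETED inspection
# with ML is more expensive than COMMON, which matters against the web ACL WCU limit.
run aws wafv2 check-capacity --region "$REGION" --scope "$SCOPE" --rules "file://$RULES_FILE"
```

Once the Count-mode period shows which `awswaf:managed:aws:bot-control:*` labels your real traffic trips, drop the override or add a label-match rule that blocks only the categories you have confirmed you do not want.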