Issue 64 – by AWS-CloudSec weekly newsletter

This issue is co-sponsored by Invary – see Invary’s ability to detect hidden rootkits, a task that modern threat detection solutions fail to achieve, in action » HERE. Also co-sponsored by Sonrai Security – the first cloud permissions firewall!

This week’s TLDR or 1-minute version (for executives):

  1. Amazon Inspector improves the Lambda standard scanning engine.

  2. AWS Serverless Application Repository now supports AWS PrivateLink.

  3. AWS CloudTrail launches network activity events for VPC endpoints (preview).

  4. AWS announces security group referencing on AWS Transit Gateway.

  5. Amazon Aurora MySQL now supports RDS Data API.

  6. PostgreSQL 17.0 is now available in the Amazon RDS Database preview environment.

  7. Chatbot management policies introduced in AWS Organizations.

  8. Amazon S3 adds service quota support for general purpose S3 buckets.

  9. AWS announces AWS re:Post Agent, a generative AI-powered virtual assistant.

  10. Amazon SES adds HTTPS open tracking for custom domains.

  11. Amazon Redshift announces mTLS support for Amazon MSK.

Trending in cloud and cybersecurity (News, blogs, tweets etc.):

  1. AWS Security Blogs and Bulletins:

    • Identity source transition management for AWS IAM Identity Center. Link.

    • How to migrate 3DES keys from a FIPS to a non-FIPS AWS CloudHSM cluster. Link.

    • How to implement relationship-based access control with Amazon Verified Permissions and Amazon Neptune. Link.

    • Keep your firewall rules up to date with Network Firewall features. Link.

    • How to run a proof of concept for automated discovery using Amazon Macie. Link.

  2. General security blogs, articles and reports:

    • An attack chain for the ChatGPT macOS application: Spyware injection into the long-term memory of your ChatGPT (SpAIware). Link.

    • Threat overview: Unraveling SloppyLemming’s activities in South Asia. Link.

    • Hacking Kia: Control cars remotely with just a license plate. Link.

    • Attacking UNIX Systems via CUPS, Part I (Remote Command Execution). Link. Related: Remote Execution Exploitation Chain in CUPS: Overview, Detection, and Remediation by Christophe Tafani-Dereeper and Nick Frichette. Link.

    • Storm-0501: Ransomware attacks are expanding into hybrid cloud environments. Link.

    • Your AWS EC2 has been hacked. What will happen now? by Sena Yakut. Link.

    • Critical vulnerabilities discovered in automated fuel gauge systems by Pedro Umbelino. Link.

    • Backdooring Azure Automation account packages and runtime environments by Karl Fosaaen. Link.

    • Exploring the Infrastructure and Tactics of the Phishing-as-a-Service Platform Sniper Dz by Shehroze Farooqi, Howard Tong, Alex Starov. Link.

    • Securing your temporary workers without trust by Kane Narraway. Link.

    • Tool: Cloud Prefixes: A lightweight tool designed to aid in exploration by processing IP prefixes published by cloud and hosting providers. Link.

    • Detecting Vulnerability by Scanning Underground Tool Traffic Using Machine Learning by Chris Navarrete, Qian Feng, Durgesh Sangvikar, Yanhui Jia. Link.

    • Why multiple accounts in AWS? by Marty Henderson. Link.

    • Search AWS Transit Gateway flow logs with Amazon Athena. Link.

  3. Trending in the news and advice:

    • U.S. Department of State reward offers under the Transnational Organized Crime Rewards Program of up to $10 million. Link.

    • NVIDIA: Security Bulletin: NVIDIA Container Toolkit – September 2024. Link.

    • Ireland’s Data Protection Commission fines Meta Ireland €91 million for storing passwords in clear text. Link.

    • Europol: LockBit power outage: four new arrests and financial sanctions against affiliates. Link.

This week’s long version, 3-5 minutes (for architects and engineers):

  1. Amazon Inspector has introduced an upgraded engine for its Lambda standard scanning, providing a more thorough view of vulnerabilities in the third-party dependencies used in Lambda functions and associated layers within the environment. Please note: With this change, you may notice that some findings are closed as the engine reassesses assets for better risk assessment, while also identifying new vulnerabilities. Link.

  2. AWS Serverless Application Repository now supports AWS PrivateLink, allowing you to connect to the repository via an interface VPC endpoint, i.e. you can create a direct connection from your VPC to the Serverless Application Repository via AWS PrivateLink, eliminating the need for an internet connection. Link. For example, this is my endpoint:

  3. AWS introduced CloudTrail Network Activity for VPC Endpoints (in preview), which allows you to better understand the AWS API activity running through your VPC endpoints. During the preview, network activity events for VPC endpoints are available for four AWS services: EC2, KMS, Secrets Manager & CloudTrail. These network activity events provide insight into who has access to resources within your network. For example, as the VPC endpoint owner, you can view logs of actions blocked by VPC endpoint policies or use these events to verify the effects of policy updates. Link. For example, these are my settings in my CloudTrail:
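As an added illustration (not part of the newsletter or of AWS's own tooling), here is a small triage over constructed network activity events: it counts calls blocked by a VPC endpoint policy and lists principals from other accounts that reached the endpoint. Field names (eventCategory "NetworkActivity", vpcEndpointId, errorCode "VpceAccessDenied") follow the CloudTrail record format as I understand it and are assumptions; the account IDs, ARNs and endpoint ID are made up.

```python
from collections import Counter

# Constructed sample events (not real log data). Field names are assumptions
# based on the CloudTrail network activity event format.
SAMPLE_EVENTS = [
    {"eventCategory": "NetworkActivity", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "vpcEndpointId": "vpce-0aaa",
     "userIdentity": {"accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app/i-1"},
     "errorCode": "VpceAccessDenied"},
    {"eventCategory": "NetworkActivity", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "vpcEndpointId": "vpce-0aaa",
     "userIdentity": {"accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app/i-1"}},
    {"eventCategory": "NetworkActivity", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "vpcEndpointId": "vpce-0aaa",
     "userIdentity": {"accountId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:user/outsider"},
     "errorCode": "VpceAccessDenied"},
    # A management event, which the triage must ignore.
    {"eventCategory": "Management", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/admin"}},
]


def triage_network_activity(events, own_account):
    """Return (denied_counts, foreign_principals) for VPC endpoint events.

    denied_counts: Counter keyed by (vpcEndpointId, eventSource, principal ARN)
                   for calls the endpoint policy blocked.
    foreign_principals: sorted ARNs outside own_account that used the endpoint,
                        allowed or not (the "who reaches my network" question).
    """
    denied = Counter()
    foreign = set()
    for ev in events:
        if ev.get("eventCategory") != "NetworkActivity":
            continue  # management and data events are out of scope here
        ident = ev.get("userIdentity", {})
        arn = ident.get("arn", "unknown")
        if ident.get("accountId") != own_account:
            foreign.add(arn)
        if ev.get("errorCode") == "VpceAccessDenied":
            denied[(ev.get("vpcEndpointId"), ev.get("eventSource"), arn)] += 1
    return denied, sorted(foreign)
```

Running the same function over a fresh export after a policy change and comparing the two Counters is a quick way to verify the effect of an endpoint policy update, as the text suggests.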

  4. AWS has announced the general availability of Security Group Referencing for VPCs connected via AWS Transit Gateway (TGW). This feature simplifies the management of Security Groups and improves the security of TGW-based networks.

    Previously, it was not possible to use security group references to control traffic between VPCs connected via TGW. This capability eliminates the need to reconfigure security rules when applications scale or IP addresses change. Additionally, rules with security group references provide greater scalability by covering thousands of instances with a single rule, so you can avoid reaching the security group or ENI limits. Link. For example, this is my transit gateway configuration with the feature enabled:

  5. Amazon Aurora MySQL-Compatible Edition now offers a redesigned RDS Data API for both Aurora Serverless v2 and provisioned database instances, allowing you to securely access Aurora clusters via an HTTP endpoint and execute SQL statements without needing database drivers or managing connections. Link. Here is my configuration for a new Aurora RDS & sample CLI command:

  6. Amazon RDS for PostgreSQL 17.0 is now available in the Amazon RDS Database Preview Environment so you can test the pre-release version of PostgreSQL 17 on Amazon RDS. Link. Here are the options in my preview mode:

  7. AWS has announced the general availability of AWS Organizations integration with AWS Chatbot. You can now centrally manage account access through Slack and Microsoft Teams using AWS Organizations. A new chatbot management policy type has also been introduced in AWS Organizations, enabling control over account access through chat channels. Additionally, Service Control Policies (SCPs) allow you to enforce global permission limits for CLI commands initiated from chat channels. Link. Here is an example of a chatbot policy that blocks all three available clients:

  8. You can now manage your Amazon S3 general purpose bucket quota through Service Quotas. This feature allows you to view the total number of buckets in your AWS account, compare it to your current bucket quota, and request an increase if necessary. Link. Here is my quota example:

  9. AWS re:Post has introduced “re:Post Agent,” a generative AI-powered assistant designed to improve interactions by delivering intelligent, near real-time responses on the platform. re:Post Agent provides the first response to questions within the re:Post community. Link. I tried a query and interestingly the answer was not given by the re:Post agent due to security policy:

  10. Amazon Simple Email Service (SES) now supports HTTPS for tracking open and click events when using custom domains. This improvement helps meet security standards and reduces the likelihood of email delivery issues with mailbox providers that reject non-secure links. This feature allows you to configure HTTPS as mandatory for both open and click tracking or optional depending on the protocol used in the links in your emails. Link. This is my policy in the configuration:

  11. Amazon Redshift extends authentication options with mutual Transport Layer Security (mTLS) between Amazon Redshift provisioned clusters or serverless workgroups and Amazon Managed Streaming for Apache Kafka (MSK) clusters or serverless setups. Link. (Note: I was unable to perform this due to time constraints, but you can try using the steps in THIS document.)

