Hey Folks 👋

The 46-Minute Problem The IAMTrail detection engine fetches ~1,500 AWS managed IAM policies every run. The original approach was pure bash: 1 2 3 4 aws iam list-policies --output json | jq -cr '...' | xargs -P 16 -n3 sh -c \ 'aws iam get-policy-version --policy-arn $1 --version-id $2 | jq --indent 4 . > "policies/$3"' sh Looks fine, right? Except each iteration spawns a full AWS CLI process. That means a fresh Python runtime, boto3 import, credential resolution, one single HTTP call, then exit. Times 1,500. ...

📜 The Origins Back in 2019, Scott Piper started a Github repository to track changes to AWS Managed Policies. It was a simple setup, manually triggered but it worked well and was incredibly useful. Using git diff or Github.com UI, Scott and the community could easily see how policies evolved over time. At that time, AWS didn’t publicly share the changes made to managed policies by the various “two-pizza” product teams inside AWS. ...

✨ Introduction It starts with an innocuous-looking email. The sender claims to be AWS Support, warning the recipient about an urgent security issue. A single button labeled “Launch Stack” is prominently placed, urging immediate action. What appears to be a standard security advisory is, in reality, the gateway to a sophisticated AWS account takeover attempt. Threat actors are exploiting AWS CloudFormation StackSets in phishing campaigns designed to compromise AWS environments. Originally reported by Rami McCarthy back in 2022 and by Scott Piper in this blogpost (2021), this technique continues to evolve, demonstrating how adversaries leverage AWS automation against its own users. ...

Busy Holidays? You’ll find below my preferred papers from this summer, 2024 🏖️ Cloud Security Holding Cloud Vendors to a Higher Security Bar An AWS IAM Security Tooling Reference [2024] AWS Organizations Viewer Are my AWS Resources Encrypted or Unencrypted by Default? Strategies for performing security migrations Infrastructure Continuous reinvention: A brief history of block storage at AWS DNS best practices for Amazon Route 53 Introducing Parameter Store cross-account sharing Engineering The Over-Engineering Trap Anyone can Access Deleted and Private Repository Data on GitHub That’s all, folks! 👋🏼 ...

Background I started my career in the glass industry as a SysAdmin, specifically in a glass factory crafting fragrance bottles and bottles for pharmaceutical industries in the north of France. Since then, I’ve focused on IT security and cloud computing. After many full-time positions for Microsoft, French Logistic Railroad, and IT Consulting parties, I decided to run my AWS consulting boutique by myself 5 years ago. Just at the beginning of the pandemic, what a visionary… ...