The day when the AWS Support got access to your S3 data

Update from: 2021-12-23 Official Security bulletin from AWS AWSSupportServiceRolePolicy Informational Update https://aws.amazon.com/security/security-bulletins/AWS-2021-007/ You will find below details about the security incident that leads to this unattended access for millions of AWS customers. On 22nd December 2021, AWS deployed a new version (v20) of AWSSupportServiceRolePolicy used by a mandatory role: AWSServiceRoleForSupport for AWS Support access to all AWS Accounts. In this policy, they added the action: s3:getObject which gives access to all customer Amazon S3 data by AWS Support teams. ...

December 22, 2021 · 3 min · 539 words · zoph

Serverless AWS WebRedirect

Rational Lately, I was looking for small automation to deploy a simple web redirect for a domain name hosted on Amazon Route 53. I didn’t find anything relevant so I’ve decided to do it by myself. The goal was to have a subdomain redirect to a totaly different domain and path using minimal efforts and infrastructure. From: asd.zoph.io To: http://awssecuritydigest.com Schema Tradeoff It does not support https, but you could use the http as an entrypoint, and then redirect traffic to https as needed. ...

November 7, 2021 · 1 min · 115 words · zoph

How to deal with custom recorder of AWS Config?

Disclaimer: I’m not a REGEX expert :smile: Lately, I was working for one of my customers on a custom configuration of AWS Config recorder. My customer wanted to record using AWS Config All resources except a few of them: 'AWS::EC2::Subnet' 'AWS::EC2::VPC' 'AWS::EC2::SecurityGroup' Unfortunately, the AWS API and Console do not allow you to do this, you should cherry-pick manually which resource you want to record. The trade-off of this method is that if a new AWS Config resource type came out, it won’t be recorded until you manually select it in your AWS Config recorder setting. ...

August 15, 2021 · 3 min · 543 words · zoph

Do AWS drinks their own champagne? 🍾

TL;DR: AWS Managed Policies are safe. Currently. :arrows_counterclockwise: Previously in Policy Validation Before AWS Access Analyzer (AA) - Policy Validation release, few open source initiatives were available to lint AWS IAM Policies, like Parliament from Duolabs, CloudSplaining (Salesforce). The tricky part of these tools is that they are community-driven, from volunteer contributors, and most of the master data comes from AWS IAM docs web scrapping. It is difficult to maintain over time, especially if the documentation format is changing, or if the documentation is not in sync with the IAM reality. It will be easier for everyone if the one who is providing the rules is the one who creates the validation tool to run against these rules — Isn’t it? ...

April 6, 2021 · 4 min · 802 words · zoph

Keep you posted on AWS Security

Since my last post, on how to deal with information Overload and reading pipeline, I’ve created a free digest newsletter about AWS Security. The goal of this curated AWS Security Digest is to condensate what was happening from last week on the most relevant sources: 🔦 A Highlight of the week 👮 Change since last week on AWS Managed IAM Policies 💌 Curated Cloud Security Newsletters 👀 AWS API changes 🔒 IAM Permissions changes 🆙 Most upvoted posts on r/AWS 🔗 Top shared links on Twitter (by cloudsec folks) 🐦 Most engaged Tweets from the community This is an ongoing side project, so more content will be added over time. ...

January 22, 2021 · 1 min · 208 words · zoph