The day when the AWS Support got access to your S3 data

Update from: 2021-12-23 Official Security bulletin from AWS AWSSupportServiceRolePolicy Informational Update https://aws.amazon.com/security/security-bulletins/AWS-2021-007/ You will find below details about the security incident that leads to this unattended access for millions of AWS customers. On 22nd December 2021, AWS deployed a new version (v20) of AWSSupportServiceRolePolicy used by a mandatory role: AWSServiceRoleForSupport for AWS Support access to all AWS Accounts. In this policy, they added the action: s3:getObject which gives access to all customer Amazon S3 data by AWS Support teams. ...

December 22, 2021 · 3 min · 539 words · zoph

Do AWS drinks their own champagne? 🍾

TL;DR: AWS Managed Policies are safe. Currently. :arrows_counterclockwise: Previously in Policy Validation Before AWS Access Analyzer (AA) - Policy Validation release, few open source initiatives were available to lint AWS IAM Policies, like Parliament from Duolabs, CloudSplaining (Salesforce). The tricky part of these tools is that they are community-driven, from volunteer contributors, and most of the master data comes from AWS IAM docs web scrapping. It is difficult to maintain over time, especially if the documentation format is changing, or if the documentation is not in sync with the IAM reality. It will be easier for everyone if the one who is providing the rules is the one who creates the validation tool to run against these rules — Isn’t it? ...

April 6, 2021 · 4 min · 802 words · zoph

[MAMIP] Monitor AWS Managed IAM Policies

This Article was created posted in September 2019. Updated in February 2020. Disclaimer Thanks to @0xdabbad00 from SummitRoute for the original idea and jq parsing. Purpose When your production workloads rely on AWS IAM Managed Policies (don’t do this), you will need to be notified when changes occur behind the scene. It’s also interesting to monitor new AWS services releases prior announcements to get spoiled. This pet project automates the retrieval (every 4 hours) of new AWS Managed IAM Policies to make it easier to monitor and get alerted when changes occur (by AWS) using “Watch” feature from Github, RSS or dedicated Twitter Account. ...

February 22, 2020 · 2 min · 304 words · zoph