AWS CloudFormation Phishing Attack: A Growing Threat

✨ Introduction It starts with an innocuous-looking email. The sender claims to be AWS Support, warning the recipient about an urgent security issue. A single button labeled “Launch Stack” is prominently placed, urging immediate action. What appears to be a standard security advisory is, in reality, the gateway to a sophisticated AWS account takeover attempt. Threat actors are exploiting AWS CloudFormation StackSets in phishing campaigns designed to compromise AWS environments. Originally reported by Rami McCarthy back in 2022 and by Scott Piper in this blogpost (2021), this technique continues to evolve, demonstrating how adversaries leverage AWS automation against its own users. ...

February 10, 2025 · 3 min · 621 words · zoph

About AWS Security Digest acquisition

📜 History In late 2020, I was floored by the number of announcements, changes, re:Invent releases, and blog posts that AWS announces every week. Then, I decided to automate part of my weekly routine to stay up to date. The idea was to get a digest email summary of what was going on. It was very helpful for my job as an Indie AWS Security Consultant. A few weeks later, I decided to open my weekly digest to external subscribers as I believe it could interest folks in the same field. Here we are with the ASD Newsletter in January 2021. ...

July 31, 2024 · 2 min · 362 words · zoph

Brewing the Best in AWS Security: Top Reads of the Year

As we welcome 2024, I’m excited to share a special post for the AWS Security Digest Newsletter. It’s been a remarkable year, and your engagement has made it even more so. 🔗 I’ve compiled the top 5 most-clicked links from our 2023 editions. These links represent the most intriguing, informative, and impactful topics in AWS Security landscape. 1️⃣ Enabling Just-In-Time (JIT) Access for AWS S3 Buckets 2️⃣ Actionable AWS Security Best Practices [Cheat Sheet] 3️⃣ AWS Security Foundations For Dummies 4️⃣ Bare minimum AWS Security Alerting and Configuration 5️⃣ AWS ImdsPacketAnalyzer 👨‍🍳 Why a Chef? You might wonder about the image. In our newsletter, we ‘cook’ complex AWS concepts into digestible insights, much like a chef preparing a gourmet meal. This theme has been a fun and integral part of our journey. ...

December 17, 2023 · 1 min · 199 words · zoph

Elevate your AWS Security with basic alerting

As businesses continue to adopt cloud computing and move their operations to the cloud, it’s crucial to ensure the security of their cloud environment. Amazon Web Services (AWS) is the leading cloud platform, but with the ease of use comes the responsibility of securing the data, applications, and services deployed on the cloud. AWS provides a vast array of security services, but it can be challenging to keep track of all the activities and changes happening in your AWS account. That’s where the AWS Security Survival Kit (ASSK) comes in. This comprehensive and Free Open-Source kit sets up a basic proactive monitoring and alerting environment on common suspicious activities in your AWS account. ...

February 12, 2023 · 2 min · 330 words · zoph

The day when the AWS Support got access to your S3 data

Update from: 2021-12-23 Official Security bulletin from AWS AWSSupportServiceRolePolicy Informational Update https://aws.amazon.com/security/security-bulletins/AWS-2021-007/ You will find below details about the security incident that leads to this unattended access for millions of AWS customers. On 22nd December 2021, AWS deployed a new version (v20) of AWSSupportServiceRolePolicy used by a mandatory role: AWSServiceRoleForSupport for AWS Support access to all AWS Accounts. In this policy, they added the action: s3:getObject which gives access to all customer Amazon S3 data by AWS Support teams. ...

December 22, 2021 · 3 min · 430 words · zoph