
AJ for AWS Community Builders

Originally published at aws-cloudsec.com

Issue 49 and 50 of AWS Cloud Security Weekly

(This is only the highlight of Issues 49 and 50 of AWS Cloud Security Weekly at https://aws-cloudsec.com/p/issue-49-and-50. Subscribe to receive the full version in your inbox weekly, for free!)

What happened in AWS cloud security and cybersecurity between June 10 and June 20, 2024?

  • IAM Access Analyzer now provides actionable recommendations for addressing unused access. For roles, access keys, and passwords that are not in use, it offers console links to delete them directly. For unused permissions, it evaluates your existing policies and suggests refined versions tailored to the access patterns it has observed, so you can move a principal toward least privilege without hand-writing the narrower policy.
  • AWS has launched Amazon GuardDuty Malware Protection for Amazon S3, which scans newly uploaded objects in Amazon S3 buckets for malware, viruses, and other suspicious content so that you can take action to isolate those objects before they reach downstream processes.
  • AWS Private Certificate Authority (AWS Private CA) introduces the Connector for SCEP, enabling secure and scalable enrollment of mobile devices using a managed cloud certificate authority (CA). Simple Certificate Enrollment Protocol (SCEP) is widely adopted by mobile device management (MDM) solutions for obtaining digital identity certificates from a CA and enrolling both corporate-issued and bring-your-own-device (BYOD) mobile devices. With the Connector for SCEP, organizations can leverage a managed private CA and SCEP solution to streamline operations, reduce costs, and optimize their public key infrastructure (PKI). Furthermore, this connector allows integration of AWS Private CA with leading SCEP-compatible MDM solutions such as Microsoft Intune and Jamf Pro.
  • AWS Identity and Access Management (IAM) now supports passkeys for multi-factor authentication. Built on FIDO standards and public key cryptography, passkeys give phishing-resistant authentication that goes well beyond password-based security. They work with built-in authenticators such as Touch ID on Apple MacBooks and facial recognition via Windows Hello on PCs. A passkey can be created on a hardware security key or with a passkey provider of your choice, and is unlocked by fingerprint, facial recognition, or device PIN.
  • Amazon EKS has released the Pod Identity agent as open source, so you can build, package, and deploy the agent in your EKS clusters yourself. Pod Identity simplifies how cluster administrators grant Kubernetes applications AWS IAM permissions. To use it, the Pod Identity agent must run on the cluster's worker nodes. With the agent open sourced, you can build it independently, which gives you a range of options for packaging and deploying it in line with your organization's deployment practices.
  • AWS KMS has introduced support for Elliptic Curve Diffie-Hellman (ECDH) key agreement, which lets two parties establish a shared secret over a public channel. With ECDH in AWS KMS, you combine the other party's public key with your own elliptic-curve KMS key, which stays inside the FIPS 140-2 validated hardware security modules (HSMs) of AWS Key Management Service (KMS), to derive the shared secret; the private key never leaves the HSM. You then run the shared secret through a key derivation function in your application to produce a symmetric key for encrypting and decrypting data between the parties with a symmetric encryption algorithm.
  • AWS introduced natural language query generation powered by generative AI in AWS CloudTrail Lake (preview), which lets you analyze AWS activity events by asking questions in plain English instead of writing intricate SQL queries. (Note: I did have some errors at times: "Query generator failed to generate a query. A valid SQL statement could not be generated using the given prompt. Reword your prompt and try again". This feature is in an early phase, so you should double-check the generated SQL queries to make sure they return what you are investigating.)
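
To make the "refined policy" idea from the IAM Access Analyzer item concrete, here is an added example (my own code, not AWS's and not how Access Analyzer itself computes its recommendation) that narrows an over-broad identity policy to the actions a principal was actually observed calling. The policy, the observed action set, and the Sids are all constructed sample data; in practice the observed set is what Access Analyzer learns from CloudTrail over its tracking window.

```python
import fnmatch
from typing import Iterable

# Constructed sample of an over-broad identity policy, the kind of thing
# Access Analyzer flags for unused permissions. Not a policy from the page.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Admin", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {
            "Sid": "Secrets",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret"],
            "Resource": "*",
        },
        {"Sid": "Unused", "Effect": "Allow", "Action": "kms:*", "Resource": "*"},
        {"Sid": "Guardrail", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed sample of the actions the principal actually called during the
# tracking window (what Access Analyzer learns from CloudTrail). Assumed data.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "secretsmanager:GetSecretValue"}


def _actions(stmt: dict) -> list:
    """IAM allows Action to be a string or a list; normalise to a list."""
    return stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def refine_policy(policy: dict, observed: Iterable[str]) -> dict:
    """Narrow every Allow statement to the observed actions its Action
    patterns covered. Deny statements and statements using NotAction are
    kept verbatim (rewriting those would widen access, not narrow it);
    Allow statements that covered nothing observed are dropped entirely."""
    observed = sorted(set(observed))
    statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            statements.append(stmt)
            continue
        patterns = _actions(stmt)
        kept = [a for a in observed if any(action_matches(p, a) for p in patterns)]
        if not kept:
            continue  # nothing in this grant was ever used
        narrowed = dict(stmt)
        narrowed["Action"] = kept if len(kept) > 1 else kept[0]
        statements.append(narrowed)
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


def removed_grants(policy: dict, observed: Iterable[str]) -> dict:
    """Summarise what refine_policy takes away, for human review before the
    refined policy is applied: Sids dropped entirely, plus explicit
    (non-wildcard) actions that were granted but never observed."""
    refined = refine_policy(policy, observed)
    kept_sids = {s.get("Sid") for s in refined["Statement"]}
    dropped = [s.get("Sid") for s in policy["Statement"] if s.get("Sid") not in kept_sids]
    observed_lc = {a.lower() for a in observed}
    unused = sorted(
        a
        for s in policy["Statement"]
        if s.get("Effect") == "Allow" and "Action" in s
        for a in _actions(s)
        if "*" not in a and "?" not in a and a.lower() not in observed_lc
    )
    return {"dropped_statements": dropped, "unused_explicit_actions": unused}


if __name__ == "__main__":
    import json
    print(json.dumps(refine_policy(BROAD_POLICY, OBSERVED_ACTIONS), indent=2))
    print(removed_grants(BROAD_POLICY, OBSERVED_ACTIONS))
```

The caveat a practitioner should keep in mind: anything not exercised inside the tracking window (a quarterly job, a break-glass path) is stripped by this kind of narrowing, which is exactly why Access Analyzer presents a recommendation rather than applying it. Review the removed grants before you attach the refined policy.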

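For the KMS ECDH item above, the part that is easy to get wrong is what happens after KMS hands back the shared secret: it must go through a key derivation function, never be used as a key directly. The following is an added example (my own code, not from AWS or the newsletter) showing that step with HKDF-SHA256 from RFC 5869 implemented on the Python standard library. The `derive_shared_secret` call in `kms_shared_secret` is the real boto3 KMS API for this feature, but it is not invoked offline; the shared secret and public keys in `demo()` are random stand-ins, and the `kms-ecdh-v1` info layout is my own choice, not something KMS prescribes.

```python
import hashlib
import hmac
import secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256; empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i), T(0) empty."""
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("HKDF-Expand: requested length too large")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_data_key(shared_secret: bytes, my_pub: bytes, peer_pub: bytes,
                    purpose: bytes = b"aes-256-gcm", length: int = 32) -> bytes:
    """Turn an ECDH shared secret into a symmetric key.

    The raw shared secret is never used as a key. The HKDF info binds the
    derived key to both parties' DER-encoded public keys (sorted so each
    side builds the identical string) and to the intended use, so a secret
    agreed with one peer cannot be confused with another's or reused for a
    different purpose. The "kms-ecdh-v1" label is this example's own
    convention, not anything KMS defines.
    """
    first, second = sorted((my_pub, peer_pub))
    info = b"kms-ecdh-v1|" + purpose + b"|" + first + b"|" + second
    return hkdf(shared_secret, salt=b"", info=info, length=length)


def kms_shared_secret(kms, key_id: str, peer_public_key_der: bytes) -> bytes:
    """Perform the ECDH step inside KMS so the private key never leaves the HSM.

    `kms` is a boto3 KMS client. The KMS key must be an elliptic-curve key
    created with key usage KEY_AGREEMENT, and peer_public_key_der is the
    peer's X.509 SubjectPublicKeyInfo. Not called in the offline demo.
    """
    resp = kms.derive_shared_secret(
        KeyId=key_id, KeyAgreementAlgorithm="ECDH", PublicKey=peer_public_key_der
    )
    return resp["SharedSecret"]


def demo() -> dict:
    """Offline walk-through with constructed inputs: random bytes stand in for
    the DeriveSharedSecret output (identical on both sides by construction)
    and for the two DER-encoded public keys."""
    shared = secrets.token_bytes(32)
    alice_pub = secrets.token_bytes(91)
    bob_pub = secrets.token_bytes(91)
    alice_key = derive_data_key(shared, alice_pub, bob_pub)
    bob_key = derive_data_key(shared, bob_pub, alice_pub)
    mac_key = derive_data_key(shared, alice_pub, bob_pub, purpose=b"hmac-sha256")
    return {
        "same_key": alice_key == bob_key,          # both sides agree on the data key
        "distinct_purposes": alice_key != mac_key,  # encryption and MAC keys differ
        "key_len": len(alice_key),
    }


if __name__ == "__main__":
    print(demo())
```

Each party calls `kms_shared_secret` with its own KMS key and the other side's public key, feeds the result to `derive_data_key`, and then uses an AEAD such as AES-GCM with the derived key; KMS performs only the ECDH step, so the KDF and the encryption are your application's responsibility.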
Trending in the news and advisories (subscribe to the newsletter for details):

  • Panera disclosed a security incident.
  • Advance Auto Parts confirms a data breach.
