AJ

Originally published at aws-cloudsec.com

Issue 46 of AWS Cloud Security Weekly

(This is just the highlight of Issue 46 of AWS Cloud Security Weekly, https://aws-cloudsec.com/p/issue-46. Subscribe to receive the full version in your inbox weekly.)

What happened in AWS Cloud Security & Cyber Security last week (May 22 - May 28, 2024)?

  • AWS Billing and Cost Management console now offers a streamlined, console-based migration process for policies with retired IAM actions (aws-portal). Customers who have not yet transitioned to fine-grained IAM actions can initiate this process by selecting the Update IAM Policies recommended action on the Billing and Cost Management home page. This feature identifies affected policies, recommends equivalent new actions to maintain current access, provides testing options, and completes the migration of all affected policies across the organization.
  • AWS IAM now supports signing AWS API requests with the Sigv4A encryption algorithm using session tokens issued in the AWS GovCloud (US-West) Region. By using the Sigv4A algorithm to cryptographically sign an AWS request, you can send the request to service endpoints in any of the AWS GovCloud (US) Regions. If your account's workloads or callers need to sign AWS requests with Sigv4A, or if you plan to use an AWS feature that requires it, configure the AWS Security Token Service (STS) endpoint in the AWS GovCloud (US-West) Region to issue session tokens that support the Sigv4A algorithm. This configuration can be done via the AWS IAM Console or by calling the AWS IAM SetSecurityTokenServicePreferences API. These session tokens are larger in size, similar to those issued by the STS endpoint in the AWS GovCloud (US-East) Region, which already supports Sigv4A.
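As an added example (not from the newsletter or from AWS), here is a small boto3-style helper that reads an account's STS token-version setting and switches it to the larger v2 tokens only when needed, then re-reads it to confirm. It assumes the IAM API parameter GlobalEndpointTokenVersion (values v1Token / v2Token) and the GlobalEndpointTokenVersion key in GetAccountSummary's SummaryMap; the FakeIam class is a constructed stand-in so the code runs offline.

```python
"""Check and, if needed, switch an account's STS to v2 session tokens.

Assumed (not stated on the page): the IAM API parameter
GlobalEndpointTokenVersion takes 'v1Token' or 'v2Token', and
GetAccountSummary's SummaryMap reports the setting under the key
'GlobalEndpointTokenVersion' as the integer 1 or 2.
"""

V1_TOKEN = "v1Token"
V2_TOKEN = "v2Token"


def current_token_version(iam) -> str:
    """Read the account-wide STS token version via GetAccountSummary."""
    summary = iam.get_account_summary()["SummaryMap"]
    return V2_TOKEN if summary.get("GlobalEndpointTokenVersion") == 2 else V1_TOKEN


def ensure_v2_tokens(iam, dry_run: bool = False) -> dict:
    """Idempotently enable v2 (larger) tokens and report what happened."""
    before = current_token_version(iam)
    changed = False
    if before != V2_TOKEN and not dry_run:
        iam.set_security_token_service_preferences(GlobalEndpointTokenVersion=V2_TOKEN)
        changed = True
    # Re-read after a write so the report reflects what the account now says.
    after = current_token_version(iam) if changed else before
    return {"before": before, "after": after, "changed": changed}


class FakeIam:
    """Constructed stand-in for a boto3 IAM client, so this runs offline."""

    def __init__(self, version: int = 1):
        self.version = version
        self.calls = []  # records every version value written

    def get_account_summary(self):
        return {"SummaryMap": {"GlobalEndpointTokenVersion": self.version}}

    def set_security_token_service_preferences(self, GlobalEndpointTokenVersion):
        self.calls.append(GlobalEndpointTokenVersion)
        self.version = 2 if GlobalEndpointTokenVersion == V2_TOKEN else 1


if __name__ == "__main__":
    # Against a real GovCloud (US-West) account (assumption: boto3 installed
    # and credentials for that account configured); dry_run only reports.
    import boto3
    print(ensure_v2_tokens(boto3.client("iam", region_name="us-gov-west-1"), dry_run=True))
    print(ensure_v2_tokens(FakeIam(version=1)))
```

Run it first with dry_run=True to see the current setting before changing anything; the setting is account-wide, so verify it against the account the GovCloud STS endpoint serves.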

Trending on the news & advisories (Subscribe to the newsletter for details):

  • GitHub. On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.
  • LastPass Is Encrypting URLs. Here’s What’s Happening.
  • SEC Charges Intercontinental Exchange and Nine Affiliates Including the New York Stock Exchange with Failing to Inform the Commission of a Cyber Intrusion.
  • GitLab high severity patch release.
