Security News

AWS strains to make Simple Storage Service not so simple to screw up
2022-12-14 21:30

"We want to make sure that you use public buckets and objects as needed, while giving you tools to make sure that you don't make them publicly accessible due to a simple mistake or misunderstanding," the company explained as it introduced Amazon S3 Block Public Access, a way to block public access to S3 buckets through the S3 management console. That's when AWS announced "a couple new features that simplify access management for data stored in Amazon Simple Storage Service."

Amazon ECR Public Gallery flaw could have wiped or poisoned any image
2022-12-13 14:00

A severe security flaw in the Amazon ECR Public Gallery could have allowed attackers to delete any container image or inject malicious code into the images of other AWS accounts. Amazon ECR Public Gallery is a public repository of container images used for sharing ready-to-use applications and popular Linux distributions, such as Nginx, EKS Distro, Amazon Linux, CloudWatch agent, and Datadog agent.

AWS re:Invent 2022: Partners on parade
2022-11-28 15:28

While some AWS partners chose to hold back on their announcements and statements ahead of AWS re:Invent 2022 - presumably in an attempt to vie for share of voice during the event - a handful were vocal in the run-up to this year's show, staged in Las Vegas between Nov. 28 and Dec. 2. Data platform company Redis signed a tighter AWS deal this month to put its Redis Enterprise Cloud real-time data processing capabilities more closely within the global reach of AWS services.

Researchers Detail AppSync Cross-Tenant Vulnerability in Amazon Web Services
2022-11-28 11:56

Amazon Web Services has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources. "This attack abuses the AppSync service to assume roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts," Datadog researcher Nick Frichette said in a report published last week.

AWS fixes 'confused deputy' vulnerability in AppSync
2022-11-22 22:01

Amazon Web Services fixed a cross-tenant flaw in AWS AppSync that could allow miscreants to abuse that cloud service to assume identity and access management roles in other AWS accounts, and then gain access to and control over those resources. No customers were affected by the vulnerability and no customer action is required, according to AWS. In a statement posted on Monday, the cloud services provider thanked Datadog for reporting the "Case-sensitivity parsing issue" in AppSync.

New open-source tool scans public AWS S3 buckets for secrets
2022-10-29 15:12

A new open-source scanner, 'S3crets Scanner', allows researchers and red-teamers to search for 'secrets' mistakenly stored in a company's publicly exposed Amazon AWS S3 storage buckets. In addition to application data, source code or configuration files in the S3 buckets can also contain 'secrets,' which are authentication keys, access tokens, and API keys.

CIS Hardened Images on AWS Marketplace
2022-10-06 02:45

Does your organization spend countless resources hardening operating systems in the cloud? To remove that burden, CIS pre-hardens virtual machine images to CIS Benchmark standards. See how these CIS Hardened Images work by trying one in your cloud environment.

Over 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials
2022-09-01 10:19

Researchers have identified 1,859 apps across Android and iOS containing hard-coded Amazon Web Services credentials, posing a major security risk. "Over three-quarters of the apps contained valid AWS access tokens allowing access to private AWS cloud services," Symantec's Threat Hunter team, a part of Broadcom Software, said in a report shared with The Hacker News.

Over 1,000 iOS apps found exposing hardcoded AWS credentials
2022-09-01 10:00

Researchers at Symantec's Threat Hunting team, part of Broadcom Software, found 1,859 applications containing hard-coded AWS credentials, most of them iOS apps and just 37 of them Android apps. The threat analysts highlight three notable cases in their report where the exposed AWS tokens could have had catastrophic consequences for both authors and users of the vulnerable apps.

Hiding a phishing attack behind the AWS cloud
2022-08-22 21:00

From there they can send phishing messages carrying the AWS name into corporate email systems, both to get past scanners that would typically block suspicious messages and to add greater legitimacy to fool victims, according to email security vendor Avanan. In a report this week, researchers with Avanan - acquired last year by cybersecurity company Check Point - outlined a phishing campaign that uses AWS and unusual syntax construction in the messages to get past scanners.