A Somehow Quiet Security Week

From AWS Morning Brief


Length:
6 minutes
Released:
Dec 9, 2021
Format:
Podcast episode

Description

Links:
Cyber-security insurance providers are increasing their requirements to be insurable: https://Twitter.com/SwiftOnSecurity/status/1467879429707866112

“Why the C-suite doesn’t need access to all corporate data”: https://www.darkreading.com/vulnerabilities-threats/why-the-c-suite-doesn-t-need-access-to-all-corporate-data

“Amazon S3 Object Ownership can now disable access control lists to simplify access management for data in S3”: https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-s3-object-ownership-simplify-access-management-data-s3/

Cloud provider security mistakes: https://github.com/SummitRoute/csp_security_mistakes

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor. List and see all of SSH servers, Kubernetes clusters, or databases available to you in one place, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That’s goteleport.com.

Corey: re:Invent has come and gone, and with it remarkably few security announcements. Shockingly, it was a slow week for the industry. I’m glad but also disappointed to be proven wrong in my, “The only thing you, as a company who isn’t AWS, should be announcing during re:Invent is your data breach since nobody will be paying attention,” snark. But it’s for the best. It means that maybe—maybe—we’re starting to see things normalize a bit.

Now, from the Community, we saw some interesting stuff. Scuttlebutt has it that cyber-security insurance providers are increasing their requirements to be insurable. This makes a lot of sense; as ransomware attacks become more numerous, nobody is going to want to cut large insurance checks to folks who didn’t think to have offline backups. You might want to check the specific terms and conditions of your policy.

I also liked a writeup as to “Why the C-suite doesn’t need access to all corporate data.” It’s true, but it’s super hard to defend against. When the CTO ‘requests’ access to the AWS root account, who’s likely to say no? If you’re going to push for proper separation of duties, either do it the right way or don’t even bother.

Corey: This episode is sponsored in part by my friends at Cloud Academy. Something special for you folks: if you missed their offer on Black Friday or Cyber Monday or whatever day of the week doing sales it is, good news, they’ve opened up their Black Friday promotion for a very limited time. Same deal: $100 off a yearly plan, 249 bucks a year for the highest quality cloud and tech skills content. Nobody else is going to get this, and you have to act now because they have assured me this is not going to last for much longer. Go to cloudacademy.com, hit the ‘Start Free Trial’ button on the homepage and use the promo code, ‘CLOUD’ when checking out. That’s C-L-O-U-D. Like loud—what I am—with a C in front of it. They’ve got a free trial, too, so you’ll get seven days to try it out to make sure it really is a good fit. You’ve got nothing to lose except your ignorance about cloud. My thanks to Cloud Academy once again for sponsoring my ridiculous nonsense.

Corey: And from AWS, there was really one glaring announcement that made me happy in the security context, and that was that “Amazon S3 Object Own
The latest in AWS news, sprinkled with snark. Posts about AWS come out over sixty times a day. We filter through it all to find the hidden gems, the community contributions--the stuff worth hearing about! Then we summarize it with snark and share it with you--minus the nonsense.