ACloudGuru-Resources / course-mastering-aws-cloudformation


AWS SAR Vulnerability in Course #98

Open johspaeth opened 2 years ago

johspaeth commented 2 years ago

Hi @iDVB

I suggest updating one of the courses, as it contains an AWS SAR security vulnerability that has been recently discovered. We wrote a detailed explanation on the vulnerability.

It affects the bucket policy for the course "Work with Serverless".

It is important to add a link to the source account that deploys to the bucket by adding an additional condition.

            Condition:
              StringEquals:
                "aws:SourceAccount":  <AWS::AccountId>
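As an added illustration (not code from the course or from this issue), the following shows the shape of the policy the issue describes, the same policy with the suggested condition, and a small check that flags Allow statements granting access to an AWS service principal without any aws:Source* scoping key. The bucket name and account id are constructed placeholders.

```python
import json

# Constructed example of the policy shape discussed in the issue (not the
# course's actual sar-bucket-policy.json): the SAR service principal may read
# artifacts from the bucket, with nothing tying that access to one account.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "serverlessrepo.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-sar-artifacts/*",
    }],
}

# Same policy with the condition suggested in the issue. The account id is a
# placeholder for the account that deploys to the bucket.
HARDENED_POLICY = json.loads(json.dumps(WEAK_POLICY))
HARDENED_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"aws:SourceAccount": "111122223333"}
}

# Condition keys that scope a service-principal grant to a caller.
# IAM condition keys are case-insensitive, so we compare lower-cased.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:sourceorgid"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unscoped_service_grants(policy):
    """Return indexes of Allow statements that grant access to an AWS service
    principal but carry no aws:Source* condition key."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or not principal.get("Service"):
            continue
        present = set()
        for operator_block in stmt.get("Condition", {}).values():
            present.update(key.lower() for key in operator_block)
        if not present & SCOPING_KEYS:
            findings.append(index)
    return findings


if __name__ == "__main__":
    print("weak:", unscoped_service_grants(WEAK_POLICY))          # [0]
    print("hardened:", unscoped_service_grants(HARDENED_POLICY))  # []
```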
iDVB commented 2 years ago

Thanks for calling this out. I’ll circle back with ACG about having it updated.

On Mon, Sep 27, 2021 at 9:15 AM Johannes Späth @.***> wrote:

Hi @iDVB https://github.com/iDVB

I suggest updating one of the courses, as it contains an AWS SAR security vulnerability that has been recently discovered. We wrote a detailed explanation https://codeshield.io/blog/2021/08/26/sar_confused_deputy/ on the vulnerability.

It affects the bucket policy https://github.com/ACloudGuru-Resources/course-mastering-aws-cloudformation/blob/master/Ch07%20-%20Work%20with%20Serverless/AWS%20SAR/sar-bucket-policy.json for the course "Work with Serverless".

It is important to add a link to the source account that deploys to the bucket by adding an additional condition.

        Condition:
          StringEquals:
            "aws:SourceAccount":  <AWS::AccountId>