This issue is sponsored by Invary. Check out Invary's ability to detect hidden rootkits, a task that modern threat detection solutions fail in action » HERE. Note: The author donates proceeds from the newsletter sponsorship.
This week's TL;DR, i.e. the 1-minute version (for executives):
AWS announced a new Amazon S3 Express One Zone high performance storage class (a new bucket type, a new authentication model, and a bucket naming convention).
AWS announces Amazon Q, a generative AI-powered assistant crafted for professional use (preview).
Three new capabilities for Amazon Inspector vulnerability scanning of workloads: agent-based and agentless (hybrid) EC2 scanning, plus new Lambda and CI/CD capabilities.
Guardrails for Amazon Bedrock is in preview; it helps organizations implement customized safeguards and responsible AI policies.
Amazon One Enterprise, a palm-based identity service designed for enterprise access control, is in preview.
Amazon Redshift announces new fine-grained access control capabilities to nested objects (preview).
Amazon EFS Replication now supports failback.
AWS announced Amazon OpenSearch Service zero-ETL integration with Amazon S3 (preview).
Amazon EBS Snapshots Archive is now available with AWS Backup.
Trending in Cloud & Cyber Security (News, Blogs, Tweets etc):
AWS Security Blogs (& Bulletins):
Security at multiple layers for web-administered apps. Link.
Use IAM Roles Anywhere to help you improve security in on-premises container workloads. Link.
Optimize AWS administration with IAM paths. Link.
How to improve cross-account access for SaaS applications accessing customer accounts. Link.
Use CodeWhisperer to identify issues and use suggestions to improve code security in your IDE. Link.
Interesting blog by Daniel Grzelak - “The Deputy Is Confused About AWS Security Hub”. Link.
Cool blog by Sam Cox, CTO & Co-Founder @ Tracebit- “How fast is CloudTrail today? Investigating CloudTrail delays using Athena”. Link.
Okta: October Customer Support Security Incident - Update and Recommended Actions. Link. Related blog “Abusing Okta's SWA authentication” by Luke Jennings. Link.
This week's long version, i.e. the 5-10 minute read (for architects & engineers):
Amazon announced a new Amazon S3 Express One Zone high performance storage class. The storage class is designed to deliver up to 10x better performance than the S3 Standard storage class while handling hundreds of thousands of requests per second with consistent single-digit millisecond latency. This blog explains it well: Link. (From a security perspective, do note the new authentication model and the bucket naming convention.)
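As an added illustration (not from the post or from AWS), the two security-relevant points above in code: a check that a name follows the S3 Express One Zone directory-bucket convention and a least-privilege IAM policy for the session-based authentication model. The naming pattern, the `s3express:CreateSession` action, the `s3express` ARN form and the `s3express:SessionMode` condition key are written from my reading of the S3 Express One Zone IAM documentation; verify them against current docs before use.

```python
import json
import re

# Directory-bucket naming convention as I understand it (assumption):
# "<base-name>--<availability-zone-id>--x-s3", lowercase letters, digits and
# hyphens only, at most 63 characters in total. AZ IDs look like "usw2-az1".
DIRECTORY_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9-]*--[a-z0-9]+-az\d+--x-s3$")


def is_directory_bucket(name: str) -> bool:
    """True if the name matches the directory-bucket (S3 Express) convention."""
    return len(name) <= 63 and DIRECTORY_BUCKET_RE.fullmatch(name) is not None


def availability_zone_id(name: str) -> str:
    """Extract the AZ ID segment, e.g. 'usw2-az1' from 'logs--usw2-az1--x-s3'."""
    if not is_directory_bucket(name):
        raise ValueError(f"{name!r} is not a valid directory bucket name")
    return name[: -len("--x-s3")].rsplit("--", 1)[1]


def create_session_policy(bucket: str, region: str, account_id: str,
                          read_only: bool = True) -> dict:
    """Least-privilege policy for the new auth model: the principal may only
    open an S3 Express session on this one directory bucket, and read-only
    unless explicitly requested. Region/account values are caller-supplied."""
    if not is_directory_bucket(bucket):
        raise ValueError(f"{bucket!r} is not a valid directory bucket name")
    mode = "ReadOnly" if read_only else "ReadWrite"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3express:CreateSession",
            "Resource": f"arn:aws:s3express:{region}:{account_id}:bucket/{bucket}",
            "Condition": {"StringEquals": {"s3express:SessionMode": mode}},
        }],
    }


if __name__ == "__main__":
    # Constructed sample values (placeholder account id), not from the page.
    policy = create_session_policy("audit-logs--usw2-az1--x-s3",
                                   "us-west-2", "111111111111")
    print(json.dumps(policy, indent=2))
```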
Amazon EBS Snapshots Archive is now available with AWS Backup. Link. With this, you can transition infrequently accessed EBS snapshots to low-cost, long-term archive storage for rarely accessed snapshots that do not need frequent or fast retrieval. Snapshots Archive with AWS Backup is only available for snapshots with a backup frequency of one month or longer (28-day cron expression) and a retention of more than 90 days. This is a protective measure to ensure that you don't archive snapshots, such as hourly snapshots, that wouldn't benefit from the transition to the cold tier.
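An added example (mine, not AWS's) that checks backup-plan rules against the two constraints just described before you rely on the archive tier. The field names `ScheduleExpression`, `Lifecycle.MoveToColdStorageAfterDays` and `Lifecycle.DeleteAfterDays` are AWS Backup's BackupRule fields; the cron-frequency heuristic and the sample rules are my own construction.

```python
import re

MIN_ARCHIVE_FREQUENCY_DAYS = 28   # page: backup frequency of one month or longer
MIN_ARCHIVE_RETENTION_DAYS = 90   # page: retention must be more than 90 days

CRON_RE = re.compile(r"cron\(\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\)")


def schedule_is_monthly_or_rarer(expression: str) -> bool:
    """Heuristic (assumption, not AWS logic): an AWS cron(...) schedule fires
    at most once per calendar month when it is pinned to one day-of-month
    (a single number or 'L'), not to a day-of-week, and to a single
    minute and hour. Wildcards, lists, ranges or steps run more often."""
    m = CRON_RE.fullmatch(expression.strip())
    if not m:
        raise ValueError(f"not an AWS cron expression: {expression!r}")
    minute, hour, dom, _month, dow, _year = m.groups()
    if dow not in ("?", "*"):            # weekly (or similar) rule
        return False
    if re.fullmatch(r"([1-9]|[12]\d|3[01]|L)", dom) is None:
        return False                     # daily, stepped, listed, ...
    return all(re.fullmatch(r"\d+", f) for f in (minute, hour))


def archive_eligible(rule: dict) -> tuple[bool, list[str]]:
    """Return (eligible, reasons) for one AWS Backup rule."""
    reasons = []
    if not schedule_is_monthly_or_rarer(rule["ScheduleExpression"]):
        reasons.append(f"schedule runs more often than every "
                       f"{MIN_ARCHIVE_FREQUENCY_DAYS} days")
    lifecycle = rule.get("Lifecycle", {})
    if "MoveToColdStorageAfterDays" not in lifecycle:
        reasons.append("no MoveToColdStorageAfterDays transition configured")
    if lifecycle.get("DeleteAfterDays", 0) <= MIN_ARCHIVE_RETENTION_DAYS:
        reasons.append(f"retention is not more than "
                       f"{MIN_ARCHIVE_RETENTION_DAYS} days")
    return (not reasons, reasons)


# Constructed sample rules, not taken from the page.
SAMPLE_RULES = {
    "monthly-ok": {"ScheduleExpression": "cron(0 5 1 * ? *)",
                   "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 365}},
    "daily":      {"ScheduleExpression": "cron(0 5 * * ? *)",
                   "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 365}},
    "weekly":     {"ScheduleExpression": "cron(0 5 ? * SUN *)",
                   "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 365}},
    "short-keep": {"ScheduleExpression": "cron(0 5 L * ? *)",
                   "Lifecycle": {"MoveToColdStorageAfterDays": 30, "DeleteAfterDays": 60}},
}

if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        print(name, archive_eligible(rule))
```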
Amazon Redshift announces new fine-grained access control capabilities to nested objects (preview). Link. With this capability, you can seamlessly implement AWS Lake Formation FGAC (Fine-Grained Access Control) for your nested data and conduct queries using Amazon Redshift data lake analytics. Leveraging Dynamic Data Masking (DDM) within Amazon Redshift provides a means to safeguard sensitive data within your data warehouse. DDM policies can be applied specifically to scalar attributes in columns of the SUPER data type. Consequently, your SUPER data undergoes masking based on the defined masking functions within these policies.
Amazon EFS Replication now supports failback, making it easier and more cost-effective to synchronize changes between EFS file systems after Disaster Recovery (DR) and other failover events. Link. This new feature allows you to synchronize changes from the secondary file system back to the primary, e.g. when performing failback workflows after a DR event; EFS will automatically identify and transfer only incremental changes to synchronize the file systems.
AWS introduced Amazon Q, a generative AI-powered assistant crafted for professional use. This assistant can be customized to align with your business needs, engaging in conversations, tackling problems, creating content, and executing tasks by leveraging the data and expertise within your company's information repositories, code, and enterprise systems. Link. (Note: per AWS docs, Amazon Q "takes actions based on your company's data, information, and system" and I didn’t have a chance to dig more on what this means from compliance/privacy standpoints.)
AWS has unveiled a preview of the Amazon OpenSearch Service's zero-ETL integration with Amazon S3. This introduces a novel approach to querying operational logs within Amazon S3 and S3-based data lakes seamlessly, eliminating the need to toggle between services. This enhancement allows you to analyze data stored in cloud object stores, even those infrequently queried, while simultaneously leveraging the operational analytics and visualization features provided by the OpenSearch Service. Link.
(Source: AWS blogs)
Amazon One Enterprise (Preview)- a palm-based identity service designed for enterprise access control allows organizations to offer a quick, convenient, and contactless access experience for their employees and authorized users, both to physical locations and digital assets like restricted software resources. By eliminating the operational burden associated with traditional enterprise authentication methods such as badges and PINs, Amazon One Enterprise streamlines the authentication process. IT and security administrators can effortlessly deploy Amazon One devices and handle user, device, and software updates through the AWS Management Console. Link.
Three new capabilities for Amazon Inspector vulnerability scanning of workloads. Link.
A new set of open source plugins and an API allow you to assess your container images for software vulnerabilities at build time, directly from your continuous integration and continuous delivery (CI/CD) pipelines wherever they are running.
Continuous monitoring of EC2 instances without installing an agent or additional software (in preview).
Generative artificial intelligence (AI) and automated reasoning provide assisted code remediation for your AWS Lambda functions. Basically, Inspector suggests a fix with a "diff" of the current vs. recommended secure code for Lambdas. For example:
Guardrails for Amazon Bedrock helps implement safeguards customized to your use cases and responsible AI policies (preview). Link. Key controls include:
Denied topics: define a set of topics that are undesirable in the context of your application using a short natural language description.
Content filters: configure thresholds to filter harmful content across the hate, insults, sexual, and violence categories.
PII redaction (coming soon): select a set of personally identifiable information (PII), such as name, e-mail address, and phone number, to be redacted in FM-generated responses, or block a user input if it contains PII.
Thank You for reading! If you enjoyed this newsletter, I’d be grateful if you could forward it to your professional circle.
Best,
AJ
Is there a missing link on "How fast is CloudTrail today? Investigating CloudTrail delays using Athena"? (Thanks for sharing it though!)