This issue is sponsored by Invary. Check out Invary's ability to detect hidden rootkits, a task that modern threat detection solutions fail at, in action » HERE. Note: The author donates proceeds from the newsletter sponsorship.
This week's TLDR, i.e. the 1-minute version (for executives):
AWS Security Hub has released 15 new security controls, increasing the number of controls offered to 307.
AWS Backup Audit Manager adds new control to audit restore time targets.
Amazon Cognito user pools now offer the functionality to enhance access tokens with custom attributes through OAuth 2.0 scopes and claims.
AWS Network Firewall egress TLS inspection is now available in all regions including Gov (US).
AWS Verified Access is now available in AWS GovCloud (US).
The AWS Canada West (Calgary, ca-west-1) Region is now available.
Amazon Route 53 Resolver has introduced support for the DNS over HTTPS (DoH) protocol, catering to both inbound and outbound Resolver endpoints.
AWS announced SSH support for Amazon CodeCatalyst Dev Environments.
AWS Backup now supports SAP HANA High Availability databases on Amazon EC2.
AWS Config now supports 1000 AWS Config rules per AWS Region per account.
AWS announced Customer Managed Key (CMK) support in AWS CodeCommit.
Amazon Aurora supports PostgreSQL 15.5, 14.10, 13.13, 12.17.
Amazon CloudFront now supports 4096-bit RSA TLS certificates.
Trending in Cloud & Cyber Security (News, Blogs, Tweets etc):
AWS Security Blogs & Bulletins:
Interesting blog: ‘New IAM Access Analyzer feature uses automated reasoning to ensure that access policies written in the IAM policy language don’t grant unintended access’ by Amit Goel, Jeremiah Dunham. Link.
This week's long version, i.e. the 5-10 minute version (for architects & engineers):
AWS Security Hub has released 15 new security controls, increasing the number of controls offered to 307. You can find the full list of controls HERE.
AWS Backup Audit Manager now allows you to assess restore time objectives for AWS resources. Link. The new control evaluates whether a restore completed within the target restore time and reports NON_COMPLIANT if a resource's LatestRestoreExecutionTimeMinutes value is greater than maxRestoreTime. If turned on, the control runs automatically every 24 hours. For example:
Amazon Cognito user pools now let you enrich access tokens with custom attributes through OAuth 2.0 scopes and claims. With the pre-token generation Lambda trigger, you can tailor the content of an access token issued by your user pool. The access token authorizes users requesting access-protected resources, such as Amazon Cognito token-authorized API operations and third-party APIs. Note that while access tokens for machine-to-machine (M2M) authorization can be obtained with a client credentials grant, M2M requests do not invoke the pre-token generation trigger, so customized access tokens are not available in that flow. Link. (Note: This feature is available as part of Cognito advanced security features.) For example:
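The trigger described above, as an added example written for this newsletter (it is not AWS or Cognito sample code): a pre-token generation Lambda that maps the caller's Cognito groups to OAuth scopes, adds a tenant claim, and strips any requested custom scope the user's groups do not grant. It assumes the trigger is registered as a version 2 (V2_0) trigger, which is what exposes the access token section of the event, and that the group names, scope strings, custom attribute name and the reserved-claim list are hypothetical or taken from memory of the Cognito docs rather than from the page. Version 1 events and client-credentials (M2M) flows never reach the access-token branch, matching the caveat in the announcement.

```python
"""Pre token generation trigger (version 2 event) that customises the
Amazon Cognito ACCESS token. Added example, not AWS sample code."""
import json

# Claims Cognito reserves in the access token; a trigger must not override them.
# Assumed from the Cognito documentation; treat the set as illustrative.
RESERVED_ACCESS_TOKEN_CLAIMS = {
    "sub", "iss", "client_id", "origin_jti", "event_id", "token_use",
    "scope", "auth_time", "exp", "iat", "jti", "username",
}

# Hypothetical mapping: Cognito group -> OAuth scopes the resource server checks.
GROUP_SCOPES = {
    "admins": ["orders:read", "orders:write", "users:admin"],
    "analysts": ["orders:read"],
}
KNOWN_SCOPES = {s for scopes in GROUP_SCOPES.values() for s in scopes}


def scopes_for_groups(groups):
    """Union of the scopes granted by the caller's groups, in a stable order."""
    granted = set()
    for group in groups:
        granted.update(GROUP_SCOPES.get(group, ()))
    return sorted(granted)


def safe_claims(claims):
    """Drop claims that collide with reserved or Cognito-managed claim names."""
    return {
        key: value for key, value in claims.items()
        if key not in RESERVED_ACCESS_TOKEN_CLAIMS and not key.startswith("cognito:")
    }


def lambda_handler(event, context=None):
    """Entry point for the PreTokenGeneration trigger."""
    if event.get("version") != "2":
        # A version-1 event has no accessTokenGeneration section, so the access
        # token cannot be customised here; hand the event back untouched.
        return event

    request = event["request"]
    attrs = request.get("userAttributes", {})
    groups = (request.get("groupConfiguration") or {}).get("groupsToOverride") or []
    granted = scopes_for_groups(groups)

    # Custom scopes the client asked for but the user's groups do not grant.
    requested = request.get("scopes") or []
    suppress = [s for s in requested if s in KNOWN_SCOPES and s not in granted]

    event["response"]["claimsAndScopeOverrideDetails"] = {
        "accessTokenGeneration": {
            "claimsToAddOrOverride": safe_claims({
                "tenant": attrs.get("custom:tenant", "unassigned"),  # hypothetical attribute
                "email_verified": attrs.get("email_verified", "false"),
            }),
            "claimsToSuppress": [],
            "scopesToAdd": granted,
            "scopesToSuppress": suppress,
        }
    }
    return event


# Constructed sample event shaped like a version-2 TokenGeneration_HostedAuth
# invocation; identifiers are made up.
SAMPLE_EVENT = {
    "version": "2",
    "triggerSource": "TokenGeneration_HostedAuth",
    "region": "us-east-1",
    "userPoolId": "us-east-1_EXAMPLE",
    "userName": "alice",
    "callerContext": {"awsSdkVersion": "aws-sdk-unknown-unknown", "clientId": "1example23456789"},
    "request": {
        "userAttributes": {
            "sub": "a1b2c3d4-0000-4000-8000-000000000000",
            "email": "alice@example.com",
            "email_verified": "true",
            "custom:tenant": "acme",
        },
        "groupConfiguration": {"groupsToOverride": ["analysts"], "iamRolesToOverride": [], "preferredRole": None},
        "scopes": ["openid", "orders:read", "orders:write"],
    },
    "response": {"claimsAndScopeOverrideDetails": None},
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT)["response"], indent=2))
```

With the sample event the function grants orders:read from the analysts group, suppresses the requested orders:write, and adds tenant and email_verified claims; a resource server then authorizes on the scope claim of the resulting access token rather than on group names.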
Egress Transport Layer Security (TLS) inspection is now available in all AWS Regions where AWS Network Firewall is offered, including the AWS GovCloud (US) Regions. With this update you can use AWS Network Firewall to decrypt TLS sessions and inspect both inbound and outbound VPC traffic without deploying or managing additional network security infrastructure. Decryption and re-encryption happen on the same firewall instance, so decrypted traffic stays inside the firewall and does not cross a network boundary. Because the firewall re-signs outbound sessions with the CA certificate you supply for egress inspection, clients in the VPC must trust that CA or they will see certificate errors. Link. For example:
AWS Verified Access is now available in 8 more Regions, including the AWS GovCloud (US) Regions. Link.
The AWS Canada West (Calgary, ca-west-1) Region is now available. Link.
Amazon Route 53 Resolver now supports the DNS over HTTPS (DoH) protocol on both inbound and outbound Resolver endpoints. DoH carries DNS queries and responses over HTTP or HTTP/2 inside a TLS session, so the exchange between a DoH client and the resolver is encrypted and protected from eavesdropping and tampering on the path. This fits a zero-trust architecture, in which no actor, system, network or service, inside or outside the security perimeter, is trusted by default and all network traffic is encrypted. Link. For example, I now observe the “DoH” option in the Route 53 Resolver inbound endpoint options.
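What a DoH client actually sends to such an inbound endpoint, as an added example for this newsletter (not AWS or Route 53 code): an RFC 8484 client that builds a wire-format DNS query, POSTs it as application/dns-message over HTTPS and parses the reply, including name-compression pointers. It assumes the inbound endpoint serves the standard /dns-query path at the hypothetical address in DOH_URL and that the endpoint's certificate chain is trusted by the client; TLS verification is left on. The reply bytes used for the offline run are constructed here, not captured from AWS, and the pointer-loop guard in the parser is there because a resolver you reach over the network may not be the one you expect.

```python
"""Minimal DNS over HTTPS (RFC 8484) client. Added example, not AWS code."""
import ipaddress
import struct
import urllib.request

DOH_URL = "https://10.0.1.25/dns-query"   # hypothetical inbound endpoint address
TYPE_A, TYPE_AAAA = 1, 28


def build_query(name, qtype=TYPE_A, txn_id=0):
    """Wire-format query with RD set. RFC 8484 recommends a zero transaction ID
    so HTTP caches can recognise identical queries."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                 # the name occupies 2 bytes in-stream
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                    # hostile replies can loop pointers
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Return (rcode, [(name, type, ttl, value), ...]) from a wire-format reply."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        if rtype in (TYPE_A, TYPE_AAAA) and rdlen in (4, 16):
            value = str(ipaddress.ip_address(bytes(rdata)))
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0x000F, answers


def resolve(name, qtype=TYPE_A, url=DOH_URL):
    """POST the query over HTTPS; only the transport differs from plain DNS,
    so the same parser handles the reply. Certificate verification stays on."""
    req = urllib.request.Request(
        url, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected content type {ctype!r}")
        return parse_response(resp.read())


def sample_response():
    """Constructed reply (not captured from AWS) to an A query for
    db.corp.example: flags 0x8180 (QR, RD, RA, NOERROR), one answer that points
    back to the question name, TTL 60, address 10.0.5.7."""
    question = build_query("db.corp.example")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([10, 0, 5, 7])
    return header + question + answer


if __name__ == "__main__":
    print(parse_response(sample_response()))
    # Against a live endpoint: print(resolve("db.corp.example"))
```

The outbound endpoint side is symmetric: the Resolver endpoint becomes the DoH client and your on-premises resolver must answer on /dns-query with a certificate the endpoint trusts.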
Amazon CodeCatalyst users can now securely access their Dev Environments over SSH, tunnelled through AWS Systems Manager Session Manager. This lets users do things on Dev Environments, such as port forwarding and uploading and downloading files, that were not possible through AWS Cloud9. Link. For example, I now have the option to connect via SSH.
AWS Backup now supports SAP HANA High Availability (HA) databases, enabling you to back up and restore SAP HANA HA databases running on Amazon EC2 instances, extending support beyond single-node SAP HANA databases and the other currently supported resources. Link. For example, I was able to enable the setting. (Note: There are some prerequisites for the feature.)
AWS Config now supports 1000 AWS Config rules per AWS Region per account. You can find all the supported rules HERE.
AWS announced Customer Managed Key (CMK) support in AWS CodeCommit, integrated with AWS Key Management Service (KMS). Customer managed keys are KMS keys that you create, own and manage yourself. This lets you encrypt CodeCommit repositories at rest with your own key, with your own key policy and rotation settings, instead of the AWS managed key CodeCommit uses by default. Link. For example:
Amazon Aurora supports PostgreSQL 15.5, 14.10, 13.13, 12.17. Link.
Amazon CloudFront now supports 4096-bit RSA TLS certificates (4K certs) in CloudFront distributions. Before this update, CloudFront supported ECDSA certificates and RSA certificates with keys of up to 3072 bits. ECDSA certificates generally perform better in the handshake, and a P-256 ECDSA key gives security comparable to a 3072-bit RSA key at far lower cost, but some customers need RSA because of compliance requirements or because their client applications cannot handle ECDSA. 4K certs let those customers meet regulatory requirements set by government entities, end customers or security departments while staying compatible with their devices and client applications. Link. For example:
Thank You for reading! If you enjoyed this newsletter, I’d be grateful if you could forward it to your professional circle.
Best,
AJ