Issue 36
Subscribe for free to receive new posts and support my work. If you enjoyed this newsletter, I'd be grateful if you could forward it to your professional circle.
This issue is sponsored by Invary. Check out Invary's ability to detect hidden rootkits, a task that modern threat detection solutions fail in action » HERE.
This week's TLDR, i.e. the 1-minute version (for executives):
Application Load Balancer enables configuring HTTP client keepalive duration.
AWS Signer launches signing container images in AWS GovCloud (US) Regions.
AWS Backup now supports restore testing for Amazon Elastic Block Store (EBS) Snapshots Archive.
Amazon Verified Permissions increases default quotas for authorization APIs.
Introducing Service-linked role for AWS Marketplace Resale Authorization.
Trending in Cloud & Cyber Security (Security Blogs, articles, news, advisories etc):
AWS Security Blogs & Bulletins:
AWS Wickr achieves FedRAMP High authorization. Link.
General security blogs, articles & reports:
Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns by Martin McCloskey from Datadog. Link.
Amazon S3 Block Public Access Bypass by Jason Kao. Link.
S3 Streaming Copy for CloudTrail bypass by Houston Hopkins. Link.
Check out the shiny new Cloud Security Maturity Model 2.0 by Rich. Link.
Trending on the news & advisories:
Google Chrome introduces real-time, privacy-preserving URL protection. Link.
Cyber Startup Wiz to Buy Gem Security for $350 Million. Link.
The 2024 Sophos Threat Report: Cybercrime on Main Street. Link.
Annual Threat Assessment of the US Intelligence Community. Link.
NSA Releases Top Ten Cloud Security Mitigation Strategies. Link.
This week's long version, i.e. 3-5 minutes (for architects & engineers):
AWS Application Load Balancer (ALB) now lets you configure the HTTP client keepalive duration for connections between clients and the load balancer, from 60 seconds to 7 days, through a load balancer attribute; the default value is 3600 seconds. The HTTP client keepalive duration is the maximum time ALB keeps an HTTP connection to a client open before closing it. This lets you end client connections gracefully, which is particularly useful for deployment strategies such as Blue/Green or rollbacks, for migrating legacy applications, and when evacuating Availability Zones using zonal shift with Amazon Route 53 Application Recovery Controller. Link. For example, this is my ALB attribute, and I was able to verify the new timeout value support:
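As an added example (not part of the newsletter or AWS's own tooling), the script below audits the keepalive setting offline from the Attributes list that `aws elbv2 describe-load-balancer-attributes` returns, flags load balancers whose keepalive exceeds a ceiling the operator chooses (long-lived client connections persist across a Blue/Green cut-over until they are closed), and builds a validated payload for `modify-load-balancer-attributes`. The attribute key client_keep_alive.seconds, the 60 second to 7 day range and the 3600 second default are from the announcement; the load balancer names and attribute data are constructed placeholders.

```python
"""Audit and validate ALB client keepalive settings (added example, offline)."""
import json

ATTR_KEY = "client_keep_alive.seconds"
MIN_KEEPALIVE = 60                 # floor from the announcement
MAX_KEEPALIVE = 7 * 24 * 60 * 60   # 7 days = 604800 seconds
DEFAULT_KEEPALIVE = 3600           # applied when the attribute is not set

# Constructed sample: the shape describe-load-balancer-attributes returns,
# keyed by placeholder ALB names (not real resources).
SAMPLE_ATTRIBUTES = json.loads("""
{
  "app/payments-alb/placeholder1": {"Attributes": [
    {"Key": "client_keep_alive.seconds", "Value": "604800"},
    {"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}
  ]},
  "app/web-alb/placeholder2": {"Attributes": [
    {"Key": "client_keep_alive.seconds", "Value": "300"}
  ]},
  "app/legacy-alb/placeholder3": {"Attributes": [
    {"Key": "idle_timeout.timeout_seconds", "Value": "60"}
  ]}
}
""")


def keepalive_seconds(attributes):
    """Return the configured keepalive, or the 3600 s default if unset."""
    for attr in attributes:
        if attr.get("Key") == ATTR_KEY:
            return int(attr["Value"])
    return DEFAULT_KEEPALIVE


def validate_keepalive(seconds):
    """Reject values outside the range ALB accepts before any API call."""
    if not isinstance(seconds, int) or not MIN_KEEPALIVE <= seconds <= MAX_KEEPALIVE:
        raise ValueError(
            f"{ATTR_KEY} must be an integer in [{MIN_KEEPALIVE}, {MAX_KEEPALIVE}], "
            f"got {seconds!r}"
        )
    return seconds


def keepalive_update(seconds):
    """Build the Attributes payload for modify-load-balancer-attributes."""
    return [{"Key": ATTR_KEY, "Value": str(validate_keepalive(seconds))}]


def audit(lb_attributes, max_allowed):
    """Return sorted (lb, seconds) pairs whose keepalive exceeds max_allowed."""
    findings = []
    for lb, body in lb_attributes.items():
        seconds = keepalive_seconds(body["Attributes"])
        if seconds > max_allowed:
            findings.append((lb, seconds))
    return sorted(findings)


if __name__ == "__main__":
    for lb, seconds in audit(SAMPLE_ATTRIBUTES, max_allowed=3600):
        print(f"{lb}: keepalive {seconds}s exceeds the ceiling")
    print(json.dumps(keepalive_update(1800)))
```

In real use, replace SAMPLE_ATTRIBUTES with the per-ALB output of describe-load-balancer-attributes and pass the result of keepalive_update() as the Attributes parameter of modify-load-balancer-attributes; an ALB with no client_keep_alive.seconds entry is treated as the 3600 second default.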
AWS Signer container image signing and verification is now supported in AWS GovCloud (US) Regions. AWS Signer is a managed signing service that signs images stored in registries such as Amazon Elastic Container Registry (ECR), so that only authorized images are deployed to Amazon Elastic Kubernetes Service (EKS) clusters or used in Amazon Elastic Container Service (ECS) clusters. Link.
AWS Backup has introduced support for restore testing of Amazon EBS Snapshots Archive. This feature enables automated, regular restore tests of backed-up AWS resources to strengthen data protection. With this enhancement, AWS Backup users can assess recovery readiness, ensuring preparedness for potential data loss scenarios, and measure restore job durations for Amazon EBS Snapshots Archive to meet compliance and regulatory standards. Link. For example, these are the resource types under the protected resource under Restore testing plans, which now include EBS.
Amazon Verified Permissions has raised the default quotas for the IsAuthorized and IsAuthorizedWithToken APIs from 30 to 200 transactions per second (TPS). These APIs let applications request an authorization decision. The higher default TPS lets you authorize user actions continuously, in keeping with zero trust principles. Link. Here's the default quota from my Quota console:
AWS Marketplace introduced a service-linked role for AWS Marketplace Resale Authorization, enabling AWS Marketplace sellers such as Independent Software Vendors (ISVs), Consulting Partners, and Channel Partners to exchange and approve resale authorizations. Link. I was able to observe the option to create the role in my Marketplace console. (AWS Note: When you create a service-linked role in the AWS Marketplace Management Portal, AWS Marketplace creates the service-linked role for you.)
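Returning to the Verified Permissions item above: an application that authorizes every user action still has to stay under the per-API quota, and what it does when the service throttles it is a security decision. The example below is added here and is not Verified Permissions code or the newsletter's; it builds an IsAuthorized request in the API's documented shape, paces calls with a token bucket sized to the 200 TPS default, retries throttled calls with jittered backoff, and denies (fails closed) when retries are exhausted. The `call` argument is injected so the logic runs offline; in production it would wrap the boto3 verifiedpermissions client's is_authorized method, with ThrottlingException standing in for the corresponding botocore ClientError. The policy store id and the entity and action identifiers are placeholders.

```python
"""Pace IsAuthorized calls under the default quota and fail closed (added example)."""
import random
import time

DEFAULT_TPS_QUOTA = 200  # per-API default quota after the increase


class ThrottlingException(Exception):
    """Stand-in for botocore's ClientError with error code ThrottlingException."""


class TokenBucket:
    """Rate limiter: at most `rate` calls per second, bursting up to `rate`.

    Clock and sleep are injectable so the behaviour can be tested offline.
    """

    def __init__(self, rate, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(rate)
        self.tokens = float(rate)
        self.clock = clock
        self.sleep = sleep
        self.last = clock()

    def take(self):
        """Consume one token, sleeping if necessary; return seconds waited."""
        now = self.clock()
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        waited = 0.0
        if self.tokens < 1.0:
            waited = (1.0 - self.tokens) / self.rate
            self.sleep(waited)
            self.last += waited   # account for the time spent sleeping
            self.tokens = 1.0
        self.tokens -= 1.0
        return waited


def is_authorized_request(policy_store_id, principal, action, resource):
    """Build an IsAuthorized request body from (type, id) tuples (placeholders)."""
    return {
        "policyStoreId": policy_store_id,
        "principal": {"entityType": principal[0], "entityId": principal[1]},
        "action": {"actionType": action[0], "actionId": action[1]},
        "resource": {"entityType": resource[0], "entityId": resource[1]},
    }


def is_authorized(call, request, bucket, max_attempts=4,
                  sleep=time.sleep, rng=random.random):
    """Return the API's decision ("ALLOW"/"DENY"); "DENY" if throttling persists.

    Denying when the authorization service cannot answer keeps the check
    fail-closed instead of letting an action through unauthorized.
    """
    for attempt in range(max_attempts):
        bucket.take()
        try:
            return call(request)["decision"]
        except ThrottlingException:
            # exponential backoff with full jitter, capped at 2 seconds
            sleep(min(2.0, 0.1 * 2 ** attempt) * rng())
    return "DENY"


if __name__ == "__main__":
    # Offline demonstration with a fake service that throttles twice, then answers.
    calls = []

    def fake_service(req):
        calls.append(req)
        if len(calls) < 3:
            raise ThrottlingException()
        return {"decision": "ALLOW", "determiningPolicies": [], "errors": []}

    req = is_authorized_request("PLACEHOLDER_POLICY_STORE_ID",
                                ("User", "alice"), ("Action", "viewPhoto"),
                                ("Photo", "vacation.jpg"))
    bucket = TokenBucket(DEFAULT_TPS_QUOTA)
    print(is_authorized(fake_service, req, bucket), "after", len(calls), "calls")
```

The bucket is sized to the whole default quota for a single worker; with several workers sharing one policy store, divide the rate between them, or raise the quota through Service Quotas rather than relying on retries.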