Release Date: August 28, 2023
This week TLDR i.e. 2 minutes version (For executives):
AWS Batch on Amazon ECS now supports Amazon Linux 2023.
AWS PrivateLink announces support for user defined IP on VPC endpoints.
Amazon Aurora Global Database introduces Global Database Failover.
Amazon SageMaker Data Wrangler now supports role-based access control for Amazon EMR.
AWS Global Accelerator now supports client IP address preservation for Network Load Balancer endpoints.
AWS Certificate Manager introduces Enterprise Controls to help govern certificate issuance.
Amazon RDS for PostgreSQL supports minor versions 15.4, 14.9, 13.12, 12.16, and 11.21.
Amazon WorkSpaces announces new Linux client with versions supporting Ubuntu 20.04 and 22.04.
AWS AppFabric is now HIPAA eligible.
Amazon announced AWS Dedicated Local Zones.
Trending in Cloud & Cyber Security (News, Blogs etc):
Starting with Chrome 117, users will be alerted when an installed extension is no longer on the Chrome Web Store, covering cases where it's unpublished by the developer, removed for policy violations, or marked as malware. The malware case in particular is a welcome addition. Link. For details, check the Chrome Web Store policy HERE.
Good blog on AWS Security Monitoring in 2023: Untangle the chaos by Michael Wittig. Link.
Microsoft now provides administrators with a new Windows 11 policy that controls how monthly non-security preview updates are installed on enterprise devices. Link. Also, Microsoft released the optional KB5029331 Preview cumulative update for Windows 10 22H2, including the introduction of a new Backup app (seems interesting. I haven’t tried it yet. Not a Windows guy). Link.
Good read “CISO Insight: Every AWS Service Is a Security Service” by Clarke Rodgers in LinkedIn. Link.
Meta has confirmed it will introduce default end-to-end encryption (E2EE) for personal chats on Messenger with friends and family by the year's end. Link.
Google Workspace will require two admins to sign off on critical changes, reports the popular security news site BleepingComputer. This is a good one. Wish many vendors supported such features. Link.
Kali Linux 2023.3 release (Internal Infrastructure & Kali Autopilot). Link.
AWS released Security Bulletin addressing Kubernetes Security Concerns (CVE-2023-3676, CVE-2023-3893, CVE-2023-3955). It's been verified that these issues don't impact the Kubernetes control plane or the service, and they don't pose a risk of affecting multiple customers. To address this, updated Amazon EKS Windows AMIs are accessible for Kubernetes versions 1.23 to 1.27. These AMIs include patched versions of kubelet and csi-proxy. AWS advises EKS users to update their configurations and utilize the latest AMI for launching new worker nodes. Link.
Bitwarden's end-to-end encrypted Secrets Manager is now generally available. Link.
This week Long i.e. 5-10 minutes version (For architects & engineers):
AWS Batch on Amazon Elastic Container Service (ECS) now supports ECS-optimized Amazon Linux 2023 (AL2023) AMIs. AL2023 provides customers the latest innovations in Linux with long-term technical support until March 2028. One of the things I love is that Amazon Linux 2023 has IMDSv2 enabled by default. AWS Batch will continue to use Amazon Linux 2 (AL2) as the default AMI for ECS Compute Environments. In your AWS Batch console, when you choose the EC2 option, you can find the image type options under "Additional configuration". Link.
AWS PrivateLink has introduced a new feature that enables users to define their own IP addresses for VPC endpoints. This update gives you greater control over the assignment of IP addresses to your AWS PrivateLink VPC endpoints. This is especially beneficial for managing traditional workloads, including those located on-premises, that rely on IP allowlisting controls for security. The feature also streamlines the management of on-premises firewalls by allowing you to allocate a consistent set of IP addresses to VPC endpoints across multiple VPCs. Previously, AWS allocated IP addresses from the subnet IP address ranges by default and assigned them to the network interfaces of endpoints. With this enhancement, you can now designate specific IP addresses for the network interfaces of your endpoints. To achieve this, choose the "Designate IP addresses" option and input an IPv4 address from the relevant subnet address range. If the endpoint service supports IPv6, you also have the option to input an IPv6 address from the subnet address range. Link. In this example, I created a PrivateLink endpoint for com.amazonaws.us-east-1.ec2 and chose “Designate IP address”.
Amazon Aurora now supports Global Database Failover, a fully managed experience for performing a cross-Region database failover to respond to unplanned events such as a regional outage. With Global Database Failover, you can convert a secondary region into the new primary region, typically within a minute, while maintaining the multi-region Global Database configuration. Blog Link. To perform the managed failover on your Aurora global database, choose Databases and find the Aurora global database you want to fail over. Choose Switch over or fail over global database from the Actions menu. Choose Failover (allow data loss).
Amazon SageMaker Data Wrangler now supports role-based access control for Amazon EMR. Link. You can use role-based access control with AWS Lake Formation in EMR Hive and Presto connections to create datasets for ML in SageMaker Data Wrangler. Detailed blog Link.
Amazon GuardDuty Delegated Administrators (DAs) can now enable one or more GuardDuty features, for all existing and newly-added members of an organization within the same region. Link.
AWS Global Accelerator now supports client IP address preservation for Network Load Balancer (NLB) endpoints. This supports security and compliance needs related to client IP addresses, permits the application of client-specific logic for IP or location-based filters, and facilitates the collection of connection statistics. Preservation can be activated on a per-endpoint basis when configuring NLB endpoints behind the accelerator. Notably, this functionality is compatible only with NLBs that have security groups enabled. For NLBs associated with existing accelerators, client IP address preservation is turned off by default. No extra charges are incurred for using client IP address preservation with NLB endpoints. Link.
AWS Cost Explorer announces support for AWS Billing Conductor. AWS Billing Conductor (ABC) customers can view proforma costs in AWS Cost Explorer. This release allows ABC customers’ account owners to analyze and save reports of their proforma costs. For example, organizations can use the feature to grant cross-account billing visibility for their business units. Partners can use the feature to give their customers a cost reporting experience in AWS Cost Explorer that matches the customer’s specific pricing agreement. Link. (Image source: AWS)
Amazon announced AWS Dedicated Local Zones. AWS Dedicated Local Zones are a class of AWS infrastructure that is fully managed by AWS and built for exclusive use by you or a specific community you're part of. These zones are placed in a location or data center of your choice, which helps with adherence to regulatory mandates. Dedicated Local Zones are operated by local AWS staff and provide the same advantages as standard Local Zones—like elasticity, scalability, and pay-as-you-go billing—plus supplementary security and governance features. Through Dedicated Local Zones, AWS works with you to set up customized Local Zones tailored to your service and feature needs, ensuring alignment with your regulatory obligations. Link. I think this may be useful from a compliance perspective. Would be interesting to see more use cases evolve.
AWS Certificate Manager introduces Enterprise Controls to help govern certificate issuance. You can now use IAM condition context keys with AWS Certificate Manager (ACM) to ensure that users generate certificates that adhere to the organization's public key infrastructure (PKI) guidelines. For instance, condition keys can be used to permit only DNS validation. Link. Example of policy below:
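As an added illustration (not the policy from the original post), this IAM identity policy uses the ACM condition key acm:ValidationMethod to deny any acm:RequestCertificate call that does not use DNS validation, while a separate Allow statement grants the request itself; the Sid values are arbitrary names chosen here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCertificateRequests",
      "Effect": "Allow",
      "Action": [
        "acm:RequestCertificate",
        "acm:DescribeCertificate",
        "acm:ListCertificates"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyNonDnsValidation",
      "Effect": "Deny",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "acm:ValidationMethod": "DNS"
        }
      }
    }
  ]
}
```

An explicit Deny wins over the Allow, so a RequestCertificate call with email validation is rejected even though the first statement permits the action; attach the same statement in an SCP to enforce it organization-wide.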
Amazon RDS for PostgreSQL supports minor versions 15.4, 14.9, 13.12, 12.16, and 11.21. Link.
Amazon WorkSpaces announces a new Linux client with versions supporting Ubuntu 20.04 and 22.04. Additionally, the new Linux client version supports connecting to PCoIP WorkSpaces on Ubuntu 20.04. Link. You can download the WorkSpaces client from HERE.
Security Jobs (Occasional post):
Datadog. Engineering Manager II - Cloud Security (New York). Link.
Adobe. Sr. Cloud Security Engineer. Link.
Datadog. Detection Engineer 2 - Cloud SIEM. Link.
USBank. Cyber Range Engineer. Link.
Bayer. Radiology Cloud Platform Cybersecurity Lead. Link.
Thank You for reading! If you enjoyed this newsletter, I’d be grateful if you could forward it to your professional circle.
Thanks for reading AWS Cloud Security Weekly! Subscribe for free to receive new posts and support my work.