ScaleSec | Nov 30, 2023 | 3 min read

AWS re:Invent Day 4: myApplications launch and Inspector, Route 53 love

AWS Re:Invent Daily Update Blog - 11/30

Today at AWS Re:Invent, there were several updates to Amazon Inspector that will create more opportunities for your organization to gain valuable security insights. AWS Management Console also added a new feature to help users get a central view into applications running in AWS. Additionally, updates to the Amazon Route 53 Application Recovery Controller give powerful functionality to increase availability of your AWS environment. We dive into these updates a bit more below. 


Three new capabilities for Amazon Inspector broaden the realm of vulnerability scanning for workloads | AWS News Blog

AWS announced three new capabilities for Amazon Inspector, its automated vulnerability management service. The first is a set of open source plugins and an API for assessing container images during the build phase of the CI/CD process. Until today, Amazon Inspector could only assess container images after they had been pushed to an Amazon ECR registry. Plugins are available today for Jenkins and JetBrains' TeamCity, and the API allows Amazon Inspector to be integrated into a variety of other CI/CD tools. Scan results are available in near real time, and vulnerabilities found in an image cause the pipeline run to fail.

The second feature released today uses generative AI to analyze Lambda function code and automatically propose code patches that remediate security vulnerabilities. It explains each finding in plain language and provides a "diff" view of the suggested code changes. This adds another useful security check for issues such as hard-coded secrets and missing encryption in Lambda functions.

Lastly, Amazon Inspector now offers agentless EC2 instance scanning, currently in preview. Normally, Amazon Inspector relies on the SSM agent to evaluate the EC2 instances in your fleet. With agentless scanning, Amazon Inspector instead takes a snapshot of the instance's EBS volumes, analyzes the snapshot for vulnerabilities, and then deletes the snapshot. This is especially useful for organizations running EC2 at large scale, where keeping the SSM agent installed and healthy on every instance can be a cumbersome endeavor.


New myApplications in the AWS Management Console simplifies managing your application resources | AWS News Blog

AWS announced the general availability of myApplications, a new AWS Management Console feature to more easily monitor your applications on AWS. With the Create application wizard, you can easily set a name and add resources to the new application. Widgets including Application summary, Cost and usage, and Security help you get a clear, simple view of your AWS application’s important data. While some organizations will be beyond this new feature in terms of maturity, for others it is a great way for business users to get important visibility into an AWS environment without getting overwhelmed by technical details they may not be familiar with.


Zonal autoshift – Automatically shift your traffic away from Availability Zones when we detect potential issues

Today, AWS announced zonal autoshift as a new feature of the Amazon Route 53 Application Recovery Controller. Zonal autoshift can automatically shift workload traffic away from potentially failing Availability Zones and shift it back once the problems have been resolved. This new feature leverages AWS internal monitoring tools to determine when to trigger an automatic traffic shift, taking the burden off of your shoulders to determine when to shift away from a failing Availability Zone. 

Since shifting traffic away from an Availability Zone is not an action to be taken lightly, AWS has included multiple safeguards to keep any degradation of workload availability to a minimum. AWS will not shift traffic away from more than one Availability Zone at a time, and you can define windows during which zonal autoshift must not apply. Additionally, CloudWatch alarms can be configured to stop or roll back a zonal autoshift if application health drops below a specified threshold. This monitoring matters because each Availability Zone subject to zonal autoshift must have enough capacity to absorb the shifted traffic, or the desired application availability cannot be maintained. While automated shifting of traffic across Availability Zones is aimed at sophisticated environments that already use the manual zonal shift feature, it is worth investigating whether your organization can benefit from zonal autoshift.
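The safeguards described above (a health alarm that can stop or roll back a shift, and windows or dates when no shift may happen) are configured through a practice-run configuration before autoshift is enabled. The following is an added example, not code from ScaleSec or AWS: it validates and builds that configuration, and only the final function touches AWS. The `arc-zonal-shift` client and operation names, the `Day:HH:MM-Day:HH:MM` UTC window format, and the CloudWatch alarm shape are assumed from the Route 53 ARC API and should be checked against the current boto3 documentation; all ARNs in the tests are constructed.

```python
import re
from datetime import date
# Blocked windows are "Day:HH:MM-Day:HH:MM" UTC (format assumed from ARC docs; verify).
_DAY = r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)"
_TIME = r"(?:[01]\d|2[0-3]):[0-5]\d"
_WINDOW_RE = re.compile(rf"^{_DAY}:{_TIME}-{_DAY}:{_TIME}$")

def valid_blocked_window(window: str) -> bool:
    """True if the window is in the Day:HH:MM-Day:HH:MM UTC form, e.g. Mon:09:00-Mon:11:00."""
    return bool(_WINDOW_RE.match(window))

def valid_blocked_date(day: str) -> bool:
    """True if the date is a YYYY-MM-DD string."""
    try:
        date.fromisoformat(day)
    except ValueError:
        return False
    return len(day) == 10  # reject compact forms such as 20231225

def _alarm(arn: str) -> dict:
    return {"type": "CLOUDWATCH", "alarmIdentifier": arn}

def build_practice_run_config(resource_arn, outcome_alarms, blocking_alarms=(),
                              blocked_windows=(), blocked_dates=()):
    """Return the create_practice_run_configuration request body, or raise ValueError.
    The outcome alarm is mandatory: it is the health signal that stops or rolls back a shift."""
    if not outcome_alarms:
        raise ValueError("at least one outcome CloudWatch alarm is required")
    bad_windows = [w for w in blocked_windows if not valid_blocked_window(w)]
    if bad_windows:
        raise ValueError(f"malformed blocked window(s): {bad_windows}")
    bad_dates = [d for d in blocked_dates if not valid_blocked_date(d)]
    if bad_dates:
        raise ValueError(f"malformed blocked date(s): {bad_dates}")
    return {
        "resourceIdentifier": resource_arn,
        "outcomeAlarms": [_alarm(a) for a in outcome_alarms],
        "blockingAlarms": [_alarm(a) for a in blocking_alarms],
        "blockedWindows": list(blocked_windows),
        "blockedDates": list(blocked_dates),
    }

def enable_zonal_autoshift(config: dict):
    """Apply the practice-run config, then turn autoshift on. Needs boto3 and AWS
    credentials; client and operation names are assumed from the arc-zonal-shift API."""
    import boto3  # imported here so the validators above run without boto3 installed
    client = boto3.client("arc-zonal-shift")
    client.create_practice_run_configuration(**config)
    return client.update_zonal_autoshift_configuration(
        resourceIdentifier=config["resourceIdentifier"], zonalAutoshiftStatus="ENABLED")
```

Run the validators in a pre-deployment check so a misconfigured window or a missing outcome alarm is caught before autoshift is switched on for a resource.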

While the use of AI and automation at scale in your AWS environment can be scary, the benefits to be gained are often worth the risk. Still unsure how AI can help your organization operate more securely in the cloud? Check out our eBook, Maximize Generative AI to Accelerate Your Business Securely. Additionally, feel free to reach out to us should you have any questions around generative AI or security in general. 


The information presented in this article is accurate as of 12/1/23. Follow the ScaleSec blog for new articles and updates.