Dec. 7 - 11 re:Invent Security re:Cap
re:Invent Security re:Cap: Week 2
AWS re:Invent is an annual cloud computing event held to showcase new features and services available on Amazon Web Services. This year, re:Invent is completely virtual, free, and spans three weeks.
At ScaleSec, our focus is always on security and compliance. In order to stay on the cutting edge of cloud computing, we monitor AWS re:Invent announcements and consider how each one can help our customers keep their AWS environments secure.
ScaleSec’s re:Invent Security re:Cap is a running list of our favorite security announcements from each week, along with a brief summary and direct link for more in-depth information.
AWS Announces AWS Audit Manager | 08 Dec 2020 | LINK
AWS introduced a new managed service called AWS Audit Manager that is designed to help security and compliance teams run continuous audits of their AWS environments. Specifically, it automates the collection of evidence needed to assess risk and compliance against various regulations and standards, and it generates audit-friendly reports with direct links to the associated evidence. The initial release provides prebuilt framework support for the CIS AWS Foundations Benchmark, the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), and you can also build custom frameworks for other environments and regulations. At launch Audit Manager integrates with Security Hub, so control-based findings from Security Hub can be pulled in directly as evidence. Keep in mind that it collects and organizes evidence; it does not remediate anything, and the evidence is only as complete as the accounts and services you bring into scope.
Amazon Virtual Private Cloud (VPC) announces Reachability Analyzer to simplify connectivity testing and troubleshooting | 12 Dec 2020 | LINK
How many hours have you spent digging through VPC, security group, and NACL configurations, or searching VPC Flow Logs, trying to determine why your instances or services can’t talk to each other? It’s a common problem, and AWS has introduced the VPC Reachability Analyzer to shorten that troubleshooting time. Reachability Analyzer is a network diagnostic tool that identifies connectivity issues between two endpoints within a VPC or across connected VPCs. From the VPC console you enter the source, destination, protocol and, optionally, the destination port, and the tool produces a hop-by-hop report of the path, including the component that blocks it. If the path is unreachable you get the exact reason, such as a restrictive security group rule or a Network ACL (NACL) entry. One caveat for the practitioner: the analysis is performed against your network configuration, not by sending packets, so it tells you whether the configuration permits the path but cannot see host-level controls such as an OS firewall on the instance itself.
Amazon ECR announces cross region replication of images | 08 Dec 2020 | LINK
Amazon Elastic Container Registry (ECR) now supports cross-region replication for container images in your private repositories. This can reduce image pull times, and potentially cross-region data transfer costs, by letting developers and services pull images from a registry in their own region. Automatic replication also provides the redundancy that disaster recovery requirements often call for. Once a replication rule is configured, AWS handles the work of copying new image pushes and changes to existing images to every configured destination region; no more home-grown scripts and workflows to keep registries in sync. Note that replication applies to images pushed after the rule is in place, so images that already exist in the source registry still need to be pushed again or copied separately.
AWS CloudTrail provides more granular control of data event logging through advanced event selectors | 07 Dec 2020 | LINK
CloudTrail now lets you tune the granularity of S3 and Lambda data event logging with advanced event selectors. A selector is a set of field conditions on attributes such as eventName, eventSource, readOnly and the resource ARN, using operators including equals, notEquals, startsWith and endsWith, so you can include or exclude events by name or by ARN prefix rather than logging every data event for a bucket or function. Limiting data events to the ones your use case actually needs, say DeleteObject calls on a specific bucket, can yield significant cost savings in environments with a high volume of S3 or Lambda activity. The flip side is that excluded events are never recorded anywhere, so review what your detections and investigations depend on before narrowing a trail.
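To make the selector semantics concrete, here is an added example (it is not from the ScaleSec post or from AWS) that builds a selector set logging only S3 object deletions under one bucket while keeping all management events, and then evaluates constructed sample events against it using the matching rules CloudTrail documents: field selectors inside one advanced event selector are ANDed, values inside one field selector are ORed, and the selectors on a trail are ORed. The bucket ARN, trail name and the sample events are made up for the illustration; nothing here calls AWS.

```python
"""
Added example: local model of CloudTrail advanced event selectors.
Builds selectors, evaluates constructed sample events against them, and
prints the aws cli command that would apply them to a trail.  No AWS calls.
"""
import json
import shlex

# Operators CloudTrail accepts in a field selector.  eventCategory, readOnly
# and resources.type only take Equals; eventName and resources.ARN take any.
_OPERATORS = {
    "Equals": lambda value, pattern: value == pattern,
    "NotEquals": lambda value, pattern: value != pattern,
    "StartsWith": lambda value, pattern: value.startswith(pattern),
    "EndsWith": lambda value, pattern: value.endswith(pattern),
    "NotStartsWith": lambda value, pattern: not value.startswith(pattern),
    "NotEndsWith": lambda value, pattern: not value.endswith(pattern),
}


def s3_delete_only_selectors(bucket_arn):
    """All management events, plus data events only for object deletions
    under bucket_arn.  Management events need their own selector; without
    it a trail using advanced selectors would record no API calls at all."""
    return [
        {
            "Name": "All management events",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Management"]},
            ],
        },
        {
            "Name": "S3 object deletions on the audited bucket only",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                {"Field": "eventName", "Equals": ["DeleteObject", "DeleteObjects"]},
                # Trailing slash matters: without it "audit-bucket-archive" would match too.
                {"Field": "resources.ARN", "StartsWith": [bucket_arn + "/"]},
            ],
        },
    ]


def field_selector_matches(field_selector, event):
    """Positive operators OR their values, negative operators must hold for
    every value, and an event lacking the field never matches."""
    value = event.get(field_selector["Field"])
    if value is None:
        return False
    for operator, patterns in field_selector.items():
        if operator == "Field":
            continue
        hits = [_OPERATORS[operator](value, p) for p in patterns]
        if not (all(hits) if operator.startswith("Not") else any(hits)):
            return False
    return True


def would_be_logged(selectors, event):
    """Selectors on a trail are ORed; field selectors inside one are ANDed."""
    return any(
        all(field_selector_matches(fs, event) for fs in sel["FieldSelectors"])
        for sel in selectors
    )


def logged_event_names(selectors, events):
    return [e["eventName"] for e in events if would_be_logged(selectors, e)]


def put_event_selectors_command(trail_name, selectors):
    """The aws cli invocation that applies the selectors to an existing trail."""
    return ("aws cloudtrail put-event-selectors --trail-name "
            + shlex.quote(trail_name)
            + " --advanced-event-selectors " + shlex.quote(json.dumps(selectors)))


# Constructed sample events, flattened to the dotted field names the selectors
# use (real records nest resources.type / resources.ARN under "resources").
SAMPLE_EVENTS = [
    {"eventCategory": "Data", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "readOnly": "false", "resources.type": "AWS::S3::Object",
     "resources.ARN": "arn:aws:s3:::audit-bucket/reports/q4.csv"},
    {"eventCategory": "Data", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "readOnly": "true", "resources.type": "AWS::S3::Object",
     "resources.ARN": "arn:aws:s3:::audit-bucket/reports/q4.csv"},
    {"eventCategory": "Data", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "readOnly": "false", "resources.type": "AWS::S3::Object",
     "resources.ARN": "arn:aws:s3:::scratch-bucket/tmp.bin"},
    {"eventCategory": "Management", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "readOnly": "false"},
    {"eventCategory": "Data", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "readOnly": "false", "resources.type": "AWS::Lambda::Function",
     "resources.ARN": "arn:aws:lambda:us-east-1:123456789012:function:audit-fn"},
]

if __name__ == "__main__":
    selectors = s3_delete_only_selectors("arn:aws:s3:::audit-bucket")
    for event in SAMPLE_EVENTS:
        status = "logged" if would_be_logged(selectors, event) else "dropped"
        print(f"{event['eventName']:<13} {status}")
    print(put_event_selectors_command("org-trail", selectors))
```

Run it and only the DeleteObject on audit-bucket and the DeleteBucket management event survive; the GetObject, the delete in the other bucket and the Lambda Invoke are dropped. The two design points worth carrying into a real trail are the explicit Management selector and the trailing slash on the ARN prefix.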
Amazon Machine Images (AMIs) now support tag-on-create and tag-based access control | 04 Dec 2020 | LINK
A seemingly minor update with larger repercussions. AMIs, and the EBS snapshots created alongside them, can now be tagged in the same call that creates them. This removes the follow-up API calls that used to be needed to tag the AMI and each snapshot, and so leads to more consistent tagging. More importantly, IAM policies can now govern AMI and snapshot actions with tag-based conditions: you can require specific tags at creation time with the aws:RequestTag and aws:TagKeys condition keys, and you can scope actions on existing AMIs and snapshots, such as deregistering them, changing their launch permissions, deleting them, or launching instances from them, with ec2:ResourceTag. Tagging on create closes the window in which an untagged AMI or snapshot exists outside those controls, letting you lock down who can access, delete, or use your private AMIs and snapshots.
Python Support for Amazon CodeGuru is available in Preview | 04 Dec 2020 | LINK
CodeGuru is a machine-learning-based service announced at re:Invent 2019 with two parts: CodeGuru Reviewer, which reviews code and raises recommendations, and CodeGuru Profiler, which profiles running applications. It integrates with various IDEs and code repositories. Until now only Java was supported; starting this week Python is supported in preview as well. Reviewer can flag best-practice and code-quality issues in Python code, and Profiler can identify performance bottlenecks in applications running on Python 3.6 to 3.9, whether deployed on EC2, in containers, or as Lambda functions. It’s a straightforward way to improve code quality and catch performance problems before they reach production.
Amazon RDS for Oracle supports managed disaster recovery (DR) with Amazon RDS Cross-Region Automated Backups | 04 Dec 2020 | LINK
Amazon RDS for Oracle is now capable of cross-region automated backups, bringing it in line with some of the other RDS engines. System snapshots and transaction logs can be replicated automatically from the primary AWS Region to a secondary Region, which gives you point-in-time restore in the DR Region without building your own copy jobs. It is available now for Oracle 12.1.0.2.v10 and higher, for replication between select Region pairs. If the instance is encrypted you must supply a KMS key in the destination Region for the replicated backups, so plan key management for the DR Region ahead of time.
Amazon ECS Announces the Preview of ECS Deployment Circuit Breaker | 04 Dec 2020 | LINK
Amazon ECS now offers a deployment circuit breaker for services using rolling deployments. It monitors task launches during a deployment and, once a threshold of tasks fail to reach a running state, marks the deployment as failed and stops launching new tasks instead of retrying indefinitely. With rollback enabled, the service automatically returns to the last deployment that completed successfully, limiting the downtime a bad image or task definition can cause.
Multiple Machine Learning (ML) Announcements and Integrations with various Database, Data Warehouse and Analytics Services | 08 Dec 2020 | LINK
Tuesday was a big day for ML at re:Invent. Numerous AWS data and analytics services announced new ML integrations and capabilities. In addition, SageMaker gained new data discovery, training, and debugging features, and with Amazon SageMaker Pipelines it now has what AWS describes as the first purpose-built CI/CD service for machine learning.