Welcome back to my series where I take you through the latest and greatest updates for AWS security services!
AWS re:Invent 2023
If you haven't been living under a rock for November, you probably know that AWS held re:Invent, where they unveiled a bunch of new services and features for all of their users.
It's no surprise that this time the theme was focused predominantly on artificial intelligence, with the folks over at AWS flexing their muscles by showing off what they've come up with. It's safe to say it was a treat, with a lot of focus directed at Amazon Q: their latest take on a generative AI assistant that gives users faster and more accurate answers tailored to their businesses.
If you're wondering how that is even possible, here's the short answer: it's the connectors, which let Amazon Q learn about your business and give customized answers.
Click on the links below to learn more about the services and features announced during this year's re:Invent or to see if you've missed out on some awesome announcements.
What's New With AWS Security Now?
Let's put a pin in the re:Invent talks and dive right into why we're here: checking out what happened in December and all the cool additions AWS made to their security services!
I must say December was a very quiet month for security service releases, since most of them came with re:Invent in November, which I covered in the November edition of this series.
So without further ado, let's check out the latest additions to the AWS security services.
Announcement Date: 05/12/2023
Announcement Date: 18/12/2023
- Amazon Redshift supports single sign-on with Amazon QuickSight and AWS Lake Formation
- AWS Security Hub launches 15 new security controls
- Amazon Cognito user pools now support the ability to customize access tokens
- Amazon EKS introduces simplified controls for IAM cluster access management
Announcement Date: 19/12/2023
- AWS Audit Manager now supports PCI 4.0 for automated evidence collection
- AWS Network Firewall egress TLS inspection is now available in all regions
Announcement Date: 20/12/2023
- Amazon Cognito is now available in Asia Pacific (Jakarta) Region
- Amazon Cognito is now available in the Africa (Cape Town) Region
Announcement Date: 21/12/2023
- AWS Resource Access Manager is now available in the AWS Canada West (Calgary) Region
- AWS Config now supports 1000 AWS Config rules per AWS Region per account
Announcement Date: 26/12/2023
- Remediating non-compliant resources with AWS Config rules is now available in Israel (Tel Aviv)
- IAM Roles Anywhere is now available in 6 additional AWS Regions
Announcement Date: 28/12/2023
- Amazon EKS now supports assigning EC2 security groups to IPv6 Kubernetes pods
- AWS Directory Service for Microsoft AD and AD Connector available in Calgary
Noteworthy Updates To Services
1. AWS Secrets Manager
- AWS Secrets Manager now maintains an SLA of at least 99.99%, which equates to 52.60 minutes per year or 13.15 minutes per quarter of allowed downtime
- If this SLA is not met, you are eligible for service credits according to the AWS Secrets Manager SLA
2. AWS Security Hub
- AWS Security Hub introduced 15 new security controls that it can evaluate. You simply need to enable the respective security standard they belong to and AWS Security Hub will start evaluating them automatically.
- If you have already enabled the relevant standard, AWS Security Hub will evaluate these new controls automatically, with no action on your part.
- The new controls cover additional services such as Amazon FSx and AWS Private CA, and add checks for previously supported services such as Amazon EC2, Amazon EKS, and Amazon S3.
- List of new security controls:
- [Backup.1] AWS Backup recovery points should be encrypted at rest
- [DynamoDB.6] DynamoDB tables should have deletion protection enabled
- [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled
- [EKS.8] EKS clusters should have audit logging enabled
- [EMR.2] Amazon EMR block public access setting should be enabled
- [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
- [Macie.1] Macie should be enabled
- [MSK.2] MSK clusters should have enhanced monitoring configured
- [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones
- [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones
- [NetworkFirewall.2] Network Firewall logging should be enabled
- [OpenSearch.10] OpenSearch domains should have the latest software update installed
- [PCA.1] AWS Private CA root certificate authority should be disabled
- [S3.19] S3 access points should have block public access settings enabled
- [S3.20] S3 general purpose buckets should have MFA delete enabled
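As an added example (not part of the original post), the following Python script checks which of the 15 new controls will actually be evaluated in your account. It assumes boto3 is installed and that your credentials allow `securityhub:ListStandardsControlAssociations`; a control with no association is not part of any standard you have enabled, and a DISABLED association means the standard is on but the control was switched off. The stub client and its data are constructed, so the script runs offline unless you pass `--live`.

```python
"""Report which of the new Security Hub controls produce findings in this account.

Added example, not from the original post. Assumes boto3 plus credentials with
securityhub:ListStandardsControlAssociations when run with --live; otherwise it
runs against the constructed StubSecurityHub below.
"""
import sys
from collections import defaultdict

# The 15 control IDs announced in December 2023 (listed in the post).
NEW_CONTROLS = [
    "Backup.1", "DynamoDB.6", "EC2.51", "EKS.8", "EMR.2", "FSx.1", "Macie.1",
    "MSK.2", "Neptune.9", "NetworkFirewall.1", "NetworkFirewall.2",
    "OpenSearch.10", "PCA.1", "S3.19", "S3.20",
]


def list_associations(client, control_id):
    """Page through ListStandardsControlAssociations for one control ID."""
    token = None
    while True:
        kwargs = {"SecurityControlId": control_id}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_standards_control_associations(**kwargs)
        yield from resp.get("StandardsControlAssociationSummaries", [])
        token = resp.get("NextToken")
        if not token:
            return


def audit_new_controls(client, control_ids=NEW_CONTROLS):
    """Return {control_id: {standards_arn: association_status}}.

    Security Hub only returns associations for standards that are enabled, so an
    empty dict means the control belongs to no enabled standard.
    """
    report = defaultdict(dict)
    for cid in control_ids:
        for assoc in list_associations(client, cid):
            report[cid][assoc["StandardsArn"]] = assoc["AssociationStatus"]
        report.setdefault(cid, {})
    return dict(report)


def not_evaluated(report):
    """Controls that will never produce findings: unassociated or all DISABLED."""
    return sorted(
        cid for cid, assocs in report.items()
        if not any(status == "ENABLED" for status in assocs.values())
    )


class StubSecurityHub:
    """Constructed stand-in for a boto3 Security Hub client (sample data only)."""

    # Constructed sample ARN in the FSBP standard's format; not taken from a real account.
    FSBP = ("arn:aws:securityhub:us-east-1::standards/"
            "aws-foundational-security-best-practices/v/1.0.0")

    def __init__(self, table):
        self.table = table  # {control_id: [(standards_arn, status), ...]}

    def list_standards_control_associations(self, SecurityControlId, **_):
        rows = self.table.get(SecurityControlId, [])
        return {"StandardsControlAssociationSummaries": [
            {"StandardsArn": arn, "SecurityControlId": SecurityControlId,
             "AssociationStatus": status} for arn, status in rows]}


# Constructed sample: every new control is enabled in FSBP except S3.20, which
# someone switched off, and Macie.1, which belongs to no enabled standard here.
SAMPLE = {cid: [(StubSecurityHub.FSBP, "ENABLED")]
          for cid in NEW_CONTROLS if cid != "Macie.1"}
SAMPLE["S3.20"] = [(StubSecurityHub.FSBP, "DISABLED")]


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # real call against the current account and region
        client = boto3.client("securityhub")
    else:
        client = StubSecurityHub(SAMPLE)
    findings_report = audit_new_controls(client)
    for cid in not_evaluated(findings_report):
        detail = findings_report[cid] or "not in any enabled standard"
        print(f"{cid}: not evaluated ({detail})")
```

If a control shows up as DISABLED you can re-enable it with `BatchUpdateStandardsControlAssociations`; if it is absent altogether, the standard it belongs to is not enabled in that Region.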
3. Amazon EKS
- You can now use EC2 security groups with Amazon EKS in clusters that use IPv6
- Previously, administrators could not use this feature in IPv6 clusters, but NO MORE!
- Now you can use Amazon VPC CNI network policies to control traffic within your cluster and security groups to control access to AWS services outside the cluster.
Wrapping Up
I've highlighted some of the major service announcements and feature introductions that were noteworthy. There may have been some announcements that I didn't cover in this month's edition, so feel free to mention what you think was important in the comment section.
Stay Tuned for the next edition of "What's New With AWS Security"!
Thank you for reading. I hope you found this useful.