<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Harish Bennalli</title>
    <description>The latest articles on DEV Community by Harish Bennalli (@bennalliharish).</description>
    <link>https://dev.to/bennalliharish</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F689780%2Fa4aaee79-113d-44a0-9d78-d925fba9befe.jpg</url>
      <title>DEV Community: Harish Bennalli</title>
      <link>https://dev.to/bennalliharish</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/bennalliharish"/>
    <language>en</language>
    <item>
      <title>AWS Firewall Manager now supports AWS Network Firewall Centralized Deployment Model</title>
      <dc:creator>Harish Bennalli</dc:creator>
      <pubDate>Mon, 28 Feb 2022 10:24:40 +0000</pubDate>
      <link>https://dev.to/bennalliharish/aws-firewall-manager-now-supports-aws-network-firewall-centralized-deployment-model-5daa</link>
      <guid>https://dev.to/bennalliharish/aws-firewall-manager-now-supports-aws-network-firewall-centralized-deployment-model-5daa</guid>
      <description>&lt;p&gt;AWS Firewall Manager now allows you to deploy AWS Network Firewall to inspect traffic using a &lt;strong&gt;centralized deployment model&lt;/strong&gt;. &lt;br&gt;
Previously, Firewall Manager could deploy AWS Network Firewall only in a decentralized deployment model, where we deploy AWS Network Firewall into each VPC which requires protection. &lt;/p&gt;

&lt;p&gt;With this release, customers can now use Firewall Manager to deploy AWS Network Firewall in either a distributed deployment model or a centralized deployment model.&lt;/p&gt;

&lt;p&gt;When you deploy an AWS Network Firewall policy using a centralized deployment model, Firewall Manager creates Network Firewall endpoints in an Inspection VPC that you select. You can either choose the availability zones in which the firewall endpoints will be created for your in-scope VPCs or allow Firewall Manager to automatically create endpoints in availability zones with public subnets. These options provide granular control over the deployment of your Network Firewall endpoints. &lt;/p&gt;

&lt;p&gt;This feature is now available in all AWS regions where Network Firewall is offered.&lt;/p&gt;

&lt;p&gt;AWS Firewall Manager is a security management service that acts as a central place for you to configure and deploy firewall rules across accounts and resources in your organization. &lt;/p&gt;

&lt;p&gt;With Firewall Manager, you can deploy and monitor rules for AWS WAF, AWS Shield Advanced, VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall across your entire organization. &lt;/p&gt;

&lt;p&gt;Firewall Manager ensures that all firewall rules are consistently enforced, even as new accounts and resources are created.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;How Firewall Manager creates firewall endpoints&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The deployment model in your policy determines how Firewall Manager creates firewall endpoints. &lt;/p&gt;

&lt;p&gt;There are two deployment models to choose from, the distributed deployment model, and the centralized deployment model:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Distributed deployment model&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;With the distributed deployment model, Firewall Manager creates endpoints for each VPC that's within policy scope. &lt;/p&gt;

&lt;p&gt;You can either customize the endpoint location by specifying which Availability Zones to create firewall endpoints in, or Firewall Manager can automatically create endpoints in the Availability Zones with public subnets. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;If you manually choose the Availability Zones, you have the option to restrict the set of allowed CIDRs per Availability Zone. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;If you decide to let Firewall Manager automatically create the endpoints, you must also specify whether the service will create a single endpoint or multiple firewall endpoints within your VPCs.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For multiple firewall endpoints, Firewall Manager deploys a firewall endpoint in each Availability Zone where you have a subnet with an internet gateway or a Firewall Manager-created firewall endpoint route in the route table. This is the default option for a Network Firewall policy.&lt;/p&gt;

&lt;p&gt;For a single firewall endpoint, Firewall Manager deploys a firewall endpoint in a single Availability Zone in any subnet that has an internet gateway route. With this option, traffic in other zones needs to cross zone boundaries in order to be filtered by the firewall.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note&lt;/strong&gt;&lt;br&gt;
For both of these options, there must be a subnet associated with a route table that has an IPv4/prefixlist route in it. Firewall Manager does not check for any other resources.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Centralized deployment model&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;With the centralized deployment model, Firewall Manager creates one or more firewall endpoints within an inspection VPC. &lt;/p&gt;

&lt;p&gt;An inspection VPC is a central VPC where Firewall Manager launches your endpoints. &lt;/p&gt;

&lt;p&gt;When you use the centralized deployment model, you also specify which Availability Zones to create firewall endpoints in. You can't change the inspection VPC after you create your policy. To use a different inspection VPC, you must create a new policy.&lt;/p&gt;

&lt;p&gt;If you change the list of Availability Zones, Firewall Manager will try to clean up any endpoints that were created in the past, but that aren't currently in policy scope. Firewall Manager will remove the endpoint only if there are no route table routes that reference the out of scope endpoint. If Firewall Manager finds that it is unable to delete these endpoints, it will mark the firewall subnet as being non-compliant and will continue attempting to remove the endpoint until such time as it is safe to delete.&lt;/p&gt;

&lt;p&gt;Hope you liked this Blog!&lt;/p&gt;

&lt;p&gt;More to come on AWS Security!!&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Amazon SageMaker Autopilot</title>
      <dc:creator>Harish Bennalli</dc:creator>
      <pubDate>Wed, 09 Feb 2022 11:52:08 +0000</pubDate>
      <link>https://dev.to/bennalliharish/amazon-sagemaker-autopilot-5fj8</link>
      <guid>https://dev.to/bennalliharish/amazon-sagemaker-autopilot-5fj8</guid>
      <description>&lt;h2&gt;
  
  
  &lt;strong&gt;What is Amazon SageMaker Autopilot?&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Amazon SageMaker Autopilot automatically builds, trains, and tunes the best machine learning models based on your data, while allowing you to maintain full control and visibility.&lt;/p&gt;

&lt;p&gt;Amazon SageMaker Autopilot eliminates the heavy lifting of building ML models, and helps you automatically build, train, and tune the best ML model based on your data. With SageMaker Autopilot, you simply provide a tabular dataset and select the target column to predict, which can be a number (such as a house price, called regression), or a category (such as spam/not spam, called classification). SageMaker Autopilot will automatically explore different solutions to find the best model. You then can directly deploy the model to production with just one click, or iterate on the recommended solutions with Amazon SageMaker Studio to further improve the model quality.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Features&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Automatic data pre-processing and feature engineering&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You can use Amazon SageMaker Autopilot even when you have missing data. SageMaker Autopilot automatically fills in the missing data, provides statistical insights about columns in your dataset, and automatically extracts information from non-numeric columns, such as date and time information from timestamps.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Automatic ML model selection&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Amazon SageMaker Autopilot automatically infers the type of predictions that best suit your data, such as binary classification, multi-class classification, or regression. SageMaker Autopilot then explores high-performing algorithms such as gradient boosting decision tree, feedforward deep neural networks, and logistic regression, and trains and optimizes hundreds of models based on these algorithms to find the model that best fits your data.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Model leaderboard&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Amazon SageMaker Autopilot allows you to review all the ML models that are automatically generated for your data. You can view the list of models, ranked by metrics such as accuracy, precision, recall, and area under the curve (AUC), review model details such as the impact of features on predictions, and deploy the model that is best suited to your use case.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Automatic notebook creation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You can automatically generate an Amazon SageMaker Studio Notebook for any model Amazon SageMaker Autopilot creates and dive into the details of how it was created, refine it as desired, and recreate it from the notebook at any point in the future.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Feature importance&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Amazon SageMaker Autopilot provides an explainability report, generated by Amazon SageMaker Clarify, that makes it easier for you to understand and explain how models created with SageMaker Autopilot make predictions. You can also identify how each attribute in your training data contributes to the predicted result as a percentage. The higher the percentage, the more strongly that feature impacts your model’s predictions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Easy integration with your applications&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You can use the Amazon SageMaker Autopilot application programming interface (API) to easily create models and make inferences right from your applications, such as your data analytics and data warehousing tools.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;How it works&lt;/strong&gt;
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;Load tabular data from Amazon S3 to train the model&lt;/li&gt;
&lt;li&gt;Select target column for prediction&lt;/li&gt;
&lt;li&gt;The correct algorithm is chosen, and training and tuning are done automatically for the right model&lt;/li&gt;
&lt;li&gt;Full visibility and control provided with model notebooks&lt;/li&gt;
&lt;li&gt;Select the best model for your needs from a ranked list of recommendations&lt;/li&gt;
&lt;li&gt;Deploy and monitor the model&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;We can choose from model notebooks to optimize and retrain the models to improve the quality.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Use Cases&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Price predictions&lt;/strong&gt;&lt;br&gt;
Amazon SageMaker Autopilot can predict future prices to help you make sound investment decisions based on your historical data such as demand, seasonal trends, and price of other commodities.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Churn prediction&lt;/strong&gt;&lt;br&gt;
Customer churn is the loss of customers or clients, and every company looks for ways to eliminate it. Models automatically generated by Amazon SageMaker Autopilot help you understand churn patterns. Churn prediction models work by first learning patterns in your existing data and identifying patterns in new datasets so you can get a prediction about customers most likely to churn.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Risk assessment&lt;/strong&gt;&lt;br&gt;
Risk assessment requires identifying and analyzing potential events that may negatively impact individuals, assets, and your company. Models automatically generated by Amazon SageMaker Autopilot predict risks as new events unfold. Risk assessment models are trained using your existing datasets so you can get optimized predictions for your business.&lt;/p&gt;

&lt;p&gt;Hope you liked this post!&lt;/p&gt;

&lt;p&gt;More on ML updates in the next posts!&lt;/p&gt;

</description>
      <category>aws</category>
      <category>cloudskills</category>
    </item>
    <item>
      <title>AWS Firewall Manager</title>
      <dc:creator>Harish Bennalli</dc:creator>
      <pubDate>Thu, 27 Jan 2022 12:01:52 +0000</pubDate>
      <link>https://dev.to/bennalliharish/aws-firewall-manager-2bia</link>
      <guid>https://dev.to/bennalliharish/aws-firewall-manager-2bia</guid>
      <description>&lt;h2&gt;
  
  
  &lt;strong&gt;What is AWS Firewall Manager?&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. &lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Key Benefits of AWS Firewall Manager&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Simplify management of firewall rules across your accounts&lt;/li&gt;
&lt;li&gt;Centrally deploy protections for your VPCs&lt;/li&gt;
&lt;li&gt;Ensure compliance of existing and new applications&lt;/li&gt;
&lt;li&gt;Easily deploy managed rules across accounts&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;AWS Firewall Manager features&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Centrally deploy AWS Network Firewall across VPCs&lt;/li&gt;
&lt;li&gt;Automatically deploy Amazon VPC security groups, AWS WAF rules, AWS Shield Advanced protections, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules&lt;/li&gt;
&lt;li&gt;Multi-account resource groups&lt;/li&gt;
&lt;li&gt;Cross-account protection policies&lt;/li&gt;
&lt;li&gt;Hierarchical rule enforcement&lt;/li&gt;
&lt;li&gt;Dashboard with compliance notifications&lt;/li&gt;
&lt;li&gt;Audit existing and future security groups in your VPCs&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Prerequisites for AWS Firewall Manager&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;There are three mandatory pre-requisites and one optional pre-requisite to use AWS Firewall Manager.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS Organizations - Your accounts must be part of AWS Organizations and have enabled all features. &lt;/li&gt;
&lt;li&gt;Set the AWS Firewall Manager Administrator Account - Firewall Manager must be associated with the management account of your AWS organization or associated with a member account that has the appropriate permissions. The account that you associate with Firewall Manager is called the Firewall Manager administrator account. &lt;/li&gt;
&lt;li&gt;Enable AWS Config on accounts - Enable AWS Config for each member account in your organization. &lt;/li&gt;
&lt;li&gt;Enable AWS Resource Access Manager (Optional) - To enable Firewall Manager to centrally configure AWS Network Firewalls or associate Amazon Route 53 Resolver DNS Firewall rules across accounts and VPCs, you must first enable sharing of resources using AWS Resource Access Manager.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;How do I use AWS Firewall Manager?&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;First, complete the prerequisites mentioned above.&lt;/li&gt;
&lt;li&gt;Second, create a policy type for AWS WAF, AWS Shield Advanced, VPC security group, AWS Network Firewall, or Amazon Route 53 Resolver DNS Firewall.&lt;/li&gt;
&lt;li&gt;Third, depending on the policy, specify the set of rules or protections. For example, for a policy for AWS WAF specify the rule groups (custom or managed) that you want to deploy across accounts. Similarly, for a VPC security group policy, reference the security group you want replicated in each resource within accounts. For AWS Network Firewall, specify the rule groups (stateful and stateless) that you want to deploy across VPCs in your accounts. For Amazon Route 53 Resolver DNS Firewall, specify the set of rules (rule groups) you want to associate with your VPCs in your accounts.&lt;/li&gt;
&lt;li&gt;Fourth, specify the scope of the policy by choosing the accounts, resource type and, optionally, resource tags, where you want the policy to be deployed.&lt;/li&gt;
&lt;li&gt;Finally, you can review and create the policy. Firewall Manager will automatically apply the rules and protections to all resources across accounts. &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Once complete, Firewall Manager also shows a compliance dashboard indicating any accounts/resources that are non-compliant and those that are compliant.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Dashboard and Visibility&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;How can I view the compliance status for a particular policy?&lt;/p&gt;

&lt;p&gt;With Firewall Manager you can quickly view the compliance status for each policy by looking at how many accounts are included in the scope of the policy and how many out of those are compliant. Further, for each policy configured on Firewall Manager, you get a compliance dashboard. The central compliance dashboard allows you to view which accounts are non-compliant to a given policy, which specific resources are non-compliant, and also provides information about the reason why a particular resource is not compliant. You can also view non-compliant events for each account on AWS Security Hub.&lt;/p&gt;

&lt;p&gt;Does AWS Firewall Manager provide notifications when a resource is non-compliant?&lt;/p&gt;

&lt;p&gt;Yes, you can create new SNS notification channels to receive real-time notifications when new non-compliant resources are discovered. Similarly, each account scoped as part of a Firewall Manager policy is notified for non-compliant events on AWS Security Hub.&lt;/p&gt;

&lt;p&gt;How can I view all threats across my organization?&lt;/p&gt;

&lt;p&gt;For each Firewall Manager policy created, you can aggregate CloudWatch metrics for each Rule in the Rule Group, indicating how many requests were allowed or blocked across the entire organization. This gives you a central place to set up alerts for threats across your organization.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;New Feature&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;AWS Firewall Manager now supports AWS Shield Advanced automatic application layer DDoS mitigation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;AWS Firewall Manager now enables you to centrally deploy AWS Shield Advanced automatic application layer (L7) DDoS protections across accounts in your organization. AWS Shield Advanced automatic L7 DDoS protections block application layer DDoS events with no manual intervention needed. With this launch, security administrators for AWS Firewall Manager can now enable automatic L7 DDoS protections across accounts using the Firewall Manager security policy for AWS Shield Advanced.&lt;/p&gt;

&lt;p&gt;To get started, enable automatic L7 DDoS mitigation on a Firewall Manager Shield Advanced policy. A Shield-managed WAF rule group will then be added to a WAF web access control list (web ACL) for the resources under protection. Shield Advanced evaluates each WAF rule it creates against normal traffic into your resources to minimize false positives and deploys them in either count, allow, or block mode.&lt;/p&gt;

&lt;p&gt;Hope you liked this Blog! &lt;/p&gt;

&lt;p&gt;More to come on AWS Security!!&lt;/p&gt;

</description>
      <category>aws</category>
      <category>security</category>
      <category>cloudskills</category>
    </item>
    <item>
      <title>AWS Private 5G: Easily deploy, manage, and scale a private cellular network</title>
      <dc:creator>Harish Bennalli</dc:creator>
      <pubDate>Sun, 23 Jan 2022 11:05:29 +0000</pubDate>
      <link>https://dev.to/bennalliharish/aws-private-5geasily-deploy-manage-and-scale-a-private-cellular-network-1e94</link>
      <guid>https://dev.to/bennalliharish/aws-private-5geasily-deploy-manage-and-scale-a-private-cellular-network-1e94</guid>
      <description>&lt;h2&gt;
  
  
  &lt;strong&gt;What is AWS Private 5G?&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;It is a new managed service that helps enterprises set up and scale private 5G mobile networks in their facilities in days instead of months.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Features&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Connect thousands of devices and machines with the low latency and high bandwidth of a private 5G network.&lt;/li&gt;
&lt;li&gt;Get your network up and running in days with no long planning cycles, no complex integrations, and automated setup.&lt;/li&gt;
&lt;li&gt;Secure your network with granular access controls for all connected devices, integrated with existing IT policies.&lt;/li&gt;
&lt;li&gt;Scale your network capacity on demand or add devices with a few clicks, and pay only for the capacity and throughput you use.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;How it works&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Place the order from the console specifying the coverage and capacity requirements for your private cellular network&lt;/li&gt;
&lt;li&gt;As part of Installation, AWS delivers the network hardware (small cell radio base stations and servers) to you. Attach power and internet connectivity to the small cells and servers.&lt;/li&gt;
&lt;li&gt;For Activation, open the console and acknowledge hardware receipt for automated network configuration. Once the network is ready, insert the SIM cards into the devices to connect.&lt;/li&gt;
&lt;li&gt;Operate and manage your cellular network and connected devices like any other AWS resource. You need to integrate with existing access and security policies.&lt;/li&gt;
&lt;li&gt;Scalability can be quick as we can easily adjust the network capacity and number of connected devices to match your business needs&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Why AWS Private 5G?&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;AWS Private 5G offers an easy way to leverage cellular technology to augment your current network. This can help you to increase reliability, extend coverage, or enable a new class of workloads such as factory automation, autonomous robotics, and advanced augmented and virtual reality (AR/VR) interactions.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Who is responsible for operating my network?&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Operating a network on your premises is a shared responsibility. You are responsible for monitoring the physical sites where AWS Private 5G is deployed, and for keeping internet connectivity and power running. AWS provides and controls all the hardware, software, and network functions required to operate the network. Private 5G ensures that infrastructure and network functions are up to date and running the latest firmware, software, and security patches. The service also monitors ongoing operations and makes any changes needed to maximize performance and availability. AWS Private 5G can be monitored through a rich set of Amazon CloudWatch metrics, managed through the AWS Management Console or the APIs.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Where can I find devices that work with AWS Private 5G?&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;The number of devices that support LTE and 5G has steadily increased over the past several years. A great place to start is the Citizens Broadband Radio Service (CBRS) Alliance, which developed the OnGo Certification Program with an up-to-date list of over 250 devices noted here. For licensed spectrum, device selection will depend on the specific spectrum offered by the partner CSP. AWS Private 5G also works with various devices that bridge between WiFi and cellular networks, extending support to devices that do not natively support SIMs.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;How do I add/remove devices to and from my network?&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Once you insert the SIM card into your device, AWS Private 5G will automatically recognize the SIM and you can use the AWS Management Console or AWS Command Line Interface (CLI) to ensure that your devices have the right access to your network. Once on the network, Private 5G runs speed and validation tests, enforces access, and provides monitoring and alerting for full visibility into your network usage. As you add more devices and your connectivity needs grow, the service will ensure that your network support scales as needed.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;Use cases&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Run a smart manufacturing facility&lt;/li&gt;
&lt;li&gt;Enable business-critical applications&lt;/li&gt;
&lt;li&gt;Deliver reliable campus connectivity&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Video Link:&lt;br&gt;
&lt;a href="https://youtu.be/2tGMop1ncTk"&gt;https://youtu.be/2tGMop1ncTk&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;Hope you liked it! In the next blog, we will explore more on Private 5G capabilities.&lt;/p&gt;

</description>
      <category>aws</category>
      <category>cloudskills</category>
    </item>
    <item>
      <title>Amazon Inspector: Automated and continual vulnerability management at scale</title>
      <dc:creator>Harish Bennalli</dc:creator>
      <pubDate>Mon, 17 Jan 2022 18:35:43 +0000</pubDate>
      <link>https://dev.to/bennalliharish/amazon-inspector-automated-and-continual-vulnerability-management-at-scale-4c42</link>
      <guid>https://dev.to/bennalliharish/amazon-inspector-automated-and-continual-vulnerability-management-at-scale-4c42</guid>
      <description>&lt;h2&gt;
  
  
  &lt;strong&gt;&lt;em&gt;What is Amazon Inspector?&lt;/em&gt;&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.&lt;br&gt;
Amazon Inspector can be used across all accounts in your organization. Once started, Amazon Inspector automatically discovers running Amazon Elastic Compute Cloud (EC2) instances and container images residing in Amazon Elastic Container Registry (ECR), at any scale, and immediately starts assessing them for known vulnerabilities.&lt;/p&gt;

&lt;p&gt;Amazon Inspector calculates a highly contextualized risk score for each finding by correlating common vulnerabilities and exposures (CVE) information with factors such as network access and exploitability. This score is used to prioritize the most critical vulnerabilities to improve remediation response efficiency. All findings are aggregated in a newly designed Amazon Inspector console and pushed to AWS Security Hub and Amazon EventBridge to automate workflows. Vulnerabilities found in container images are also sent to Amazon ECR for resource owners to view and remediate. &lt;/p&gt;

&lt;p&gt;With Amazon Inspector, even small security teams and developers can ensure infrastructure workload security and compliance across your AWS workloads.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;&lt;em&gt;Overview&lt;/em&gt;&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Immediately discover and scan AWS workloads for software vulnerabilities and unintended network exposure with a single click.&lt;/li&gt;
&lt;li&gt;Consolidate your vulnerability management solutions for both Amazon EC2 and ECR into one fully managed service.&lt;/li&gt;
&lt;li&gt;Use the highly accurate Inspector risk score to efficiently prioritize your remediation.&lt;/li&gt;
&lt;li&gt;Reduce mean time to remediate (MTTR) vulnerabilities and streamline workflow with Amazon EventBridge and AWS Security Hub integrations.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;&lt;em&gt;How it works?&lt;/em&gt;&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Enable Amazon Inspector&lt;/strong&gt;&lt;br&gt;
Get started with a few clicks and use AWS Organizations for multi-account management (up to 5000 AWS accounts). A free 15-day trial is available for accounts new to Amazon Inspector.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Discover and Scan&lt;/strong&gt;&lt;br&gt;
Auto-discover AWS workloads and continually scan them for vulnerabilities. This includes vulnerabilities published in the CVE landscape, and a scan is done as soon as you add new software or a new package.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Contextualize Findings&lt;/strong&gt;&lt;br&gt;
Consider many factors to create a meaningful Inspector risk score. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Take Action&lt;/strong&gt;&lt;br&gt;
Use detailed findings to automate workflows like ticketing and remediation.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;em&gt;&lt;strong&gt;Amazon Inspector Features&lt;/strong&gt;&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Vulnerability management for Amazon EC2 and container workloads&lt;/strong&gt;&lt;br&gt;
Amazon Inspector is a comprehensive vulnerability management tool that functions across multiple resources, including Amazon Elastic Compute Cloud (EC2) and container workloads. It identifies different types of vulnerabilities, including software vulnerabilities and unintended network exposure, that can be used to compromise workloads, repurpose resources for malicious use, or exfiltrate data.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Simplified one-click enabling and integration with AWS Organizations&lt;/strong&gt;&lt;br&gt;
Start Amazon Inspector across multiple accounts with one click in the Amazon Inspector console or a single API call. Amazon Inspector allows you to assign an Inspector Delegated Administrator (DA) account for your organization, which can start and configure all member accounts as well as consolidate all findings.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Automated discovery and continual vulnerability scanning&lt;/strong&gt;&lt;br&gt;
Once started, Amazon Inspector automatically discovers all EC2 instances and container images residing in Amazon Elastic Container Registry (ECR) that are identified for scanning, and then immediately starts scanning them for software vulnerabilities and unintended network exposure. All workloads are continually rescanned when a new common vulnerabilities and exposures (CVE) entry is published, or when there are changes in the workloads, such as installation of new software in an EC2 instance.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Systems Manager Agent&lt;/strong&gt;&lt;br&gt;
Amazon Inspector uses the widely deployed AWS Systems Manager (SSM) Agent to collect the software inventory and configurations from your Amazon EC2 instances. The collected application inventory and configurations are used to assess workloads for vulnerabilities.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Inspector risk score for findings&lt;/strong&gt;&lt;br&gt;
Amazon Inspector generates a highly contextualized Inspector risk score for each finding by correlating CVE information with environmental factors such as network reachability results and exploitability data. This helps prioritize the findings and highlights the most critical findings and vulnerable resources. The Inspector score calculation (and which factors influenced the score) can be viewed in the Inspector Score tab within the Findings Details side panel.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Suppression of findings&lt;/strong&gt;&lt;br&gt;
Amazon Inspector supports suppression of findings based on criteria you define. You can create these suppression rules to suppress findings that your organization deems an acceptable risk.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Automatic closure of remediated findings&lt;/strong&gt;&lt;br&gt;
Amazon Inspector automatically detects if a vulnerability has been patched or remediated. Once detected, Amazon Inspector automatically changes the state of the finding to “Closed” without manual intervention.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Detailed coverage monitoring&lt;/strong&gt;&lt;br&gt;
Amazon Inspector offers an aggregated, near real-time view of the environment coverage across an organization so you can avoid gaps in coverage. It provides metrics and detailed information on accounts using Amazon Inspector, as well as EC2 instances, ECR repositories, and container images that are actively being scanned by Amazon Inspector. Additionally, Amazon Inspector highlights the resources not being actively monitored and provides guidance on how to include them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Integration with Security Hub and EventBridge&lt;/strong&gt;&lt;br&gt;
All findings are aggregated in the Amazon Inspector console, routed to AWS Security Hub, and pushed through Amazon EventBridge to automate workflows such as ticketing.&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;&lt;em&gt;Few Use Cases&lt;/em&gt;&lt;/strong&gt;
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Quickly discover vulnerabilities&lt;/li&gt;
&lt;li&gt;Prioritize patch remediation&lt;/li&gt;
&lt;li&gt;Meet compliance requirements&lt;/li&gt;
&lt;li&gt;Identify zero-day vulnerabilities sooner&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;More to come in the Security category!&lt;/p&gt;

</description>
      <category>aws</category>
      <category>security</category>
      <category>cloudskills</category>
    </item>
    <item>
      <title>New Console Home in AWS Management Console</title>
      <dc:creator>Harish Bennalli</dc:creator>
      <pubDate>Mon, 17 Jan 2022 14:22:54 +0000</pubDate>
      <link>https://dev.to/bennalliharish/new-console-home-in-aws-management-console-5g66</link>
      <guid>https://dev.to/bennalliharish/new-console-home-in-aws-management-console-5g66</guid>
      <description>&lt;p&gt;&lt;strong&gt;Console Home&lt;/strong&gt;&lt;br&gt;
Recently AWS launched the new Console Home, a customizable home page for the AWS Management Console that offers customers a single place to access the information they need. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Customize your Console Home&lt;/strong&gt;&lt;br&gt;
The new Console Home provides customers the capability to customize their Console Home experience by adding, removing, and rearranging widgets. In some of the widgets, customers can also choose between regular view for a quick summary or an extended view for a more comprehensive overview.&lt;/p&gt;

&lt;p&gt;At launch, customers can use 8 widgets: &lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Welcome to AWS &lt;/li&gt;
&lt;li&gt;Recently visited&lt;/li&gt;
&lt;li&gt;AWS Health &lt;/li&gt;
&lt;li&gt;Cost and usage &lt;/li&gt;
&lt;li&gt;Build a solution&lt;/li&gt;
&lt;li&gt;Trusted Advisor &lt;/li&gt;
&lt;li&gt;Explore AWS&lt;/li&gt;
&lt;li&gt;Favorites&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Data Aggregation&lt;/strong&gt;&lt;br&gt;
These widgets aggregate data from multiple services and regions to enable customers to perform various tasks. &lt;br&gt;
For example, a financial administrator can use the Cost and usage widget to get an overview of forecasted costs across AWS services; and a DevOps manager can view important events and changes affecting their AWS environment in the AWS Health widget.&lt;/p&gt;

&lt;p&gt;The new Console Home experience will persist on the user account level across browsers and devices.&lt;/p&gt;

&lt;p&gt;You can use the new Console Home by signing in today to the AWS Management Console, and opting in to the new Console Home. The new Console Home is available in all public AWS Regions.&lt;/p&gt;

&lt;p&gt;Additional widgets will be announced over time by AWS!&lt;/p&gt;

</description>
      <category>aws</category>
      <category>cloud</category>
    </item>
  </channel>
</rss>
