<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: AJ</title>
    <description>The latest articles on DEV Community by AJ (@cloudsecuritypro).</description>
    <link>https://dev.to/cloudsecuritypro</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1277949%2F29aedcc2-1f4f-405d-884b-2bcf8f2d79eb.png</url>
      <title>DEV Community: AJ</title>
      <link>https://dev.to/cloudsecuritypro</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/cloudsecuritypro"/>
    <language>en</language>
    <item>
      <title>Issue 79 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Tue, 14 Jan 2025 23:24:01 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-79-of-aws-cloud-security-weekly-243k</link>
      <guid>https://dev.to/aws-builders/issue-79-of-aws-cloud-security-weekly-243k</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 79 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-79" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-79&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity last week January 07 - January 14, 2025?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The AWS WAF console dashboard now offers enhanced visualizations, providing detailed insights into the primary sources of traffic. Customers using CloudWatch logging destinations can access a new "top insights" section within the all-traffic dashboard.&lt;/li&gt;
&lt;li&gt;AWS Security Hub now integrates with Amazon Route 53 Resolver DNS Firewall, enabling you to receive security findings related to DNS queries from Amazon VPCs for domains flagged as potentially malicious or low-reputation.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>security</category>
      <category>cloud</category>
    </item>
    <item>
      <title>Issue 75, 76 &amp; 77 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Tue, 07 Jan 2025 23:30:42 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-75-76-77-of-aws-cloud-security-weekly-3gj4</link>
      <guid>https://dev.to/aws-builders/issue-75-76-77-of-aws-cloud-security-weekly-3gj4</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 75, 76 &amp;amp; 77 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-76-77-and-78" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-76-77-and-78&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity last week December 17 - January 07, 2025?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS launched notification actions in the AWS Console Mobile Application for iOS. The action buttons will appear on the notification details screen when you receive a push notification from AWS User Notifications on your mobile device so that you can quickly take actions such as viewing logs, or starting, stopping, or rebooting an EC2 instance directly from the event notification.&lt;/li&gt;
&lt;li&gt;AWS Network Firewall, AWS Secrets Manager and CloudTrail now support IPv6, IPv4, or dual-stack clients. This support extends to private access to each service's API endpoint from your Amazon Virtual Private Cloud (VPC) via AWS PrivateLink.&lt;/li&gt;
&lt;li&gt;SES Mail Manager now provides comprehensive logging for both ingress endpoints and rules engine actions. Customers can configure a variety of monitoring options across three standard logging destinations: CloudWatch, S3, and Firehose.&lt;/li&gt;
&lt;li&gt;Amazon Elastic Container Registry (Amazon ECR) introduces Registry Policy v2, which now enables the management of IAM permissions for all ECR API actions. This updated registry policy simplifies the process for customers to control access to ECR features within their accounts.&lt;/li&gt;
&lt;/ul&gt;

</description>
    </item>
    <item>
      <title>Issue 75 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Wed, 18 Dec 2024 01:25:04 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-75-of-aws-cloud-security-weekly-51g5</link>
      <guid>https://dev.to/aws-builders/issue-75-of-aws-cloud-security-weekly-51g5</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 75 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-75" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-75&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity last week December 10 - December 17, 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS IAM Roles Anywhere has released version 1.4.0 of its credential helper, which now includes native support for Trusted Platform Module (TPM) 2.0. This update allows the credential helper to directly access X.509 certificates and their corresponding private keys stored in TPMs on both Windows and Linux systems. The keys remain securely stored within the TPM hardware.&lt;/li&gt;
&lt;li&gt;AWS Security Hub now offers automated security checks that are aligned with the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1, a compliance framework that outlines rules and guidelines for the secure handling of credit and debit card information. v4.0.1 includes 144 automated controls.&lt;/li&gt;
&lt;/ul&gt;

</description>
    </item>
    <item>
      <title>Issue 74 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Tue, 10 Dec 2024 22:45:54 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-74-of-aws-cloud-security-weekly-aog</link>
      <guid>https://dev.to/aws-builders/issue-74-of-aws-cloud-security-weekly-aog</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 74  of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-74" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-74&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity last week December 04 - December 10, 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS Config now supports a service-linked recorder, a new type of recorder managed by an AWS service that captures configuration data for service-specific resources; one example is auditing Amazon CloudWatch telemetry configurations. With this feature, you can record telemetry configurations for AWS services such as VPC Flow Logs, EC2 Detailed Metrics, Lambda Traces, etc.&lt;/li&gt;
&lt;/ul&gt;

</description>
    </item>
    <item>
      <title>Issue 72 &amp; 73 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Wed, 04 Dec 2024 22:24:31 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-72-73-of-aws-cloud-security-weekly-2ic8</link>
      <guid>https://dev.to/aws-builders/issue-72-73-of-aws-cloud-security-weekly-2ic8</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 72 &amp;amp; 73 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-72-and-73" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-72-and-73&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity last week November 19 - December 04, 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS introduced Virtual Private Cloud (VPC) Block Public Access (BPA), a new centralized, declarative control that allows you to effectively block internet traffic in VPCs. VPC BPA takes precedence over any other configurations, ensuring that VPC resources are shielded from unrestricted internet access.&lt;/li&gt;
&lt;li&gt;AWS announced the general availability of declarative policies, a new policy type within AWS Organizations. These policies streamline the enforcement of long-term intentions, such as establishing baseline configurations for AWS services across an organization. For example, you can use declarative policies to configure EC2 instances to launch only with AMIs from specific providers or to restrict public access in their VPCs.&lt;/li&gt;
&lt;li&gt;Amazon Cognito now allows passwordless authentication to secure user access to applications, supporting sign-ins via passkeys (e.g. built-in authenticators like Touch ID on Apple MacBooks or Windows Hello).&lt;/li&gt;
&lt;li&gt;AWS Security Token Service (STS) now supports digitally signing OpenID Connect (OIDC) JSON Web Tokens (JWTs) using Elliptic Curve Digital Signature Algorithm (ECDSA) keys. A digital signature ensures the authenticity and integrity of the JWT, with ECDSA being a widely recognized, NIST-approved signature algorithm. When your identity provider (IdP) authenticates a user, it generates a signed OIDC JWT that represents the user's identity. When the authenticated user invokes the AssumeRoleWithWebIdentity API and submits their OIDC JWT, STS issues temporary credentials that grant access to your secure AWS resources.&lt;/li&gt;
&lt;li&gt;Amazon OpenSearch Ingestion now enables real-time data ingestion into Amazon Security Lake, allowing you to import security data from both AWS and custom sources to gain near-real-time insights into potential security threats.&lt;/li&gt;
&lt;li&gt;AWS has announced support for new protocols in AWS Network Firewall, enabling you to protect Amazon VPCs with application-specific inspection rules. With this update, AWS Network Firewall can now detect protocols such as HTTP2, QUIC, and PostgreSQL, allowing you to apply firewall inspection rules to these protocols. Additionally, new rule keywords for TLS, SNMP, DHCP, and Kerberos are now available, giving you more granular control over your stateful inspection rules.&lt;/li&gt;
&lt;li&gt;AWS announced the general availability of Amazon GuardDuty Extended Threat Detection. This new feature helps you identify complex, multi-stage attacks targeting your AWS accounts, workloads, and data.&lt;/li&gt;
&lt;li&gt;AWS announced the general availability of AWS Security Incident Response, a new service designed to help you prepare for, respond to, and recover from security events. This service provides automated monitoring and investigation of security findings. It also includes communication and collaboration tools to streamline response coordination, along with direct 24/7 access to the AWS Customer Incident Response Team (CIRT).&lt;/li&gt;
&lt;li&gt;AWS announced the preview of a new feature in AWS Verified Access that supports secure access to resources using protocols like TCP, SSH, and RDP. With this release, Verified Access allows you to provide secure, VPN-free access to corporate applications and resources based on AWS zero trust principles.&lt;/li&gt;
&lt;li&gt;You can now send CloudFront access logs directly to two new destinations: Amazon CloudWatch Logs and Amazon Kinesis Data Firehose. Additionally, you can choose from an expanded range of log output formats, including JSON and Apache Parquet (for logs delivered to S3). You can also enable automatic partitioning of logs delivered to S3, select specific log fields, and define the order in which those fields appear in the logs.&lt;/li&gt;
&lt;li&gt;Amazon S3 now allows you to enforce conditional write operations for general-purpose buckets using bucket policies. With this feature, you can require S3 to verify the existence of an object before creating it in your bucket. Similarly, you can mandate that S3 check the state of an object’s content before allowing updates. This helps simplify distributed applications by preventing accidental data overwrites, particularly in high-concurrency, multi-writer environments.&lt;/li&gt;
&lt;li&gt;Amazon EC2 introduced Allowed AMIs, a new account-wide setting that lets you restrict the discovery and usage of Amazon Machine Images (AMIs) within your AWS accounts. You can now specify the AMI owner accounts or aliases that are allowed in your account, ensuring that only AMIs from these owners are visible and available for launching EC2 instances. Previously, you could use any AMI explicitly shared with your account or any public AMI, regardless of its source or trustworthiness, which posed a risk. With Allowed AMIs, you can now define which accounts or owner aliases are authorized for AMI discovery and use in your AWS environment.&lt;/li&gt;
&lt;/ul&gt;

</description>
    </item>
    <item>
      <title>Issue 71 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Tue, 19 Nov 2024 22:24:50 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-71-of-aws-cloud-security-weekly-31o8</link>
      <guid>https://dev.to/aws-builders/issue-71-of-aws-cloud-security-weekly-31o8</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 70 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-70" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-70&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity last week November 12 - November 19, 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS introduced Resource Control Policies (RCPs) in AWS Organizations, which allow you to centrally define a data perimeter across your AWS environment. With RCPs, you can efficiently restrict external access to your AWS resources at scale. For now, RCPs support Amazon S3, STS, KMS, SQS &amp;amp; AWS Secrets Manager.&lt;/li&gt;
&lt;li&gt;AWS Identity and Access Management (IAM) Access Analyzer's unused access findings now allow you to exclude specific accounts, roles, or users from the analysis, saving costs and narrowing the scope.&lt;/li&gt;
&lt;li&gt;AWS Identity and Access Management (IAM) introduced a new capability that enables you to centrally manage root credentials from the AWS Organizations management account. Administrators can now remove unnecessary root credentials for member accounts &amp;amp; use temporary credentials to perform specific privileged actions.&lt;/li&gt;
&lt;li&gt;AWS introduced Amazon Route 53 Resolver DNS Firewall Advanced, an enhanced set of capabilities that enables you to monitor and block suspicious DNS traffic linked to advanced DNS threats, such as DNS tunneling and Domain Generation Algorithms (DGAs). Route 53 Resolver DNS Firewall already helped block DNS queries for domains with low reputations or those suspected of being malicious, while allowing queries for trusted domains. With DNS Firewall Advanced, you can now implement additional protections that monitor and block DNS traffic in real-time based on anomalies detected in the domain names being queried from your VPCs.&lt;/li&gt;
&lt;li&gt;The AWS Command Line Interface (AWS CLI) v2 now supports OAuth 2.0 authorization code flows with the Proof Key for Code Exchange (PKCE) standard, which is a secure method for obtaining credentials to execute AWS CLI commands.&lt;/li&gt;
&lt;li&gt;Important changes to CloudTrail events for AWS IAM Identity Center (AWS SSO): Starting January 13, 2025, IAM Identity Center will no longer include the &lt;code&gt;userName&lt;/code&gt; and &lt;code&gt;principalId&lt;/code&gt; fields in the user identity element of CloudTrail events. These fields will be removed from events triggered when users sign in to IAM Identity Center, use the AWS access portal, or access AWS accounts via the AWS CLI. Instead, IAM Identity Center will provide the &lt;code&gt;userId&lt;/code&gt; and the Identity Store Amazon Resource Name (ARN) fields, which will replace the &lt;code&gt;userName&lt;/code&gt; and &lt;code&gt;principalId&lt;/code&gt; fields, simplifying the identification process.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>security</category>
      <category>ransomware</category>
      <category>cloud</category>
      <category>ai</category>
    </item>
    <item>
      <title>Issue 70 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Tue, 12 Nov 2024 23:11:43 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-70-of-aws-cloud-security-weekly-1boj</link>
      <guid>https://dev.to/aws-builders/issue-70-of-aws-cloud-security-weekly-1boj</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 70 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-70" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-70&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity last week November 05 - November 12, 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS Security Hub has released 7 new security controls, increasing the total number of controls offered to 437.&lt;/li&gt;
&lt;li&gt;Starting October 25, 2024, all requests blocked by AWS WAF on Amazon CloudFront will be free of charge. This means you won’t be billed for request or data transfer fees for any requests that AWS WAF blocks. No changes to applications are required, and this update automatically applies to all CloudFront distributions using AWS WAF.&lt;/li&gt;
&lt;li&gt;Amazon Verified Permissions has introduced a new API batchGetPolicies, allowing you to retrieve multiple policies with a single API call. This is especially useful for populating a list of policies that apply to a specific principal or resource.&lt;/li&gt;
&lt;li&gt;AWS IAM now offers support for AWS PrivateLink in the AWS GovCloud (US) Regions, allowing you to establish a private connection between your Virtual Private Cloud (VPC) and IAM and reducing reliance on public internet connectivity.&lt;/li&gt;
&lt;li&gt;(Finally!!) AWS IAM Identity Center (SSO) now supports permission set search, allowing you to filter permission sets by their names (i.e. using any substring search).&lt;/li&gt;
&lt;li&gt;Amazon EC2 now offers Microsoft Windows Server 2025 with License Included (LI) Amazon Machine Images (AMIs).&lt;/li&gt;
&lt;li&gt;Amazon QuickSight now supports Client Credentials flow-based OAuth via API/CLI for connecting to Snowflake &amp;amp; Starburst data sources.&lt;/li&gt;
&lt;li&gt;AWS Lambda now supports native capture of application logs in a JSON structured format for Lambda functions running on the .NET managed runtime. The JSON format organizes logs as key-value pairs, making it easier to search, filter, and analyze large volumes of logs. This enhancement helps you efficiently troubleshoot issues and gain insights into the performance of your Lambda functions.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>security</category>
      <category>cloud</category>
      <category>lambda</category>
    </item>
    <item>
      <title>Issue 69 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Tue, 05 Nov 2024 23:08:41 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-69-of-aws-cloud-security-weekly-191b</link>
      <guid>https://dev.to/aws-builders/issue-69-of-aws-cloud-security-weekly-191b</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 69 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-69" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-69&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity last week October 29 - November 05, 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS Payment Cryptography announced an EMV PIN change feature, cardholder-selectable PINs, and PIN reveal. The EMV PIN change feature allows issuers to create secure payloads for updating PINs stored on the EMV chip of credit or debit cards. Cardholder-selectable PINs and PIN reveal can enable cardholders to set or retrieve their PINs through a mobile app, ensuring PCI compliance with end-to-end PIN data encryption. AWS Payment Cryptography enables you to migrate payment processing workloads to the cloud.&lt;/li&gt;
&lt;li&gt;AWS Network Firewall has introduced a new feature that enables you to adjust the TCP idle timeout value to match your application’s specific TCP idle timeout needs. This enhancement allows AWS Network Firewall to perform continuous stateful inspection on applications with long-lived connections, such as financial systems, databases, and ERP applications. Previously, the TCP idle timeout was set to a fixed 350 seconds, which could disrupt the long-lived connections of some applications. Now, with this update, you can configure the TCP idle timeout anywhere from 60 to 6000 seconds, while the default remains at 350 seconds for compatibility with existing setups.&lt;/li&gt;
&lt;li&gt;AWS Incident Detection and Response is now available in 16 additional AWS regions.&lt;/li&gt;
&lt;li&gt;SES Mail Manager has introduced three new features. First, it now supports authenticated connections to ingress endpoints over TCP port 587 (the email submission port). Second, it enforces verified customer identity when using Mail Manager SMTP relays, and allows you to create routing rules based on MIME header content. Lastly, Mail Manager archives now support message envelope search, enabling users to distinguish between named and blind-copied recipients when searching and exporting archived messages. With support for connections over TCP port 587, ingress endpoints can now more seamlessly replace on-premises mail servers, such as Exchange or Postfix, which often use this same port. Additionally, Mail Manager’s relay function now includes a custom header to identify the specific source, and a corresponding rule action allows you to enforce this unique identifier as a delivery condition. Together, these features enhance relaying security beyond simply relying on allowlisted IP addresses. Lastly, the search and export capabilities in archiving now treat the message envelope ‘From’ and ‘To’ as distinct fields, separate from the visible ‘From’ and ‘To’ fields, which may show different values. This makes it possible to easily identify messages received via BCC.&lt;/li&gt;
&lt;li&gt;Amazon WorkMail now offers multi-factor authentication (MFA) support through integration with AWS IAM Identity Center, adding an extra layer of security to WorkMail logins and helping prevent unauthorized access. Administrators can link IAM Identity Center with Active Directory or external identity providers like Okta or Microsoft Entra ID, allowing mailbox users to sign in to the WorkMail web app using IAM Identity Center credentials.&lt;/li&gt;
&lt;li&gt;AWS now simplifies security group management with new sharing features. You can associate a security group with multiple VPCs in the same account and share it across participant accounts in a shared VPC. This improves consistency and eases configuration for administrators, allowing uniform traffic control across VPCs and accounts. Previously, security groups were limited to the VPC they were created in, but now you can enforce consistent traffic rules for resources across VPCs and accounts within your organization.&lt;/li&gt;
&lt;/ul&gt;

</description>
    </item>
    <item>
      <title>Issue 68 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Tue, 29 Oct 2024 23:41:46 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-68-of-aws-cloud-security-weekly-162e</link>
      <guid>https://dev.to/aws-builders/issue-68-of-aws-cloud-security-weekly-162e</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 68 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-68" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-68&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity last week October 22 - October 29, 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;EC2 Image Builder now includes support for the Apple macOS operating system, enabling you to use macOS as base images in the image pipelines. Previously, you had to manually build up-to-date macOS images or rely on separate tools. EC2 Image Builder supports the latest x86 and ARM64 macOS images available for EC2 Mac instances and offers automatic updates.&lt;/li&gt;
&lt;li&gt;AWS IAM Identity Center now allows a single identity context to propagate user identities when accessing AWS services. Previously, you needed to use two separate IAM role sessions to call AWS services: one for user-authorized services and another for services that only logged user identities for auditing purposes. With this update, you can now use a single IAM role session with &lt;code&gt;sts:identity_context&lt;/code&gt; to call any AWS service. In trusted identity propagation scenarios, AWS services use this identity context to authorize user access directly. For services not in a trusted identity propagation setup, resource access remains authorized via IAM roles. Additionally, AWS services using CloudTrail event version 1.09 or higher now log IAM Identity Center &lt;code&gt;userId&lt;/code&gt; in their logs, including within the &lt;code&gt;OnBehalfOf&lt;/code&gt; element in Amazon CloudTrail logs.&lt;/li&gt;
&lt;li&gt;AWS Firewall Manager now allows you to centrally create policies for AWS WAF, adding baseline rule sets to existing WAF WebACLs associated with the resources. With these policies, you can add first and last rule groups, or set a centralized logging destination for existing WebACLs, while keeping custom rule sets unchanged. By enabling the “retrofit” option on a Firewall Manager WAF policy, you can centrally define baseline protection that applies to resources protected by WAF and is enforced by the WebACLs already in place. This allows you to quickly deploy standard WAF rules across all web applications, regardless of the timing—whether before, during, or after a security event—without disrupting existing WAF configurations, including those with application-specific rules or integrated into infrastructure-as-code (IaC) pipelines.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>news</category>
      <category>security</category>
      <category>cloud</category>
    </item>
    <item>
      <title>Issue 67 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Tue, 22 Oct 2024 22:40:41 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-67-of-aws-cloud-security-weekly-amn</link>
      <guid>https://dev.to/aws-builders/issue-67-of-aws-cloud-security-weekly-amn</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 67 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-67" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-67&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity last week October 15 - October 22, 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Amazon EKS now offers dual stack support for both the EKS management API endpoint and the Kubernetes API server endpoint in IPv6 EKS clusters. Dual stack support is also available for private access to the EKS management API endpoint from your Amazon VPC via AWS PrivateLink. These dual stack endpoints are provided under a new AWS DNS domain name, while the existing EKS management API endpoints remain available for backward compatibility.&lt;/li&gt;
&lt;li&gt;AWS announced integration of Amazon Q CLI into CloudShell, enabling the use of natural language to generate AWS commands and offering personalized command suggestions, minimizing the need to search through documentation.&lt;/li&gt;
&lt;li&gt;Amazon QuickSight now supports programmatic export and import of shared folders and triggering scheduled reports via API. The export/import APIs are StartAssetBundleExportJob and StartAssetBundleImportJob. This update allows you to back up, restore, replicate, and migrate QuickSight folders along with their member assets and subfolders. Previously, folder deployment had to be managed separately. Additionally, the StartDashboardSnapshotJobSchedule API runs the report according to the configured schedule settings, including export formats (PDF, CSV, Excel, etc.) and email details (subject line, body text, and attachments).&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>security</category>
      <category>news</category>
      <category>cloud</category>
    </item>
    <item>
      <title>Issue 66 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Tue, 15 Oct 2024 22:29:34 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-66-of-aws-cloud-security-weekly-4h7h</link>
      <guid>https://dev.to/aws-builders/issue-66-of-aws-cloud-security-weekly-4h7h</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 66 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-66" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-66&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity &amp;amp; CyberSecurity last week October 08 - October 15, 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS now provides service reference information to simplify the automation of policy management workflows, allowing you to retrieve available actions across AWS services from machine-readable files.&lt;/li&gt;
&lt;li&gt;Amazon CloudFront now supports JA4 fingerprinting for incoming requests, allowing you to permit trusted clients or block malicious ones. The JA4 fingerprint is transmitted through the Cloudfront-viewer-ja4-fingerprint header. You can analyze these fingerprints with custom logic on your web servers or by using CloudFront Functions or Lambda@Edge.&lt;/li&gt;
&lt;li&gt;AWS announces the general availability of Console to Code, powered by Amazon Q Developer. With a few clicks, you can generate code for the console actions in your preferred format (e.g. YAML, JSON, SDK, etc.).&lt;/li&gt;
&lt;li&gt;AWS Identity Center (IdC, previously known as SSO) now displays a QR code for the AWS Console Mobile Application sign-in option.&lt;/li&gt;
&lt;li&gt;AWS introduces End User Messaging Social, allowing you to connect to end users via WhatsApp, with interactive capabilities. It also integrates with End User Messaging SMS and Push notifications.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>news</category>
      <category>security</category>
      <category>cloud</category>
    </item>
    <item>
      <title>Issue 65 of AWS Cloud Security Weekly</title>
      <dc:creator>AJ</dc:creator>
      <pubDate>Tue, 08 Oct 2024 22:35:23 +0000</pubDate>
      <link>https://dev.to/aws-builders/issue-65-of-aws-cloud-security-weekly-1a7o</link>
      <guid>https://dev.to/aws-builders/issue-65-of-aws-cloud-security-weekly-1a7o</guid>
      <description>&lt;p&gt;(This is just the highlight of Issue 65 of AWS Cloud Security weekly @ &lt;a href="https://aws-cloudsec.com/p/issue-65" rel="noopener noreferrer"&gt;https://aws-cloudsec.com/p/issue-65&lt;/a&gt; &amp;lt;&amp;lt; Subscribe to receive the full version in your inbox weekly for free!!)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What happened in AWS CloudSecurity &amp;amp; CyberSecurity last week October 01 - October 08, 2024?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS Security Hub has introduced 7 additional security controls, bringing the total number of controls to 430. These new controls now extend support to additional resource types, including S3 Multi-Region Access Points, Apache Kafka (MSK) Connect &amp;amp; GuardDuty EKS Runtime Monitoring.&lt;/li&gt;
&lt;li&gt;Amazon AppStream 2.0 has added support for local printer redirection and user-selected regional settings to multi-session fleets. Previously available only on single-session fleets, these features are now extended to multi-session environments.&lt;/li&gt;
&lt;li&gt;Amazon Q Business is now HIPAA (Health Insurance Portability and Accountability Act) compliant.&lt;/li&gt;
&lt;li&gt;Amazon WorkSpaces introduced the ability to transfer files between a WorkSpaces Personal session and a local computer, enabling users to manage and share files more efficiently. This feature is available on personal WorkSpaces using the DCV streaming protocol through Windows or Linux client applications, or via web access.&lt;/li&gt;
&lt;li&gt;Amazon Route 53 Resolver endpoints for DNS-over-HTTPS (DoH) now support Server Name Indication (SNI), allowing you to specify a target server hostname for DNS query requests from your outbound endpoints to DoH servers that require SNI for TLS validation. With DoH on Amazon Route 53 Resolver endpoints, you can encrypt DNS queries passing through the endpoints, enhancing privacy by reducing the visibility of the exchanged information. This update lets you configure the hostname in your outbound endpoint settings to facilitate TLS handshakes for DNS requests sent from the outbound endpoints to the DoH server.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>security</category>
      <category>ddos</category>
      <category>dns</category>
      <category>route53</category>
    </item>
  </channel>
</rss>
