(This is just the highlight of Issue 64 of AWS Cloud Security weekly @ https://aws-cloudsec.com/p/issue-64 << Subscribe to receive the full version in your inbox weekly for free!!)
What happened in AWS CloudSecurity & CyberSecurity last week, September 24 - October 01, 2024?
- Amazon Inspector introduced an upgraded engine for its Lambda standard scanning, which gives a more thorough view of vulnerabilities in the third-party dependencies used by Lambda functions and their associated layers. Note that with this change you may see some existing findings closed as the engine re-assesses resources with its improved risk evaluation, while new vulnerabilities are identified; findings closed by the re-assessment are not evidence that anything was remediated.
- AWS Serverless Application Repository now supports AWS PrivateLink, so you can reach the repository through an interface VPC endpoint, i.e. a private connection from your VPC that does not traverse the internet and needs no internet gateway or NAT.
- AWS introduced CloudTrail network activity events for VPC endpoints (in preview), giving you visibility into AWS API activity that passes through your VPC endpoints. During the preview, network activity events are available for four services: EC2, KMS, Secrets Manager and CloudTrail. The events show who is reaching AWS APIs through your network; for example, as the VPC endpoint owner you can see calls that were blocked by the endpoint policy, or use the events to verify that a policy update had the intended effect. These are a separate event category from management and data events, so they have to be selected explicitly on a trail or event data store before anything is recorded.
- AWS announced the general availability of Security Group referencing across VPCs connected via AWS Transit Gateway (TGW). Previously, Security Group references could not be used to control traffic between VPCs connected through a TGW, so cross-VPC rules had to be written against CIDR ranges or prefix lists. With referencing, rules keep working when applications scale or IP addresses change, and a single rule that references a Security Group can cover thousands of instances, which helps you avoid hitting Security Group or ENI rule limits. The feature is opt-in: Security Group referencing support has to be enabled on the transit gateway and on the VPC attachments that should use it.
- Amazon Aurora MySQL-Compatible Edition now offers a redesigned RDS Data API for both Aurora Serverless v2 and provisioned database instances, letting you access Aurora clusters over an HTTPS endpoint and run SQL statements without database drivers or connection management.
- Amazon RDS for PostgreSQL 17.0 is now available in the Amazon RDS Database Preview Environment, enabling you to test the pre-release version of PostgreSQL 17 on Amazon RDS.
- AWS announced the general availability of AWS Organizations integration with AWS Chatbot. You can now centrally manage which accounts can be accessed from Slack and Microsoft Teams channels using AWS Organizations, through a new chatbot management policy type. In addition, Service Control Policies (SCPs) let you enforce organization-wide permission boundaries on CLI commands initiated from chat channels.
- You can now manage your Amazon S3 general-purpose bucket quotas through Service Quotas. This feature allows you to view the total number of buckets in your AWS account, compare it to your current bucket quota, and request an increase, if needed.
- AWS re:Post has introduced “re:Post Agent”, a generative AI-powered assistant designed to improve interactions by delivering intelligent, near real-time responses on the platform. re:Post Agent offers the initial response to questions within the re:Post community.
- Amazon Simple Email Service (SES) now supports HTTPS for tracking open and click events when using custom domains. This enhancement helps meet security compliance standards and reduces the likelihood of email delivery problems with mailbox providers that reject non-secure links. The feature allows you to configure HTTPS as either mandatory for both open and click tracking or optional, depending on the protocol used in the links within your emails.
- Amazon Redshift is expanding its authentication options for streaming ingestion from Amazon MSK to include mutual TLS (mTLS) between Redshift provisioned clusters or serverless workgroups and MSK provisioned clusters or MSK Serverless.
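The CloudTrail network activity events item above says the new events let an endpoint owner see calls blocked by the endpoint policy and check the effect of a policy change. Below is an added example of the triage a practitioner would run over such events; it is not code from the newsletter or from AWS. The field names it relies on (eventCategory of NetworkActivity, eventType of AwsVpceEvent, vpcEndpointId, vpcEndpointAccountId and an errorCode of VpceAccessDenied for policy-blocked calls) are my reading of the preview event schema and are assumptions to confirm against real events from your own trail. The trail file it parses is constructed inline.

```python
"""Triage CloudTrail network activity events for VPC endpoints.

Added example, not code from the newsletter or from AWS. The field names
used here (eventCategory == "NetworkActivity", eventType == "AwsVpceEvent",
vpcEndpointId, vpcEndpointAccountId and errorCode == "VpceAccessDenied")
are assumptions about the network activity event schema; check them against
events from your own trail before relying on this.
"""
import json
from collections import Counter, defaultdict

# Constructed sample trail file, trimmed to the fields this script reads.
# Two events go through vpce-0123456789abcdef0 (owned by 111122223333):
# an allowed KMS Decrypt and a GetSecretValue denied by the endpoint policy.
# The Management-category event is an ordinary API event and must be ignored.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventCategory": "NetworkActivity", "eventType": "AwsVpceEvent",
        "eventTime": "2024-09-30T10:00:01Z",
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"},
        "vpcEndpointId": "vpce-0123456789abcdef0",
        "vpcEndpointAccountId": "111122223333",
    },
    {
        "eventCategory": "NetworkActivity", "eventType": "AwsVpceEvent",
        "eventTime": "2024-09-30T10:00:07Z",
        "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
        "userIdentity": {"type": "IAMUser", "accountId": "999988887777",
                         "arn": "arn:aws:iam::999988887777:user/contractor"},
        "errorCode": "VpceAccessDenied",
        "errorMessage": "The request was denied due to a VPC endpoint policy",
        "vpcEndpointId": "vpce-0123456789abcdef0",
        "vpcEndpointAccountId": "111122223333",
    },
    {
        "eventCategory": "Management", "eventType": "AwsApiCall",
        "eventTime": "2024-09-30T10:00:09Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/admin"},
    },
    {
        "eventCategory": "NetworkActivity", "eventType": "AwsVpceEvent",
        "eventTime": "2024-09-30T10:01:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                         "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/ops"},
        "vpcEndpointId": "vpce-0fedcba9876543210",
        "vpcEndpointAccountId": "111122223333",
    },
]})


def load_records(trail_json):
    """Parse a CloudTrail log file body ({"Records": [...]}) into event dicts."""
    return json.loads(trail_json)["Records"]


def is_vpce_event(ev):
    """Keep only network activity events emitted for VPC endpoints."""
    return (ev.get("eventCategory") == "NetworkActivity"
            and ev.get("eventType") == "AwsVpceEvent")


def principal(ev):
    """Best available identifier for the caller."""
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("accountId") or "unknown"


def summarize(events):
    """Per-endpoint allowed/denied counts plus the denied calls themselves.

    'denied' means the endpoint policy rejected the call. After a policy
    change, denied rows vanishing for legitimate callers and appearing for
    everyone else is the evidence that the change did what you intended.
    """
    per_endpoint = defaultdict(Counter)
    denied = []
    for ev in filter(is_vpce_event, events):
        vpce = ev.get("vpcEndpointId", "unknown")
        if ev.get("errorCode") == "VpceAccessDenied":
            per_endpoint[vpce]["denied"] += 1
            denied.append({
                "time": ev.get("eventTime"),
                "vpce": vpce,
                "principal": principal(ev),
                "call": f'{ev.get("eventSource")}:{ev.get("eventName")}',
            })
        else:
            per_endpoint[vpce]["allowed"] += 1
    return {k: dict(v) for k, v in per_endpoint.items()}, denied


def foreign_callers(events):
    """Principals whose account differs from the endpoint owner's account.

    These answer the 'who is using my endpoint' question: a caller from
    another account reached an AWS API through a path you own and police.
    """
    out = set()
    for ev in filter(is_vpce_event, events):
        owner = ev.get("vpcEndpointAccountId")
        caller_acct = ev.get("userIdentity", {}).get("accountId")
        if owner and caller_acct and caller_acct != owner:
            out.add(principal(ev))
    return out


if __name__ == "__main__":
    records = load_records(SAMPLE_TRAIL)
    counts, denied_calls = summarize(records)
    print(json.dumps(counts, indent=2))
    for row in denied_calls:
        print("DENIED", row)
    print("foreign callers:", sorted(foreign_callers(records)))
```

Run it against a real trail file by replacing SAMPLE_TRAIL with the file contents; a denied row whose principal you expected to be allowed, or a foreign caller you do not recognise, is the thing to chase.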