AWS News – October Round Up
With the endless flood of new products, features and changes from AWS and its surrounding ecosystem, it is easy to miss an update. Our monthly round-up highlights the major AWS news, announcements, product updates and behind-the-scenes changes we think are most relevant.
Amazon ECS Now Supports ECS Image SHA Tracking
Until now, correlating the container images you pull from ECR with the tasks that run them, and with where those tasks run on Amazon EC2 and Fargate, was something you had to do yourself. Amazon ECS image SHA tracking now gives you that visibility: the task state change events ECS emits to CloudWatch Events identify the image digest each container is running, so you can track where a given image is deployed.
This is particularly useful if you always pull the latest version of a container image. One thing we do is give each image a unique tag so we can tell them apart, but another option is to use the SHA digest.
For more information, read the announcement here: Amazon ECS Now Supports ECS Image SHA Tracking
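As an added illustration (not code from the announcement or from AWS), the following Python builds an inventory of which image digest each task is running from ECS task state change events, flags tasks running a digest that is not on an allow-list, and spots a mutable tag such as `latest` that has resolved to more than one digest. The event field names (`detail.taskArn`, `detail.lastStatus`, `detail.containers[].image` and `.imageDigest`) follow the documented event layout but are assumed here; the ARNs, tags and digests in the sample events are constructed.

```python
"""Track deployed image digests from ECS task state change events (example, not AWS code)."""
from collections import defaultdict

# Constructed identifiers used by the sample events below (assumptions for the example).
IMAGE_LATEST = "111122223333.dkr.ecr.us-east-1.amazonaws.com/api:latest"
IMAGE_WORKER = "111122223333.dkr.ecr.us-east-1.amazonaws.com/worker:1.4.2"
D1 = "sha256:" + "1" * 64
D2 = "sha256:" + "2" * 64
D3 = "sha256:" + "3" * 64
TASK1 = "arn:aws:ecs:us-east-1:111122223333:task/demo/task-0001"
TASK2 = "arn:aws:ecs:us-east-1:111122223333:task/demo/task-0002"
TASK3 = "arn:aws:ecs:us-east-1:111122223333:task/demo/task-0003"


def _event(task_arn, status, containers):
    """Build a sample event in the shape of an ECS Task State Change event (field names assumed)."""
    return {
        "source": "aws.ecs",
        "detail-type": "ECS Task State Change",
        "detail": {"taskArn": task_arn, "lastStatus": status, "containers": containers},
    }


# Constructed event stream: task-0001 ran api:latest at digest D1, task-0002 started later and
# got api:latest at D2 (the tag moved), task-0001 then stopped, and task-0003 runs a pinned tag.
SAMPLE_EVENTS = [
    _event(TASK1, "RUNNING", [{"name": "api", "image": IMAGE_LATEST, "imageDigest": D1}]),
    _event(TASK2, "RUNNING", [{"name": "api", "image": IMAGE_LATEST, "imageDigest": D2}]),
    _event(TASK1, "STOPPED", [{"name": "api", "image": IMAGE_LATEST, "imageDigest": D1}]),
    _event(TASK3, "RUNNING", [{"name": "worker", "image": IMAGE_WORKER, "imageDigest": D3}]),
]

# Assumed allow-list: digests your pipeline actually built and approved.
APPROVED_DIGESTS = {D1, D3}


def container_digests(event):
    """Yield (task_arn, status, container_name, image_ref, digest) for each container in one event."""
    if event.get("source") != "aws.ecs" or event.get("detail-type") != "ECS Task State Change":
        return
    detail = event.get("detail", {})
    for c in detail.get("containers", []):
        yield detail["taskArn"], detail["lastStatus"], c.get("name"), c.get("image"), c.get("imageDigest")


def build_inventory(events):
    """Map each image digest to the set of tasks currently running it.

    Events are applied in order: RUNNING adds the task, STOPPED removes it. Digests that no
    longer have any running task are dropped from the result.
    """
    inventory = defaultdict(set)
    for ev in events:
        for task_arn, status, _name, _ref, digest in container_digests(ev):
            if not digest:  # events without a digest (e.g. PENDING) carry nothing to track
                continue
            if status == "RUNNING":
                inventory[digest].add(task_arn)
            elif status == "STOPPED":
                inventory[digest].discard(task_arn)
    return {d: tasks for d, tasks in inventory.items() if tasks}


def unapproved_tasks(inventory, approved):
    """Return {digest: sorted task ARNs} for every running digest outside the allow-list."""
    return {d: sorted(tasks) for d, tasks in inventory.items() if d not in approved}


def tag_drift(events):
    """Return {image_ref: sorted digests} for image references that resolved to more than one digest."""
    seen = defaultdict(set)
    for ev in events:
        for _task, _status, _name, ref, digest in container_digests(ev):
            if ref and digest:
                seen[ref].add(digest)
    return {ref: sorted(ds) for ref, ds in seen.items() if len(ds) > 1}


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_EVENTS)
    for digest, tasks in inv.items():
        print(digest[:19], "->", sorted(tasks))
    print("unapproved:", unapproved_tasks(inv, APPROVED_DIGESTS))
    print("tag drift:", tag_drift(SAMPLE_EVENTS))
```

In practice the events would arrive through a CloudWatch Events rule targeting a Lambda function or a queue; the logic above is the same whether it runs there or over an exported batch of events.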
Stronger Protection in Amazon GuardDuty
This month, three new threat detections were added to Amazon GuardDuty, each of which can catch a problem before it grows. Two of them relate to S3 and one relates directly to EC2 instances, but all three are great detections.
The first S3 detection concerns S3 Block Public Access. If Block Public Access is disabled for an S3 bucket in your AWS account, or in any of your accounts if you use a multi-account configuration, you are informed of the change. The second detection applies to S3 server access logging: you are informed when server access logging is disabled for a bucket, which can indicate either a misconfiguration or malicious activity. This helps prevent both current and future problems. Really helpful.
Lastly, the third detection, for EC2 instances, concerns the metadata IP address. You are informed when an EC2 instance in your AWS environment queries a domain that resolves to the EC2 metadata IP address. This can indicate an attempt to reach the instance metadata service through DNS rebinding, which can escalate further to the instance's IAM credentials being harvested and cause much larger-scale problems. This is a very important addition.
Read more about the additions to GuardDuty last month here: Amazon GuardDuty Adds Three New Threat Detections
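The three conditions described above can also be checked locally, which is useful for confirming a GuardDuty finding or for covering accounts where GuardDuty is not yet enabled. The Python below is an added example and is not GuardDuty's own logic: the first two functions evaluate bucket settings in the shape returned by the S3 `GetPublicAccessBlock` and `GetBucketLogging` API calls, and the third scans Route 53 Resolver query log records for answers that resolve to 169.254.169.254. The query log field names (`query_name`, `answers[].Rdata`, `answers[].Type`, `srcids.instance`) follow the documented record layout but are assumed here, and all sample records and bucket settings are constructed.

```python
"""Local checks mirroring the three new GuardDuty detections (example code, not GuardDuty's)."""
import ipaddress
import json

EC2_METADATA_IP = ipaddress.ip_address("169.254.169.254")
BLOCK_PUBLIC_ACCESS_SETTINGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def block_public_access_disabled(config):
    """Return the Block Public Access settings that are not enabled.

    `config` has the shape of GetPublicAccessBlock's PublicAccessBlockConfiguration;
    a missing key counts as disabled. An empty list means the bucket is fully blocked.
    """
    return [k for k in BLOCK_PUBLIC_ACCESS_SETTINGS if not config.get(k, False)]


def access_logging_disabled(logging_resp):
    """True when a GetBucketLogging response shows no target bucket for server access logs."""
    return "LoggingEnabled" not in logging_resp or not logging_resp["LoggingEnabled"].get("TargetBucket")


def metadata_rebinding_hits(log_lines, allowed_names=()):
    """Scan Route 53 Resolver query log records (JSON lines) for answers equal to the metadata IP.

    Any name outside `allowed_names` whose A record resolves to 169.254.169.254 is reported
    with the querying instance, which is the pattern a DNS rebinding attempt leaves behind.
    """
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        name = rec.get("query_name", "").rstrip(".")
        for ans in rec.get("answers", []):
            if ans.get("Type") not in ("A", "AAAA"):
                continue  # CNAME/TXT/etc. carry no address to compare
            try:
                addr = ipaddress.ip_address(ans.get("Rdata", ""))
            except ValueError:
                continue
            if addr == EC2_METADATA_IP and name not in allowed_names:
                hits.append({
                    "instance": rec.get("srcids", {}).get("instance"),
                    "query_name": name,
                    "rdata": ans["Rdata"],
                })
    return hits


# Constructed sample query log records (field layout assumed; names and IDs are made up).
SAMPLE_QUERY_LOG = [
    json.dumps({"query_name": "www.example.test.", "query_type": "A",
                "answers": [{"Rdata": "203.0.113.10", "Type": "A", "Class": "IN"}],
                "srcids": {"instance": "i-0aaaaaaaaaaaaaaa1"}}),
    json.dumps({"query_name": "rebind.example.test.", "query_type": "A",
                "answers": [{"Rdata": "169.254.169.254", "Type": "A", "Class": "IN"}],
                "srcids": {"instance": "i-0bbbbbbbbbbbbbbb2"}}),
    json.dumps({"query_name": "alias.example.test.", "query_type": "A",
                "answers": [{"Rdata": "www.example.test.", "Type": "CNAME", "Class": "IN"}],
                "srcids": {"instance": "i-0aaaaaaaaaaaaaaa1"}}),
]

# Constructed bucket settings in the shape of the two S3 API responses.
SAMPLE_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}
SAMPLE_LOGGING_OFF = {}
SAMPLE_LOGGING_ON = {"LoggingEnabled": {"TargetBucket": "central-logs", "TargetPrefix": "demo/"}}


if __name__ == "__main__":
    print("disabled BPA settings:", block_public_access_disabled(SAMPLE_PUBLIC_ACCESS_BLOCK))
    print("logging disabled:", access_logging_disabled(SAMPLE_LOGGING_OFF))
    for hit in metadata_rebinding_hits(SAMPLE_QUERY_LOG):
        print("metadata IP answer:", hit)
```

The first two functions pair naturally with a periodic sweep of every bucket; the third expects query logging to be enabled on the VPC, since a rebinding attempt is only visible when the resolver's answers are recorded.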
Amazon RDS on VMware
This is a great announcement made in October: Amazon RDS is finally available for on-premises virtualized environments. This has been in the works since last year, and it is finally being rolled out. The initial rollout supports Microsoft SQL Server, PostgreSQL and MySQL. One important note is that it only runs on vSphere clusters on version 6.5 or later. This is an awesome announcement, and continued support for it is definitely something to keep an eye on, as I am sure they will continue improving it. I definitely recommend reading the announcement here: Amazon Relational Database Service (RDS) on VMware
- AWS CodePipeline Adds Execution Visualization to Pipeline Execution History: Previously, you could only see the actions that ran in a failed pipeline execution. Now, when an execution fails, you can also see the actions that did not run. This is going to make debugging easier in the future.
- Amazon Aurora Supports Cost Allocation Tags for Aurora Storage: Tags applied to an Amazon Aurora cluster now also cover the cluster's Aurora storage, for improved usage categorization. This will make viewing costs much more efficient and easy for the customer as well as the architect.
- Amazon ECS Patterns are Generally Available in the AWS Cloud Development Kit: Amazon ECS customers can now use the AWS CDK to configure and deploy ECS patterns into their CloudFormation stacks. While many, like us, use Terraform, those who predominantly use CloudFormation will find this a nice addition. I cannot wait until more support is added to Terraform.
- Application Load Balancer and Network Load Balancer Updates: ALB and NLB now support additional security policies for forward secrecy. Not much to say other than: Yay, more security!