(This is just the highlight of Issues 72 & 73 of AWS Cloud Security weekly @ https://aws-cloudsec.com/p/issue-72-and-73. Subscribe to receive the full version in your inbox weekly for free!)
What happened in AWS Cloud Security between November 19 and December 04, 2024?
- AWS introduced Virtual Private Cloud (VPC) Block Public Access (BPA), a new centralized, declarative control that blocks traffic between your VPCs and the internet through internet gateways, either in both directions or ingress only. VPC BPA takes precedence over every other configuration (route tables, security groups and network ACLs), so VPC resources stay shielded from unrestricted internet access even if someone later adds a public route; the VPCs or subnets that legitimately need internet access are carved out explicitly with exclusions, which makes those exceptions auditable in one place.
- AWS announced the general availability of declarative policies, a new policy type within AWS Organizations. These policies let you state a long-term intent once, such as a baseline configuration for an AWS service, and have it enforced across the organization. For example, you can use declarative policies to allow EC2 instances to launch only with AMIs from specific providers, or to turn on VPC Block Public Access in every member account. Because the setting is enforced by the service itself rather than through IAM deny statements, a principal in a member account cannot override it.
- Amazon Cognito now supports passwordless authentication for user access to applications, including sign-in with passkeys (FIDO2/WebAuthn credentials backed by built-in authenticators such as Touch ID on Apple MacBooks or Windows Hello), which removes the password as a phishable, reusable secret.
- AWS Security Token Service (STS) now accepts OpenID Connect (OIDC) JSON Web Tokens (JWTs) signed with Elliptic Curve Digital Signature Algorithm (ECDSA) keys, in addition to RSA. The signature is what lets STS establish the token's authenticity and integrity; ECDSA is a widely used, NIST-approved signature algorithm with much shorter keys and signatures than RSA at comparable strength. The flow itself is unchanged: your identity provider (IdP) authenticates a user and issues a signed OIDC JWT representing that identity; the user calls the AssumeRoleWithWebIdentity API with the JWT; STS verifies the signature against the public key the IdP publishes (selected by the token's key ID), checks the audience and expiry, and issues temporary credentials for the role. The practical check before switching an IdP to EC keys: make sure its JWKS endpoint advertises the new key and that the IAM role trust policy still pins the expected audience (aud) and subject conditions.
- Amazon OpenSearch Ingestion can now ingest data into Amazon Security Lake in near real time, letting you bring security data from both AWS and custom sources into the lake and get near-real-time insight into potential security threats instead of waiting for batch delivery.
- AWS has announced support for new protocols in AWS Network Firewall, enabling you to protect Amazon VPCs with application-specific inspection rules. With this update, AWS Network Firewall can detect HTTP/2, QUIC and PostgreSQL, so you can apply firewall inspection rules to those protocols. Additionally, new rule keywords for TLS, SNMP, DHCP and Kerberos are available, giving you more granular control over your stateful inspection rules. QUIC detection is worth enabling: browsers use it for HTTP/3 over UDP 443, traffic that previously only matched generic UDP rules.
- AWS announced the general availability of Amazon GuardDuty Extended Threat Detection. This new feature correlates multiple GuardDuty findings and signals over time into a single attack-sequence finding, so a chain of individually low-severity events targeting your AWS accounts, workloads and data is surfaced as one high-priority case rather than scattered alerts.
- AWS announced the general availability of AWS Security Incident Response, a new service designed to help you prepare for, respond to, and recover from security events. This service provides automated monitoring and investigation of security findings. It also includes communication and collaboration tools to streamline response coordination, along with direct 24/7 access to the AWS Customer Incident Response Team (CIRT).
- AWS announced the preview of a new feature in AWS Verified Access that supports secure access to non-HTTP(S) resources over TCP, such as SSH and RDP. With this release, Verified Access lets you provide secure, VPN-free access to corporate applications and resources based on AWS zero trust principles, with each connection evaluated against identity and device posture policies.
- You can now send CloudFront access logs directly to two new destinations: Amazon CloudWatch Logs and Amazon Kinesis Data Firehose. Additionally, you can choose from an expanded range of log output formats, including JSON and Apache Parquet (for logs delivered to S3). You can also enable automatic partitioning of logs delivered to S3, select specific log fields, and define the order in which those fields appear in the logs.
- Amazon S3 now allows you to enforce conditional write operations for general-purpose buckets using bucket policies. You can require that PutObject requests carry an If-None-Match precondition, so a write fails if the key already exists, or an If-Match precondition with the expected ETag, so an update fails if the object changed since it was read. Enforcing this in the bucket policy (rather than trusting every client to set the header) simplifies distributed applications by preventing accidental data overwrites, particularly in high-concurrency, multi-writer environments.
- Amazon EC2 introduced Allowed AMIs, a new account-wide setting that restricts the discovery and use of Amazon Machine Images (AMIs) within your AWS accounts. You specify the AMI owner accounts or aliases that are allowed, and only AMIs from those owners are visible and available for launching EC2 instances. Previously, any AMI explicitly shared with your account, or any public AMI, could be launched regardless of its source or trustworthiness, which left the door open to look-alike or backdoored images. The setting has an audit mode, so you can see which existing launches would be blocked before turning enforcement on.
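The OIDC flow in the STS item above, as an added example that is not from the newsletter or from AWS: Node.js code (node:crypto only) in which a stand-in identity provider generates a P-256 key, publishes it as a JWKS entry, mints an ES256-signed ID token, and a relying party verifies it the way STS must before issuing credentials. The issuer, audience, subject, key id and timestamps are constructed placeholders.

```javascript
// Added example, not code from the newsletter or from AWS: an IdP mints an
// ES256-signed OIDC JWT and a relying party (the role STS plays) verifies it.
// Issuer, audience, subject, kid and timestamps below are constructed values.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed P-256 key pair standing in for the IdP's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
  namedCurve: 'P-256',
});

const KID = 'idp-ec-2024-12';            // key id advertised in the JWKS
const ISS = 'https://idp.example.com';   // constructed issuer
const AUD = 'example-app-client-id';     // must match the role trust policy
const NOW = 1733270400;                  // constructed: 2024-12-04T00:00:00Z

// JWKS entry the IdP publishes at <issuer>/.well-known/jwks.json; the
// verifier fetches this document and picks the key whose kid matches the header.
function buildJwks(pubKey, kid) {
  const jwk = pubKey.export({ format: 'jwk' }); // { kty: 'EC', crv: 'P-256', x, y }
  return { keys: [{ ...jwk, kid, use: 'sig', alg: 'ES256' }] };
}

function signJwt(claims, privKey, kid) {
  const header = { alg: 'ES256', typ: 'JWT', kid };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // JWS ES256 signatures are the raw 64-byte r||s concatenation (IEEE P1363),
  // not the ASN.1 DER encoding most ECDSA libraries emit by default.
  const sig = crypto.sign('sha256', Buffer.from(signingInput), {
    key: privKey,
    dsaEncoding: 'ieee-p1363',
  });
  return `${signingInput}.${b64url(sig)}`;
}

// Relying-party checks in the order a verifier should apply them: structure,
// algorithm pinning (never trust the token's own "alg" blindly), key lookup,
// signature, then issuer / audience / expiry.
function verifyJwt(token, jwks, expectedIss, expectedAud, now) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed token' };
  const [h, p, s] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8')); }
  catch { return { ok: false, reason: 'malformed header' }; }
  if (header.alg !== 'ES256') return { ok: false, reason: `unsupported alg ${header.alg}` };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'EC');
  if (!jwk) return { ok: false, reason: 'unknown kid' };
  const key = crypto.createPublicKey({
    key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y },
    format: 'jwk',
  });
  const valid = crypto.verify(
    'sha256',
    Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' },
    Buffer.from(s, 'base64url'),
  );
  if (!valid) return { ok: false, reason: 'bad signature' };
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.iss !== expectedIss) return { ok: false, reason: 'wrong issuer' };
  if (claims.aud !== expectedAud) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Failure-mode helper: replace the payload but keep the original signature,
// which is what a tampered token looks like on the wire.
function swapPayload(token, newClaims) {
  const [h, , s] = token.split('.');
  return `${h}.${b64url(JSON.stringify(newClaims))}.${s}`;
}

const jwks = buildJwks(publicKey, KID);
const claims = { iss: ISS, sub: 'user-1234', aud: AUD, iat: NOW, exp: NOW + 300 };
const token = signJwt(claims, privateKey, KID);

const good = verifyJwt(token, jwks, ISS, AUD, NOW);
const forged = verifyJwt(swapPayload(token, { ...claims, sub: 'admin' }), jwks, ISS, AUD, NOW);
const stale = verifyJwt(token, jwks, ISS, AUD, NOW + 600);
console.log(good.ok, good.claims && good.claims.sub, forged.reason, stale.reason);
```

Two details bite in practice: JWS wants the raw r||s signature encoding (dsaEncoding 'ieee-p1363'), not DER, and the verifier pins the algorithm itself instead of trusting the token's alg header, which is what defeats alg:none and key-confusion tricks. On the AWS side, the same aud value must appear in the role trust policy condition (<provider>:aud), otherwise AssumeRoleWithWebIdentity is refused even with a valid signature.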
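The S3 conditional-write enforcement described above, as an added bucket policy that is not from the newsletter or from AWS. It uses the s3:if-none-match and s3:if-match condition keys that S3 evaluates from the request's If-None-Match and If-Match headers; the bucket name and prefixes are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOnlyLocksRequireIfNoneMatch",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-multi-writer-bucket/locks/*",
      "Condition": {
        "Null": { "s3:if-none-match": "true" }
      }
    },
    {
      "Sid": "StateUpdatesRequireIfMatch",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-multi-writer-bucket/state/*",
      "Condition": {
        "Null": { "s3:if-match": "true" }
      }
    }
  ]
}
```

The Null condition denies any PutObject that omits the header, so a writer under locks/ must send If-None-Match: * (the write fails with a 412 if the key already exists, which is the lock semantics) and a writer under state/ must send If-Match with the ETag it read (the write fails if another writer got there first). Keep the two rules on separate prefixes: stacking both Null conditions on one prefix would demand both headers on every request, and a single PutObject cannot satisfy both.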
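The AMI-provider and VPC examples from the declarative policies item above, combined with the Allowed AMIs setting just described, as an added policy document that is not from the newsletter or from AWS. The attribute names are those of the EC2 section of the declarative policy schema; check them against the current AWS reference before attaching the policy. The account ID and the criteria label are placeholders.

```json
{
  "ec2_attributes": {
    "allowed_images_settings": {
      "state": { "@@assign": "enabled" },
      "image_criteria": {
        "criteria_1": {
          "allowed_image_providers": {
            "@@assign": ["amazon", "aws_marketplace", "123456789012"]
          }
        }
      }
    },
    "vpc_block_public_access": {
      "internet_gateway_block": {
        "mode": { "@@assign": "block_bidirectional" },
        "exclusions_allowed": { "@@assign": "enabled" }
      }
    }
  }
}
```

The first block limits every member account to AMIs owned by Amazon, the AWS Marketplace and one trusted golden-image account (the placeholder 123456789012); the second turns on VPC Block Public Access in both directions while still allowing per-VPC exclusions to be declared where an internet-facing workload genuinely needs them. Roll the AMI restriction out with the state set to audit_mode first and review what would have been blocked, then switch to enabled; attach the policy to an OU rather than the root so a pilot OU can be moved first.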