Welcome to Practical Cloud Security Newsletter for June 28, 2020
This is our first newsletter. Our goal here at Practical Cloud Security is to summarize what a security professional needs to know with regard to AWS Security. Our information should be timely, informative and actionable for security programs of all sizes.
This week we released updates on the following services:
- Amazon Honeycode
- AWS Client VPN
- AWS Organizations
- AWS Lambda
- Amazon Virtual Private Cloud (VPC)
- Amazon Macie
What has Amazon been up to this week?
There were 52 announcements since Friday, June 19, 2020 at 11:11 PM. These are the ones of interest.
Manage your AWS Identity and Access Management quotas with AWS Service Quotas
If they haven’t bitten you in the butt yet, service quotas will do so someday. Amazon is making it easier to manage them across multiple accounts.
AWS Backup and AWS Organizations bring cross-account data protection management and monitoring
AWS Backup now supports cross-account management, enabling AWS customers to manage and monitor backups across their AWS accounts with AWS Organizations.
This is a new feature in AWS Organizations that can enforce backup policies across all our accounts (or across accounts in an OU).
Announcing Amazon Honeycode
From AWS: Amazon Honeycode, which is available in beta, is a fully managed service that allows customers to quickly build powerful mobile and web applications – with no programming required. Customers who need applications to track and manage things like process approvals, event scheduling, customer relationship management, user surveys, to-do lists, and content and inventory tracking no longer need to do so by error-prone methods like emailing spreadsheets or documents, or hiring and waiting for developers to build costly custom applications.
Amazon’s goal was to make MS Access in the cloud. It’s got some interesting nuances around how the account and billing happen. Check out our writeup on it here and make your own risk decisions.
AWS Organizations is now available in AWS China (Beijing) region, operated by Sinnet and AWS China (Ningxia region) operated by NWCD
AWS Organizations is a great security tool, so if you’re stuck doing business in mainland China, this should be on your road map to implement.
AWS Certificate Manager Extends Automation of Certificate Issuance Via CloudFormation
AWS Certificate Manager (ACM) now supports CloudFormation templates for automating SSL/TLS certificate issuance for DNS-validated certificates with domains managed in Route 53, issuance of private certificates from an ACM Private Certificate Authority, and configuration of certificate transparency (CT) logging.
Configuring ACM has always been one of those annoying artisanal activities that I do before deploying a CloudFormation template. Now it looks like more of the process can be automated.
CloudTrail tip of the week
Today’s CloudTrail tip of the week will help you find VPC Traffic Mirroring in your environment. VPC Traffic Mirroring copies the packets destined for one ENI and delivers them to another ENI. Great if you want to sniff the traffic off of a load balancer after the TLS decrypt happens, which is exactly why you want to know when someone sets it up. The Splunk search below ORs the three API families together (Splunk ANDs separate field terms by default, so listing them side by side would match nothing):
index=cloudtrail eventSource="ec2.amazonaws.com" (eventName="CreateTrafficMirror*" OR eventName="DeleteTrafficMirror*" OR eventName="ModifyTrafficMirror*")
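As an added example (not from the newsletter), here is the same check written in Python over a constructed CloudTrail log, for shops without Splunk or that want to run it over raw S3 trail files. The record layout follows the CloudTrail JSON format; the account ID, ENI/target IDs, ARN and timestamps are made up.

```python
import json
import re

# Same prefixes the Splunk search matches: any create/delete/modify call in the
# VPC Traffic Mirroring API family (sessions, targets, filters, filter rules).
# Describe* calls are read-only and deliberately left out.
TRAFFIC_MIRROR_PATTERN = re.compile(r"^(Create|Delete|Modify)TrafficMirror")


def find_traffic_mirror_events(records):
    """Return the CloudTrail records that create, delete or modify
    Traffic Mirroring resources, reduced to the fields a responder needs."""
    hits = []
    for rec in records:
        # Traffic Mirroring is an EC2 API; ignore other services entirely.
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if not TRAFFIC_MIRROR_PATTERN.match(rec.get("eventName", "")):
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "account": rec.get("recipientAccountId"),
            "region": rec.get("awsRegion"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "params": rec.get("requestParameters"),
        })
    return hits


def scan_log_text(text):
    """Parse one CloudTrail log file ({"Records": [...]}) and scan it."""
    return find_traffic_mirror_events(json.loads(text)["Records"])


# Constructed sample log (not real CloudTrail output).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-06-27T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateTrafficMirrorSession", "awsRegion": "us-east-1",
     "recipientAccountId": "123456789012",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {"CreateTrafficMirrorSessionRequest": {
         "NetworkInterfaceId": "eni-0123456789abcdef0",
         "TrafficMirrorTargetId": "tmt-0123456789abcdef0"}}},
    {"eventTime": "2020-06-27T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeTrafficMirrorSessions", "awsRegion": "us-east-1",
     "recipientAccountId": "123456789012", "userIdentity": {}},
    {"eventTime": "2020-06-27T14:07:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyTrafficMirrorFilterRule", "awsRegion": "us-east-1",
     "recipientAccountId": "123456789012", "userIdentity": {}},
]})

if __name__ == "__main__":
    for hit in scan_log_text(SAMPLE_LOG):
        print(hit["time"], hit["event"], hit["principal"])
```

On a real trail, feed each gzipped object from the CloudTrail S3 prefix through scan_log_text and alert on anything it returns that was not a planned change.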
News and tools from around the cloud security community
- fwd:CloudSec kicks off tomorrow morning at 10am Eastern time. You can watch it live via the Twitch stream, or catch the videos when they’re posted on YouTube.
- AWS released CloudFormation Guard, a policy linter-like tool. Matt Fuller has already issued a massive PR to run policy checks for most resources.