Welcome to Practical Cloud Security Newsletter for July 5, 2020

This past week would have been AWS re:Inforce were it not for the pandemic. I’d expected a few more security-related announcements to drop, but without a keynote deadline I guess AWS is taking the time to get these services truly launch-ready (which seems to take about six months: this week we saw two re:Invent 2019 announcements finally go GA).

Site Updates

This week we released updates on the following services:

  • Amazon WorkSpaces
  • Amazon RDS Proxy

AWS Service Updates for the week of July 5, 2020

There were 50 announcements since Thursday, June 25 2020 at 09:23PM. These are the ones of interest.

  • Introducing EC2 Launch v2 to simplify customizing Windows instances
    EC2Launch v2 is a redesigned, unified launch agent for EC2 Windows instances, which simplifies the configuration of Windows instances to meet the needs of your workloads.
    EC2Launch.exe is included on all AWS-provided Windows images. It lets you set various Windows OS settings at launch and can be driven either from a GUI or from a YAML configuration file.

  • AWS Systems Manager adds support for patching newer versions of supported Linux platforms
    Patch Manager, a capability of AWS Systems Manager, now allows you to deploy patches automatically to instances running Red Hat Enterprise Linux 7.8, 8.0, 8.1, and 8.2; CentOS 7.8, 8.0, and 8.1; and Oracle Linux 7.5, 7.7 and 7.8. This support provides more patching options for your mixed Linux environments. 
    Patching sucks and it sucks more when the OS you want to patch isn’t supported.

  • NEW LAUNCH! Amazon RDS Proxy is Generally Available
    Amazon RDS Proxy, a fully managed, highly available database proxy for Amazon Relational Database Service (RDS), is now generally available with MySQL and PostgreSQL compatibility. RDS Proxy makes applications more scalable, more resilient to database failures, and more secure.
    Announced at AWS re:Invent 2019, this service simplifies letting Lambda talk to RDS by pooling database connections instead of having every invocation open its own. There are some dragons with this one, so check out our write-up of it.

  • NEW LAUNCH! Find your most expensive lines of code and improve code quality with Amazon CodeGuru - now generally available
    This was announced at re:Invent last year and is now generally available. There are two components, Reviewer and Profiler; Reviewer is the one of interest to security practitioners. As AWS states: “Amazon CodeGuru Reviewer helps improve code quality by scanning for critical issues, identifying bugs, and recommending how to remediate them.” Sadly this service is both limited to Java and very expensive ($0.75 per 100 lines of code).

  • Amazon Virtual Private Cloud (VPC) customers can now use their own Prefix Lists to simplify the configuration of security groups and route tables
    Amazon Virtual Private Cloud (VPC) now allows you to create your own Prefix Lists that can be easily audited and applied across all your accounts to have a consistent security posture and routing behavior. A Prefix List is a collection of CIDR blocks that can be used to configure VPC security groups and route tables and shared with other AWS accounts using Resource Access Manager (RAM).
    This announcement is very interesting. Prefix lists let you define named sets of CIDR ranges and reference them in security group rules and VPC route tables. A list can be defined centrally and shared to child accounts via Resource Access Manager, so a change to the list (say, a new office range) takes effect everywhere it is referenced instead of requiring an edit to every security group in every account.

  • Kernel Live Patching for Amazon Linux 2 is now generally available
    Kernel Live Patching enables customers to patch security vulnerabilities and bugs in the Linux kernel without reboots or disruptions to running applications. As a result, Amazon Linux 2 customers benefit from improved service availability and a better security posture. This feature is now generally available to all Amazon Linux 2 customers, free of charge.
    Another improvement to patching. Give your developers and operations folks fewer excuses for not doing it. One caveat: live patches are only published for a given kernel version for a limited window (around three months per AWS’s documentation), so this complements regular kernel updates and reboots rather than replacing them.

CloudTrail tip of the week

Discover Amazon WorkSpaces being created (or a directory being registered for WorkSpaces) in your environment. Note the two event names must be ORed; listing them side by side is an implicit AND and matches nothing:

index=cloudtrail eventSource="workspaces.amazonaws.com" \
	(eventName="CreateWorkspaces" OR eventName="RegisterWorkspaceDirectory")
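The same detection as runnable code, added here as an example (it is not part of the original newsletter or a Splunk artifact). It runs against a constructed CloudTrail log file embedded inline rather than real data, and it keeps denied attempts in the results, since a failed CreateWorkspaces from an unexpected principal is at least as interesting as a successful one:

```python
import json
from typing import Iterator, List

# Constructed sample CloudTrail log file (not real data). The {"Records": [...]}
# wrapper is the shape of one object delivered to the CloudTrail S3 bucket,
# trimmed to the fields the detection uses.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-07-01T14:02:11Z", "eventSource": "workspaces.amazonaws.com",
     "eventName": "RegisterWorkspaceDirectory", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"directoryId": "d-1234567890"}},
    {"eventTime": "2020-07-01T14:05:40Z", "eventSource": "workspaces.amazonaws.com",
     "eventName": "CreateWorkspaces", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"workspaces": [{"directoryId": "d-1234567890", "userName": "bob"}]}},
    {"eventTime": "2020-07-01T14:06:02Z", "eventSource": "workspaces.amazonaws.com",
     "eventName": "DescribeWorkspaces", "awsRegion": "us-east-1",   # read-only, not flagged
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2020-07-01T14:07:15Z", "eventSource": "workspaces.amazonaws.com",
     "eventName": "CreateWorkspaces", "awsRegion": "eu-west-1",     # denied attempt, still flagged
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/mallory"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2020-07-01T14:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",         # other service, not flagged
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

WORKSPACES_SOURCE = "workspaces.amazonaws.com"
WORKSPACES_CREATE_EVENTS = {"CreateWorkspaces", "RegisterWorkspaceDirectory"}


def iter_records(log_text: str) -> Iterator[dict]:
    """Yield the individual records of one CloudTrail log file."""
    yield from json.loads(log_text).get("Records", [])


def match_workspace_creation(record: dict) -> bool:
    """Same predicate as the Splunk search: source AND (create OR register)."""
    return (record.get("eventSource") == WORKSPACES_SOURCE
            and record.get("eventName") in WORKSPACES_CREATE_EVENTS)


def find_workspace_creation(log_text: str) -> List[dict]:
    """Return a flat summary of every matching record, denied attempts included."""
    hits = []
    for rec in iter_records(log_text):
        if not match_workspace_creation(rec):
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "region": rec.get("awsRegion"),
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn"),
            "error": rec.get("errorCode"),   # None on success, e.g. "AccessDenied" on failure
        })
    return hits


if __name__ == "__main__":
    for hit in find_workspace_creation(SAMPLE_LOG):
        status = hit["error"] or "ok"
        print(f'{hit["time"]} {hit["region"]} {hit["event"]:<26} {hit["actor"]} [{status}]')
```

Against the constructed log this flags three of the five records: the directory registration, the successful CreateWorkspaces by the assumed role, and the denied CreateWorkspaces from eu-west-1. The read-only DescribeWorkspaces and the EC2 event are ignored, which is exactly what the corrected Splunk search returns.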

News and tools from around the cloud security community

  • Leonidas was released at fwd:Cloudsec this week. It’s designed to replicate cloud TTPs so you can test your defenses.