Chris Camacho is the Co-Founder and COO of Abstract Security. Abstract Security collects and routes data from cloud sources (such as AWS CloudTrail, Azure Activity Logs and GCP Audit Logs), removes unwanted noise, performs optimization and threat enrichment, and normalizes data to the OCSF schema in real time before routing it to any SIEM or data lake of your choice. Join us as we discuss his path in information security, pivoting from an executive security career at global financial organizations to startups, all as part of a passion for helping to make the world more secure. And check out Abstract Security's new book, Applied Security Data Strategy, with sections written by leaders in the information security field. Download it for free at https://www.abstract.security/applied-security-data-strategy-ebook.
AWS Morning Brief for the week of February 10, with Corey Quinn. Links:
- Amazon EBS now supports additional resource-level permissions for creating EBS volumes from snapshots
- Amazon Managed Service for Prometheus collector adds support for cross-account ingestion
- Amazon Redshift Concurrency Scaling is now available in 1 additional region
- Amazon Q Developer now troubleshoots AWS Console errors in all AWS Commercial regions
- Amazon Q Developer introduces a new, simplified setup experience for Pro tier subscriptions
- AWS IAM Identity Center now offers improved error messages and AWS CloudTrail logging for provisioning issues
- AWS Step Functions now supports 100,000 state machines and activities per AWS account
- Cost Optimization Hub supports more EC2 Auto Scaling group recommendations
- Announcing the general availability of AWS Database Migration Service Serverless support for files with an S3 source endpoint
- AI-Powered Football Match Analysis: SAP Sports One on AWS
- Introducing AWS CloudFormation Stack Refactoring
- AWS Tightens the Reins: New AWS SaaS Marketplace Rules Will Impact Your Commitments
AWS Morning Brief for the week of December 23, with Corey Quinn. Links:
- Amazon AppStream 2.0 introduces client for macOS
- Amazon EC2 instances support bandwidth configurations for VPC and EBS
- Amazon Timestream for InfluxDB now supports Internet Protocol Version 6 (IPv6) connectivity
- Amazon WorkSpaces Thin Client now available to purchase in India
- AWS Backup launches support for search and item-level recovery
- AWS Mainframe Modernization now supports connectivity over Internet Protocol version 6 (IPv6)
- AWS Marketplace now supports self-service promotional media on seller product detail pages
- AWS re:Post now supports Spanish and Portuguese
- AWS Resource Explorer supports 59 new resource types
- AWS offers a self-service feature to update business names on AWS Invoices
- Announcing CloudFormation support for AWS Parallel Computing Service
- Announcing Node Health Monitoring and Auto-Repair for Amazon EKS - AWS
- And that's a wrap!
- Best practices for creating a VPC for Amazon RDS for Db2
- How the Amazon TimeHub team handled disruption in AWS DMS CDC task caused by Oracle RESETLOGS: Part 3
- How to detect and monitor Amazon Simple Storage Service (S3) access with AWS CloudTrail and Amazon CloudWatch
- Enforce resource configuration to control access to new features with AWS
- Maximizing your cloud journey: Engaging an AWS Solutions Architect
In the realm of Amazon Web Services (AWS), two essential services, AWS Config and AWS CloudTrail, play crucial roles in maintaining security, compliance, and operational visibility within cloud environments. While both services contribute to monitoring and auditing, they fulfill distinct objectives and provide unique functionalities. Let's delve into a detailed comparison of AWS Config and CloudTrail to understand their differences and advantages.
AWS Morning Brief for the week of Monday, June 10th, with Corey Quinn. Links:
- Introducing Amazon EC2 High Memory U7i Instances
- Amazon API Gateway integration timeout limit increase beyond 29 seconds
- Amazon CloudWatch GetMetricData API now supports AWS CloudTrail data event logging
- Amazon CloudWatch Logs announces Live Tail streaming CLI support
- Amazon CodeCatalyst now supports GitHub Cloud source code with blueprints
- Amazon EC2 instance type finder capability is generally available in AWS Console
- AWS Transfer Family increases message size and throughput limits for AS2
- Integrate AWS Cost Anomaly Detection Notifications with IT Service Management Workflow – Part1 Jira
- Introducing CloudFront Hosting Toolkit
Summary Monitoring and auditing IT systems for security events requires the ability to quickly analyze massive volumes of unstructured log data. The majority of products that are available either require too much effort to structure the logs, or aren't fast enough for interactive use cases. Cliff Crosland co-founded Scanner to provide fast querying of high scale log data for security auditing. In this episode he shares the story of how it got started, how it works, and how you can get started with it. Announcements Hello and welcome to the Data Engineering Podcast, the show about modern data management Data lakes are notoriously complex. For data engineers who battle to build and scale high quality data workflows on the data lake, Starburst powers petabyte-scale SQL analytics fast, at a fraction of the cost of traditional methods, so that you can meet all your data needs ranging from AI to data applications to complete analytics. Trusted by teams of all sizes, including Comcast and Doordash, Starburst is a data lake analytics platform that delivers the adaptability and flexibility a lakehouse ecosystem promises. And Starburst does all of this on an open architecture with first-class support for Apache Iceberg, Delta Lake and Hudi, so you always maintain ownership of your data. Want to see Starburst in action? Go to dataengineeringpodcast.com/starburst (https://www.dataengineeringpodcast.com/starburst) and get $500 in credits to try Starburst Galaxy today, the easiest and fastest way to get started using Trino. Your host is Tobias Macey and today I'm interviewing Cliff Crosland about Scanner, a security data lake platform for analyzing security logs and identifying issues quickly and cost-effectively Interview Introduction How did you get involved in the area of data management? Can you describe what Scanner is and the story behind it? What were the shortcomings of other tools that are available in the ecosystem? 
What is Scanner explicitly not trying to solve for in the security space? (e.g. SIEM) A query engine is useless without data to analyze. What are the data acquisition paths/sources that you are designed to work with?- e.g. cloudtrail logs, app logs, etc. What are some of the other sources of signal for security monitoring that would be valuable to incorporate or integrate with through Scanner? Log data is notoriously messy, with no strictly defined format. How do you handle introspection and querying across loosely structured records that might span multiple sources and inconsistent labelling strategies? Can you describe the architecture of the Scanner platform? What were the motivating constraints that led you to your current implementation? How have the design and goals of the product changed since you first started working on it? Given the security oriented customer base that you are targeting, how do you address trust/network boundaries for compliance with regulatory/organizational policies? What are the personas of the end-users for Scanner? How has that influenced the way that you think about the query formats, APIs, user experience etc. for the product? For teams who are working with Scanner can you describe how it fits into their workflow? What are the most interesting, innovative, or unexpected ways that you have seen Scanner used? What are the most interesting, unexpected, or challenging lessons that you have learned while working on Scanner? When is Scanner the wrong choice? What do you have planned for the future of Scanner? Contact Info LinkedIn (https://www.linkedin.com/in/cliftoncrosland/) Parting Question From your perspective, what is the biggest gap in the tooling or technology for data management today? Closing Announcements Thank you for listening! Don't forget to check out our other shows. Podcast.__init__ (https://www.pythonpodcast.com) covers the Python language, its community, and the innovative ways it is being used. 
The Machine Learning Podcast (https://www.themachinelearningpodcast.com) helps you go from idea to production with machine learning. Visit the site (https://www.dataengineeringpodcast.com) to subscribe to the show, sign up for the mailing list, and read the show notes. If you've learned something or tried out a project from the show then tell us about it! Email hosts@dataengineeringpodcast.com (mailto:hosts@dataengineeringpodcast.com) with your story. Links Scanner (https://scanner.dev/) cURL (https://curl.se/) Rust (https://www.rust-lang.org/) Splunk (https://www.splunk.com/) S3 (https://aws.amazon.com/s3/) AWS Athena (https://aws.amazon.com/athena/) Loki (https://grafana.com/oss/loki/) Snowflake (https://www.snowflake.com/en/) Podcast Episode (https://www.dataengineeringpodcast.com/snowflakedb-cloud-data-warehouse-episode-110/) Presto (https://prestodb.io/) Trino (https://trino.io/) AWS CloudTrail (https://aws.amazon.com/cloudtrail/) GitHub Audit Logs (https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization) Okta (https://www.okta.com/) Cribl (https://cribl.io/) Vector.dev (https://vector.dev/) Tines (https://www.tines.com/) Torq (https://torq.io/) Jira (https://www.atlassian.com/software/jira) Linear (https://linear.app/) ECS Fargate (https://aws.amazon.com/fargate/) SQS (https://aws.amazon.com/sqs/) Monoid (https://en.wikipedia.org/wiki/Monoid) Group Theory (https://en.wikipedia.org/wiki/Group_theory) Avro (https://avro.apache.org/) Parquet (https://parquet.apache.org/) OCSF (https://github.com/ocsf/) VPC Flow Logs (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) The intro and outro music is from The Hug (http://freemusicarchive.org/music/The_Freak_Fandango_Orchestra/Love_death_and_a_drunken_monkey/04_-_The_Hug) by The Freak Fandango Orchestra (http://freemusicarchive.org/music/The_Freak_Fandango_Orchestra/) / CC BY-SA (http://creativecommons.org/licenses/by-sa/3.0/)
In this podcast, we will dive deep into Domain 1, which focuses on incident response and the overall security of AWS services and infrastructure. We will explore topics such as AWS CloudTrail, Amazon Inspector, AWS Config, and more. By the end of this Podcast, you will have a solid foundation in Domain 1 concepts and be well-prepared for any AWS Certified Security Specialty interview. #AWS #SecuritySpecialty #Domain1 #InterviewQA #CloudSecurity #AWSInterview #AWSExams #ITIndustry
AWS Morning Brief for the week of September 11, 2023, with Corey Quinn. Links:
- Amazon Aurora and Amazon RDS announces Extended Support for MySQL and PostgreSQL databases
- Amazon CloudWatch adds Amazon EKS control plane logs as Vended Logs
- Amazon CloudWatch Logs announces regular expression filter pattern syntax support
- As SwiftOnSecurity pointed out a week or two ago, a lot of folks can now discover firsthand just how many of their rules allow all 10* traffic
- Introducing Amazon EC2 R7iz instances
- AWS Marketplace now supports AWS CloudTrail to improve procurement activity monitoring
- AWS Step Functions launches enhanced error handling
- AWS Trusted Advisor adds 1 new fault tolerance check
- Announcing daily disbursements for AWS Marketplace sellers
- Embracing FinOps to Maximize Cloud Value and Control Costs with the Deloitte FinOps Framework
- Transforming Aviation Maintenance with the Infosys Generative AI Solution Built on Amazon Bedrock
- How Vercel Shipped Cron Jobs in 2 Months Using Amazon EventBridge Scheduler
- How contact center leaders can prepare for generative AI
- A Culture of Resilience
- How generative AI is energizing the beauty industry
- Migrating AWS Direct Connect to a new location
- Reduce the security and compliance risks of messaging apps with AWS Wickr
- AWS Guild Tournament builds cloud skills and innovative customer solutions
- From chocolate sales to a career in cloud with training from AWS re/Start
- Amazon to Discontinue Honeycode App-Building Service
In cybersecurity, the teaching of Cloud security is often weak. So, here are my Top 100 things about encryption in the Cloud. I've focused on AWS, but Azure is likely to also be applicable.

Keys are created in AWS KMS (Key Management Service). In Azure, this is named Key Vault. The cost of using a key in KMS is around $1/month (prorated hourly). When a key is disabled, it is not charged. With AWS KMS, we use a shared customer HSM (Hardware Security Module), and with AWS CloudHSM it is dedicated to one customer.

For data at rest, with file storage, we can integrate encryption with Amazon EBS (Elastic Block Storage) and Amazon S3. Amazon EBS drives are encrypted with AES-256 in XTS mode. For AWS-managed keys, a unique key is used for every object within S3 buckets. Amazon S3 uses server-side encryption to store encrypted data. The customer can use client-side encryption to encrypt data before it is stored in the AWS infrastructure. AWS uses 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) for its symmetric key encryption. In AWS S3, by default, all objects are encrypted. For data at rest, for databases, we can integrate encryption with Amazon RDS (AWS's relational database service) and Amazon Redshift (AWS's data warehousing). For data at rest, we can also integrate encryption into ElastiCache (AWS's content caching service), AWS Lambda (AWS's serverless computing service), and Amazon SageMaker (AWS's machine learning service).

Keys are tokenized and have an ARN (Amazon Resource Name) and an alias. An example ARN for a key is arn:aws:kms:us-east-1:103269750866:key/de30e8e6-c753-4a2c-881a-53c761242644, and an example alias is "Bill's Key". Both of these should be unique in the user's account. To identify a KMS key, we can use its key ID, its key ARN, its alias name, or its alias ARN. You can link keys to other AWS accounts.
For this, we specify the principal in the form "arn:aws:iam::[AWS ID]:root", where AWS ID is the ID of the other AWS account. To enhance security, we can use AWS CloudHSM (Hardware Security Module). For simpler and less costly solutions, we typically use AWS KMS (Key Management Service). For CloudHSM, we pay per hour, but for KMS, we just pay for the usage of the keys. The application of the keys is restricted to defined services.

Key identifiers and policies are defined as JSON key-value pairs. Each key has a unique GUID, such as "de30e8e6-c753-4a2c-881a-53c761242644". Users and roles are identified with an ARN, such as "arn:aws:iam::222222:root". For the usage of keys, we have Key Administrative Permissions and Key Usage policies. Access is denied by default unless a specific allow is defined in a policy. For key permissions, we have the fields "Sid" (the descriptive name of the statement), "Effect" (typically "Allow"), "Principal" (the ARN of the user/group), "Action" (such as Create, Disable and Delete) and "Resource". A wildcard ("*") allows or disallows all. To give the account's "root" user access to everything with a key, the statement would be:

{"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::22222222:root"}, "Action": "kms:*", "Resource": "*"}

The main operations within KMS are to encrypt/decrypt data, sign/verify signatures, export data keys, and generate/verify MACs (Message Authentication Codes). Keys are either AWS managed (such as for the Lambda service) or customer managed (created and managed by the customer); custom key stores are where the customer has complete control over the keys. The main uses of keys are for EC2 (Compute), EBS (Elastic Block Storage) and S3 (Storage). AES symmetric keys or an RSA key pair are used to encrypt and decrypt. RSA uses 2K, 3K or 4K keys, with either "RSA PKCS1 v1.5" or "RSA PSS" padding.
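The policy fields and the split between key-administration and key-usage permissions described above can be put into a small script that builds the policy document and checks it for the two things a reviewer looks for: a non-root principal holding kms:*, and one principal that can both administer (schedule deletion of) and use (decrypt with) the same key. This is an added example written for this page, not the article's own code; the account id 111122223333 and the role names KeyAdministrators and KeyWorkers are constructed placeholders.

```python
"""Build a KMS key policy with separate administrator and user statements,
then check it for least-privilege violations. Added example; account id and
role names are constructed placeholders, not values from the article."""
import json

# Administrative actions only: no Encrypt/Decrypt/GenerateDataKey here.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
# Usage actions only: no key administration here.
USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def build_key_policy(account_id, admin_role, user_role):
    """Return a key policy with the Sid/Effect/Principal/Action/Resource
    fields from the text: one root statement, one admin, one user."""
    def role_arn(name):
        return f"arn:aws:iam::{account_id}:role/{name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # account root keeps the ability to manage access via IAM
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow administration of the key",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn(admin_role)},
                "Action": ADMIN_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn(user_role)},
                "Action": USER_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def _matches(pattern, action):
    """Match an action against a policy pattern with a trailing '*'."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def find_policy_issues(policy):
    """Return human-readable findings for Allow statements that grant an
    anonymous principal, grant kms:* to a non-root principal, or let one
    non-root principal both administer and use the key."""
    issues = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else principal.get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        sid = stmt.get("Sid", "<no Sid>")
        for p in principals:
            if p == "*":
                issues.append(f"{sid}: anonymous principal '*'")
            if p.endswith(":root"):
                continue
            if any(a == "kms:*" for a in actions):
                issues.append(f"{sid}: {p} is granted kms:*")
            can_admin = any(_matches(a, "kms:ScheduleKeyDeletion") for a in actions)
            can_use = any(_matches(a, "kms:Decrypt") for a in actions)
            if can_admin and can_use:
                issues.append(f"{sid}: {p} can both administer and use the key")
    return issues


if __name__ == "__main__":
    policy = build_key_policy("111122223333", "KeyAdministrators", "KeyWorkers")
    print(json.dumps(policy, indent=2))
    print("issues:", find_policy_issues(policy))
```

The checker deliberately treats a trailing-wildcard action such as kms:* as matching every action, so a single over-broad statement is reported both as a wildcard grant and as an administer-plus-use grant.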
RSA PKCS1 v1.5 padding is susceptible to Bleichenbacher's attack, so it should only be used for legacy applications; for all others, we should use RSA PSS. For RSA, we can use a hashing method of SHA-256, SHA-384 or SHA-512. In RSA, we encrypt with the public key and decrypt with the private key. For signatures, we can use either RSA or ECC signing. For RSA, we have 2K, 3K, or 4K keys, whereas ECC signing uses NIST P256, NIST P384, NIST P521, and SECG P256k1 (as used in Bitcoin and Ethereum). For MACs (Message Authentication Codes), Bob and Alice have the same shared secret key and can authenticate the hashed version of a message. In KMS, we can have HMAC-224, HMAC-256, HMAC-384 and HMAC-512.

KMS uses hardware security modules (HSMs) validated to FIPS 140-2, which cannot be accessed by AWS employees (or any other customer). Keys never appear on an AWS disk or backup and only exist in the memory of the HSM; they are only loaded when used. Encryption keys are restricted to one region of the world unless the user defines otherwise. With symmetric keys, the key never appears outside the HSM, and for asymmetric keys (public key encryption), the private key stays inside the HSM and only the public key is exported. AWS CloudWatch shows how and when the encryption keys are being used. The minimum waiting period that can be set for a key to be deleted is seven days (and up to 30 days maximum). An organisation can also create its own HSM with a CloudHSM cluster; when a key is then created in KMS, it is stored in the cluster.

The usage of encryption keys should be limited to a minimal set of service requirements. If possible, separate key managers and key users. With a key management (KEY_ADMINISTRATOR) role, we typically have the rights to create, revoke, put, get, list and disable keys. The key management role will typically not be able to encrypt and decrypt.
For a key user (KEY_WORKER) role, we cannot create or delete keys and typically focus on tasks such as encrypting and decrypting. Have a rule of minimum access rights, and simplify user access by defining key administration and key usage roles; users are then added to these roles. Avoid manual updates to keys and use key rotation. The system keeps track of keys that are rotated and can use previously defined ones. The default time to rotate keys is once every year. Key rotation shows up in the CloudWatch and CloudTrail logs.

KMS complies with PCI DSS Level 1, FIPS 140-2, FedRAMP, and HIPAA. AWS KMS is matched to FIPS 140-2 Level 2. AWS CloudHSM uses FIPS 140-2 Level 3 validated HSMs. AWS CloudHSM costs around $1.45 per hour to run, and the costs end when it is disabled or deleted. The CloudHSM is backed up every 24 hours, and we can cluster the HSMs into a single logical HSM. CloudHSM can be replicated across AWS regions. AWS KMS is limited to the popular encryption methods, whereas CloudHSM can implement a wider range of methods. CloudHSM can support methods such as 3DES with AWS Payment Cryptography. This complies with payment card industry (PCI) standards, such as PCI PIN, PCI P2PE, and PCI DSS. In CloudHSM for payments, we can generate CVV, CVV2 and ARQC values, where sensitive details never exist outside the HSM in an unprotected form.

With CloudHSM, we have a command line interface where we can issue commands, named the CloudHSM CLI. Within the CloudHSM CLI, we can use the genSymKey command to generate a symmetric key within the HSM, where -t is the key type (31 is AES), -s is the key size (32 bytes) and -l is the label:

genSymKey -t 31 -s 32 -l aes256

With genSymKey the key types are: 16 (Generic Secret), 18 (RC4), 21 (Triple DES), and 31 (AES).
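The text notes that CloudWatch shows how and when keys are used, and that rotation shows up in CloudTrail. The following added example (not code from the article) reads CloudTrail records in their JSON log-file shape, summarises KMS calls per key so that unexpected callers stand out, and raises an alert for the events that change a key's state (ScheduleKeyDeletion, DisableKey, PutKeyPolicy, DeleteImportedKeyMaterial). The records in SAMPLE_TRAIL are constructed for the demonstration; the account id and the PLACEHOLDER-KEY-* ids are placeholders, and the event names are the standard KMS API names recorded by CloudTrail.

```python
"""Summarise KMS usage and flag risky key-management events in CloudTrail
records. Added example, not from the article; SAMPLE_TRAIL is constructed and
uses placeholder account/key ids."""
import json
from collections import Counter, defaultdict

# Events that change a key's state and merit an alert, with the reason.
HIGH_RISK_EVENTS = {
    "ScheduleKeyDeletion": "ciphertext under this key becomes undecryptable once the waiting period ends",
    "DisableKey": "encrypt/decrypt with this key fails until it is re-enabled",
    "PutKeyPolicy": "key permissions were changed",
    "DeleteImportedKeyMaterial": "imported (BYOK) key material was removed",
}

# Constructed CloudTrail log body: two usage calls, one automatic rotation,
# one deletion request, and one non-KMS record that must be ignored.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/KeyWorkers/app"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-1"}]},
    {"eventTime": "2024-03-01T09:00:05Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/KeyWorkers/app"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-1"}]},
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "RotateKey",
     "userIdentity": {"invokedBy": "AWS Internal"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-1"}]},
    {"eventTime": "2024-03-01T11:30:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bill"},
     "requestParameters": {"pendingWindowInDays": 7},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-2"}]},
    {"eventTime": "2024-03-01T11:31:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bill"}},
]})


def kms_records(trail_json):
    """Yield only the KMS records from a CloudTrail log-file body."""
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") == "kms.amazonaws.com":
            yield rec


def key_arns(rec):
    """Key ARNs referenced by a record (the resources list may be absent)."""
    return [r["ARN"] for r in rec.get("resources", []) if ":key/" in r.get("ARN", "")]


def actor(rec):
    """Who made the call: an IAM/STS ARN, or the AWS service that invoked it."""
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or "unknown"


def summarize_key_usage(trail_json):
    """Return {key_arn: Counter({eventName: count})}."""
    usage = defaultdict(Counter)
    for rec in kms_records(trail_json):
        for arn in key_arns(rec):
            usage[arn][rec["eventName"]] += 1
    return usage


def find_alerts(trail_json):
    """Return one alert per high-risk key-management event."""
    alerts = []
    for rec in kms_records(trail_json):
        name = rec["eventName"]
        if name not in HIGH_RISK_EVENTS:
            continue
        for arn in key_arns(rec):
            alerts.append({"time": rec["eventTime"], "event": name, "key": arn,
                           "actor": actor(rec), "why": HIGH_RISK_EVENTS[name],
                           "params": rec.get("requestParameters", {})})
    return alerts


if __name__ == "__main__":
    for key, counts in summarize_key_usage(SAMPLE_TRAIL).items():
        print(key, dict(counts))
    for alert in find_alerts(SAMPLE_TRAIL):
        print("ALERT", alert)
```

The pendingWindowInDays value is carried into the alert because, as the text says, the waiting period is the only window in which a scheduled deletion can still be cancelled.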
Within the CloudHSM CLI, we can use the genRSAKeyPair command to generate an RSA key pair, where -m is the modulus length and -e is the public exponent:

genRSAKeyPair -m 2048 -e 65537 -l mykey

AWS CloudHSM is integrated with AWS CloudTrail, where we can track a user, role, or AWS service within AWS CloudHSM. With AWS Payment Cryptography, 2KEY TDES is Two-key Triple DES and has a 112-bit equivalent key size. The PIN Encryption Key (PEK) is used to encrypt PIN values and uses a 2KEY TDES key. This can store PINs in a secure way, and then decrypt them when required. S3 buckets can be encrypted either with Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) keys. There is no cost to use SSE-S3 keys.

For symmetric key encryption, AWS uses envelope encryption, where a random key is used to encrypt the data, and then that key is encrypted with the user's key. AWS should not be able to access the key used for the encryption. The default when creating an encryption key is for it to be used only in a single region, but this can be changed to multi-region, where the key is replicated across more than one region. In AWS, a region is a geographical area, which is split into isolated locations. US-East-1 (N. Virginia) and US-East-2 (Ohio) are different regions, while us-east-1a, us-east-1b and us-east-1c are in the same region. A single-region key in the US-East-1 region would replicate across us-east-1a, us-east-1b and us-east-1c, and not to us-east-2a, us-east-2b and us-east-2c.

When creating a key, you can either create it in KMS, import a key (BYOK, bring your own key), create it in AWS CloudHSM, or create it in an external key store (HYOK, hold your own key). For keys stored on-premise we can use an external key store (XKS); this can be defined as Hold Your Own Keys (HYOK), where no entity in AWS will be able to read any of the encrypted data. You can BYOK (bring your own key) with KMS, and import keys.
KMS will keep a copy of this key. With XKS, we need a proxy URI endpoint, with the proxy credentials of an access key ID and a secret access key. To export keys from AWS CloudHSM, we can encrypt them with an AES key. This is known as key wrapping, as defined in RFC 5648 (for padding with zeros) or RFC 3394 (without padding). A strong password should always be used for key wrapping.

AWS encryption operations can either be conducted from the command line or through an API, such as with Python, Node.js or Golang. With KMS, the maximum data size that can be encrypted is 4,096 bytes for a symmetric key, 190 bytes for RSA 2048 OAEP SHA-256, 318 bytes for RSA 3072 OAEP SHA-256, and 446 bytes for RSA 4096 OAEP SHA-256. An example command to encrypt the file 1.txt with symmetric key encryption is:

aws kms encrypt --key-id alias/MySymKey --plaintext fileb://1.txt --query CiphertextBlob --output text > 1.out

To decrypt a file with symmetric key encryption, an example with 1.enc is:

aws kms decrypt --key-id alias/BillsNewKey --output text --query Plaintext --ciphertext-blob fileb://1.enc > 2.out

In Python, to integrate with KMS, we use the Boto3 library. The standard output of encrypted content is in byte format. If we need a text version of the ciphertext, we typically use Base64. The base64 command converts between the Base64 text and the raw bytes; for example, to turn the Base64 text in 1.out back into binary ciphertext:

base64 -i 1.out --decode > 1.enc

The xxd command allows the ciphertext to be dumped to a hex output, which can then be edited.
We can then convert it back to a binary output with:

An example piece of Python code for encrypting a plaintext message with the symmetric key is (the Boto3 call returns a dict, and the ciphertext bytes are in its CiphertextBlob field):

ciphertext = kms_client.encrypt(KeyId=alias, Plaintext=bytes(secret, encoding='utf8'))['CiphertextBlob']

An example piece of Python code to decrypt some ciphertext (in Base64 format) is:

plain_text = kms_client.decrypt(KeyId=alias, CiphertextBlob=base64.b64decode(ciphertext))['Plaintext']

To generate an HMAC for a message in the command line, we have the form of:

aws kms generate-mac --key-id alias/MyHMACKey --message fileb://1.txt --mac-algorithm HMAC_SHA_256 --query Mac > 4.out

To verify an HMAC for a message in the command line, we have the form of:

aws kms verify-mac --key-id alias/MyHMACKey --message fileb://1.txt --mac-algorithm HMAC_SHA_256 --mac fileb://4.mac

To create an ECDSA signature in the command line, we have the form of:

aws kms sign --key-id alias/MyPublicKeyForSigning --message fileb://1.txt --signing-algorithm ECDSA_SHA_256 --query Signature > 1.out

To verify an ECDSA signature in the command line, we have the form of:

aws kms verify --key-id alias/MyPublicKeyForSigning --message fileb://1.txt --signature fileb://1.sig --signing-algorithm ECDSA_SHA_256

To encrypt data using RSA in the command line, we have the form of:

aws kms encrypt --key-id alias/PublicKeyForDemo --plaintext fileb://1.txt --query CiphertextBlob --output text --encryption-algorithm RSAES_OAEP_SHA_1 > 1.out

To decrypt data using RSA in the command line, we have the form of:

aws kms decrypt --key-id alias/PublicKeyForDemo --output text --query Plaintext --ciphertext-blob fileb://1.enc --encryption-algorithm RSAES_OAEP_SHA_1 > 2.out

To sign data using RSA in the command line, we have the form of:

aws kms sign --key-id alias/MyRSAKey --message fileb://1.txt --signing-algorithm RSASSA_PSS_SHA_256 --query Signature --output text > 1.out

To verify an RSA signature in the command line, we have the form of:

aws kms verify --key-id alias/MyRSAKey --message fileb://1.txt --signature fileb://1.sig --signing-algorithm RSASSA_PSS_SHA_256

You cannot encrypt data with Elliptic Curve keys; only RSA and AES keys can do that. Elliptic Curve keys are used to sign data. If you delete an encryption key, you will not be able to decrypt any ciphertext that uses it. We can store our secrets, such as application passwords, in Secrets Manager. For a secret name of "my-secret-passphrase" and a secret string of "Qwerty123" we can have:

aws secretsmanager create-secret --name my-secret-passphrase --secret-string Qwerty123

In China regions, along with RSA and ECDSA, you can use SM2 KMS signing keys. In China regions, we can use SM2PKE to encrypt data with asymmetric key encryption. Find out more here: https://asecuritysite.com/aws
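The generate-mac and verify-mac commands above compute and check an HMAC over the message with a key that never leaves the HSM. The following added example (not code from the article) models those two operations locally with the Python standard library, so that the shape of the output (Base64, as the CLI prints the Mac field) and the verification rule (recompute and compare in constant time) can be seen without an AWS account. The key is a constructed in-memory value used only for the demonstration; with KMS the same comparison happens inside the HSM.

```python
"""Local model of KMS generate-mac / verify-mac using HMAC from the standard
library. Added example, not from the article; the key in demo() is a
constructed in-memory value, whereas a KMS HMAC key never leaves the HSM."""
import base64
import hashlib
import hmac

# CLI --mac-algorithm names mapped to the digest they use.
MAC_ALGORITHMS = {
    "HMAC_SHA_224": hashlib.sha224,
    "HMAC_SHA_256": hashlib.sha256,
    "HMAC_SHA_384": hashlib.sha384,
    "HMAC_SHA_512": hashlib.sha512,
}


def generate_mac(key, message, mac_algorithm="HMAC_SHA_256"):
    """Return the MAC Base64-encoded, as the CLI prints the Mac field."""
    digest = MAC_ALGORITHMS[mac_algorithm]
    return base64.b64encode(hmac.new(key, message, digest).digest()).decode()


def mac_hex(key, message, mac_algorithm="HMAC_SHA_256"):
    """Hex form of the same MAC, convenient for comparing against test vectors."""
    return hmac.new(key, message, MAC_ALGORITHMS[mac_algorithm]).hexdigest()


def verify_mac(key, message, mac_b64, mac_algorithm="HMAC_SHA_256"):
    """Recompute the MAC and compare in constant time. A wrong key, altered
    message, altered or truncated MAC, undecodable MAC, or a different
    algorithm all return False rather than raising."""
    try:
        supplied = base64.b64decode(mac_b64.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(key, message, MAC_ALGORITHMS[mac_algorithm]).digest()
    return hmac.compare_digest(expected, supplied)


def demo():
    """Generate a MAC for a message and show which changes make it fail."""
    key = b"constructed-demo-key-not-a-real-kms-key"   # constructed value
    msg = b"transfer 100 to account 42"
    mac = generate_mac(key, msg)
    return {
        "valid": verify_mac(key, msg, mac),
        "tampered_message": verify_mac(key, b"transfer 900 to account 42", mac),
        "wrong_key": verify_mac(b"other-key", msg, mac),
        "truncated_mac": verify_mac(key, msg, mac[:-4]),
        "garbage_mac": verify_mac(key, msg, "not base64!"),
        "wrong_algorithm": verify_mac(key, msg, mac, "HMAC_SHA_512"),
    }


if __name__ == "__main__":
    for outcome, ok in demo().items():
        print(f"{outcome}: {'accepted' if ok else 'rejected'}")
```

hmac.compare_digest is what keeps the verification constant-time; a plain == on the two byte strings would leak how many leading bytes matched.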
Ever wondered how to gain deep insights into the myriad of activities within your AWS organization accounts? In this episode of AWS Bites, we dive into the world of AWS CloudTrail and Athena, showing you how to seamlessly query and analyze CloudTrail logs for valuable information, troubleshooting, security, and compliance.
On this episode of The Cloud Pod, the team sits to talk about AWS's new patching policies, the general availability of Azure OpenAI, and the role of addressing IM or access management challenges in ensuring the seamless transition to the Cloud. A big thanks to this week's sponsor, Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. This week's highlights
We've got a cloud focused episode this week, starting with a logging bypass in AWS CloudTrail, an SSH key injection, and cross-tenant data access in Azure Cognitive Search. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/181.html
[00:00:00] Introduction
[00:00:25] Undocumented API allows CloudTrail bypass
[00:06:00] Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)
[00:14:53] SSH key injection in Google Cloud Compute Engine [Google VRP]
[00:19:08] Chat Question: Why is Cross-Site Scripting called That
[00:22:36] Cross-tenant network bypass in Azure Cognitive Search
The DAY[0] Podcast episodes are streamed live on Twitch twice a week:
-- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities
-- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits.
We are also available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec
You can also join our discord: https://discord.gg/daTxTK9
Links:
- Ben Kehoe has left iRobot. And where's he going next? Presumably to re:Invent! I am too, with my re:Quinnvent nonsense
- Amazon Athena announces Query Result Reuse to accelerate queries
- Amazon EC2 enables you to opt out of directly shared Amazon Machine Images
- Amazon EC2 placement groups can now be shared across multiple AWS accounts
- Amazon EC2 now supports specifying list of instance types to use in attribute-based instance type selection for Auto Scaling groups, EC2 Fleet, and Spot Fleet
- Amazon Lightsail announces support for domain registration and DNS autoconfiguration
- Amazon RDS now supports new General Purpose gp3 storage volumes
- Announcing recurring custom line items for AWS Billing Conductor
- AWS Lambda announces Telemetry API, further enriching monitoring and observability capabilities of Lambda Extensions
- AWS Cost Explorer's New Look and Common Use Cases
- A New AWS Region Opens in Switzerland - eu-central-2 is now available.
- Introducing AWS Resource Explorer – Quickly Find Resources in Your AWS Account
- Overview of building resilient applications with Amazon DynamoDB global tables
- Publish Amazon DevOps Guru Insights to Slack Channel
- Uncompressed Media over IP on AWS: Read the whitepaper
- Enable cross-account queries on AWS CloudTrail lake using delegated administration from AWS Organizations
- NASA and ASDI announce no-cost access to important climate dataset on the AWS Cloud
Cloud Posse holds public "Office Hours" every Wednesday at 11:30am PST to answer questions on all things related to DevOps, Terraform, Kubernetes, CICD. Basically, it's like an interactive "Lunch & Learn" session where we get together for about an hour and talk shop. These are totally free and just an opportunity to ask us (or our community of experts) any questions you may have. You can register here: https://cloudposse.com/office-hours
Join the conversation: https://slack.cloudposse.com/
Find out how we can help your company: https://cloudposse.com/quiz https://cloudposse.com/accelerate/
Learn more about Cloud Posse: https://cloudposse.com https://github.com/cloudposse https://sweetops.com/ https://newsletter.cloudposse.com https://podcast.cloudposse.com/
[00:00:00] Intro
[00:01:23] AWS CloudTrail supports Delegated Administrator account in Organizations https://aws.amazon.com/about-aws/whats-new/2022/11/aws-cloudtrail-delegated-account-support-aws-organizations/
[00:02:41] AWS Resource Explorer https://aws.amazon.com/about-aws/whats-new/2022/11/announcing-aws-resource-explorer/
[00:04:38] AWS app runner https://aws.amazon.com/about-aws/whats-new/2022/11/aws-app-runner-supports-privately-accessible-services-amazon-vpc/
[00:05:56] GitHub Discussions Now Support RSS Feeds https://github.com/orgs/community/discussions/31#discussioncomment-4048867
[00:09:01] The most active repositories over the past four years https://ossinsight.io/2022/#the-most-active-repositories
[00:11:05] Careers at Cloud Posse https://cloudposse.com/careers/
[00:13:07] Does anyone here backup their git repos? If so what service do you use?
[00:22:48] Anyone knows ways to test GitHub actions locally?
[00:32:14] We've been trying out Spacelift and it obviously rocks. It seems to think in pure Terraform so I would love to know/see how you dovetail it with Atmos?
[00:58:35] Outro
#officehours, #cloudposse, #sweetops, #devops, #sre, #terraform, #kubernetes, #aws
Pull your podcast player out of instant retrieval, because we're discussing re:Invent 2021 as well as the weeks before it. Lots of announcements; big, small, weird, awesome, and anything in between. We had fun with this episode and hope you do too. Find us at melb.awsug.org.au or as @AWSMelb on Twitter.

News

Finally in Sydney
- AWS Snowcone SSD is now available in the US East (Ohio), US West (San Francisco), Asia Pacific (Singapore), Asia Pacific (Sydney) and AWS Asia Pacific (Tokyo) regions
- Amazon EC2 M6i instances are now available in 5 additional regions

Serverless
- Introducing Amazon EMR Serverless in preview
- Announcing Amazon Kinesis Data Streams On-Demand
- Announcing Amazon Redshift Serverless (Preview)
- Introducing Amazon MSK Serverless in public preview
- Introducing Amazon SageMaker Serverless Inference (preview)
- Simplify CI/CD Configuration for AWS Serverless Applications and your favorite CI/CD system – General Availability
- Amazon AppStream 2.0 launches Elastic fleets, a serverless fleet type
- AWS Chatbot now supports management of AWS resources in Slack (Preview)

Lambda
- AWS Lambda now supports partial batch response for SQS as an event source
- AWS Lambda now supports cross-account container image pulling from Amazon Elastic Container Registry
- AWS Lambda now supports mTLS Authentication for Amazon MSK as an event source
- AWS Lambda now logs Hyperplane Elastic Network Interface (ENI) ID in AWS CloudTrail data events

Step Functions
- AWS Step Functions Synchronous Express Workflows now supports AWS PrivateLink

Amplify
- Introducing AWS Amplify Studio
- AWS Amplify announces the ability to override Amplify-generated resources using CDK
- AWS Amplify announces the ability to add custom AWS resources to Amplify-created backends using CDK and CloudFormation
- AWS Amplify UI launches new Authenticator component for React, Angular, and Vue
- AWS Amplify announces the ability to export Amplify backends as CDK stacks to integrate into CDK-based pipelines
- AWS Amplify expands its Notifications category to include in-app messaging (Developer Preview)
- AWS Amplify announces a redesigned, more extensible GraphQL Transformer for creating app backends quickly

Containers

Fargate
- Announcing AWS Fargate for Amazon ECS Powered by AWS Graviton2 Processors

ECS
- Amazon ECS now adds container instance health information
- Amazon ECS has improved Capacity Providers to deliver faster Cluster Auto Scaling
- Amazon ECS-optimized AMI is now available as an open-source project
- Amazon ECS announces a new integration with AWS Distro for OpenTelemetry

EKS
- Amazon EKS on AWS Fargate now Supports the Fluent Bit Kubernetes Filter
- Amazon EKS adds support for additional cluster configuration options using AWS CloudFormation
- Visualize all your Kubernetes clusters in one place with Amazon EKS Connector, now generally available
- AWS Karpenter v0.5 Now Generally Available
- AWS customers can now find, subscribe to, and deploy third-party applications that run in any Kubernetes environment from AWS Marketplace

Other
- Amazon ECR announces pull through cache repositories
- AWS App Mesh now supports ARM64-based Envoy Images

EC2 & VPC

Instances
- New – EC2 Instances (G5) with NVIDIA A10G Tensor Core GPUs | AWS News Blog
- Announcing new Amazon EC2 G5g instances powered by AWS Graviton2 processors
- Introducing Amazon EC2 R6i instances
- Introducing two new Amazon EC2 bare metal instances
- Amazon EC2 Mac Instances now support hot attach and detach of EBS volumes
- Amazon EC2 Mac Instances now support macOS Monterey
- Announcing Amazon EC2 M1 Mac instances for macOS
- Announcing preview of Amazon Linux 2022
- Elastic Beanstalk supports AWS Graviton-based Amazon EC2 instance types
- Announcing preview of Amazon EC2 Trn1 instances
- Announcing new Amazon EC2 C7g instances powered by AWS Graviton3 processors
- Announcing new Amazon EC2 Im4gn and Is4gen instances powered by AWS Graviton2 processors
- Introducing the AWS Graviton Ready Program
- Introducing Amazon EC2 M6a instances
- AWS Compute Optimizer now offers enhanced infrastructure metrics, a new feature for EC2 recommendations
- AWS Compute Optimizer now offers resource efficiency metrics

Networking
- AWS price reduction for data transfers out to the internet
- Amazon Virtual Private Cloud (VPC) customers can now create IPv6-only subnets and EC2 instances
- Application Load Balancer and Network Load Balancer end-to-end IPv6 support
- AWS Transit Gateway introduces intra-region peering for simplified cloud operations and network connectivity
- Amazon Virtual Private Cloud (VPC) announces IP Address Manager (IPAM) to help simplify IP address management on AWS
- Amazon Virtual Private Cloud (VPC) announces Network Access Analyzer to help you easily identify unintended network access
- Introducing AWS Cloud WAN Preview
- Introducing AWS Direct Connect SiteLink

Other
- Recover from accidental deletions of your snapshots using Recycle Bin
- Amazon EBS Snapshots introduces a new tier, Amazon EBS Snapshots Archive, to reduce the cost of long-term retention of EBS Snapshots by up to 75%
- Amazon CloudFront now supports configurable CORS, security, and custom HTTP response headers
- Amazon EC2 now supports access to Red Hat Knowledgebase
- Amazon EC2 Fleet and Spot Fleet now support automatic instance termination with Capacity Rebalancing
- AWS announces a new capability to switch license types for Windows Server and SQL Server applications on Amazon EC2
- AWS Batch introduces fair-share scheduling
- Amazon EC2 Auto Scaling Now Supports Predictive Scaling with Custom Metrics

Dev & Ops

New services
- Measure and Improve Your Application Resilience with AWS Resilience Hub | AWS News Blog
- Scalable, Cost-Effective Disaster Recovery in the Cloud | AWS News Blog
- Announcing general availability of AWS Elastic Disaster Recovery
- AWS announces the launch of AWS AppConfig Feature Flags in preview
- Announcing Amazon DevOps Guru for RDS, an ML-powered capability that automatically detects and diagnoses performance and operational issues within Amazon Aurora
- Introducing Amazon CloudWatch Metrics Insights (Preview)
- Introducing Amazon CloudWatch RUM for monitoring applications' client-side performance

IaC
- AWS announces Construct Hub general availability
- AWS Cloud Development Kit (AWS CDK) v2 is now generally available
- You can now import your AWS CloudFormation stacks into a CloudFormation stack set
- You can now submit multiple operations for simultaneous execution with AWS CloudFormation StackSets
- AWS CDK releases v1.126.0 - v1.130.0 with high-level APIs for AWS App Runner and hotswap support for Amazon ECS and AWS Step Functions

SDKs
- AWS SDK for Swift (Developer Preview)
- AWS SDK for Kotlin (Developer Preview)
- AWS SDK for Rust (Developer Preview)

CICD
- AWS Proton now supports Terraform Open Source for infrastructure provisioning
- AWS Proton introduces Git management of infrastructure as code templates
- AWS App2Container now supports Jenkins for setting up a CI/CD pipeline

Other
- Amazon CodeGuru Reviewer now detects hardcoded secrets in Java and Python repositories
- EC2 Image Builder enables sharing Amazon Machine Images (AMIs) with AWS Organizations and Organization Units
- Amazon Corretto 17 Support Roadmap Announced
- Amazon DevOps Guru now Supports Multi-Account Insight Aggregation with AWS Organizations
- AWS Toolkits for Cloud9, JetBrains and VS Code now support interaction with over 200 new resource types
- AWS Fault Injection Simulator now supports Amazon CloudWatch Alarms and AWS Systems Manager Automation Runbooks
- AWS Device Farm announces support for testing web applications hosted in an Amazon VPC
- Amazon CloudWatch now supports anomaly detection on metric math expressions
- Introducing Amazon CloudWatch Evidently for feature experimentation and safer launches
- New – Amazon CloudWatch Evidently – Experiments and Feature Management | AWS News Blog
- Introducing AWS Microservice Extractor for .NET

Security
- AWS Secrets Manager increases secrets limit to 500K per account
- AWS CloudTrail announces ErrorRate Insights
- AWS announces the new Amazon Inspector for continual vulnerability management
- Amazon SQS Announces Server-Side Encryption with Amazon SQS-managed encryption keys (SSE-SQS)
- AWS WAF adds support for Captcha
- AWS Shield Advanced introduces automatic application-layer DDoS mitigation

Security Hub
- AWS Security Hub adds support for AWS PrivateLink for private access to Security Hub APIs
- AWS Security Hub adds three new FSBP controls and three new partners

SSO
- Manage Access Centrally for CyberArk Users with AWS Single Sign-On
- Manage Access Centrally for JumpCloud Users with AWS Single Sign-On
- AWS Single Sign-On now provides one-click login to Amazon EC2 instances running Microsoft Windows
- AWS Single Sign-On is now in scope for AWS SOC reporting

Control Tower
- AWS Control Tower now supports concurrent operations for detective guardrails
- AWS Control Tower now supports nested organizational units
- AWS Control Tower now provides controls to meet data residency requirements
- Deny services and operations for AWS Regions of your choice with AWS Control Tower
- AWS Control Tower introduces Terraform account provisioning and customization

Data Storage & Processing

Databases

Relational databases
- Announcing Amazon RDS Custom for SQL Server
- New Multi-AZ deployment option for Amazon RDS for PostgreSQL and for MySQL; increased read capacity, lower and more consistent write transaction latency, and shorter failover time (Preview)
- Amazon RDS now supports cross account KMS keys for exporting RDS Snapshots
- Amazon Aurora supports MySQL 8.0
- Amazon RDS on AWS Outposts now supports backups on AWS Outposts

Athena
- Amazon Athena adds cost details to query execution plans
- Amazon Athena announces cross-account federated query
- New and improved Amazon Athena console is now generally available
- Amazon Athena now supports new Lake Formation fine-grained security and reliable table features
- Announcing Amazon Athena ACID transactions, powered by Apache Iceberg (Preview)

Redshift
- Announcing preview for write queries with Amazon Redshift Concurrency Scaling
- Amazon Redshift announces native support for SQLAlchemy and Apache Airflow open-source frameworks
- Amazon Redshift simplifies the use of other AWS services by introducing the default IAM role
- Announcing Amazon Redshift cross-region data sharing (preview)
- Announcing preview of SQL Notebooks support in Amazon Redshift Query Editor V2

Neptune
- Announcing AWS Graviton2-based instances for Amazon Neptune
- AWS releases open source JDBC driver to connect to Amazon Neptune

MemoryDB
- Amazon MemoryDB for Redis now supports AWS Graviton2-based T4g instances and a 2-month Free Trial

Database Migration Service
- AWS Database Migration Service now supports parallel load for partitioned data to S3
- AWS Database Migration Service now supports Kafka multi-topic
- AWS Database Migration Service now supports Azure SQL Managed Instance as a source
- AWS Database Migration Service now supports Google Cloud SQL for MySQL as a source
- Introducing AWS DMS Fleet Advisor for automated discovery and analysis of database and analytics workloads (Preview)
- AWS Database Migration Service now offers a new console experience, AWS DMS Studio
- AWS Database Migration Service now supports Time Travel, an improved logging mechanism

Other
- Database Activity Streams now supports Graviton2-based instances
- Amazon Timestream now offers faster and more cost-effective time series data processing through scheduled queries, multi-measure records, and magnetic storage writes
- Amazon DynamoDB announces the new Amazon DynamoDB Standard-Infrequent Access table class, which helps you reduce your DynamoDB costs by up to 60 percent
- Achieve up to 30% better performance with Amazon DocumentDB (with MongoDB compatibility) using new Graviton2 instances

S3
- Amazon S3 on Outposts now delivers strong consistency automatically for all applications
- Amazon S3 Lifecycle further optimizes storage cost savings with new actions and filters
- Announcing the new Amazon S3 Glacier Instant Retrieval storage class - the lowest cost archive storage with milliseconds retrieval
- Amazon S3 Object Ownership can now disable access control lists to simplify access management for data in S3
- Amazon S3 Glacier storage class is now Amazon S3 Glacier Flexible Retrieval; storage price reduced by 10% and bulk retrievals are now free
- Announcing the new S3 Intelligent-Tiering Archive Instant Access tier - Automatically save up to 68% on storage costs
- Amazon S3 Event Notifications with Amazon EventBridge help you build advanced serverless applications faster
- Amazon S3 console now reports security warnings, errors, and suggestions from IAM Access Analyzer as you author your S3 policies
- Amazon S3 adds new S3 Event Notifications for S3 Lifecycle, S3 Intelligent-Tiering, object tags, and object access control lists

Glue
- AWS Glue DataBrew announces native console integration with Amazon AppFlow
- AWS Glue DataBrew now supports custom SQL statements to retrieve data from Amazon Redshift and Snowflake
- AWS Glue DataBrew now allows customers to create data quality rules to define and validate their business requirements

FSx
- Introducing Amazon FSx for OpenZFS
- Amazon FSx for Lustre now supports linking multiple Amazon S3 buckets to a file system
- Amazon FSx for Lustre can now automatically update file system contents as data is deleted and moved in Amazon S3
- Announcing the next generation of Amazon FSx for Lustre file systems

Backup
- Announcing preview of AWS Backup for Amazon S3
- AWS Backup adds support for Amazon Neptune
- AWS Backup adds support for Amazon DocumentDB (with MongoDB compatibility)
- AWS Backup provides new resource assignment rules for your data protection policies
- AWS Backup adds support for VMware workloads

Other
- AWS Lake Formation now supports AWS PrivateLink
- AWS Transfer Family adds identity provider options and enhanced monitoring capabilities
- Introducing ability to connect to EMR clusters in different subnets in EMR Studio
- AWS Snow Family now supports external NTP server configuration
- Announcing data tiering for Amazon ElastiCache for Redis
- Now execute python files and notebooks from another notebook in EMR Studio
- AWS Snow Family launches offline tape data migration capability

AI & ML

SageMaker
- Introducing Amazon SageMaker Canvas - a visual, no-code interface to build accurate machine learning models
- Announcing Fully Managed RStudio on Amazon SageMaker for Data Scientists | AWS News Blog
- Amazon SageMaker now supports inference testing with custom domains and headers from SageMaker Studio
- Amazon SageMaker Pipelines now supports retry policies and resume
- Announcing new deployment guardrails for Amazon SageMaker Inference endpoints
- Amazon announces new NVIDIA Triton Inference Server on Amazon SageMaker
- Amazon SageMaker Pipelines now integrates with SageMaker Model Monitor and SageMaker Clarify
- Amazon SageMaker now supports cross-account lineage tracking and multi-hop lineage querying
- Introducing Amazon SageMaker Inference Recommender
- Introducing Amazon SageMaker Ground Truth Plus: Create high-quality training datasets without having to build labeling applications or manage the labeling workforce on your own
- Amazon SageMaker Studio Lab (currently in preview), a free, no-configuration ML service
- Amazon SageMaker Studio now enables interactive data preparation and machine learning at scale within a single universal notebook through built-in integration with Amazon EMR

Other
- General Availability of Syne Tune, an open-source library for distributed hyperparameter and neural architecture optimization
- Amazon Translate now supports AWS KMS Encryption
- Amazon Kendra releases AWS Single Sign-On integration for secure search
- Amazon Transcribe now supports automatic language identification for streaming transcriptions
- AWS AI for data analytics (AIDA) partner solutions
- Introducing Amazon Lex Automated Chatbot Designer (Preview)
- Amazon Kendra launches Experience Builder, Search Analytics Dashboard, and Custom Document Enrichment

Other Cool Stuff
- In The Works – AWS Canada West (Calgary) Region | AWS News Blog
- Unified Search in the AWS Management Console now includes blogs, knowledge articles, events, and tutorials
- AWS DeepRacer introduces multi-user account management
- Amazon Pinpoint launches in-app messaging as a new communications channel
- Amazon AppStream 2.0 Introduces Linux Application Streaming
- Amazon SNS now supports publishing batches of up to 10 messages in a single API request
- Announcing usability improvements in the navigation bar of the AWS Management Console
- Announcing General Availability of Enterprise On-Ramp
- Announcing preview of AWS Private 5G
- AWS Outposts is Now Available in Two Smaller Form Factors
- Introducing AWS Mainframe Modernization - Preview
- Introducing the AWS Migration and Modernization Competency
- Announcing AWS Data Exchange for APIs
- Amazon WorkSpaces introduces Amazon WorkSpaces Web
- Amazon SQS Enhances Dead-letter Queue Management Experience For Standard Queues
- Introducing AWS re:Post, a new, community-driven, questions-and-answers service
- AWS Resource Access Manager enables support for global resource types
- AWS Ground Station launches expanded support for Software Defined Radios in Preview
- Announcing Amazon Braket Hybrid Jobs for running hybrid quantum-classical workloads on Amazon Braket
- Introducing AWS Migration Hub Refactor Spaces - Preview

Well-Architected Framework
- Customize your AWS Well-Architected Review using Custom Lenses
- New Sustainability Pillar for the AWS Well-Architected Framework

IoT
- Announcing AWS IoT RoboRunner, Now Available in Preview
- AWS IoT Greengrass now supports Microsoft Windows devices
- AWS IoT Core now supports Multi-Account Registration certificates on IoT Credential Provider endpoint
- Announcing AWS IoT FleetWise (Preview), a new service for transferring vehicle data to the cloud more efficiently
- Announcing AWS IoT TwinMaker (Preview), a service that makes it easier to build digital twins
- AWS IoT SiteWise now supports hot and cold storage tiers for industrial data
- New connectivity software, AWS IoT ExpressLink, accelerates IoT development (Preview)
- AWS IoT Device Management Fleet Indexing now supports two additional data sources (Preview)

Connect
- Amazon Connect now enables you to create and orchestrate tasks directly from Flows
- Amazon Connect launches scheduled tasks
- Amazon Connect launches Contact APIs to fetch and update contact details programmatically
- Amazon Connect launches API to configure security profiles programmatically
- Amazon Connect launches APIs to archive and delete contact flows
- Amazon Connect now supports contact flow modules to simplify repeatable logic

Sponsors
CMD Solutions

Silver Sponsors
Cevo
Versent
Links:
- Cost of a Data Breach Report: https://securityintelligence.com/cost-of-data-breach-bottom-line/
- Got its ass handed to it in a security breach last week: https://threatpost.com/Godaddys-latest-breach-customers/176530/
- Millions of Brazilians: https://www.zdnet.com/article/millions-of-brazilians-exposed-in-wi-fi-management-software-firm-leak/
- “You can now securely connect to your Amazon MSK clusters over the internet”: https://aws.amazon.com/about-aws/whats-new/2021/11/securely-connect-amazon-msk-clusters-over-internet/
- “AWS Security Profiles: Megan O'Neil, Sr. Security Solutions Architect”: https://aws.amazon.com/blogs/security/aws-security-profiles-megan-oneil-sr-security-solutions-architect/
- AWS Security Profiles: Merritt Baer, Principal in OCISO: https://aws.amazon.com/blogs/security/aws-security-profiles-merritt-baer-principal-in-ociso/
- Super important things to know: https://github.com/SummitRoute/aws_breaking_changes/issues/56
- Permissions.cloud: https://aws.permissions.cloud/

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I'm going to just guess that it's awful because it's always awful. No one loves their deployment process. What if launching new features didn't require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren't what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.

Corey: “Security is Job Zero” according to AWS. Next week I'll have a fair bit on that I suspect, since this week is re:Invent. Let's see what happened before the storm hit.

IBM put out its annual Cost of a Data Breach Report which is interesting, but personally I find it genius. This is how you pollute SEO for the search term ‘IBM Data Breach', which is surely just a matter of time if it hasn't already happened.

Speaking of, GoDaddy effectively got its ass handed to it in a security breach last week. We found out of course via an SEC filing instead of GoDaddy doing the smart thing and proactively getting in front of it. Apparently they were breached for at least two-and-a-half months, nobody noticed, and 1.2 million people got their admin creds stolen. I can't stress enough that you should not be doing business with GoDaddy.

And to complete the trifecta, ‘Millions of Brazilians' is a fun thing to say unless you're talking about who's been victimized by an S3 Bucket Negligence Award; then nobody's having fun at all.

The AWS security blog had a few things to say. “You can now securely connect to your Amazon MSK clusters over the internet.” Wait, what? What the hell was going on before? Were you unable to access the clusters over the internet, or were you able to do so but it was insecurely? This is terrifying framing.

“AWS Security Profiles: Megan O'Neil, Sr. Security Solutions Architect.” I really dig these! The problem is that the AWS security blog only really seems to put these out around major AWS conferences when there's a bunch of other announcements. I'd love it if more of the AWS blogs would do periodic “The faces, voices, and people that power AWS” profiles because I assure you, most of the people building the magic never take the stage at these conferences.

There was another profile of Merritt Baer, who is a principal in the office of the CISO, and she's an absolute delight. One of these days, post-pandemic, we're going to try and record some kind of video or other, just so we can name it “Quinn and Baer it.”

Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals: having the highest quality content in tech and cloud skills, and building a good community that is rich and full of IT and engineering professionals. You wouldn't think those things go together, but sometimes they do. It's both useful for individuals and large enterprises, but here's what makes this something new—I don't use that term lightly—Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks, you'll have a chance to prove yourself. Compete in four unique lab challenges where they'll be awarding more than $2,000 in cash and prizes. I'm not kidding: first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey—C-O-R-E-Y. That's cloudacademy.com/corey. We're going to have some fun with this one.

Corey: And of course, “Macie Classic alerts that derive from AWS CloudTrail global service events for AWS Identity and Access Management (IAM) and AWS Security Token Service (STS) API calls will be retired (no longer generated) in the us-west-2 (Oregon) AWS Region.” See, that's one of those super important things to know, and I hate how AWS buries it. That said, don't use Macie Classic because it is horrifyingly expensive compared to modern Macie.

And from the tools and tricks area, I discovered permissions.cloud last week and it's great. The website uses a variety of information gathered within the IAM dataset and then exposes that information in a clean, easy-to-read format. It's there to provide an alternate community-driven source of truth for AWS identity. It's gorgeous as well, so you know it's not an official AWS product.

And that's what happened in AWS security. Thank you for listening. I'll talk to you next week if I survive re:Invent.

Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.
Setting a new record for delay in editing, you can finally listen to Arjen, JM, and Guy discuss the news from April 2021. This was recorded nearly two months before it was released.

News

Finally in Sydney
- Amazon Transcribe Custom Language Models now support Australian English, British English, Hindi and US Spanish
- Multi-Attach for Provisioned IOPS io2 Now Available in Thirteen Additional AWS Regions
- AWS Transit Gateway Connect is now available in additional AWS Regions
- AWS CloudShell is now available in the Asia Pacific (Mumbai), Asia Pacific (Sydney), and Europe (Frankfurt) regions

Serverless

API Gateway
- Amazon API Gateway custom domain names now support multi-level base path mappings

Lambda
- AWS Lambda@Edge changes duration billing granularity from 50ms down to 1ms
- Amazon CloudWatch Lambda Insights Now Supports AWS Lambda Container Images (General Availability)
- Amazon RDS for PostgreSQL Integrates with AWS Lambda
- AWS Lambda@Edge now supports Node 14.x

Step Functions
- AWS Step Functions adds new data flow simulator for modelling input and output processing

EventBridge
- Amazon EventBridge introduces support for cross-Region event bus targets
- AWS Chatbot now expands coverage of AWS Services monitored through Amazon EventBridge

Amplify
- Data management is now generally available in the AWS Amplify Admin UI
- Amplify iOS now available via Swift Package Manager (SPM)
- AWS Amplify now orchestrates multiple Amazon DynamoDB GSI updates in a single deployment

Containers
- eksctl now supports creating node groups using resource specifications and dry run mode
- AWS Secrets Manager Delivers Provider for Kubernetes Secrets Store CSI Driver

EC2 & VPC
- Amazon EC2 Auto Scaling introduces Warm Pools to accelerate scale out while saving money
- Amazon VPC Flow Logs announces out-of-the-box integration with Amazon Athena
- MacSec Encryption for some Direct Connect (apologies, linking to this prevents the podcast from getting published :shrug:)
- New AWS Storage Gateway management console simplifies gateway creation and management
- AWS Batch now supports EFS volumes at the job level
- AWS Backup now supports cost allocation tags for Amazon EFS Backups
- Internet Group Management Protocol (IGMP) Multicast on AWS Transit Gateway is now available in major AWS regions worldwide
- Amazon EC2 enables replacing root volumes for quick restoration and troubleshooting
- Announcing availability of Red Hat Enterprise Linux with High availability for Amazon EC2
- AWS Nitro Enclaves now supports Windows operating system

Dev & Ops

Dev
- Amazon CodeGuru Reviewer Updates: New Predictable Pricing Model Up To 90% Lower and Python Support Moves to GA | AWS News Blog
- Now available credential profile support for AWS SSO and Assume Role with MFA in the AWS Toolkit for Visual Studio
- AWS CodeDeploy improves support for EC2 deployments with Auto Scaling Groups
- AWS SAM CLI now supports AWS CDK applications - public preview
- Better together: AWS SAM and AWS CDK | AWS Compute Blog

Proton
- AWS Proton allows adding and removing instances from an existing service
- AWS Proton introduces customer-managed environments
- AWS Proton adds an API to cancel deployments

CloudFormation
- You can now deploy CloudFormation Stacks concurrently across multiple AWS regions using AWS CloudFormation StackSets
- AWS CloudFormation Command Line Interface (CFN-CLI) now supports TypeScript
- AWS CloudFormation Modules now Provides YAML and Delimiter Support
- Now reference latest AWS Systems Manager parameter values in AWS CloudFormation templates without specifying parameter versions
- You can now use macros and transforms in CloudFormation templates to create AWS CloudFormation StackSets

Control Tower
- AWS Control Tower introduces changes to preventive S3 guardrails and updates to S3 bucket encryption protocols
- AWS Control Tower now provides configurable naming during Landing Zone setup

Systems Manager
- AWS Systems Manager Run Command now displays more logs and enables log download from the console
- AWS Systems Manager Parameter Store now supports easier public parameter discoverability
- Customers can now use ServiceNow to track operational items related to AWS resources
- AWS Systems Manager Parameter Store now supports removal of parameter labels
- AWS Systems Manager now supports Amazon Elastic Container Service clusters
- AWS Systems Manager OpsCenter and Explorer now integrate with AWS Security Hub for diagnosis and remediation of security findings

Security

Firewalls
- How to Get Started with Amazon Route 53 Resolver DNS Firewall for Amazon VPC | AWS News Blog
- Reduce Unwanted Traffic on Your Website with New AWS WAF Bot Control | AWS News Blog
- AWS Firewall Manager now supports centralized management of Amazon Route 53 Resolver DNS Firewall
- AWS Firewall Manager now supports centralized deployment of the new AWS WAF Bot Control across your organization
- AWS WAF now supports Labels to improve rule customization and reporting

Identity
- Review last accessed information to identify unused EC2, IAM, and Lambda permissions and tighten access for your IAM roles
- AWS Identity and Access Management now makes it easier to relate a user's IAM role activity to their corporate identity

Other
- AWS Config launches the ability to track and visualize compliance change history of conformance packs
- AWS Security Hub Automated Response & Remediation Solution adds support for AWS Foundational Security Best Practices standard
- You now can use AWS CloudTrail to log Amazon DynamoDB Streams data-plane API activity

Data Storage & Processing

Glue
- Detect outliers and use dedicated transforms to handle outliers in AWS Glue DataBrew
- AWS Glue DataBrew now supports time-based, pattern-based and customizable parameters to create dynamic datasets
- AWS announces preview of AWS Glue custom blueprints
- AWS Glue now supports cross-account reads from Amazon Kinesis Data Streams
- AWS Glue now supports missing value imputation based on machine learning
- AWS announces data sink capability for the Glue connectors
- AWS Glue DataBrew announces native console integration with Amazon AppFlow to connect to data from SaaS (Software as a Service) applications and AWS services (in Preview)

Redshift
- AQUA (Advanced Query Accelerator) – A Speed Boost for Your Amazon Redshift Queries | AWS News Blog
- Announcing cross-VPC support for Amazon Redshift powered by AWS PrivateLink
- Announcing general availability of Amazon Redshift native console integration with partners
- Announcing general availability of Amazon Redshift native JSON and semi-structured data support

EMR
- Amazon EMR Release 5.33 now supports 10 new instance types
- Amazon EMR Studio is now generally available

Athena
- Announcing general availability of Amazon Athena ML powered by Amazon SageMaker
- User Defined Functions (UDF) are now generally available for Amazon Athena

RDS
- Amazon RDS for SQL Server now supports Extended Events
- Amazon RDS on VMware networking now simplified and more secure

Other
- Amazon FSx and AWS Backup announce support for copying file system backups across AWS Regions and AWS accounts
- AWS Batch increases job scheduling and EC2 instance scaling performance
- Amazon Elasticsearch Service now supports integration with Microsoft Power BI
- AWS Ground Station now supports data delivery to Amazon S3
- Amazon ElastiCache now supports publishing Redis logs to Amazon CloudWatch Logs and Kinesis Data Firehose

AI & ML

SageMaker
- Decrease Your Machine Learning Costs with Instance Price Reductions and Savings Plans for Amazon SageMaker | AWS News Blog
- New options to trigger Amazon SageMaker Pipeline executions (EventBridge)

Other
- Detect abnormal equipment behavior with Amazon Lookout for Equipment — now generally available
- Amazon Fraud Detector now supports Batch Fraud Predictions
- Get estimated run time for forecast creation jobs while using Amazon Forecast
- Amazon Kendra launches dynamic relevance tuning

Other Cool Stuff

WorkSpaces
- Amazon WorkSpaces webcam support now Generally Available
- Amazon WorkSpaces now supports smart cards with the WorkSpaces macOS client application

IVS
- Amazon Interactive Video Service adds new Cloudwatch Metrics
- Amazon Interactive Video Service adds support for recording live streams to Amazon S3

Connect
- Amazon Connect launches audio device settings for the custom Contact Control Panel (CCP)
- Amazon Connect allows contact center managers to configure agent settings in a custom Contact Control Panel (CCP)

Other
- AWS RoboMaker now supports the ability to configure tools for simulation jobs
- Amazon AppStream 2.0 adds support for fully managed image updates
- Amazon Managed Service for Grafana now supports Grafana Enterprise upgrade, Grafana version 7.5, Open Distro for Elasticsearch integration, and AWS Billing reports
- AWS Cloud9 now supports Amazon Linux 2 environments
- CloudWatch Metric Streams – Send AWS Metrics to Partners and to Your Apps in Real Time | AWS News Blog
- Announcing open source robotics projects for AWS DeepRacer
- Announcing Moving Graphs for CloudWatch Dashboards
- Amazon Nimble Studio – Build a Creative Studio in the Cloud | AWS News Blog
- AWS Snow Family now enables you to order, track, and manage long-term pricing Snow jobs

The Nanos
- AWS Console Mobile Application adds support for Asia Pacific (Osaka) region (Arjen)
- Amazon Connect reduces telephony rates in Cyprus, Belgium, and Portugal (Guy)
- AWS Cloud9 now supports Amazon Linux 2 environments (Jean-Manuel)

Sponsors

Gold Sponsor
Innablr

Silver Sponsors
AC3
CMD Solutions
DoIT International
Compliance and audit checks can be painful, and that's before you introduce additional cloud services and technology. In this episode, featuring AJ Yawn, we discuss some incredibly useful and actionable cloud security concepts and tools that can help your team boost visibility and reduce user permissions, to help prevent breaches before they happen. In addition, we discuss what a good compliance audit should be, and how to turn audits from painful to incredibly valuable.

Resources mentioned in this episode:
- AWS CloudTrail: https://aws.amazon.com/cloudtrail/
- AWS Well-Architected Framework: https://aws.amazon.com/architecture/well-architected/
- AWS Config: https://aws.amazon.com/config
- AWS Organizations: https://aws.amazon.com/organizations/
- AWS Service Control Policies (SCP): https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

Our Guest - AJ Yawn
AJ Yawn is the Co-Founder and CEO of ByteChek. He is a seasoned cloud security professional with over a decade of senior information security experience, including extensive experience managing a wide range of cybersecurity compliance assessments (SOC 2, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers. AJ advises startups on cloud security and serves on the Board of Directors of the ISC2 Miami chapter as the Education Chair. He is also a Founding Board member of the National Association of Black Compliance and Risk Management Professionals, regularly speaks on information security podcasts and at events, and contributes blogs and articles to the information security community, including publications such as CISOMag, InfosecMag, HackerNoon, and ISC2.

Sponsor's Note: Support for the Blueprint podcast comes from the SANS Institute. Are you looking for the best in-depth training for your cyber defense team? Look no further than the SANS blue team curriculum courses! Whether you focus on network or host data, Windows or Linux, or even specialize in open source intel, SIEM, SOC, or defensive architecture, the SANS Blue Team curriculum has the course for you. From long-time classics like SEC503 Network Intrusion Detection to the newer SEC530 Defensible Security Architecture and Engineering and SEC487 Open Source Intelligence Gathering, we've got you covered, no matter what your specialty. With an extensive archive of free webcasts on the SANS site, and free online demos available for most courses, you can easily check out the SANS blue team catalog and see which course is the best fit for you and your team. Check out the constantly growing list of available courses at sansurl.com/blueteamops
Follow SANS Cyber Defense: Twitter | LinkedIn | YouTube
Follow John Hubbard: Twitter | LinkedIn
Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you're about to listen to.

Show Notes
Links:
Report finds old misconfiguration woes continue to hammer corporate clouds: https://www.scmagazine.com/home/security-news/cloud-security/report-finds-old-misconfiguration-woes-continue-to-hammer-corporate-clouds/
Pentagon Weighs Ending JEDI Cloud Project Amid Amazon Court Fight: https://www.wsj.com/articles/pentagon-weighs-ending-jedi-cloud-project-amid-amazon-court-fight-11620639001
Netflix Exec Explains Where Infosec Pros are Going Wrong: https://www.infosecurity-magazine.com/news/netflix-exec-infosec-pros-going/
Firms Struggle to Secure Multicloud Misconfigurations: https://www.darkreading.com/cloud/firms-struggle-to-secure-multicloud-misconfigurations/d/d-id/1341008
Researchers Create Covert Channel Over Apple AirTag Network: https://nmap.online/news/2021/researchers-create-covert-channel-over-apple-airtag-network
Ransomware is Getting Ugly: https://www.schneier.com/blog/archives/2021/05/ransomware-is-getting-ugly.html
Try this One Weird Trick Russian Hackers Hate: https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/
Attorneys share worst practices for data breach response: https://searchsecurity.techtarget.com/news/252501054/Attorneys-share-worst-practices-for-data-breach-response
Ransomware Guidance and Resources: https://www.cisa.gov/ransomware
How to Get Employees to Care About Security: https://www.darkreading.com/theedge/how-to-get-employees-to-care-about-security-/b/d-id/1341058
Corey Quinn's Twitter: https://twitter.com/QuinnyPig

Transcript
Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it's time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you're building a secure business on AWS with compliance requirements, you don't really have time to choose between antivirus or firewall companies to help you secure your stack. That's why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That's lacework.com.

Jesse: All the rage is DevOps, for good reasons: it works. You can't do good cloud work without a flexible and functional DevOps operation. Similarly, you can't do good security in the cloud without DevSecOps. However, [laugh] security people love their cryptic and geeky terms, so you hear, "You should shift left." This is derived from the left shift bitwise operators that do binary math that moves values to the left. I told you it's geeky.

This moving left translates to moving security integration into a project farther left in the development process, when you start on the left and move to production on the right. Ultimately, this means you bring security into the very beginning of your conceptual designs, and write your first lines of code with security processes and methods in mind from the very start. Use more security tools, authentication and authorization hooks, and more granular encryption methods in your underlying services structures through your more complex processing.
More work on literally coding security in at the start could save you several orders of magnitude of direct and indirect costs in the future. Don't get owned, don't get ransomed.

Meanwhile, in the news: Report finds old misconfiguration woes continue to hammer corporate clouds. If you haven't heard me and countless others rant about going back to the basics of cloud security, you haven't been listening. This article should scare you into finally checking your basic permissions on things like storage and services so you don't get pwned by being stupid.

Pentagon Weighs Ending JEDI Cloud Project Amid Amazon Court Fight. When a nearly $2 trillion company drags anyone into court, things will change. The largest move to cloud services by the US Department of Defense might not happen because Amazon got pissed and sent lawyers. Watch how this unfolds to learn both how Amazon the company operates and how the market moves toward or away from cloud in general, and either Azure or AWS specifically, as a result of this legal challenge.

Netflix Exec Explains Where Infosec Pros are Going Wrong. Most of us who work in cybersecurity will read this piece and have one of two strong reactions. People like me and everyone who isn't a security professional will nod and smile and agree that times are changing and security needs to get with the times. Everyone else in security will scowl, and pout, and get mad.

Firms Struggle to Secure Multicloud Misconfigurations. We all struggle to secure all the things, but this report shows that most of us struggle to secure any of the things. Back to basics; I keep hammering on this because things like shutting down or securing ports and services and locking up cloud storage objects get you the biggest improvement in security posture out of almost anything else you do.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

Jesse: Researchers Create Covert Channel Over Apple AirTag Network. As this article says at the end, most people won't care about this obscure and difficult security thing to do. This is interesting reading, but the most important takeaway for you is to know that this type of technical wizardry is so far outside the realm of feasibility for most anyone on the planet that it should not scare you. For most of us, when we see big news about weird things like this, geek out on it and ignore it.

Ransomware is Getting Ugly. The only way to not be a victim of ransomware is to not let it into your network. If you don't protect access to your systems, you won't protect access to your data, and eventually, you'll be paying to keep your information private. Even then, it may end up online for the world to peruse after you've paid.

Try this One Weird Trick Russian Hackers Hate. Wow, install the right virtual keyboard and reduce your risk of getting hit with ransomware? If I ran Windows anywhere, I'd already have installed it before talking about it.

Attorneys share worst practices for data breach response. I cannot stress enough that every single thing you do or say or type into any device or service could be subject to legal discovery and disclosure. Don't make bad jokes; don't make sarcastic comments that aren't sarcastic out of context; and, well, just don't be stupid. Any or all of it could land in a global headline.

CISA Ransomware Guidance and Resources. You need to understand ransomware. It's a terrifying problem and it's not going away.
Go skim this guide, which is quite short, then follow the links to the trainings and webinars, and the guides and services. Be prepared to face ransomware, because it's looking like we'll see it in action ourselves as time marches on.

How to Get Employees to Care About Security. Fresh from the annual RSA security conference, the largest of its kind in the world. For us followers of Corey Quinn, QuinnyPig on Twitter and chief cloud economist at The Duckbill Group, we already know humor teaches us faster than pain and suffering. Well, maybe. Make security training funny.

And now for the tip of the week. AWS CloudTrail is your security friend. It's your best Robo-pet, fetching the morning paper. By default, it should be enabled, but you need to do something to make it useful. Go to your AWS Management Console, show all services, and find CloudTrail under the Management and Governance section.

Create a trail, name it something—anything at all that makes sense to you—and then read the notice there that you do not get charged for the creation of the logs, but you will pay for the S3 bucket storage. Of course, right? Please monitor the size of this thing so you don't get shocking charges. The best thing to do is open the full create-trail workflow, as the fine print under trail detail says, then choose 'sane settings' for what to log and which buckets to use. Next, ensure you have something reading those logs, like using CloudWatch to pop alerts for you. Better yet, shove them into your log analyzer or your SIEM.

And that's it for the week. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
In this episode, Dennis has three short tips you can use to secure your AWS account: don't use the root user; log the activity in your AWS account with AWS CloudTrail; enable Amazon GuardDuty for automatic detection of potential threats. The official German-language podcast about Amazon Web Services (AWS), for the curious, cloud beginners and AWS experts, produced by Dennis Traub, Developer Advocate at AWS. For questions, suggestions and feedback, contact Dennis directly on Twitter (@dtraub) or by e-mail at traubd@amazon.com. Links on the topic: Security best practices in IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html AWS CloudTrail: https://aws.amazon.com/cloudtrail/ Configure MFA delete for Amazon S3: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html Amazon GuardDuty: https://aws.amazon.com/guardduty/ GuardDuty finding types: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html For more info, tips and tricks about AWS and the cloud, follow Dennis on: Twitter - https://twitter.com/dtraub Twitch - https://www.twitch.tv/dennis_at_work YouTube - https://www.youtube.com/dennistraub
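Jesse's tip of the week above (get the trail into S3, then have something read the records and alert) and Dennis's three tips (stay off the root user, turn on CloudTrail) come down to the same point: a trail is only useful once something evaluates what it writes. The following is an added example, not code from either podcast. It parses a CloudTrail log file body in the layout CloudTrail delivers to S3 and flags root activity, console sign-ins without MFA, and calls that tamper with the trail itself. The sample records, account ID, ARNs and IP addresses are constructed for the example, and the set of tampering event names is an assumption to extend for your own trail.

```python
"""Rule checks over AWS CloudTrail records.

Added example, not code from either episode. It reads the JSON shape that
CloudTrail writes to S3 ({"Records": [...]}) and flags root-user activity,
console sign-ins without MFA, and API calls that silence or reconfigure the
trail itself.
"""
from __future__ import annotations

import gzip
import json
from pathlib import Path

# Management-event names that weaken or silence CloudTrail. Assumed list for
# this example; extend it to match the trail configuration you actually run.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample log file in CloudTrail's on-disk layout. The account ID,
# IPs and ARNs are placeholders, not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2021-05-10T09:01:12Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {
        "eventTime": "2021-05-10T09:03:44Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
    },
    {
        "eventTime": "2021-05-10T09:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci/build-42"},
    },
    {
        "eventTime": "2021-05-10T09:06:30Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
]})


def load_records(raw: str) -> list[dict]:
    """Parse one CloudTrail log file body into its list of records."""
    return json.loads(raw).get("Records", [])


def read_trail_file(path: str) -> list[dict]:
    """Read a trail file from disk; CloudTrail delivers them gzip-compressed to S3."""
    p = Path(path)
    opener = gzip.open if p.suffix == ".gz" else open
    with opener(p, "rt", encoding="utf-8") as fh:
        return load_records(fh.read())


def actor(rec: dict) -> str:
    """Best available identifier for who made the call."""
    ident = rec.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def check_record(rec: dict) -> list[dict]:
    """Return zero or more findings for a single record."""
    findings = []
    ident = rec.get("userIdentity") or {}
    # These three sub-documents are null (not absent) in many real records.
    response = rec.get("responseElements") or {}
    extra = rec.get("additionalEventData") or {}
    params = rec.get("requestParameters") or {}
    base = {"time": rec.get("eventTime"), "actor": actor(rec),
            "event": rec.get("eventName"), "ip": rec.get("sourceIPAddress")}

    # Any root activity: root should be locked behind MFA and unused day to day.
    if ident.get("type") == "Root":
        findings.append({**base, "rule": "root_activity", "severity": "high"})

    # A successful console sign-in that did not present an MFA factor.
    if rec.get("eventName") == "ConsoleLogin":
        if response.get("ConsoleLogin") == "Success" and extra.get("MFAUsed") != "Yes":
            findings.append({**base, "rule": "console_login_no_mfa", "severity": "medium"})

    # Tampering with the trail is an early move for an intruder holding admin rights.
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and rec.get("eventName") in TRAIL_TAMPER:
        findings.append({**base, "rule": "trail_tampering", "severity": "critical",
                         "trail": params.get("name")})
    return findings


def scan(raw: str) -> list[dict]:
    """Run every rule over every record in one log file body."""
    return [f for rec in load_records(raw) for f in check_record(rec)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:>8}  {f['rule']:<22} {f['time']}  {f['actor']}  ({f['event']} from {f['ip']})")
```

Point `read_trail_file` at a downloaded `.json.gz` object from the trail's bucket to run the same rules over real records. Note that the rules treat `responseElements`, `additionalEventData` and `requestParameters` as optional, because CloudTrail emits them as `null` for many event types.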
Catch up on the latest news while doing something else! The radio-style broadcast 「毎日AWS」 (Mainichi AWS, "Daily AWS"). Good morning, this is Sugaya, your Friday host. Today we pick out and introduce the updates released on 3/25. Please post your impressions on Twitter with the hashtag #サバワ! ■ Announcements: The talk scripts used on Mainichi AWS are now published! [Mainichi AWS #167 talk script] [AWS updates 3/25] AWS CloudTrail supports data events for Amazon DynamoDB, plus 13 more [AWS CloudTrail Adds Logging of Data Events for Amazon DynamoDB] ■ UPDATE PICKUP: AWS CloudTrail supports data events for Amazon DynamoDB; AWS Elemental MediaTailor supports four additional features, including extended debug logging; Red Hat OpenShift Service on AWS is now generally available; AWS Toolkit for VS Code supports connecting with an AWS SSO credential profile; Amazon Timestream supports Amazon VPC endpoints; the ML Detect feature is added to AWS IoT Device Defender; the Amazon Elasticsearch Service Auto-Tune feature can now optimize performance; Amazon Forecast can now send notifications on workflow status changes; AWS Cloud Map can now manage non-IP-based resources in namespaces that support discovery by DNS name; NICE DCV web client SDK version 1.00 is released; AWS Backup can now delete recovery points in bulk; Amazon AppFlow supports Zendesk as a destination; a new search connector by Perficient is added to Amazon Kendra; digital training: Advanced Architecting on AWS is updated. ■ Serverworks SNS: Twitter / Facebook ■ Serverworks blog: Serverworks Engineer Blog
In the previous episode, we talked about EBS snapshots. This time, we were hosted at the AWS offices and brought in a reinforcement in the form of Boaz Ziniman (!), Technical Evangelist at AWS. In this episode, Avi will tell us what CloudTrail is and why we need to use it; in addition, Avi will show us live how to create one in an S3 bucket. To wrap up the topic with a personal touch, Boaz will sharpen the key points of the CloudTrail component and offer insights on its use in practice.
Learn how WarnerMedia leveraged Amazon GuardDuty, AWS CloudTrail, and its own serverless inventory tool (Antiope) to root out cloud vulnerabilities, insecure behavior, and potential account compromise activities across a large number of accounts. We cover how WarnerMedia centralizes and automates its security tooling, offer detailed Splunk queries for GuardDuty and CloudTrail, and discuss how Antiope is used for vulnerability hunting. We cover the scaling issues incurred during a large enterprise merger. Leave this session with a strategy and an actionable set of detections for finding potential data breaches and account compromises.
AWS CloudTrail provides a wealth of information on your AWS environment. In addition, teams can use it to perform basic anomaly detection by adding state. In this talk, Travis McPeak of Netflix and Will Bengtson introduce a system built strictly with off-the-shelf AWS components that tracks CloudTrail activity across multi-account environments and sends alerts when applications perform anomalous actions. By watching applications for anomalous actions, security and operations teams can monitor unusual and erroneous behavior. We share everything attendees need to implement CloudTrail in their own organizations.
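The idea in this abstract, reduced to its core, as an added example that is not the speakers' system: keep a baseline of which API calls each application role has been seen making, and alert whenever a role makes a call outside that set. The records, role names and the choice to key the baseline on the assumed-role name (rather than on each session) are assumptions made for the example; the talk's version keeps this state in AWS services, this one keeps it in memory.

```python
"""Stateful anomaly detection over CloudTrail: alert when an application role
performs an API call it has not been seen performing before.

Added example, not the speakers' system. State is a per-role set of
(eventSource, eventName) pairs learned from historical records.
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Application sessions look like
#   arn:aws:sts::123456789012:assumed-role/<role-name>/<session-name>
# Keying on the role name, not the session, keeps the baseline stable across
# instance and container restarts (an assumption that suits fleet workloads).
_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/")

Action = Tuple[str, str]  # (eventSource, eventName)


def role_of(rec: dict) -> Optional[str]:
    """Return the application role behind a record, or None for non-role callers."""
    arn = (rec.get("userIdentity") or {}).get("arn", "")
    m = _ASSUMED_ROLE.match(arn)
    return m.group(1) if m else None


def action_of(rec: dict) -> Action:
    return (rec.get("eventSource", ""), rec.get("eventName", ""))


class RoleBaseline:
    """Per-role set of observed actions, plus alerting on anything new."""

    def __init__(self, learn_on_alert: bool = True) -> None:
        self.known: Dict[str, Set[Action]] = defaultdict(set)
        # After alerting once, absorb the action so a noisy deploy does not page
        # for every repeat; an analyst still has to review the first alert.
        self.learn_on_alert = learn_on_alert

    def learn(self, records: Iterable[dict]) -> None:
        """Warm-up phase: build the baseline from a window of trusted history."""
        for rec in records:
            role = role_of(rec)
            if role is not None:
                self.known[role].add(action_of(rec))

    def evaluate(self, records: Iterable[dict]) -> List[dict]:
        """Detection phase: one alert per (role, action) pair outside the baseline."""
        alerts = []
        for rec in records:
            role = role_of(rec)
            if role is None:
                continue  # humans and root need other rules; this one is for workloads
            action = action_of(rec)
            if action in self.known[role]:
                continue
            alerts.append({"time": rec.get("eventTime"), "role": role,
                           "source": action[0], "event": action[1],
                           "arn": rec["userIdentity"]["arn"]})
            if self.learn_on_alert:
                self.known[role].add(action)
        return alerts


def make_record(arn: str, source: str, name: str, time: str) -> dict:
    """Build a minimal CloudTrail record (constructed test data, not real logs)."""
    kind = "AssumedRole" if ":assumed-role/" in arn else "IAMUser"
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": kind, "arn": arn}}


WEB = "arn:aws:sts::123456789012:assumed-role/web-app/i-0abc"
CI = "arn:aws:sts::123456789012:assumed-role/ci/build-7"
ALICE = "arn:aws:iam::123456789012:user/alice"

# Constructed history: what each role normally does.
HISTORY = [
    make_record(WEB, "s3.amazonaws.com", "GetObject", "2021-05-01T10:00:00Z"),
    make_record(WEB, "dynamodb.amazonaws.com", "GetItem", "2021-05-01T10:00:01Z"),
    make_record(WEB, "dynamodb.amazonaws.com", "Query", "2021-05-01T10:00:02Z"),
    make_record(CI, "ecr.amazonaws.com", "BatchGetImage", "2021-05-01T11:00:00Z"),
    make_record(ALICE, "iam.amazonaws.com", "CreateUser", "2021-05-01T12:00:00Z"),
]
# Constructed new activity: one known call, two roles stepping outside their baseline.
INCOMING = [
    make_record(WEB, "s3.amazonaws.com", "GetObject", "2021-05-10T09:00:00Z"),
    make_record(WEB, "iam.amazonaws.com", "CreateUser", "2021-05-10T09:00:05Z"),
    make_record(WEB, "iam.amazonaws.com", "CreateUser", "2021-05-10T09:00:06Z"),
    make_record(CI, "ec2.amazonaws.com", "RunInstances", "2021-05-10T09:01:00Z"),
    make_record(ALICE, "iam.amazonaws.com", "CreateUser", "2021-05-10T09:02:00Z"),
]


def run_demo() -> List[dict]:
    baseline = RoleBaseline()
    baseline.learn(HISTORY)
    return baseline.evaluate(INCOMING)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['time']}  role={a['role']}  new action {a['source']}:{a['event']}  ({a['arn']})")
```

Two caveats follow from the design. The warm-up window must itself be clean, or a compromise that happened during it becomes part of the baseline; and a web role calling `iam:CreateUser` is flagged only because the role never did so before, so the baseline has to be re-learned when an application legitimately gains new permissions.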
In this monster episode of AWS TechChat, Shane and Tom (yes, he is back) come at you with a raft of short, sharp and important updates that occurred in July 2019. They started the show with two Amazon CloudWatch updates: Amazon CloudWatch Anomaly Detection, which applies machine learning to continuously analyze specific CloudWatch metrics, determine a normal baseline, and surface anomalies, all without user intervention; and Amazon CloudWatch Container Insights, which, as the sticker says, is a fully managed service to help monitor and troubleshoot containers. Neither of these additions is GA yet, but get your hands dirty and have a play. They then pivoted to a new service, Amazon EventBridge, a serverless event bus that routes real-time data streams from your applications and services to targets like AWS Lambda. EventBridge facilitates event-driven application development by simplifying the process of ingesting and delivering events across your application architecture, and by providing built-in security and error handling. What's more, there are built-in integrations from the likes of Zendesk, PagerDuty, and more. On the Amazon Relational Database Service (RDS) front, we spoke of four updates: 1. Amazon RDS for Oracle supports Oracle Application Express (APEX) version 19.1. 2. Amazon Aurora PostgreSQL Serverless has gone GA. 3. Amazon RDS for PostgreSQL supports new minor versions. 4. Amazon RDS introduces compatibility checks for upgrades from MySQL 5.7 to MySQL 8.0. Another new feature, Amazon EC2 Instance Connect, introduces the ability to control Secure Shell (SSH) access to your instances using AWS Identity and Access Management (IAM) policies, with AWS CloudTrail events giving you a centralized way to audit your SSH connections. Finally, Tom snuck in some last-minute updates around Amazon AppStream 2.0 and Amazon WorkSpaces.
Amazon AppStream 2.0 added support for Windows Server 2016 and Windows Server 2019 base images, and Amazon WorkSpaces now lets you copy your WorkSpaces images across AWS Regions.
Speakers: Shane Baldacchino - Solutions Architect, ANZ, AWS; Tom McMeekin - Solutions Architect, AWS
Resources:
Amazon CloudWatch https://aws.amazon.com/cloudwatch/
Amazon CloudWatch Anomaly Detection https://aws.amazon.com/about-aws/whats-new/2019/07/introducing-amazon-cloudwatch-anomaly-detection-now-in-preview/
Amazon CloudWatch Container Insights https://aws.amazon.com/about-aws/whats-new/2019/05/cloudwatch-container-insights-for-eks-and-kubernetes-preview/
Amazon EventBridge https://aws.amazon.com/eventbridge/
Amazon RDS for Oracle Supports Oracle Application Express (APEX) Version 19.1 https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-rds-oracle-supports-oracle-application-express-version-191/
Amazon Aurora with PostgreSQL Compatibility Supports Serverless https://aws.amazon.com/about-aws/whats-new/2019/07/amazon-aurora-with-postgresql-compatibility-supports-serverless/
Amazon RDS for PostgreSQL supports new minor versions https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-rds-postgresql-supports-minor-version-112/
Amazon RDS introduces Compatibility Checks https://aws.amazon.com/about-aws/whats-new/2019/07/amazon_rds_introduces_compatibility_checks/
Introducing Amazon EC2 Instance Connect https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/
AWS Identity and Access Management (IAM) https://aws.amazon.com/iam/
AWS CloudTrail https://aws.amazon.com/cloudtrail/
Amazon AppStream 2.0 adds support for Windows Server 2016 and Windows Server 2019 https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-appstream-20-adds-support-for-windows-server-2016-and-windows-server-2019/
Amazon WorkSpaces now supports copying Images across AWS Regions
https://aws.amazon.com/about-aws/whats-new/2019/06/amazon_workspaces_now_supports_copying_images_across_aws_regions/
Simon guides you through lots of new features, services and capabilities that you can take advantage of. Including the new AWS Backup service, more powerful GPU capabilities, new SLAs and much, much more! Chapters: Service Level Agreements 0:17 Storage 0:57 Media Services 5:08 Developer Tools 6:17 Analytics 9:54 AI/ML 12:07 Database 14:47 Networking & Content Delivery 17:32 Compute 19:02 Solutions 21:57 Business Applications 23:38 AWS Cost Management 25:07 Migration & Transfer 25:39 Application Integration 26:07 Management & Governance 26:32 End User Computing 29:22 Links: Topic || Service Level Agreements 0:17 Amazon Kinesis Data Firehose Announces 99.9% Service Level Agreement | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-kinesis-data-firehose-announces-99-9-service-level-agreement/ Amazon Kinesis Data Streams Announces 99.9% Service Level Agreement | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-kinesis-data-streams-announces-99-9-service-level-agreement/ Amazon Kinesis Video Streams Announces 99.9% Service Level Agreement | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-kinesis-video-streams-announces-99-9-service-level-agreement/ Amazon EKS Announces 99.9% Service Level Agreement | https://aws.amazon.com/about-aws/whats-new/2019/01/-amazon-eks-announces-99-9--service-level-agreement-/ Amazon ECR Announces 99.9% Service Level Agreement | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-ecr-announces-99-9--service-level-agreement/ Amazon Cognito Announces 99.9% Service Level Agreement | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-cognito-announces-99-9-service-level-agreement/ AWS Step Functions Announces 99.9% Service Level Agreement | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-step-functions-announces-service-level-agreement/ AWS Secrets Manager Announces Service Level Agreement | https://aws.amazon.com/about-aws/whats-new/2019/01/AWS-Secrets-Manager-announces-service-level-agreement/ 
Amazon MQ Announces 99.9% Service Level Agreement | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-mq-announces-service-level-agreement/ Topic || Storage 0:57 Introducing AWS Backup | https://aws.amazon.com/about-aws/whats-new/2019/01/introducing-aws-backup/ Introducing Amazon Elastic File System Integration with AWS Backup | https://aws.amazon.com/about-aws/whats-new/2019/01/introducing-amazon-elastic-file-system-integration-with-aws-backup/ AWS Storage Gateway Integrates with AWS Backup - Amazon Web Services | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-storage-gateway-integrates-with-aws-backup-to-protect-volume/ AWS Backup Integrates with Amazon DynamoDB for Centralized and Automated Backup Management | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-backup-integrates-with-amazon-DynamoDB-for-centralized-and-automated-backup-management/ Amazon EBS Integrates with AWS Backup to Protect Your Volumes | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-ebs-integrates-with-aws-backup-to-protect-your-volumes/ AWS Storage Gateway Volume Detach & Attach - Amazon Web Services | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-storage-gateway-introduces-volume-detach-and-attach-feature-/ AWS Storage Gateway - Tape Gateway Performance | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-storage-gateway-announces-increased-throughput-performance-for-tape-gateway/ Amazon FSx for Lustre Offers New Options and Faster Speeds for Working with S3 Data | https://aws.amazon.com/about-aws/whats-new/2019/02/amazon-fsx-for-lustre-offers-new-options-and-faster-speeds/ Topic || Media Services 5:08 AWS Elemental MediaConvert Adds IMF Input and Enhances Caption Burn-In Support | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-elemental-mediaconvert-adds-imf-input-enhances-caption-burn-in-support/ AWS Elemental MediaLive Adds Support for AWS CloudTrail | 
https://aws.amazon.com/about-aws/whats-new/2019/01/aws-elemental-medialive-adds-support-for-aws-cloudtrail/ AWS Elemental MediaLive Now Supports Resource Tagging | https://aws.amazon.com/about-aws/whats-new/2019/02/aws-elemental-medialive-now-supports-resource-tagging/ AWS Elemental MediaLive Adds I-Frame-Only HLS Manifests and JPEG Outputs | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-elemental-medialive-add-i-frame-only-hls-manifest-and-jpeg-outputs/ Topic || Developer Tools 6:17 Amazon Corretto is Now Generally Available | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-corretto-is-now-generally-available/ AWS CodePipeline Now Supports Deploying to Amazon S3 | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-codepipeline-now-supports-deploying-to-amazon-s3/ AWS Cloud9 Supports AWS CloudTrail Logging | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-cloud9-supports-aws-cloudtrail-logging/ AWS CodeBuild Now Supports Accessing Images from Private Docker Registry | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-codebuild-now-supports-accessing-images-from-private-docker-registry/ Develop and Test AWS Step Functions Workflows Locally | https://aws.amazon.com/about-aws/whats-new/2019/02/develop-and-test-aws-step-functions-workflows-locally/ AWS X-Ray SDK for .NET Core is Now Generally Available | https://aws.amazon.com/about-aws/whats-new/2019/02/aws-x-ray-net-core-sdk-generally-available/ Topic || Analytics 9:54 Amazon Elasticsearch Service doubles maximum cluster capacity with 200 node cluster support | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-elasticsearch-service-doubles-maximum-cluster-capacity-with-200-node-cluster-support/ Amazon Elasticsearch Service announces support for Elasticsearch 6.4 | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-elasticsearch-service-announces-support-for-elasticsearch-6-4/ Amazon Elasticsearch Service now supports three Availability Zone deployments | 
https://aws.amazon.com/about-aws/whats-new/2019/02/amazon-elasticsearch-service-now-supports-three-availability-zone-deployments/ Now bring your own KDC and enable Kerberos authentication in Amazon EMR | https://aws.amazon.com/about-aws/whats-new/2019/01/now_bring_your_own_kdc_and_enable_kerberos_authentication_in_amazon_emr/ Source code for the AWS Glue Data Catalog client for Apache Hive Metastore is now available for download | https://aws.amazon.com/about-aws/whats-new/2019/02/source-code-for-the-aws-glue-data-catalog-client-for-apache-hive-metatore-is-now-available-for-download/ Topic || AI/ML 12:07 Amazon Comprehend is now Integrated with AWS CloudTrail | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-comprehend-is-now-integrated-with-aws-cloudtrail/ Object Bounding Boxes and More Accurate Object and Scene Detection are now Available for Amazon Rekognition Video | https://aws.amazon.com/about-aws/whats-new/2019/01/object-bounding-boxes-and-more-accurate-object-and-scene-detection-are-now-available-for-amazon-rekognition-video/ Amazon Elastic Inference Now Supports TensorFlow 1.12 with a New Python API | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-elastic-inference-supports-tensorflow-1-12-with-a-python-api/ New in AWS Deep Learning AMIs: Updated Elastic Inference for TensorFlow, TensorBoard 1.12.1, and MMS 1.0.1 | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-deep-learning-amis-now-support-elastic-inference-for-tensorflow-tensorboard1-12-1-mms101/ Amazon SageMaker Batch Transform Now Supports TFRecord Format | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-sagemaker-batch-transform-now-supports-tfrecord-format/ Amazon Transcribe Now Supports US Spanish Speech-to-Text in Real Time | https://aws.amazon.com/about-aws/whats-new/2019/02/amazon-transcribe-now-supports-us-spanish-speech-to-text-in-real-time/ Topic || Database 14:47 Amazon Redshift now runs ANALYZE automatically | 
https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-redshift-auto-analyze/ Introducing Python Shell Jobs in AWS Glue | https://aws.amazon.com/about-aws/whats-new/2019/01/introducing-python-shell-jobs-in-aws-glue/ Amazon RDS for PostgreSQL Now Supports T3 Instance Types | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-rds-postgresql-now-supports-t3-instance-types/ Amazon RDS for Oracle Now Supports T3 Instance Types | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-rds-for-oracle-now-supports-t3-instance-types/ Amazon RDS for Oracle Now Supports SQLT Diagnostics Tool Version 12.2.180725 | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-rds-oracle-now-supports-sqlt-diagnostics-tool-122180725/ Amazon RDS for Oracle Now Supports January 2019 Oracle Patch Set Updates (PSU) and Release Updates (RU) | https://aws.amazon.com/about-aws/whats-new/2019/02/amazon-rds-oracle-supports-jan-2019-oracle-psu/ Amazon DynamoDB Local Adds Support for Transactional APIs, On-Demand Capacity Mode, and 20 GSIs | https://aws.amazon.com/about-aws/whats-new/2019/02/amazon-dynamodb-local-adds-support-for-transactional-apis-on-demand-capacity-mode-and-20-gsis/ Topic || Networking & Content Delivery 17:32 Network Load Balancer Now Supports TLS Termination | https://aws.amazon.com/about-aws/whats-new/2019/01/network-load-balancer-now-supports-tls-termination/ Amazon CloudFront announces six new Edge locations across United States and France | https://aws.amazon.com/about-aws/whats-new/2019/02/cloudfront-feb2019-6locations/ AWS Site-to-Site VPN Now Supports IKEv2 | https://aws.amazon.com/about-aws/whats-new/2019/02/aws-site-to-site-vpn-now-supports-ikev2/ VPC Route Tables Support up to 1,000 Static Routes | https://forums.aws.amazon.com/ann.jspa?annID=6554 Topic || Compute 19:02 Announcing a 25% price reduction for Amazon EC2 X1 Instances in the Asia Pacific (Mumbai) AWS Region | 
https://aws.amazon.com/about-aws/whats-new/2019/02/announcing-a-25-percent-price-reduction-for-amazon-ec2-x1-instances-in-the-asia-pacific-mumbai-aws-region/ Amazon EKS Achieves ISO and PCI Compliance | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-eks-achieves-iso-and-pci-compliance/ AWS Fargate Now Has Support For AWS PrivateLink | https://aws.amazon.com/about-aws/whats-new/2019/02/aws-fargate-now-has-support-for-aws-privatelink/ AWS Elastic Beanstalk Adds Support for Ruby 2.6 | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-elastic-beanstalk-adds-support-for-ruby-26/ AWS Elastic Beanstalk Adds Support for .NET Core 2.2 | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-elastic-beanstalk-adds-support-for-net-core-22/ Amazon ECS and Amazon ECR now have support for AWS PrivateLink | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-fargate--amazon-ecs--and-amazon-ecr-now-have-support-for-aws/ GPU Support for Amazon ECS now Available | https://aws.amazon.com/about-aws/whats-new/2019/02/gpu-support-for-amazon-ecs-now-available/ AWS Batch now supports Amazon EC2 A1 Instances and EC2 G3s Instances | https://aws.amazon.com/about-aws/whats-new/2019/02/aws-batch-now-supports-amazon-ec2-a1-instances-and-ec2-g3s-insta/ Topic || Solutions 21:57 Deploy Micro Focus Enterprise Server on AWS with New Quick Start | https://aws.amazon.com/about-aws/whats-new/2019/01/deploy-micro-focus-enterprise-server-on-aws-with-new-quick-start/ AWS Public Datasets Now Available from UK Meteorological Office, Queensland Government, University of Pennsylvania, Buildzero, and Others | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-public-datasets-now-available/ Quick Start Update: Active Directory Domain Services on the AWS Cloud | https://aws.amazon.com/about-aws/whats-new/2019/02/quick-start-update-active-directory-domain-services-on-aws/ Introducing the Media2Cloud solution | 
https://aws.amazon.com/about-aws/whats-new/2019/01/introducing-the-media2cloud-solution/ Topic || Business Applications 23:38 Alexa for Business now offers IT admins simplified workflow to setup shared devices | https://aws.amazon.com/about-aws/whats-new/2019/01/alexa-for-business-now-offers-it-admins-simplified-workflow-to-s/ Topic || AWS Cost Management 25:07 Introducing Normalized Units Information for Amazon EC2 Reservations in AWS Cost Explorer | https://aws.amazon.com/about-aws/whats-new/2019/02/normalized-units-information-for-amazon-ec2-reservations-in-aws-cost-explorer/ Topic || Migration & Transfer 25:39 AWS Migration Hub Now Supports Importing On-Premises Server and Application Data to Track Migration Progress | https://aws.amazon.com/about-aws/whats-new/2019/01/AWSMigrationHubImport/ Topic || Application Integration 26:07 Amazon SNS Message Filtering Adds Support for Multiple String Values in Blacklist Matching | https://aws.amazon.com/about-aws/whats-new/2019/02/amazon-sns-message-filtering-adds-support-for-multiple-string-values-in-blacklist-matching/ Topic || Management & Governance 26:32 AWS Trusted Advisor Expands Functionality With New Best Practice Checks | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-trusted-advisor-expands-functionality/ AWS Systems Manager State Manager Now Supports Management of In-Guest and Instance-Level Configuration | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-systems-manager-state-manager-now-supports-management-of-in-guest-and-instance-level-configuration/ AWS Config Increases Default Limits for AWS Config Rules | https://aws.amazon.com/about-aws/whats-new/2019/01/aws-config-increases-default-limits-for-aws-config-rules/ Introducing AWS CloudFormation UpdateReplacePolicy Attribute | https://aws.amazon.com/about-aws/whats-new/2019/01/introducing-aws-cloudformation-updatereplacepolicy-attribute/ Automate WebSocket API Creation in Amazon API Gateway Using AWS CloudFormation | 
https://aws.amazon.com/about-aws/whats-new/2019/02/automate-websocket-api-creation-in-api-gateway-with-cloudformation/ AWS OpsWorks for Chef Automate and AWS OpsWorks for Puppet Enterprise Now Support AWS CloudFormation | https://aws.amazon.com/about-aws/whats-new/2019/02/aws-opsworks-for-chef-automate-and-aws-opsworks-for-puppet-enter/ Find And Update Access Keys, Password, And MFA Settings Easily Using The AWS Management Console | https://aws.amazon.com/about-aws/whats-new/2019/01/my-security-credentials/ Amazon CloudWatch Agent Adds Support for Procstat Plugin and Multiple Configuration Files | https://aws.amazon.com/about-aws/whats-new/2019/01/amazon-cloudwatch-agent-adds-support-for-procstat-plugin-and-multiple-configuration-files/ Improve Security Of Your AWS SSO Users Signing In To The User Portal By Using Email-based Verification | https://aws.amazon.com/about-aws/whats-new/2019/01/email-based-verification-for-sso/ Topic || End User Computing 29:22 Introducing Amazon WorkLink | https://aws.amazon.com/about-aws/whats-new/2019/01/introducing-amazon-worklink/ AppStream 2.0 enables custom scripts before session start and after session termination | https://aws.amazon.com/about-aws/whats-new/2019/02/appstream-2-0-enables-custom-scripts-before-session-start-and-af/
In this session, learn how LogMeIn moves quickly and stays secure through the power of automation on AWS. We walk through core AWS security building blocks, such as IAM, AWS CloudTrail, AWS Config, and Amazon CloudWatch. We dive deep into LogMeIn's approach for empowering developers on AWS while also meeting required security controls.
Enabling AWS CloudTrail for auditing purposes is often a corporate mandate, but do you know how to use CloudTrail events to improve your security and operational posture? Come learn how CloudTrail can help improve your operational monitoring and troubleshooting, security analysis, and compliance auditing processes. Discover best practices for setting up and using CloudTrail; explore use cases for data mining CloudTrail event data; learn how to set up alerts based on activity in your account; and learn about advanced use cases. Also learn how to implement data plane governance automation using data events from Amazon S3 and AWS Lambda. Complete Title: AWS re:Invent 2018: [REPEAT 1] Augmenting Security Posture & Improving Operational Health with AWS CloudTrail (SEC323-R1)
It is update time! Simon shares a great selection of new things for customers - what will be your favourite? Shownotes: Amazon Polly Gives WordPress a Voice! - AWS Machine Learning Blog | https://aws.amazon.com/blogs/machine-learning/amazon-polly-gives-wordpress-a-voice/ Amazon Polly New Phonation Tag Enables You to Create Softer Speech | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-polly-new-phonation-tag-enables-you-to-create-softer-speech/ Amazon Connect Adds Speech Synthesis Markup Language Support for Amazon Lex Chatbots | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-connect-adds-speech-synthesis-markup-language-support-for-amazon-lex-chatbots/ Announcing Responses Capability in Amazon Lex and SSML Support in Text Response | https://aws.amazon.com/about-aws/whats-new/2018/02/announcing-responses-capability-in-amazon-lex-and-ssml-support-in-text-response/ Now Export and Import your Amazon Lex Chatbot Schema | https://aws.amazon.com/about-aws/whats-new/2018/02/now-export-and-import-your-amazon-lex-chatbot-schema/ Amazon DynamoDB Now Supports Server-Side Encryption at Rest | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-dynamodb-now-supports-server-side-encryption-at-rest/ Amazon DynamoDB Accelerator (DAX) Releases SDKs for Python and .NET, Support for T2 Instances, and now available in the Asia Pacific (Singapore) and Asia Pacific (Sydney) Regions | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-dynamodb-accelerator-dax-releases-sdks-for-python-and-dot-net-support-for-t2-instances-and-now-available-in-the-asia-pacific-singapore-and-asia-pacific-sydney-regions/ Amazon Cognito Simplifies User Migration | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-cognito-simplifies-user-migration/ Amazon ECS Adds New Endpoint to Access Task Metrics and Metadata | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-ecs-adds-new-endpoint-to-access-task-metrics-and-metadata/ AWS Fargate Supports Container Workloads 
Regulated By ISO, PCI, SOC, and HIPAA | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-fargate-supports-container-workloads-regulated-by-iso-pci-soc-and-hipaa/ Target Tracking Available for Container Service Auto Scaling in Amazon ECS Console | https://aws.amazon.com/about-aws/whats-new/2018/02/target-tracking-available-for-container-service-auto-scaling-in-amazon-ecs-console/ AWS Shield now Integrated with AWS CloudTrail | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-shield-now-integrated-with-aws-cloudtrail/ Amazon GameLift Introduces Backfill Functionality to FlexMatch, the Dynamic Matchmaking Service for Multiplayer Experiences | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-gamelift-introduces-backfill-functionality-to-flexmatch-the-dynamic-matchmaking-service-for-multiplayer-experiences/ Amazon GameLift FleetIQ and Spot Instances Reduce Costs by up to 90% | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-gamelift-fleetiq-and-spot-instances-reduce-costs-by-up-to-90-percent/ New AWS Direct Connect sites land in Paris and Taipei | https://aws.amazon.com/about-aws/whats-new/2018/02/new-aws-direct-connect-sites-land-in-paris-and-taipei/ Inter-Region VPC Peering is Now Available in Nine Additional AWS Regions | https://aws.amazon.com/about-aws/whats-new/2018/02/inter-region-vpc-peering-is-now-available-in-nine-additional-aws-regions/ Longer Format Resource IDs are Now Available in Amazon EC2 | https://aws.amazon.com/about-aws/whats-new/2018/02/longer-format-resource-ids-are-now-available-in-amazon-ec2/ AWS AppSync Adds new GraphQL Functionality and Removes Whitelist Approvals from Preview | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-appsync-adds-new-graphql-functionality-and-removes-whitelist-approvals-from-preview/ AWS AppSync Expands to Three New Regions, Adds API Key Extension Feature | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-appsync-expands-to-three-new-regions-adds-api-key-extension-feature/ 
AWS Config Adds Support for AWS WAF RuleGroups | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-config-adds-support-for-aws-waf-rulegroups/ New Products for Managed Rules on AWS WAF | https://aws.amazon.com/about-aws/whats-new/2018/02/new-products-for-managed-rules-on-aws-waf/ Amazon Inspector Now Supports Windows Server 2016 | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-inspector-now-supports-windows-server-2016/ AWS Trusted Advisor's S3 Bucket Permissions Check Is Now Free | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-trusted-advisors-s3-bucket-permissions-check-is-now-free/ Amazon EC2 Auto Scaling Adds Support for Service-Linked Roles | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-ec2-auto-scaling-adds-support-for-service-linked-roles/ Network Load Balancer now Supports Cross-Zone Load Balancing | https://aws.amazon.com/about-aws/whats-new/2018/02/network-load-balancer-now-supports-cross-zone-load-balancing/ Auto Scaling in Amazon SageMaker is now Available | https://aws.amazon.com/about-aws/whats-new/2018/02/auto-scaling-in-amazon-sagemaker-is-now-available/ AWS DeepLens Announces the Ability to Directly Import Models from Amazon SageMaker | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-deeplens-announces-the-ability-to-directly-import-models-from-amazon-sagemaker/ Introducing the Real-Time Insights on AWS Account Activity | https://aws.amazon.com/about-aws/whats-new/2018/02/introducing-the-real-time-insights-on-aws-account-activity/ AWS Serverless Application Repository Now Generally Available | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-serverless-application-repository-now-generally-available/ Amazon AppStream 2.0 Now Supports Copying Images Across AWS Regions | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-appstream-2_0-now-supports-copying-images-across-aws-regions/ Amazon CloudWatch Events now Supports AWS Batch as an Event Target | 
https://aws.amazon.com/about-aws/whats-new/2018/03/amazon-cloudwatch-events-now-supports-aws-batch-as-an-event-target/ AWS Service Catalog Announces AutoTags for Automatic Tagging of Provisioned Resources | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-service-catalog-announces-autotags-for-automatic-tagging-of-provisioned-resources/ AWS Service Catalog Launches Brand Your Console to Deliver a Customizable User Experience | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-service-catalog-launches-brand-your-console-to-deliver-a-customizable-user-experience/ AWS Storage Gateway Expands Automation with New CloudWatch Event, and Support for "Requester Pays" Buckets | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-storage-gateway-expands-automation-with-new-cloudwatch-event-and-support-for-requester-pays-buckets/ Amazon Redshift Spectrum Now Supports Scalar JSON and Ion Data Types | https://aws.amazon.com/about-aws/whats-new/2018/03/amazon-redshift-spectrum-now-supports-scalar-json-and-ion-data-types/ PostgreSQL 10 now Supported in Amazon RDS | https://aws.amazon.com/about-aws/whats-new/2018/02/postgresql-10-now-supported-in-amazon-rds/ AWS GovCloud (US) Region Adds Third Availability Zone | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-govcloud-us-region-adds-third-availability-zone/ AWS Snowball Now Available in AWS Singapore Region | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-snowball-now-available-in-aws-singapore-region/
Adversaries automate. Who says the good guys can't as well? By combining AWS offerings like AWS CloudTrail, Amazon CloudWatch, AWS Config, and AWS Lambda with the power of Amazon Alexa, you can do more security tasks faster, with fewer resources. Force multiplying your security team is all about automation! Last year, we showed off penetration testing at the push of an (AWS IoT) button, and surprise-previewed how to ask Alexa to run Inspector as needed. Want to see other ways to ask Alexa to be your cloud security sidekick? We have crazy new demos at the ready to show security geeks how to sling security automation solutions for their AWS environments (and impress and help your boss, too).
How do you get your security and compliance team to embrace the cloud? "Getting to Yes" with Vanguard's Security, Legal, and Compliance Teams was a key factor to the organization's journey to the cloud. Maintaining a high level of assurance is solvable when using an iterative, agile approach. Vanguard is taking existing on-premises controls, plus cloud frameworks such as NIST, CSA, etc., to develop the right set of cloud controls that provide maximum security without sacrificing business agility. In this session, we cover: Vanguard's approach to developing appropriate controls for its cloud deployments; key considerations and best practices when implementing controls; leveraging the AWS Cloud Adoption Framework and the four security perspectives to map controls appropriately; and the various AWS services (IAM, Amazon VPC, AWS KMS, and AWS CloudTrail) that we leveraged. We also cover the iterative and agile approach we are taking by embracing DevSecOps principles.
Expedia uses Amazon Elasticsearch Service (Amazon ES) for a variety of mission-critical use cases, ranging from log aggregation to application monitoring and pricing optimization. In this session, the Expedia team reviews how they use Amazon ES and Kibana to analyze and visualize Docker startup logs, AWS CloudTrail data, and application metrics. They share best practices for architecting a scalable, secure log analytics solution using Amazon ES, so you can add new data sources almost effortlessly and get insights quickly.
Agility is the cornerstone of the DevOps movement. Developers are working to continuously integrate and deploy (CI/CD) code to the cloud, to ensure applications are seamlessly updated and current. But what about security? Security best practices and compliance are now the responsibility of everyone in the development lifecycle, and continuous security is a critical component of the ongoing deployment process. Discover how to incorporate security best practices into your current DevOps operations, gain visibility into compliance posture, and identify potential risks and threats in your AWS environment. We demonstrate how to leverage the CIS AWS Foundations Benchmark within Sumo to trigger alerts from your AWS CloudTrail and Amazon CloudWatch logs when risks or violations occur, such as unauthorized API calls, IAM policy changes, AWS Config configuration changes, and many more. Session sponsored by Sumo Logic
As organizations move their workloads to the cloud, companies must take steps to protect and audit their private and confidential information. This session focuses on Amazon S3 best practices and using AWS CloudTrail Data Events to help better protect data residing within Amazon S3. The session includes a demonstration to show how CloudTrail, in combination with other AWS services, can help with Amazon S3 governance and compliance requirements.
AWS enables companies to build innovative cloud applications combining technologies like Alexa, AWS IoT, and AWS Lambda with enterprise-scale, microservice backends. After these applications move into production, there are teams responsible for monitoring all components and providing insights needed to optimize the customer experience. In this session, we share an easy-to-apply framework to build all components successfully to get the answers needed to run and improve every application, no matter how complicated. First, we lay the foundation with powerful tools in the AWS ecosystem like Amazon CloudWatch, AWS CloudTrail, and AWS X-Ray. Then, we complement these insights with approaches for monitoring frontend web and mobile performance and behavior, eventually extending into IoT devices. Finally, we show how to derive actionable insights from all the gathered data and integrate it into enterprise-grade monitoring platforms. Session sponsored by Dynatrace
In this episode Simon gets you caught up on some useful new services, including those to help you with ETL, migration and data leakage protection! Shownotes: AWS Glue: https://aws.amazon.com/blogs/aws/launch-aws-glue-now-generally-available/ AWS CloudHSM: https://aws.amazon.com/blogs/aws/aws-cloudhsm-update-cost-effective-hardware-key-management/ Amazon Macie: https://aws.amazon.com/blogs/aws/launch-amazon-macie-securing-your-s3-buckets/ AWS IAM Console: https://aws.amazon.com/about-aws/whats-new/2017/07/the-aws-iam-console-now-remembers-your-preferences-for-table-column-selections-and-policy-viewing-and-editing/ AWS Migration Hub: https://aws.amazon.com/blogs/aws/aws-migration-hub-plan-track-enterprise-application-migration/ Amazon EFS Encryption at Rest: https://aws.amazon.com/blogs/aws/new-encryption-at-rest-for-amazon-elastic-file-system-efs/ AWS Batch and CloudFormation: https://aws.amazon.com/about-aws/whats-new/2017/08/aws-batch-adds-support-for-aws-cloudformation/ AWS SAM Local: https://aws.amazon.com/blogs/aws/new-aws-sam-local-beta-build-and-test-serverless-applications-locally/ EC2 Systems Manager Maintenance Windows: https://aws.amazon.com/blogs/mt/maintenance-windows-support-for-new-task-types-using-amazon-ec2-systems-manager/ AWS CloudTrail in Amazon Lex: https://aws.amazon.com/about-aws/whats-new/2017/08/aws-cloudtrail-integration-is-now-available-in-amazon-lex/
In this episode Simon discusses the importance of re-visiting Services to ensure you reduce the amount of undifferentiated heavy lifting you have in your architecture. Then he covers a raft of updates big and small. Shownotes: AWS and Ionic: https://aws.amazon.com/about-aws/whats-new/2017/05/mobile-web-and-hybrid-application-with-exported-mobile-hub-project-for-deploying-apps-and-mobile-backend/ Amazon QuickSight updates: https://aws.amazon.com/blogs/big-data/visualize-big-data-with-amazon-quicksight-presto-and-apache-spark-on-amazon-emr/ AWS Schema Conversion Tool updates: https://aws.amazon.com/about-aws/whats-new/2017/05/aws-schema-conversion-tool-exports-from-sql-server-to-amazon-redshift/ AWS CloudFormation support for AWS WAF on ALB: https://aws.amazon.com/about-aws/whats-new/2017/05/cloudformation-support-for-aws-waf-on-alb/ AWS CloudTrail with S3 Data Events: https://aws.amazon.com/about-aws/whats-new/2017/05/aws-cloudtrail-adds-data-event-delivery-to-amazon-cloudwatch-logs/ Auto Scaling Resource-Level Permissions: https://aws.amazon.com/about-aws/whats-new/2017/05/introducing-auto-scaling-resource-level-permissions/ AWS CodeDeploy Updates: https://aws.amazon.com/about-aws/whats-new/2017/05/aws-codedeploy-adds-file-handling-support/ New Amazon S3 Console: https://aws.amazon.com/about-aws/whats-new/2017/05/announcing-the-availability-of-the-new-amazon-s3-console/ Amazon Athena adds API/CLI Support: https://aws.amazon.com/about-aws/whats-new/2017/05/amazon-athena-adds-api-cli-aws-sdk-support-and-audit-logging-with-aws-cloudtrail/ AWS X-Ray AWS Lambda Request Tracing GA: https://aws.amazon.com/about-aws/whats-new/2017/05/aws-x-ray-makes-aws-lambda-request-tracing-generally-available/
From announcements to service updates, hosts Dr. Pete and Russ bring you another packed episode of AWS TechChat. In this episode, they take you through the announcement of new edge locations; updates to Amazon QuickSight, AWS CloudTrail, AWS Marketplace, Amazon WorkMail, Amazon EMR, Amazon RDS, AWS Schema Conversion Tool, AWS Organizations, Elastic Load Balancing, AWS Deep Learning, Amazon Simple Queue Service (SQS), Amazon Chime, and AWS Lambda; and introduce AWS and Ionic's Mobile Web and Hybrid Application on GitHub.
Today's health care systems generate massive amounts of protected health information (PHI): patient electronic health records, imaging, prescriptions, genomic profiles, insurance records, even data from wearable devices. In this session, UPMCe dives deep into two efforts: their 'Data Liberation Project', a next-gen petabyte-scale software solution that provides responsible management of PHI within their own environments as well as externally, and "Neutrino", a real-time medical document aggregator which utilizes natural language processing techniques to unlock hidden value from unstructured narratives. UPMC Enterprises (UPMCe), a division of University of Pittsburgh Medical Center, builds technology and invests in health care companies, from new startups to large established partners, with an eye toward revolutionizing healthcare. They embody the startup mentality with a focus on innovation and creating new data-heavy applications, all in support of new spin-off companies, furthering economic development, and disrupting healthcare. Join us to learn how they do security management and governance using Amazon S3, Amazon EC2, AWS Config, AWS CloudTrail, and other AWS services, and how these services help UPMCe think big about healthcare data in the public sector.
With customers migrating workloads to AWS, we are starting to see a need for the creation of a prescribed landing zone, which uses native AWS capabilities and meets or exceeds customers' security and compliance objectives. In this session, we will describe an AWS landing zone and will cover solutions for account structure, user configuration, provisioning, networking and operation automation. This solution is based on AWS native capabilities such as AWS Service Catalog, AWS Identity and Access Management, AWS Config Rules, AWS CloudTrail and AWS Lambda. We will provide an overview of AWS Service Catalog and how it can be used to provide self-service infrastructure to application users, including various options for automation. After this session you will be able to configure an AWS landing zone for successful large-scale application migrations. Additionally, Philips will explain their cloud journey and how they have applied their guiding principles when building their landing zone.
When D2L first moved to the cloud, we were concerned about being locked in to one cloud provider. We were compelled to explore the opportunities of the cloud, so we overcame our perceived risk and turned it into an opportunity by self-rolling tools and avoiding AWS native services. In this session, you learn how D2L tried to bypass the lock but eventually embraced it and opened the cage. Avoiding AWS native tooling and pure lifts of enterprise architecture caused a drastic inflation of costs. Learn how we shifted away from a self-rolled 'lift' into an efficient and effective 'shift' while prioritizing cost, client safety, AND speed of development. Learn from D2L's successes and missteps, and convert your own enterprise systems into the cloud both through native cloud births and enterprise conversions. This session discusses D2L's use of Amazon EC2 (with a guest appearance by Reserved Instances), Elastic Load Balancing, Amazon EBS, Amazon DynamoDB, Amazon S3, AWS CloudFormation, AWS CloudTrail, Amazon CloudFront, AWS Marketplace, Amazon Route 53, AWS Elastic Beanstalk, and Amazon ElastiCache.
AWS CloudTrail, Amazon CloudWatch Events, AWS Identity & Access Management (IAM), Trusted Advisor, AWS Config Rules, other services? In this session, we will help you use existing and recently launched services to automate configuration governance so that security is embedded in the development process. We outline four easy steps (Control, Monitor, Fix, and Audit) and demonstrate how different services can be used to meet your governance needs. We will showcase real-life examples and you can take home a blog post with code examples and the full source code for scripts and tooling that AWS professional services have built using these services.
In this session, we’ll show how customers can use management tools to standardize the creation of AWS resources and then govern these resources through the lifecycle. By using AWS CloudFormation and AWS Service Catalog to provision resources at scale, AWS Config to audit any changes to the configuration of these resources, Amazon CloudWatch to monitor the health of these resources, and AWS CloudTrail to audit who or what made API calls to these resources, customers can automate and scale the administration of their infrastructure on AWS. They can even go one step further and automate compliance checking and remediation by using AWS Config rules and Amazon CloudWatch Events. We will demo how this is possible by looking at some common use cases.
In a rapidly changing IT environment, detecting and responding to new threats is more important than ever. This session shows you how to build a predictive analytics stack on AWS, which harnesses the power of Amazon Machine Learning in conjunction with Amazon Elasticsearch Service, AWS CloudTrail, and VPC Flow Logs to perform tasks such as anomaly detection and log analysis. We also demonstrate how you can use AWS Lambda to act on this information in an automated fashion, such as performing updates to AWS WAF and security groups, leading to an improved security posture and alleviating operational burden on your security teams.
Is your IT environment getting bigger and more complex than your compliance team can handle? Get a peek under the hood of how the AWS Compliance team manages and automates security assurance and compliance in the AWS environment. We'll tell you what we're doing to automate controls, how we match up huge data sets to validate compliance, how we perform game day simulations of entire region outages, and how we manage our ever-present external audits. With each example, we'll give you some ideas on how to use AWS services to manage the security and compliance of your AWS and on-prem environments. In this session, Chad Woolf, Director of Risk and Compliance for AWS, and Sara Duffer, Director of Security Assurance Automation, discuss how the AWS Compliance team uses AWS services like Amazon Inspector, Amazon CloudWatch Logs, AWS CloudTrail, and AWS Config to manage risk, compliance, and audit at the massive scale of the AWS IT environment.
GxP is an acronym that refers to the regulations and guidelines applicable to life sciences organizations that make food and medical products such as drugs, medical devices, and medical software applications. The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions. The term GxP encompasses a broad range of compliance-related activities such as Good Laboratory Practices (GLP), Good Clinical Practices (GCP), Good Manufacturing Practices (GMP), and others, each of which has product-specific requirements that life sciences organizations must implement based on the 1) type of products they make and 2) country in which their products are sold. When life sciences organizations use computerized systems to perform certain GxP activities, they must ensure that the computerized GxP system is developed, validated, and operated appropriately for the intended use of the system. For this session, co-presented with Merck, services such as Amazon EC2, Amazon CloudWatch Logs, AWS CloudTrail, AWS CodeCommit, Amazon Simple Storage Service (S3), and AWS CodePipeline will be discussed with an emphasis on implementing GxP-compliant systems in the AWS Cloud.
This session enables security operators to automate governance and implement use cases addressed by AWS services such as AWS CloudTrail, AWS Config Rules, Amazon CloudWatch Events, and Trusted Advisor. Based on the nature of vulnerabilities, internal processes, compliance regimes, and other priorities, this session discusses which service to use when. We also show how to detect, report, and fix vulnerabilities, or gain more information about attackers. We dive deep into new features and capabilities of relevant services and use an example from an AWS customer, Siemens AG, about how to best automate governance and scale. A prerequisite for this session is knowledge of security and basic software development using Java, Python, or Node.
This session is intended for customers seeking to build out a comprehensive plan around data integrity in the cloud. Information governance, system validation, PHI and PII records come with their own set of regulatory considerations, and by using tools such as AWS CloudFormation, Amazon Virtual Private Cloud, Directory Service, AWS SDKs, RDS, AWS CloudTrail, and Amazon CloudWatch, portions of the governance burden can be lifted, offloaded, or partnered around. The top ten data integrity controls will be considered, including a customer presentation featuring an example of a regulated quality management system. Finally, the addition of the physical import/export tool Snowball to the AWS Business Associate Agreement (BAA) program will be discussed, along with the practical application and security implications of chain of custody.
Objectives - Recognize and implement secure practices for optimum cloud deployment and maintenance - AWS shared responsibility model, AWS administration and security services, AWS CloudTrail - Ingress vs. egress filtering, and which AWS services and features fit - CloudWatch Logs
Security in the cloud is something everyone needs to be considerate of. AWS CloudTrail provides customers with a powerful capability to understand what is happening in their account, and to take action as appropriate.