Episode Summary: AWS Morning Brief for the week of March 11, 2024 with Corey Quinn.
Links:
- Start your Engines! Announcing the 2024 AWS DeepRacer League
- Accelerate no-code ML with a refreshed homepage in Amazon SageMaker Canvas
- AWS re:Post introduces re:Post Live
- How Accenture Accelerates Building a Secure Cloud Foundation Natively on AWS
- Accenture scored itself an S3 bucket negligence award
- Revolutionize Your Business with AWS Generative AI Competency Partners
- Amazon RDS now supports io2 Block Express volumes for mission-critical database workloads
- Free data transfer out to internet when moving out of AWS
- Unlocking Innovation: AWS and Anthropic push the boundaries of generative AI together
- The benefits of running controlled substance databases with AWS
- Introducing the AWS WAF traffic overview dashboard
Welcome to the newest episode of The Cloud Pod podcast! Justin, Ryan and Matthew are your hosts this week as we discuss all the latest news and announcements in the world of the cloud and AI. Do people really love Matt's Azure know-how? Can Google make Bard fit into literally everything they make? What's the latest with Azure AI and their space collaborations? Let's find out!
Titles we almost went with this week:
- Clouds in Space, Fictional Realms of Oracles, Oh My.
- The cloudpod streams lambda to the cloud
A big thanks to this week's sponsor: Foghorn Consulting, which provides top-notch cloud and DevOps engineers to the world's most innovative companies. Initiatives stalled because you have trouble hiring? Foghorn can be burning down your DevOps and Cloud backlogs as soon as next week.
Last week in security news: Gain insights and knowledge at AWS re:Inforce 2023, InvalidClientTokenId, a repository of AWS customer breaches, and more!
Links:
- If you're in New York City proper, I hope to see you tonight at 7PM at Vol de Nuit
- We're hiring an Account Exec to handle media sales for this very podcast. Should you be the person who refers the successful candidate, we'll give you a $3K USD referral fee.
- Nick Frichette has found an undocumented Amplify API and used it to leak AWS Account IDs.
- Friend of the newsletter Chris Farris has started an AWS security consulting practice.
- Gain insights and knowledge at AWS re:Inforce 2023
- How to use Amazon GuardDuty and AWS WAF v2 to automatically block suspicious hosts
- InvalidClientTokenId: The security token included in the request is invalid error
- Someone is curating this repository of AWS customer breaches.
Links:
- Azure messed up a regular expression
- GitHub's blog has a piece on passwordless deployments to the cloud
- LastPass has now admitted that the attackers stole customers' backups and encryption key
- Deploy a dashboard for AWS WAF with minimal effort
- Thinkst's free service now supports credit card tokens.
- precloud is a suite of dynamic tests for infrastructure as code.
On The Cloud Pod this week, Amazon SWF launches a new console experience, Google acquires Mandiant, and Azure Space has some new products coming your way soon. Thank you to our sponsor, Foghorn Consulting, which provides top notch cloud and DevOps engineers to the world's most innovative companies. Initiatives stalled because you're having trouble hiring? Foghorn can be burning down your DevOps and Cloud backlogs as soon as next week.
Episode Highlights
⏰ Amazon SWF just launched a new console experience for building distributed applications.
⏰ The Google acquisition of Mandiant (Mandoogle!) is finished.
⏰ Azure Space announced their next wave of products.
Top Quote
LAC Co., Ltd. (株式会社ラック) announced on September 8 that it will begin offering an "AI Cloud Security Operations Support Service" covering Amazon Web Services (AWS) services such as the Web Application Firewall (WAF).
On The Cloud Pod this week, the team chats cloud region wars to establish the true victor. Plus: AWS Storage Day offers a blockhead badge, all the fun of the Microsoft Dev Box, and Google sends people back to sleep with its Cloud Monitoring snooze alert policy. A big thanks to this week's sponsor, Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. This week's highlights
On The Cloud Pod this week, the team gets skeptical on Prime Day numbers. Plus: AWS re:Inforce brings GuardDuty, Detective and Identity Center updates and announcements; Google Cloud says hola to Mexico with a new Latin American region; and Azure introduces its new cost API for EC and MCA customers. A big thanks to this week's sponsor, Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. This week's highlights
This episode is about AWS Well-Architected and specifically about the Operational Excellence Pillar. Who should be using AWS WAF, from startups to enterprises? What are the biggest challenges when performing an AWS WAF Review? If you're interested in learning more, check out the AWS WAF Website. Are you looking to attend an AWS Summit or maybe AWS re:Invent? More information here!
Well-Architected Framework: https://aws.amazon.com/architecture/well-architected/
OE Pillar: https://docs.aws.amazon.com/wellarchitected/latest/operational-excellence-pillar/welcome.html
Operations Readiness Reviews Whitepaper: https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/operational-readiness-reviews-orrs.html
DevOpsDays: https://devopsdays.org/
DevOps Meetups: https://www.meetup.com/find/?keywords=devops&source=EVENTS
Security is one of the most important tasks for AWS, but the question remains how exactly to protect web applications. In this episode we discussed in detail:
- What are we defending against? And what is the OWASP Top 10
- Protecting the network perimeter using AWS Network Firewall, AWS Firewall Manager and Security Groups
- What is a WAF? How does it work?
- Which WAF rules to choose, and how. At which layer of the OSI model a WAF operates, and which services it can be attached to.
- Where is it better to enable WAF: at the CDN level (CloudFront) or at the ALB level?
- Is it worth protecting static content?
- How often do customers write their own WAF rules? What is a WCU, and how many rules should you apply to your application?
- WAF and captcha: how it works.
- DDoS protection
- A step back: what DoS is, and what a rate limiter has to do with it
- What types of DoS/DDoS attacks exist
- The difference between AWS Shield and AWS Shield Advanced.
- More recommendations on what you can do to protect against DDoS.
Useful links
- AWS WAF
- AWS Shield
- Automatic application layer DDoS mitigation
- re:Invent 2021
If you have questions or topic suggestions, write to me on LinkedIn - https://www.linkedin.com/in/vedmich/ or on Telegram https://t.me/VictorVedmich
Cloud Posse holds public "Office Hours" every Wednesday at 11:30am PST to answer questions on all things related to DevOps, Terraform, Kubernetes, CICD. Basically, it's like an interactive "Lunch & Learn" session where we get together for about an hour and talk shop. These are totally free and just an opportunity to ask us (or our community of experts) any questions you may have.
You can register here: https://cloudposse.com/office-hours
Join the conversation: https://slack.cloudposse.com/
Find out how we can help your company:
https://cloudposse.com/quiz
https://cloudposse.com/accelerate/
Learn more about Cloud Posse:
https://cloudposse.com
https://github.com/cloudposse
https://sweetops.com/
https://newsletter.cloudposse.com
https://podcast.cloudposse.com/
[00:00:00] Intro
[00:01:24] Announcing the general availability of AWS Backup for Amazon S3
https://aws.amazon.com/about-aws/whats-new/2022/02/general-availability-aws-backup-amazon-s3/
[00:03:21] AWS Firewall Manager now supports versioning for AWS WAF managed rule group
https://aws.amazon.com/about-aws/whats-new/2022/02/aws-firewall-manager-waf-rule-group/
[00:04:02] AWS Launches Discourse Forum/Community for QuickSight
https://community.amazonquicksight.com/t/troubleshoot-analysis-titles-and-subtitles-failed-to-load-narrative-editor/1776
[00:05:20] Introducing auto-adjusting budgets
https://aws.amazon.com/about-aws/whats-new/2022/02/auto-adjusting-budgets/
[00:06:31] cloudposse/terraform-aws-s3-bucket adds AWS Provider v4 support
https://github.com/cloudposse/terraform-aws-s3-bucket/releases/tag/0.48.0
[00:07:30] GitHub Opens Advisory Database to contributions
https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/
[00:09:20] Other
[00:10:19] Amazon EKS Release calendar
https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar
[00:11:54] Waxing philosophical: DevOps sometimes feels like building sandcastles
[00:17:49] Why is it a best-practice from a compliance/ops standpoint to put all s3 buckets into their own AWS project?
[00:24:57] Is anyone using AWS SSM Session manager to enable devs to connect to a staging RDS instance, and NOT using ssh keys/connections managed through SSM?
[00:34:23] How do you build the observability model at the app level?
[00:43:47] I'm looking for examples to build a VPC without internet connection without losing connection to ECR, S3 and DynamoDB. Do you have any suggestions?
[00:52:16] Terraform wirenodes https://github.com/jbraswell/terraform-wireguard
[00:55:52] Outro
#officehours,#cloudposse,#sweetops,#devops,#sre,#terraform,#kubernetes,#aws
Support the show (https://cloudposse.com/office-hours/)
[00:00:00] Intro
[00:01:30] Terraform AWS Provider v4.0.0 released (with breaking changes)
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v4.0.0
[00:05:47] Set up Tracing on GitHub Actions Workflows using Datadog
https://docs.datadoghq.com/continuous_integration/setup_pipelines/github/#compatibility
[00:07:32] HTTP/3: Everything you need to know about the next-generation web protocol
https://portswigger.net/daily-swig/http-3-everything-you-need-to-know-about-the-next-generation-web-protocol
[00:09:23] Include diagrams in your Markdown files with Mermaid (With example)
https://github.blog/2022-02-14-include-diagrams-markdown-files-mermaid/
https://github.com/mermaid-js/mermaid#flowchart-docs---live-editor
[00:17:10] Embed SVGs in GitHub Markdown
https://github.blog/changelog/2022-01-21-allow-to-upload-svg-files-to-markdown/
[00:18:38] Amazon Elastic File System Update – Sub-Millisecond Read Latency
https://aws.amazon.com/blogs/aws/amazon-elastic-file-system-update-sub-millisecond-read-latency/
[00:20:09] 1Password for SSH & Git (Beta)
https://developer.1password.com/docs/ssh/
[00:22:08] Observation: The rise of the specialized cloud
[00:26:30] AWS WAF ruleset for credential stuffing
[00:28:19] Has anyone found a tool that can facilitate mass migration of data from one tier of Glacier to the other?
[00:31:14] What are people doing in the wild with respect to pinning for ACM generated certificates?
[00:35:33] What is the recommended way for EKS pods to CRUD on S3 buckets?
[00:37:27] Is there a way to basically do AWS IPAM, but just in TF?
[00:43:07] Has anyone had to deal with uploading and offloading child accounts? I had like over 50 accounts to create on New Relic and I had to manually add these accounts on the UI
[00:46:37] In your centralized logging system (ELK/Loki), how do you deal with a spike of logs that overwhelms your pipeline?
[00:52:26] Giving the infra deploy pipeline full admin in AWS vs fine-grained permissions that seem more secure but troublesome to manage
[00:57:08] Outro
Protect your open source project from supply chain attacks - https://opensource.googleblog.com/2021/10/protect-your-open-source-project-from-supply-chain-attacks.html?m=1
This blog post walks through the quiz questions, answers, and options for prevention, and can serve as a beginner's guide for anyone who wants to protect their open source project from supply chain attacks.
Trojan Source Attacks - https://trojansource.codes/
Some vulnerabilities are invisible - rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic.
An Opinionated Guide on How to Reverse Engineer Software, Part 1 - https://margin.re/media/an-opinionated-guide-on-how-to-reverse-engineer-software-part-1.aspx
"This is an opinionated guide. After 12 years of reverse engineering professionally, I have developed strong beliefs on how to get good at RE."
AppSec Things to Watch in 2022 - https://www.securityjourney.com/post/appsec-things-to-watch-in-2022
It's that time of the year again when everyone under the sun comes up with predictions. We're not fans of predictions, so instead, we give you Security Journey's Application Security Things to Watch in 2022.
AWS WAF's Dangerous Defaults - https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/
Any malicious payload that starts after the 8KB limit in a POST request will completely bypass your WAF unless you've explicitly added a rule to block any POST request greater than 8KB in size. Even the simplest SQL injection, the legendary '1=1', can fly right by.
After a very long delay, our September 2021 episode finally drops. Recorded in early October, Arjen, JM, and Guy discuss how September finally has a fair number of interesting announcements again and of course point out everything that wasn't great as well. As a heads-up, our October and November episodes will be released over the next 2 weeks.
News
Finally in ANZ
- Amazon Textract announces reduced pricing of up to 32% on AnalyzeDocument and DetectDocumentText requests in eight global AWS Regions
- Ability to customize reverse DNS for Elastic IP addresses now available in additional regions for Virtual Private Cloud customers
- Amazon ElastiCache for Redis now supports auto scaling in 17 additional public regions
- In the Works – AWS Region in New Zealand | AWS News Blog
Serverless
- AWS Lambda Functions Powered by AWS Graviton2 Processor – Run Your Functions on Arm and Get Up to 34% Better Price Performance | AWS News Blog
- Cross-account event discovery for Amazon EventBridge schema registry
- AWS Amplify announces command hooks to execute custom scripts when running Amplify CLI commands
Containers
- Amazon Managed Service for Prometheus Is Now Generally Available with Alert Manager and Ruler | AWS News Blog
- Amazon EKS Anywhere – Now Generally Available to Create and Manage Kubernetes Clusters on Premises | AWS News Blog
- Amazon EKS Connector is now in public preview
- AWS RoboMaker now supports container images in simulation
- Amazon ECR adds the ability to replicate individual repositories to other regions and accounts
- Amazon ECR Public adds the ability to launch containers directly to AWS App Runner
EC2 & VPC
Instances
- Amazon EC2 now offers Global View on the console to view all resources across regions together
- New – Amazon EC2 VT1 Instances for Live Multi-stream Video Transcoding | AWS News Blog
- Amazon EC2 T3 instances are now supported on EC2 Dedicated Hosts in multiple AWS Regions
- AWS Compute Optimizer Now Helps Customers Understand Impact of Migrating to Graviton2-based Instances
- AWS Marketplace launches aliases for all single AMI products
- Amazon EC2 Hibernation adds support for Red Hat Enterprise Linux 8, CentOS 8, and Fedora 34
- AWS announces availability of Microsoft Windows Server 2022 images on Amazon EC2
VPC
- IPv6 endpoints are now available for the Amazon EC2 Instance Metadata Service, Amazon Time Sync Service, and Amazon VPC DNS Server
- Amazon Virtual Private Cloud (VPC) customers can now resize their prefix list
- Amazon VPC Routing Enhancements Allow You to Inspect Traffic Between Subnets In a VPC | AWS News Blog
- Amazon VPC Announces New Routing Enhancements to Make It Easy to Deploy Virtual Appliances Between Subnets In a VPC
- Amazon EC2 announces increases for instance network bandwidth
- Application Load Balancer-type Target Group for Network Load Balancer | Networking & Content Delivery
Other
- AWS Elastic Beanstalk supports Dynamic Instance Type Selection
- Amazon EC2 Fleet instant mode now supports targeted Amazon EC2 On-Demand Capacity Reservations
Dev & Ops
Dev
- Amazon Managed Grafana Is Now Generally Available with Many New Features | AWS News Blog
- EC2 Image Builder supports Amazon EventBridge notifications
- Amazon CodeGuru Reviewer adds new inconsistency detectors
- AWS CDK releases v1.117.0 - v1.120.0 with improved support for Amazon Kinesis Firehose, Amazon CloudFront, Amazon Cognito, and more
- AWS CodeBuild now supports a small ARM machine type
- Amazon CodeGuru Reviewer enhances security findings generated by GitHub Action by adding severity fields and CWE tags
- Amazon Corretto 17 is now generally available
- AWS Device Farm announces support for testing web apps on Microsoft Edge browser
Ops
- New for AWS CloudFormation – Quickly Retry Stack Operations from the Point of Failure | AWS News Blog
- AWS Systems Manager enables additional application management capabilities
- AWS Systems Manager Change Calendar now supports third-party calendar imports, giving you a more holistic view of events
- AWS Managed Services (AMS) now offers a catalog of operational offerings with Operations on Demand
- Amazon CloudWatch Application Insights and AWS Systems Manager Application Manager combine to offer an integrated application management experience
- Amazon CloudWatch Application Insights adds account application auto-discovery and new health dashboard
ADOT
- New for AWS Distro for OpenTelemetry – Tracing Support is Now Generally Available | AWS News Blog
- AWS Distro for OpenTelemetry adds support for Amazon ECS in Amazon CloudWatch Container Insights and metrics support for AWS Lambda applications in Amazon Managed Prometheus (Preview)
Security
- ACM Private CA now supports the Online Certificate Status Protocol (OCSP)
- IAM Access Analyzer helps you generate fine-grained policies that specify the required actions for more than 50 services
- Amazon Macie adds support for selecting managed data identifiers
WAF
- AWS Firewall Manager now supports AWS WAF log filtering
- AWS WAF now offers in-line regular expressions
- AWS Firewall Manager now supports AWS WAF rate-based rules
Detective
- Amazon Detective offers Splunk integration
- Amazon Detective supports S3 and DNS finding types, adds finding details
Data Storage & Processing
Opensearch
- Amazon Elasticsearch Service Is Now Amazon OpenSearch Service and Supports OpenSearch 1.0 | AWS News Blog
- OpenSearch Dashboards Notebooks, a new visual reporting feature, now available on Amazon OpenSearch Service (successor to Amazon Elasticsearch Service)
- Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) now supports Data Streams with OpenSearch 1.0 to simplify management of time-series data
- Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) now supports Index Transforms
- Migrating to OpenSearch with CloudFormation – One Cloud Please
Databases
- Amazon Aurora now supports AWS Graviton2-based T4g instances
- Amazon Aurora now supports AWS Graviton2-based X2g instances
- Amazon Aurora Serverless v1 supports configurable autoscaling timeout
- Amazon RDS now supports X2g instances for MySQL, MariaDB, and PostgreSQL databases.
- Amazon RDS now supports T4g instances for MySQL, MariaDB, and PostgreSQL databases.
- Amazon RDS now supports R5b instances for MySQL and PostgreSQL databases
- AQUA is now available for Amazon Redshift RA3.xlplus nodes
- New full-text search non-string indexing capabilities for Amazon Neptune
- Announcing general availability of Amazon RDS for MySQL and Amazon Aurora MySQL databases as new data sources for federated querying
- Amazon Redshift announces the next generation of Amazon Redshift Query Editor
Storage
- New – Amazon EFS Intelligent-Tiering Optimizes Costs for Workloads with Changing Access Patterns | AWS News Blog
- How to Accelerate Performance and Availability of Multi-region Applications with Amazon S3 Multi-Region Access Points | AWS News Blog
- AWS SIGv4 and SIGv4A — shufflesharding.com
- Amazon S3 Intelligent-Tiering – Improved Cost Optimizations for Short-Lived and Small Objects | AWS News Blog
- New – Amazon FSx for NetApp ONTAP | AWS News Blog
- Amazon EBS direct APIs now supports creating 64 TB EBS Snapshots
MSK
- Introducing Amazon MSK Connect – Stream Data to and from Your Apache Kafka Clusters Using Managed Connectors | AWS News Blog
- Amazon MSK now supports running multiple authentication modes and updates to TLS encryption settings
Other
- Now authenticate Amazon EMR Studio users using IAM-based authentication or IAM Federation, in addition to AWS Single Sign-On
- Now auto-terminate idle EMR clusters to lower cost
AI & ML
SageMaker
- Amazon SageMaker Model Registry now supports Inference Pipelines
- Amazon SageMaker now supports M5d, R5, and P3dn instances for SageMaker Studio Notebooks
- Amazon SageMaker now supports inference endpoint testing from SageMaker Studio
- Amazon SageMaker Autopilot now generates additional metrics for classification problems
Other
- Extract custom entities from documents in their native format with Amazon Comprehend
- Amazon Comprehend announces model management and evaluation enhancements
- Optimize your Amazon Forecast model with the accuracy metric of your choice
Other Cool Stuff
- Announcing custom widgets for CloudWatch dashboards
- Amazon CloudWatch request metrics for Amazon S3 Access Points now available
- Amazon CloudWatch Application Insights adds support for Microsoft SQL Server FCI and FSx storage
- Amazon Monitron launches a new ethernet gateway device
- Amazon Pinpoint now supports encrypted SNS topics for inbound SMS
- Amazon Braket introduces verbatim compilation for quantum circuits
- AWS ParallelCluster now supports cluster management through Amazon API Gateway
- Amazon SES now supports emails with a message size of up to 40MB
- AWS announces General Availability of the Amazon GameLift Plug-in and AWS CloudFormation Templates for Unity
- AWS Ground Station announces Licensing Accelerator
- New – Amazon Genomics CLI Is Now Open Source and Generally Available | AWS News Blog
Connect
- Amazon Connect Wisdom is now generally available
- Contact Lens for Amazon Connect adds support for 8 languages
- Amazon Connect Chat now supports passing a customer display name and contact attributes through the chat user interface
- Amazon Connect Customer Profiles adds product purchase history to personalize customer interactions
- Amazon Connect Voice ID is now generally available
- Amazon Connect now offers, in Public Preview, high-volume outbound communications for calls, texts, and emails
IoT
- AWS IoT Device Management announces new fleet monitoring enhancements
- AWS IoT Device Defender announces Audit One-Click
- AWS IoT Device Defender now supports Detect alarm verification states
Sponsors
- CMD Solutions
Silver Sponsors
- Cevo
- Versent
Links:
- The internet is now on fire: https://www.engadget.com/log4shell-vulnerability-log4j-155543990.html
- Blog post: https://blog.cloudflare.com/exploitation-of-cve-2021-44228-before-public-disclosure-and-evolution-of-waf-evasion-patterns/
- Expecting to be down for weeks: https://www.darkreading.com/attacks-breaches/kronos-suffers-ransomware-attack-expects-full-restoration-to-take-weeks-
- Update for the Apache Log4j2 Issue: https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
- Log4Shell Vulnerability Tester at log4shell.huntress.com: https://log4shell.huntress.com/

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: It seems like there is a new security breach every day. Are you confident that an old SSH key or a shared admin account isn't going to come back and bite you? If not, check out Teleport. Teleport is the easiest, most secure way to access all of your infrastructure. The open-source Teleport Access Plane consolidates everything you need for secure access to your Linux and Windows servers—and I assure you there is no third option there. Kubernetes clusters, databases, and internal applications like AWS Management Console, Jenkins, GitLab, Grafana, Jupyter Notebooks, and more. Teleport's unique approach is not only more secure, it also improves developer productivity. To learn more, visit goteleport.com. And no, that's not me telling you to go away; it is, goteleport.com.

Corey: I think I owe the entire internet a massive apology. See, last week I titled the episode, “A Somehow Quiet Security Week.” This is the equivalent of climbing to the top of a mountain peak during a violent thunderstorm, then waving around a long metal rod. While cursing God.

So, long story short, the internet is now on fire due to a vulnerability in the log4j open-source logging library. Effectively, if you can get an arbitrary string into the logs of a system that uses a vulnerable version of the log4j library, it will make outbound network requests. It can potentially run arbitrary code.

The impact is massive and this one's going to be with us for years. WAF is a partial solution, but the only real answer is to patch to an updated version, or change a bunch of config options, or disallow affected systems from making outbound connections. Further, due to how thoroughly embedded in basically everything it is—like S3; more on that in a bit—a whole raft of software you run may very well be using this without your knowledge. This is, to be clear, freaking wild. I am deeply sorry for taunting fate last week. The rest of this issue of course talks entirely about this one enormous concern.

Corey: This episode is sponsored in part by my friends at Cloud Academy. Something special for you folks: if you missed their offer on Black Friday or Cyber Monday or whatever day of the week doing sales it is, good news, they've opened up their Black Friday promotion for a very limited time. Same deal: $100 off a yearly plan, 249 bucks a year for the highest quality cloud and tech skills content. Nobody else is going to get this, and you have to act now because they have assured me this is not going to last for much longer. Go to cloudacademy.com, hit the ‘Start Free Trial' button on the homepage and use the promo code, ‘CLOUD' when checking out. That's C-L-O-U-D. Like loud—what I am—with a C in front of it. They've got a free trial, too, so you'll get seven days to try it out to make sure it really is a good fit. You've got nothing to lose except your ignorance about cloud. My thanks to Cloud Academy once again for sponsoring my ridiculous nonsense.

Cloudflare has a blog post talking about the timeline of what they see as a global observer of exploitation attempts of this nonsense. They're automatically shooting it down for all of their customers and users—to be clear, if you're not paying for a service you are not its customer, you're a marketing expense—and they're doing this as part of the standard service they provide. Meanwhile, AWS's WAF has added the ruleset to its AWSManagedRulesKnownBadInputsRuleSet—all one word—managed rules—wait a minute; they named it that? Oh, AWS. You sad, ridiculous service-naming cloud. But yeah, you have to enable AWS WAF, for which there is effectively no free tier, and configure this rule to get its protection, as I read AWS's original update. I'm sometimes asked why I use Cloudflare as my CDN instead of AWS's offerings. Well, now you know.

Also, Kronos, an HR services firm, won the ransomware timing lottery. They're expecting to be down for weeks, but due to the log4shell—which is what they're calling this exploit: The log4shell problem—absolutely nobody is paying attention to companies that are having ransomware problems or data breaches. Good job, Kronos.

Now, what did AWS have to say? Well, they have an ongoing “Update for the Apache Log4j2 Issue” and they've been updating it as they go. But at the time of this recording, AWS is a Java shop, to my understanding. That means that basically everything internet-facing at AWS—which is, you know, more or less everything they sell—has some risk exposure to this vulnerability. And AWS has moved with a speed that can only be described as astonishing, and mitigated this on their managed services in a timeline I wouldn't have previously believed possible given the scope and scale here. This is the best possible argument to make for using higher-level managed services instead of building your own things on top of EC2. I just hope they're classy enough not to use that as a marketing talking point.

And for the tool of the week, the Log4Shell Vulnerability Tester at log4shell.huntress.com automatically generates a string and then lets you know, when that is exploited by this vulnerability, what systems are connecting to it. Don't misuse it obviously, but it's great for validating whether a certain code path in your environment is vulnerable. And that's what happened last week in AWS Security, and I just want to say again how deeply, deeply sorry I am for taunting fate and making everyone's year suck. I'll talk to you next week, if I live.

Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.
[00:00:00] Intro
[00:01:31] AWS outage =) What's your theory?
https://aws.amazon.com/premiumsupport/technology/pes/
[00:04:00] AWS WAF adds support for CloudWatch Log and logging directly to S3 bucket
https://aws.amazon.com/about-aws/whats-new/2021/12/awf-waf-cloudwatch-log-s3-bucket/
[00:04:30] AWS announces Construct Hub general availability
https://aws.amazon.com/about-aws/whats-new/2021/12/aws-construct-hub-availability/
[00:08:28] Amazon DevOps Guru for RDS Aurora to Detect, Diagnose, and Resolve Issues
https://aws.amazon.com/blogs/aws/new-amazon-devops-guru-for-rds-to-detect-diagnose-and-resolve-amazon-aurora-related-issues-using-ml/
[00:10:48] Summary of re:Invent Announcements and this one, and security announcements
https://acloudguru.com/blog/engineering/aws-reinvent-2021-the-biggest-announcements
https://aws.amazon.com/blogs/aws/top-announcements-of-aws-reinvent-2021/
https://venturebeat.com/2021/12/03/the-top-12-security-announcements-at-aws-reinvent-2021/
[00:17:50] Cloud Posse API Gateway Module and AWS Airflow WIP
https://github.com/cloudposse/terraform-aws-api-gateway
https://github.com/cloudposse/terraform-aws-mwaa
[00:19:27] Service Mesh options?
[00:36:24] AWS AppSync service — gotchas, pitfalls, etc.
[00:39:18] Pain using Terraform to apply helm charts instead of helmfile
[00:46:15] Outro
Cloud Posse holds public "Office Hours" every Wednesday at 11:30am PST to answer questions on all things related to DevOps, Terraform, Kubernetes, CICD. Basically, it's like an interactive "Lunch & Learn" session where we get together for about an hour and talk shop. These are totally free and just an opportunity to ask us (or our community of experts) any questions you may have. You can register here: https://cloudposse.com/office-hours

Join the conversation: https://slack.cloudposse.com/

Find out how we can help your company:
https://cloudposse.com/quiz
https://cloudposse.com/accelerate/

Learn more about Cloud Posse:
https://cloudposse.com
https://github.com/cloudposse
https://sweetops.com/
https://newsletter.cloudposse.com
https://podcast.cloudposse.com/

[00:00:00] Intro
[00:04:00] AWS Proton Adds Terraform for infrastructure provisioning
https://aws.amazon.com/about-aws/whats-new/2021/11/aws-proton-terraform-infrastructure/
[00:05:55] AWS Proton introduces Git management of infrastructure as code templates
https://aws.amazon.com/about-aws/whats-new/2021/11/aws-proton-git-infrastructure-code-templates/
[00:10:43] Amazon Linux 2022
https://aws.amazon.com/linux/amazon-linux-2022/?amazon-linux-whats-new.sort-by=item.additionalFields.postDateTime&amazon-linux-whats-new.sort-order=desc
[00:12:11] Announcing Pull Through Cache Repositories for ECR and terraform provider support coming
https://aws.amazon.com/blogs/aws/announcing-pull-through-cache-repositories-for-amazon-elastic-container-registry/
https://github.com/hashicorp/terraform-provider-aws/issues/21951
[00:17:10] AWS EMR Serverless in preview
https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-emr-serverless-preview/
[00:19:06] AWS Control Tower introduces Terraform account provisioning and customization (with weird modules)
https://aws.amazon.com/about-aws/whats-new/2021/11/aws-control-tower-terraform/
https://github.com/aws-ia/terraform-aws-control_tower_account_factory
[00:23:58] AWS Karpenter v0.5 Now Generally Available
https://aws.amazon.com/about-aws/whats-new/2021/11/aws-karpenter-v0-5/
[00:28:45] AWS WAF adds support for Captcha (e.g. like Cloudflare)
https://aws.amazon.com/about-aws/whats-new/2021/11/aws-waf-captcha-support/
[00:33:45] Has anyone migrated an existing organisation into control tower? How did it go? @Alex Jurkiewicz
[00:34:45] I wanna open a discussion regarding tagging/labeling conventions that are used company wide. And what tags do you guys use? @Sherif Abdel-Naby
[00:48:06] I have some nested providers that I'm moving to the root module. My approach is to replace the nested providers in the state file with the root-level providers, which seems to be working. Any advice, suggestions? @Eric Berg
[00:52:17] Outro

#officehours, #cloudposse, #sweetops, #devops, #sre, #terraform, #kubernetes, #aws
Support the show (https://cloudposse.com/office-hours/)
Links:
Entirely optional for attackers: https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/
Worst Case: https://www.tbray.org/ongoing/When/202x/2021/10/08/The-WOrst-Case
Are looking to change that: https://www.theregister.com/2021/10/11/cyan_zero_day_legislative_project/
Introducing Security at the Edge: https://aws.amazon.com/blogs/security/introducing-the-security-at-the-edge-core-principles-whitepaper/
Password reuse: https://www.hypr.com/password-reuse/

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud observability; it's more than just hipster monitoring.

Corey: I must confess, I didn't expect to see an unpatched AWS vulnerability being fodder for this podcast so early in the security lifespan here, but okay. Yes, yes, before I get letters, it's not a vulnerability as AWS would define it, but it's a pretty crappy default that charges customers money while giving them a false sense of security.

Past that, it's going to be a short podcast this week, and that's just fine by me because the point of it is, “The things you should know as someone who has to care about security.” On slow news weeks like last week that means I'm not here to give you pointless filler. Onward.

Now, AWS WAF is expensive and apparently, as configured by default, entirely optional for attackers. Only the first 8KB of a request are inspected by default. That means that any malicious payload that starts after the 8KB limit in a POST request will completely bypass AWS WAF unless you've explicitly added a rule to block any POST request greater than 8KB in size, which you almost assuredly have not done. Even their managed rule that addresses size limits only kicks in at 10KB. This is—as the kids say—less than ideal.

I had a tweet recently that talked about the horror of us-east-1 being globally unavailable for ages. Tim Bray took this and ran with the horrifying concept in a post he called, “Worst Case.” It's really worth considering things like this when it comes to disaster and continuity planning. How resilient are our apps and infrastructure really when all is said and done? What dependencies do we take on third parties who in turn rely on the same infrastructure that we're trying to guard against failure from?

An unfortunate reality is that many cybersecurity researchers don't have much in the way of legal protections; some folks are looking to change that through legislation. Here's some good advice: if a security researcher reports a vulnerability to you or your company in good faith, perhaps not acting like a raging jackhole is an option that's on the table. Bug bounties are hilariously small; they could make many times as much money by selling vulnerabilities to the highest bidder. Instead, they're reporting bugs to you in good faith. Word spreads. If you're a hassle to deal with, other researchers won't report things to you in the future. “Be a nice person,” is surprisingly undervalued when it comes to keeping yourself and your company out of trouble.

Now, only one interesting thing came out of the mouth of AWS horse last week in a security context, and it's a Core Principles whitepaper: “Introducing Security at the Edge.” Setting aside entirely the fact that neither contributor to this has the job title of “EdgeLord,” I like it. Rather than focusing on specific services—although of course there's some of that because vendors are going to vendor—it emphasizes how to think about the various considerations of edge locations that aren't deep within hardened data centers. “How should I think about this problem,” is the kind of question that really deserves to be asked a lot more than it is.

And lastly, let's end up with a tip of the week. If you have a multi-cloud anything, ensure that credentials are not shared between two cloud providers. I'm talking about passwords, keys, et cetera. This is a step beyond the standard password reuse warning of not using the same password for multiple accounts. Think it through; if one of your providers happens to be Azure, and they Azure up the security yet again, you really don't want that to grant an attacker or other random Azure customers access to your AWS account as well, do you? I thought not.

Corey: This episode is sponsored in part by Liquibase. If you're anything like me, you've screwed up the database part of a deployment so severely that you've been banned from ever touching anything that remotely sounds like SQL by at least three different companies. We've mostly got code deployment solved for, but when it comes to databases, we basically rely on desperate hope, with a rollback plan of keeping our resumes up to date. It doesn't have to be that way. Meet Liquibase. It's both an open-source project and a commercial offering. Liquibase lets you track, modify, and automate database schema changes across almost any database, with guardrails that ensure you'll still have a company left after you deploy the change. No matter where your database lives, Liquibase can help you solve your database deployment issues. Check them out today at liquibase.com. Offer does not apply to Route 53.

Corey: And that is what happened last week in AWS security. I have been your host, Corey Quinn, and if you remember nothing else, it's that when you don't get what you want, you get experience instead. Let my experience guide you with the things you need to know in the AWS security world, so you can get back to doing your actual job. Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.
On The Cloud Pod this week, Justin may be out but the cloud stops for no one. Also, AWS announces a New Zealand region, GCP releases GKE Backup, and Azure Functions 4.0 is now in public preview. A big thanks to this week's sponsors: Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. JumpCloud, which offers a complete platform for identity, access, and device management — no matter where your users and devices are located. This week's highlights
July and August were very boring months for announcements, so Arjen, JM, and Guy decided to discuss them both in a single episode. They also decided to record before the month actually ended, which doesn't really behoove them as they missed out on a couple of actually interesting announcements. So those will be discussed in our September episode.

News

Finally in Sydney
- Amazon ml.Inf1 instances are now available on Amazon SageMaker in 4 additional AWS Regions
- Amazon RDS Cross-Region Automated Backups Regional Expansion
- AWS Directory Service now supports smart card authentication with AD Connector for Amazon WorkSpaces in 5 additional AWS Regions

Serverless

Lambda
- AWS Lambda adds support for Python 3.9
- AWS Lambda now supports Amazon MQ for RabbitMQ as an event source

Amplify
- AWS Amplify launches new full-stack CI/CD capabilities
- Complete guide to full-stack CI/CD workflows with AWS Amplify | Front-End Web & Mobile
- AWS Amplify CLI adds support for storing environment variables and secrets accessed by AWS Lambda functions
- AWS Amplify allows you to mix and match authorization modes in DataStore
- AWS Amplify now supports Sign in with Apple
- Announcing Amplify Geo (Developer Preview) for AWS Amplify

Other
- Amazon API Gateway now supports mutual TLS with certificates from third-party CAs and ACM Private CA
- Simplify CI/CD configuration for serverless applications and your favorite CI/CD system — Public Preview
- AWS AppSync now supports custom authorization with AWS Lambda for GraphQL APIs

Containers
- Amazon EKS and EKS Distro now support Kubernetes version 1.21
- Amazon EKS now supports Kubernetes 1.21 | Containers
- Amazon EKS managed node groups now supports parallel node upgrades
- Amazon EKS now supports Multus
- Amazon ECS supports additional configurations for scheduled and event-driven tasks
- AWS Cloud Map supports configuring negative caching for DNS queries
- AWS App Mesh Constructs for AWS CDK are now generally available
- AWS Private Certificate Authority introduces integration with Kubernetes
- Amazon VPC CNI plugin increases pods per node limits

EC2 & VPC

Instances
- Introducing new Amazon EC2 G4ad instance sizes
- New – Amazon EC2 M6i Instances Powered by the Latest-Generation Intel Xeon Scalable Processors | AWS News Blog
- Amazon EC2 customers can now use ED25519 keys for authentication during instance connectivity operations
- Amazon EC2 Hibernation adds support for C5d, M5d, and R5d Instances
- Amazon Virtual Private Cloud (VPC) customers can now assign IP prefixes to their EC2 instances
- Assigning prefixes to Amazon EC2 network interfaces - Amazon Elastic Compute Cloud
- Amazon EC2 now supports custom time windows for Scheduled Events

Auto Scaling
- Amazon EC2 Auto Scaling enhances Instance Refresh with configuration checks, Launch Template validation, and Amazon EventBridge notifications
- Amazon EC2 Auto Scaling now lets you control which instances to terminate on scale-in

Other
- Amazon EC2 adds Resource Identifiers and Tags for VPC Security Group Rules
- Amazon CloudFront announces new APIs to locate and move alternate domain names (CNAMEs)
- AWS Elastic Beanstalk supports Capacity Rebalancing for Amazon EC2 Spot Instances
- AWS lowers data processing charges for AWS PrivateLink
- AWS IoT Core for LoRaWAN now supports VPC endpoints
- AWS IoT Core now supports VPC Endpoints

Dev & Ops

Dev Tooling
- EC2 Image Builder now supports parameters in components for creating custom images
- AWS Cloud9 introduces new features to browse CloudWatch Logs, S3, and use EC2 instance profiles
- Introducing AWS App Runner integration in the AWS Toolkit for VS Code
- Amazon CodeGuru Profiler adds recommendation support for Python applications
- Amazon CodeGuru Profiler extends visualizations capability with a new compare option for application profile
- Amazon CodeGuru Profiler announces new automated onboarding process for AWS Lambda functions
- CodeBuild Supports Publicly Viewable Build Results
- AWS AppConfig now enables customers to compare two application configuration versions
- AWS App2Container now supports containerization of complex multi-tier Windows applications

CDK/CloudFormation
- Announcing CDK Pipelines GA, CI/CD for CDK Apps
- AWS CDK releases v1.111.0 - v1.116.0 with updates for unit testing and CDK Pipelines support
- AWS CloudFormation now supports more stacks per AWS account
- You can now import your AWS CloudFormation stacks into a CloudFormation stack set

Systems Manager
- AWS Systems Manager Application Manager now supports full lifecycle management of AWS CloudFormation templates and stacks
- Now view inventory and patch compliance of stopped instances using AWS Systems Manager
- AWS Systems Manager Automation now supports upgrade of SQL Server 2012
- AWS Systems Manager OpsCenter launches operational insights to identify duplicate items and event sources with unusual activity
- Now enable auto-approval of change requests and expedite changes with AWS Systems Manager Change Manager
- AWS Systems Manager Change Manager now supports AWS IAM roles as approvers
- AWS Systems Manager Fleet Manager now offers report generation for Managed Instances

Other
- AWS Control Tower announces improvements to guardrail naming and descriptions
- Announcing Amazon CloudWatch cross account alarms
- Amazon CloudWatch Synthetics supports visual monitoring
- Amazon CloudWatch Logs now supports Usage Metrics

Security
- AWS Firewall Manager now supports central monitoring of VPC routes for AWS Network Firewall
- AWS Shield Advanced no longer requires AWS WAF logging for web-application layer event response
- AWS Certificate Manager provides expanded usage of imported ECDSA and RSA Certificates
- Amazon QLDB supports customer managed KMS keys
- AWS Control Tower now provides support for KMS Encryption
- AWS Security Hub adds 10 new controls to its Foundational Security Best Practices standard for enhanced cloud security posture monitoring
- AWS License Manager now supports Delegated Administrator
- AWS WAF now offers managed rule group versioning
- AWS Security Hub adds 18 new controls to its Foundational Security Best Practices standard and 8 new partners for enhanced cloud security posture monitoring

Data Storage & Processing
- AWS DataSync can now copy system access control lists (SACLs) to Amazon FSx for Windows File Server
- Amazon Lightsail now offers object storage for storing static content
- Amazon Data Lifecycle Manager launches new console experience
- Announcing availability of Red Hat Enterprise Linux with Microsoft SQL Server for Amazon EC2
- Amazon Neptune now supports the openCypher query language
- Amazon RDS Proxy can now be created in a shared Virtual Private Cloud (VPC)
- Amazon RDS for SQL Server now supports Automatic Minor Version Upgrades
- Introducing Amazon MemoryDB for Redis – A Redis-Compatible, Durable, In-Memory Database Service | AWS News Blog
- AWS Transfer Family expands compatibility for FTPS/FTP clients and increases limit for number of servers
- Amazon ElastiCache for Redis now supports auto scaling

EBS
- AWS Announces General Availability of Amazon EBS io2 Block Express Volumes
- Amazon Elastic Block Store now supports idempotent volume creation
- AWS CloudTrail now supports logging of data events for Amazon EBS direct APIs

Athena
- Amazon Athena adds parameterized queries to improve reusability and security
- Amazon Athena announces data source connector for Power BI

S3
- AWS Storage Gateway adds support for AWS Privatelink for Amazon S3 and Amazon S3 Access Points
- Amazon S3 Access Points aliases allow any application that requires an S3 bucket name to easily use an access point
- Amazon S3 on Outposts supports direct access for applications running outside the Outposts VPC
- Amazon S3 on Outposts now supports sharing across multiple accounts
- Amazon EMR now supports Amazon S3 Access Points to simplify access control

Redshift
- Amazon Redshift simplifies the use of JDBC/ODBC with authentication profile
- Cross-Account Data Sharing for Amazon Redshift | AWS News Blog
- Redshift spatial performance enhancements and new spatial functions

Glue
- AWS Glue Studio now provides data previews during visual job authoring
- AWS Glue DataBrew now supports writing prepared data directly into JDBC-supported destinations
- AWS Glue DataBrew adds the ability to specify which data quality statistics are generated for your datasets
- AWS Glue DataBrew now supports numerical format transformations
- AWS Glue DataBrew now supports writing prepared data into AWS Lake Formation-based AWS Glue Data Catalog S3 tables

Snow Family
- AWS Snowball Edge Storage Optimized devices now supports high performance NFS data transfer
- AWS Snow Family now enables you to remotely monitor and operate your connected Snowcone devices
- AWS Snowball now supports multicast streams and routing by providing instances with direct access to external networks
- AWS Snowcone now supports multicast streams and routing by providing instances with direct access to external networks

AI & ML
- Amazon Textract announces improvements to detection of handwritten text, digits, dates, and phone numbers
- Amazon Textract announces specialized support for automated processing of invoices and receipts
- Announcing Model Variable Importance for Amazon Fraud Detector
- AWS customers can now view all the labels supported by Amazon Rekognition
- Amazon Neptune ML is now generally available with support for edge predictions, automation, and more
- Amazon EC2 Inf1 instances now supports TensorFlow 2

SageMaker
- Amazon announces new AWS Deep Learning Containers to deploy Hugging Face models faster on Amazon SageMaker
- Amazon SageMaker Pipeline introduces a automatic hyperparameter tuning step
- Amazon SageMaker Autopilot and Automatic Model Tuning now support more refined access control using Condition Key Policies
- Amazon SageMaker now supports M5d, R5, P3dn, and G4dn instances for SageMaker Notebook Instances
- Amazon SageMaker Pipelines now supports invoking AWS Lambda Functions
- Amazon SageMaker notebook instance now supports Amazon Linux 2
- Introducing Amazon SageMaker Asynchronous Inference, a new inference option for workloads with large payload sizes and long inference processing times

Kendra
- Announcing Amazon Kendra Smaller Units and Price Drop
- Amazon Kendra releases Web Crawler to enable web site search
- Amazon Kendra releases Principal Store for secure search
- Amazon Kendra releases WorkDocs Connector

Other Cool Stuff

IoT
- AWS IoT SiteWise is expanding its transforms and formula expressions capabilities
- AWS IoT SiteWise Edge now generally available
- AWS SiteWise now supports custom time intervals for metric aggregations
- Announcing support for new Timestamp function, PreTrigger function and ability to write nested expressions within aggregation functions (SiteWise)
- Announcing support for exporting data from AWS IoT SiteWise to Amazon S3

The rest
- The Amazon Chime SDK adds media capture pipelines to enable capture of meeting video, audio, and content streams
- Amazon AppStream 2.0 adds support for real-time audio-video using a web browser
- AWS Now Allows Customers To Pay For Their Usage in Advance
- AWS Organizations increases quotas for tag policies
- AWS DeepRacer announces DeepRacer LIVE races
- Amazon HealthLake is now Generally Available
- Introducing AWS for Health
- Introducing Amazon Route 53 Application Recovery Controller | AWS News Blog
- CloudFormation templates for Amazon Route 53 Application Recovery Controller (ARC) - GitHub
- Amazon CloudWatch adds support for trimmed mean statistics
- Amazon WorkSpaces now offers web access with WorkSpaces Streaming Protocol (WSP)
- Amazon WorkSpaces Renews Windows Desktop Experience with Windows Server 2019 bundles and 64-bit Microsoft Office 2019
- Fully customizable action space now available in AWS DeepRacer Console

Sponsors
CMD Solutions

Silver Sponsors
Cevo
Versent
Links: WTF? Microsoft makes fixing deadly OMIGOD flaws on Azure your job: https://www.theregister.com/2021/09/17/microsoft_manual_omigod_fixes/ Travis CI flaw exposed secrets of thousands of open source projects: https://arstechnica.com/information-technology/2021/09/travis-ci-flaw-exposed-secrets-for-thousands-of-open-source-projects/ How to Build Strong Security Guardrails in the AWS Cloud With Minimal Effort: https://markn.ca/2021/how-to-build-strong-security-guardrails-in-the-aws-cloud-with-minimal-effort/ Introduction to OWASP Top 10 2021: https://owasp.org/Top10/ AWS SIGv4 and SIGv4A: https://shufflesharding.com/posts/aws-sigv4-and-sigv4a Inside Figma: getting out of the (secure) shell: https://www.figma.com/blog/inside-figma-getting-out-of-the-secure-shell/ AWS Firewall Manager now supports AWS WAF rate-based rules: https://aws.amazon.com/about-aws/whats-new/2021/09/aws-firewall-manager-waf-rate-based-rules/ How to automate incident response to security events with AWS Systems Manager Incident Manager: https://aws.amazon.com/blogs/security/how-to-automate-incident-response-to-security-events-with-aws-systems-manager-incident-manager/ New Standard Contractual Clauses now part of the AWS GDPR Data Processing Addendum for customers: https://aws.amazon.com/blogs/security/new-standard-contractual-clauses-now-part-of-the-aws-gdpr-data-processing-addendum-for-customers/ Protect your remote workforce by using a managed DNS firewall and network firewall: https://aws.amazon.com/blogs/security/protect-your-remote-workforce-by-using-a-managed-dns-firewall-and-network-firewall/ AWS Security Hub Automated Response and Remediation: https://github.com/awslabs/aws-security-hub-automated-response-and-remediation Checkov: https://github.com/bridgecrewio/checkov TranscriptCorey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. 
Just the news you need to know, none of the fluff.Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live. It gives you fake AWS API credentials, for example, and the only thing that these things do is alert you whenever someone attempts to use them. It's an awesome approach to detecting breaches. I've used something similar for years myself before I found them. Check them out. But wait, there's more because they also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It's awesome. If you don't do something like this, instead you're likely to find out that you've gotten breached the very hard way. So, check it out. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You'll know which one of those you fall into. Take a look. I'm a big fan. 
More to come from Thinkst Canary weeks ahead.Corey: Oh, for th—this is the third episode of the Last Week in AWS slash AMB: Security Edition, and instead of buying a sponsorship like a reasonable company, Microsoft Azure is once again forcing me to talk about their cloud instead, via completely blowing it when it comes to security. Again. Not only did they silently install an agent onto virtual machines in Azure that add a handful of trivially exploitable vulnerabilities, it's also apparently your job to fix it for them. I have to confess, I take Azure a lot less seriously than I did a month ago.Now, let's dive in here. Speaking of terrible things, it's honestly difficult for me to imagine a company screwing the pooch harder than TravisCI did this month. They had a bug that started leaking private credentials into public build logs; this is bad. They fixed it; this is good. And then only begrudgingly disclosed it in a buried release with remarkably little public messaging; this is unfathomable. At this point, if you're using TravisCI, get the hell off of it. Mistakes happen to every vendor. The ones that try to hide their mistakes are absolutely not companies you can trust.If you put up a slide deck and accompanying notes entitled How to Build Strong Security Guardrails in the AWS Cloud With Minimal Effort, I'm probably going to take a look at it because strong guardrails are important and minimal effort is critical if you expect it to actually get done. If you're also my longtime friend Mark Nunnikhoven, then I'm going to default to treating it as gospel because Mark frankly does not miss when it comes to AWS concepts explained in an easily approachable way. Security has got to be aligned with the way engineers work within your environment. 
Remember, it's not that hard to spin up a new AWS account on someone's corporate credit card; you absolutely do not want to incentivize that behavior.Corey: I periodically say the OWASP Top 10, which is a list of the most critical security risks for applications on the web, has not meaningfully changed in ten years. Well, apparently it just did. It's worth reviewing the changes; broken configurations top the list. The Open Web Application Security Project—OWASP—is a foundation that's remained surprisingly free of capture by security vendors. It's a good starting point to frame your risk exposure and what to think about.AWS VP and Distinguished Engineer Colm MacCárthaigh has an article on AWS's new signing protocol, along with the differences between AWS SIGv4 and SIGv4A. As a quick primer, all requests to AWS are signed for authentication reasons. The new SIGv4A isn't region-locked—and the recent release of the S3 Multi-Region Access Points is why it makes it a bit of a problem—there's no key exchange, and it's more computationally expensive. You don't really need to know the details as a practitioner, but you should be aware that AWS very much does put stupendous thought into this, and they sweat the details something fierce. This is why we trust cloud providers like AWS, and Google Cloud, and absolutely not Azure.Figma has a great post up, talking about how they stopped using SSH via bastion host and started using Systems Manager Session Manager instead. Bad name, wonderful service. More to the point, what I like about this post isn't just the, “Here's how the technology works,” parts, but also dives into the nuts and bolts of how they handled the migration without stopping work for folks. Communicating changes like this is tricky; don't lose sight of that.Now, from the mouth of AWS horse itself, let's dive in. AWS Firewall Manager now supports AWS WAF rate-based rules. 
This is pretty awesome if for no other reason than it's aware both of multiple regions as well as multiple accounts.An awful lot of security services that are both first and third-party alike tend to go for addressing only one of those at best. Anything that lets you manage things centrally in a holistic way when it comes to security is generally going to be a win, but you also don't want a giant single point of failure. It's a bit of a balancing act, but that's why our field needs us. It's why they pay us.How to automate incident response to security events with AWS Systems Manager Incident Manager. And I'm genuinely torn on this. I like automation, but it strikes me as a way to end up automating the responses to fairly common things rather than addressing the actual cause so you get fewer false alarms. You really don't want the security pager going off frequently, if for no other reason than you'll be training the people carrying it to ignore it.Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.Corey: AWS is harping about its New Standard Contractual Clauses now part of the AWS GDPR Data Processing Addendum for customers, blah, blah, blah—look, if you have compliance obligations, here's what you do. Check the documents in AWS Artifact, reach out to your account manager for additional resources, and whatever you do, do not attempt to YOLO it yourself from first principles. 
AWS has piles and piles of documents ready and waiting to satisfy regulators and auditors alike. I tried to do it myself once, and a financial institution attempted to set up a tour of us-east-one. Trust me when I say you don't want to go down that path.Protect your remote workforce by using a managed DNS firewall and network firewall. Look, the post can safely be discarded; it's chock full of complexity lurking deep in the weeds, but I bring it up instead so that you think for a moment about the threat model of a remote workforce, read as most of them these days. Does having a DNS firewall protect against threats that they're likely to encounter? Does a network firewall make sense in a zero-trust world? Consider those things in the context of your environment rather than in the context of a company that has things it needs to sell you. Good decisions are rarely sourced from vendors.A couple of tools as well. Automating response and remediation is one of those delicate balances. The unimaginatively named AWS Security Hub Automated Response and Remediation GitHub repo has ways to handle this but it's going to be super easy to automate away things that really shouldn't be automated. You are definitely going to want to think through edge and corner cases.And lastly, I tripped over checkov last week. It analyzes your Terraform slash CloudFormation slash whatever configurations for various misconfigurations. It caught a couple of things that I've been ignoring for a while, and while it missed another couple of problems in my environment, it's definitely going to be something I integrate into my deployment pipelines in the future, once I have deployment pipelines. That's checkov—C-H-E-C-K-O-V—open-source projects. Take a look. I'm a fan.And that's what happened to the world of AWS security last week. 
Enjoy not having to care about the rest of it.

Corey: I have been your host, Corey Quinn, and if you remember nothing else, it's that when you don't get what you want, you get experience instead. Let my experience guide you with the things you need to know in the AWS security world, so you can get back to doing your actual job. Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcasts, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.
On The Cloud Pod this week, the team wishes there was something else on tap, not just NetApp. Also, AWS Storage Day has come and gone again, and Azure is springing into the enterprise cloud. A big thanks to this week's sponsors: Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. JumpCloud, which offers a complete platform for identity, access, and device management — no matter where your users and devices are located. This week's highlights
Links:
Enumeration vulnerability in AWS: https://twitter.com/donkersgood/status/1433148548565151748
Lacework Cloud Threat Report: https://info.Lacework.com/2021-cloud-threat-report.html
High Availability WireGuard On AWS: https://www.procustodibus.com/blog/2021/02/ha-wireguard-on-aws/
How to improve visibility into AWS WAF with anomaly detection: https://aws.amazon.com/blogs/security/how-to-improve-visibility-into-aws-waf-with-anomaly-detection/
How US federal agencies can authenticate to AWS with multi-factor authentication: https://aws.amazon.com/blogs/security/how-us-federal-agencies-can-authenticate-to-aws-with-multi-factor-authentication/
Ransomware mitigation: Top 5 protections and recovery preparation actions: https://aws.amazon.com/blogs/security/ransomware-mitigation-top-5-protections-and-recovery-preparation-actions/
Top 10 security best practices for securing data in Amazon S3: https://aws.amazon.com/blogs/security/top-10-security-best-practices-for-securing-data-in-amazon-s3/

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it's nobody in particular's job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these are empowered to do is alert you whenever someone attempts to use them. It's an awesome approach to detecting breaches. I've used something similar for years myself before I found them. Check them out.
But wait, there's more because they also have an enterprise option that you should be very much aware of: canary.tools. Take a look at this: what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can even get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It's awesome. If you don't do something like this, instead you're likely to find out that you've gotten breached the very hard way. So, check it out. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You'll know which one of those you fall into. Take a look. I'm a big fan. More to come from Thinkst Canary in the weeks ahead.

Corey: This is the inaugural episode of what is going to become a weekly feature, the AWS Morning Brief: Security Edition, where I do what I normally do: round up the news from Amazon's cloud ecosystem, pick the things that I find interesting and make fun of them, only in the security world. This is going to be things that the rest of us need to care about, not the things that AWS feels a content need to put out there, but no one in the trenches tends to read. If you don't work in security—by which I mean have the word security not in your job title—you're in the right place. Neither do I, but I still have to care. So, what happened last week? Well, let's dive in and we'll see how this show shapes up.

We begin with the fact that there's a contingent of anti-cloud folks out there who make the argument that [the cloud is somehow insecure, unsafe for your data, and not something you should be doing 00:08:26].
I generally have little patience for those folks, but when Azure's Cosmos DB had a bug that allowed third parties unfettered and unlogged access to customer data, I'm hard-pressed to disagree with them. Events like this aren't good for anyone. Companies don't say things like, “Wow, Azure security seems dicey, I'm going to use AWS or Google Cloud instead.” They say things instead, like, “Can't trust the cloud. Hey, Dewey, fire up your Motel Six loyalty card because you're about to spend the next nine months on the road building more company data centers for us.” Events like this weaken us all.

The second volume of the Lacework Cloud Threat Report has been released, and one of the things I really appreciate about it is that it talks about what's actually going on in the wild, not invented theoretical threats that are designed to get you to shovel money into their product. I do not and will not condone the fear, uncertainty, and doubt—or FUD—marketing approach. There's a reason that The Duckbill Group's web pages are about how we help, not stuffed full of dire warnings about what might go wrong and blow the budget. If I can do it, so can the entire security industry. Nice job, Lacework, on that one.

There was a [great screed on Twitter 00:08:26] last week on the perils of using AWS read-only managed policies. The gist of the argument is that AWS is always updating these things, and permissions that aren't included today may well be included tomorrow. Further, AWS does indeed have over-scoped permissions in managed policies. I gave a talk about one of them at re:Invent 2019. It's a good thing to be aware of. While managed policies are definitely convenient, even AWS claims its security policies all squarely on the customer side of the shared responsibility model. Well, when they screw theirs up, they claim that anyway.

Luc van Donkersgoed recently found an enumeration vulnerability in AWS that allows users to determine valid account IDs and any IAM principals in it.
AWS insists that this information is not sensitive and thus this doesn't constitute a vulnerability. I can see that viewpoint, but if it's true, why do AWS blog post screenshots always blur the account ID? Why isn't there an API to explicitly get the account ID for a given resource? The AWS documentation on account identifiers states that you shouldn't provide credentials to third parties; it doesn't say anything about account IDs. The messaging is, at a minimum, confusing. Until then, treat your AWS account ID as sensitive, I guess. There's not a lot of reason for third parties to need it. I just wish AWS would stop being misunderstood for long periods of time on this particular point.

Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That's goteleport.com.

Corey: [Imperva has a post 00:08:26] that, while it extolled the virtues of paying them money, it also alludes to the fact that a botnet attack that can hurl stupendous volumes of traffic is available for something like five bucks an hour. First, it turns out that revenge against things like the Managed NAT Gateway pricing page are way less money than I thought they were. Secondly, and more relevant to you folks than to me, is to have a plan [laugh] for what happens when some trash goblin decides that your company has displeased them and hurls a bunch of garbage traffic your way.
Do a quick exploration of various options in this space—none of which I have recent enough experience with to endorse—and have a plan before you get a phone call from your boss, screaming that the website is down. Fix it, fix it, fix it, now.

If you work at Facebook, this entire section doesn't apply to you since when your site is down, the internet is clearly better for it.

There was a guide to High Availability WireGuard On AWS which was useful, and I'm not saying that from the perspective of explicitly running WireGuard per se, but more in terms of having single points of failure in things like the network that almost always stay up because the cloud is pretty good at things. Instead, this guide is a primer, instead of focusing on WireGuard, on how to think about your network risk exposure because I assure you there are security implications there.

Now, what did AWS have to say on their blog? This is that time of the podcast. How to improve visibility into AWS WAF with anomaly detection, and the honest answer is to pay a partner. Look, I'm no happier about needing to drag third parties in to perform basic tasks on a potentially expensive AWS service than you are, but bolting together the monstrosity that AWS talks about in this post is not going to win you any friends. The biggest problem with a lot of these ‘build it from popsicle sticks' solutions is that they're complicated. Complexity is insecure just because you don't understand the various nuances that go into all the different parts, and that leads to security lapses.

How US federal agencies can authenticate to AWS with multi-factor authentication. Because it's federal, you undoubtedly have to use a government-grade MFA device. They no doubt weigh 50 pounds, cost $40,000 a pop, and take 20 minutes to boot up before they can be used.

Ransomware mitigation: Top 5 protections and recovery preparation actions. There's good advice in this article. There are also cross-sells to other AWS services in this article.
And this is my entire problem with the way these articles are structured. The actually good advice gets dismissed as a sales pitch.

And finally, Top 10 security best practices for securing data in Amazon S3. Some sales pitches, some good tips, and of course, encrypt your data in S3 without ever explaining why to do such a thing. Are people stealing discs out of AWS data centers? No? Okay, so that's off the table as a threat model. What precisely does encrypting data at rest buy you? That said, it's not a hill worth dying on. Check the box, appease your auditor, and get on with doing the things that are important in your environment. And that's the point of this podcast: because you're not going to win those arguments, you'll spend a lot of time on it. I'm here to make your job easier.

That is all the stuff that you need to be aware of that happened in AWS security last week. Well, that we know about. I'm sure something horrifying has happened that we will hear about in future weeks.

Corey: I have been your host, Corey Quinn, and if you remember nothing else, it's that when you don't get what you want, you get experience instead. Let my experience guide you with the things you need to know in the AWS security world, so you can get back to doing your actual job. Thank you for listening to the AWS Morning Brief: Security Edition.

Announcer: This has been a HumblePod production. Stay humble.
On The Cloud Pod this week, it's been an interesting few days in the cloud, so the team members have made themselves comfortable with plenty of adult beverages to keep them going. Also, Elastic has forked everyone with its latest Elasticsearch move. A big thanks to this week's sponsors: Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. JumpCloud, which offers a complete platform for identity, access, and device management — no matter where your users and devices are located. This week's highlights
Links:
Cloud Security Basics CIOs and CTOs Should Know: https://www.informationweek.com/cloud/cloud-security-basics-cios-and-ctos-should-know/a/d-id/1341578?
Spring 2021 PCI DSS report now available with nine services added in scope: https://aws.amazon.com/blogs/security/spring-2021-pci-dss-report-now-available-with-nine-services-added-in-scope/
Top 5 Benefits of Cloud Infrastructure Security: https://www.kratikal.com/blog/top-5-benefits-of-cloud-infrastructure-security/
The three most important AWS WAF rate-based rules: https://aws.amazon.com/blogs/security/three-most-important-aws-waf-rate-based-rules/
Researchers Call for ‘CVE' Approach for Cloud Vulnerabilities: https://www.darkreading.com/cloud/researchers-call-for-cve-approach-for-cloud-vulnerabilities
Managed Private Cloud: It's all About Simplification: https://www.computerworld.com/article/3623118/managed-private-cloud-its-all-about-simplification.html
100 percent of companies experience public cloud security incidents: https://betanews.com/2021/08/04/100-percent-public-cloud-security-incidents/
Why cloud security is the key to unlocking value from hybrid working: https://www.welivesecurity.com/2021/08/05/why-cloud-security-key-unlocking-value-hybrid-working/
Organizations Still Struggle to Hire & Retain Infosec Employees: Report: https://www.darkreading.com/careers-and-people/organizations-still-struggle-to-hire-retain-infosec-employees-report
NSA, CISA release Kubernetes Hardening Guidance: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
HTTP/2 Implementation Errors Exposing Websites to Serious Risks: https://www.darkreading.com/application-security/http-2-implementation-errors-exposing-websites-to-serious-risks
Ransomware Gangs and the Name Game Distraction: https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
Using versioning in S3 buckets: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It's an awesome approach. I've used something similar for years. Check them out. But wait, there's more. They also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It's awesome. If you don't do something like this, you're likely to find out that you've gotten breached, the hard way. Take a look at this. It's one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That's canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I'm a big fan of this. More from them in the coming weeks.

Jesse: The general theme in security news and trends shows us that perimeter defense has a whole new meaning. There is no large perimeter anymore. Nearly every device is on a public or otherwise hostile network, from servers to phones to laptops.
Every device needs scanning, protecting, monitoring, and analyzing. None of these devices can be viewed in a vacuum, as separate entities without the context of behavior of systems and services accessed from across a network.

This is why zero trust and cloud native applications and services go so well in these hard times. If you can't trust anything without checking on current events, then you have to authenticate and analyze in real-time to determine if something is safe to allow. In the ancient days of yore, everything was default allow and you stopped things you knew were bad. Then along came default deny, where you allowed only those things you whitelisted. But that was a full-time allowance of bad things to happen when an account was compromised.

Ditch the whitelist and just implement real-time contextual security. If you do this, does it really matter if someone gets a hostile device on your network? Nope. If you treat everything, including owned and managed assets, as hostile, some new unmanaged device or service doesn't change your operations or exposure much if at all.

Meanwhile in the news. Cloud Security Basics CIOs and CTOs Should Know. Some of the critical things non-cybersecurity execs ought to know: moving to the cloud isn't a security easy button, cybersecurity insurance generally sucks, and moving to the cloud takes a lot more work than people think to get operationally secure.

Spring 2021 PCI DSS report now available with nine services added in scope. When you do compliance and use cloud infrastructures and SaaS services, you need to prove your services support compliance requirements. This AWS report can help. Also, review the new services added to see if you can improve your service delivery and applications supporting PCI.

Top 5 Benefits of Cloud Infrastructure Security.
Using the cloud doesn't make you more secure, but there are advantages that can make security more manageable in the cloud than it is in legacy data centers.

The three most important AWS WAF rate-based rules. Sometimes ya just got to geek out. Also, your security person won't always be there to set up things like Web Application Firewalls with DDoS mitigation and other nifty security and compliance tools.

Researchers Call for ‘CVE' Approach for Cloud Vulnerabilities. If there is a vulnerability in cloud service provider services, they should get a CVE like anyone else, right? After all, it's just software, which is what the CVE is supposed to track. I understand shining light on the problems to force cloud companies to fix them, but that is partly what the CVE system is for. If there are configurations that open gaping security holes, they need to be in CVE. Why do they want to make a new thing to replace a perfectly good thing?

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Jesse: Managed Private Cloud: It's all About Simplification. So, let's see if I understand this. Several article sources talk about the benefits of using private cloud citing the exact same benefits as using a public cloud service, except claiming it's more secure for finance and medical verticals. Hello folks, AWS Outposts anyone?
The only difference is the shared responsibility model, except that now you have an outside agency managing everything. Neither is more or less secure than the other. They are different approaches to risk acceptance and mitigation.

100 percent of companies experience public cloud security incidents. Despite the sensationally alluring feel of the headline, the real news from this is that moving to cloud operations exposes the horrible lack of processes around custom development and production management that most organizations have. Don't blame being in the cloud for your poor operations, just don't be stupid.

Why cloud security is the key to unlocking value from hybrid working. [sigh]. Hybrid cloud, hybrid cars, hybrid corn, and now hybrid work. I haven't understood why it's so hard to understand that there are additional security concerns and either increased or displaced risk pushing workloads and data to the cloud. The only common answer I can think of is that security in general is full of theater and drama. Of course, there's more risk. Obfuscated risk is dangerous.

Organizations Still Struggle to Hire & Retain Infosec Employees: Report. The extreme lack of trained and/or experienced cybersecurity talent underscores the importance of all of us knowing security well enough to mitigate most risks. Sure, having someone dedicated to the work is far superior to having security tacked onto the duties of others, but without the ability to fill those dedicated roles, someone has to keep the script kiddies and APTs out.

NSA, CISA release Kubernetes Hardening Guidance. This is pure IT security gold. The spooks often hold secrets most of us haven't figured out, partially due to the immense resources they throw at cybersecurity. This report is 52 pages of great advice. Also, now everyone knows security issues in Kubernetes environments. Don't be stupid. Go read this now.

HTTP/2 Implementation Errors Exposing Websites to Serious Risks.
Black Hat and other security conferences are famous for gloom and doom pronouncements that are just theoretical attacks that likely won't ever be practical in real-world production systems. However, this one may have some legs.

Ransomware Gangs and the Name Game Distraction. With ransomware groups regularly getting international media attention, they're retreating to the shadows when the heat turns up on them. They will vanish from headlines, but they will simply rebrand and move forward as if they were a new group. This is why following Indicators of Compromise, or IOCs, is more important than worrying about the exact behavior profile or name of a group.

And now for the tip of the week. Don't lose overwritten file data. Use S3 versioning. Enabling versioning on your S3 buckets allows disaster recovery and an audit trail for changes in your data objects. The docs are fairly straightforward, as well. Check out the AWS doc section called: Using versioning in S3 buckets. And that's it for the week, folks. Securely yours, Jesse Trucks.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
Catch up on the latest news while you do other things! A radio-style broadcast: 「毎日AWS」 (Daily AWS). Good morning, this is Fukushima, your Wednesday host. Today we pick out and introduce the updates released on 6/29. Please post your thoughts on Twitter with the hashtag 「#サバワ」!
■ Talk script: https://blog.serverworks.co.jp/aws-update-2021-06-29
■ UPDATE PICKUP: AWS WAF supports 15 new text transformations; Apple Business Chat can now be integrated with Amazon Connect
■ Serverworks social media: Twitter / Facebook
■ Serverworks blog: Serverworks Engineer Blog
Last week we went over the basics of information security, including the three elements of security (confidentiality, integrity, and availability), and also talked about the ways we can protect our data. Today we go a step further and discuss an AWS service that helps improve application security: AWS WAF! Come listen to instructor Tina talk about how to put AWS WAF to use! Have something to say? Whatever you'd like to hear or suggest, feel free to tell us privately. Read more: AWS WAF – Web Application Firewall. Facebook | Instagram | Spotify | Apple Podcast | Google Podcast | KKBOX Podcast
Cloud Posse holds public "Office Hours" every Wednesday at 11:30am PST to answer questions on all things related to DevOps, Terraform, Kubernetes, CICD. Basically, it's like an interactive "Lunch & Learn" session where we get together for about an hour and talk shop. These are totally free and just an opportunity to ask us (or our community of experts) any questions you may have.
You can register here: https://cloudposse.com/office-hours
Join the conversation: https://slack.cloudposse.com/
Find out how we can help your company:
https://cloudposse.com/quiz
https://cloudposse.com/accelerate/
Learn more about Cloud Posse:
https://cloudposse.com
https://github.com/cloudposse
https://sweetops.com/
https://newsletter.cloudposse.com
https://podcast.cloudposse.com/

00:00:00 Intro
00:01:30 Terraform Plan Remote Code Execution (RCE) is Trivial: https://alex.kaskaso.li/post/terraform-plan-rce
00:07:22 Default Tags in the Terraform AWS Provider: https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider
00:13:00 AWS Announces General Availability of AWS App Runner: https://finance.yahoo.com/news/aws-announces-general-availability-aws-231000856.html
00:16:20 Easy trick to avoid many ransomware attacks: https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/
00:18:09 GitHub Dependabot Now Supports HCL2 (E.g. Terraform 0.12 - 15): https://github.com/dependabot/dependabot-core/issues/1176?utm_campaign=weekly.tf&utm_medium=email&utm_source=Revue%20newsletter#issuecomment-841239564
00:26:45 Upvote please! New resource: aws_securityhub_standards_control: https://github.com/hashicorp/terraform-provider-aws/pull/14714
00:28:42 New AWS Load Balancer Controller 2.2 released
00:30:50 AWS WAF supports log filtering
00:32:21 Has anyone tried Boundary?
00:36:15 EKS images support Kubernetes 1.20 by default
00:37:45 Souin project review (reverse-proxy cache)
00:41:12 AWS open sources CloudFormation Guard
00:44:45 Cloud Posse Needs DevOps Contractors! Apply here: http://cloudposse.com/jobs
00:45:54 What is the best practice to get Terraform to pick up changes to modules?
00:46:48 driftctl project review
00:50:10 Terraform apply destructive after minor version bump?
00:55:07 Outro

#officehours, #cloudposse, #sweetops, #devops, #sre, #terraform, #kubernetes, #aws
Support the show (https://cloudposse.com/office-hours/)
Catch up on the latest news while you do other things! A radio-style broadcast: 「毎日AWS」 (Daily AWS). Good morning, this is Shinozaki, your Monday host. Today we pick out and introduce the updates released on 4/16. Please post your thoughts on Twitter with the hashtag 「#サバワ」!
■ Talk script: https://blog.serverworks.co.jp/aws-update-2021-05-17
■ UPDATE PICKUP: AWS WAF supports log filtering; Amazon EMR 6.3 supports Apache Ranger for fine-grained data access control
■ Serverworks social media: Twitter / Facebook
■ Serverworks blog: Serverworks Engineer Blog
Catch up on the latest news while you do other things! A radio-style broadcast: 「毎日AWS」 (Daily AWS). Good morning, this is Fukushima, your Wednesday host. Today we pick out and introduce the updates released on 3/30. Please post your thoughts on Twitter with the hashtag 「#サバワ」!
■ Talk script: https://blog.serverworks.co.jp/everyday-aws-170
■ Blog post on AWS SSO + Azure AD integration: https://blog.serverworks.co.jp/aws-sso-azuread
■ UPDATE PICKUP: AWS WAF supports custom responses; AWS WAF supports custom header insertion; AWS Security Hub is now available in the Osaka region; AWS Config supports pagination for advanced queries; Amazon DocumentDB supports event subscriptions
■ Serverworks social media: Twitter / Facebook
■ Serverworks blog: Serverworks Engineer Blog
re:Invent arrived, and with it came a lot of announcements. Some meh, some good, some great. In this episode Arjen, Jean-Manuel, Guy, and special guest star Rob will do their best to make sense of it. Or maybe they just make it more confusing? Who knows? Our brains can't really handle the number of announcements. Which is probably also why it took far too long to edit this episode.

What's New

Finally in ANZ
- In the Works – AWS Region in Melbourne, Australia | AWS News Blog
- Amazon EMR now provides up to 30% lower cost and up to 15% improved performance for Spark workloads on Graviton2-based instances
- Amazon Aurora Serverless v1 with PostgreSQL compatibility now available in eight additional regions
- Amazon SageMaker Studio is now expanded to AWS regions worldwide

Serverless

Lambda
- New for AWS Lambda – 1ms Billing Granularity Adds Cost Savings | AWS News Blog
- New for AWS Lambda – Functions with Up to 10 GB of Memory and 6 vCPUs | AWS News Blog
- New for AWS Lambda – Container Image Support | AWS News Blog
- Using Amazon CloudWatch Lambda Insights to Improve Operational Visibility | AWS News Blog
- AWS Lambda now supports batch windows of up to 5 minutes for functions with Amazon SQS as an event source
- AWS Lambda now supports Advanced Vector Extensions 2 (AVX2)
- Announcing Code Signing, a trust and integrity control for AWS Lambda

EventBridge
- AWS Systems Manager Change Calendar integrates with Amazon EventBridge to enable automated actions based on calendar state changes
- Amazon EventBridge adds Server-Side Encryption (SSE) and increases default quotas

Step Functions
- Amazon API Gateway now supports integration with Step Functions StartSyncExecution for HTTP APIs
- AWS Step Functions now supports Synchronous Express Workflows

Amplify
- AWS Amplify announces new Admin UI

Containers

ECR
- Amazon Elastic Container Registry Public: A New Public Container Registry | AWS News Blog
- Amazon ECR announces cross region replication of images

Fargate
- New – Fully Serverless Batch Computing with AWS Batch Support for AWS Fargate | AWS News Blog

ECS
- Introducing Amazon ECS Anywhere | Containers
- Amazon ECS Announces the Preview of ECS Deployment Circuit Breaker
- Amazon ECS Cluster Auto Scaling now supports specifying a custom instance warm-up time
- Amazon ECS Capacity Providers Now Support Update Functionality
- Amazon ECS adds support for P4d instance types
- Amazon ECS Cluster Auto Scaling now offers more responsive scaling
- AWS Copilot CLI is now Generally Available

EKS
- Amazon EKS Anywhere – Amazon Web Services
- Amazon EKS Distro: The Kubernetes Distribution Used by Amazon EKS | AWS News Blog
- Simplify running Apache Spark jobs with Amazon EMR on Amazon EKS
- Amazon EKS simplifies installation and management for Kubernetes cluster add-ons
- Amazon EKS adds built-in logging support for AWS Fargate
- Amazon EKS adds support for EC2 Spot Instances in managed node groups
- Amazon EKS Console Now Includes Kubernetes Resources to Simplify Cluster Management

EC2 & VPC

EBS
- New – Amazon EBS gp3 Volume Lets You Provision Performance Apart From Capacity | AWS News Blog
- Now in Preview – Larger & Faster io2 Block Express EBS Volumes with Higher Throughput | AWS News Blog
- AWS announces tiered pricing for input/output operations per second (IOPS) charges for Amazon Elastic Block Store (EBS) io2 volume, reducing the cost of provisioning peak IOPS by 15%
- Amazon EBS reduces the minimum volume size of Throughput Optimized HDD and Cold HDD Volumes by 75%
- AWS Compute Optimizer now supports Amazon EBS volume recommendations

Instance Types
- New – Use Amazon EC2 Mac Instances to Build & Test macOS, iOS, iPadOS, tvOS, and watchOS Apps | AWS News Blog
- New EC2 M5zn Instances – Fastest Intel Xeon Scalable CPU in the Cloud | AWS News Blog
- Coming Soon – Amazon EC2 G4ad Instances Featuring AMD GPUs for Graphics Workloads | AWS News Blog
- Coming Soon – EC2 C6gn Instances – 100 Gbps Networking with AWS Graviton2 Processors | AWS News Blog
- EC2 Update – D3 / D3en Dense Storage Instances | AWS News Blog
- New – Amazon EC2 R5b Instances Provide 3x Higher EBS Performance | AWS News Blog

Other EC2
- Amazon Machine Images (AMIs) now support tag-on-create and tag-based access control
- Amazon EC2 Auto Scaling now supports attaching multiple network interfaces at launch
- AWS Announcing Windows Server version 20H2 AMIs for Amazon EC2
- Simplify EC2 provisioning and viewing cloud resources in the ServiceNow CMDB with AWS Service Management Connector for ServiceNow

Networking
- New – VPC Reachability Analyzer | AWS News Blog
- Introducing AWS Transit Gateway Connect to simplify SD-WAN branch connectivity
- AWS Global Accelerator launches custom routing

Dev & Ops

New services
- Preview: AWS Proton – Automated Management for Container and Serverless Deployments | AWS News Blog
- AWS announces Amazon DevOps Guru in Preview, an ML-powered cloud operations service to improve application availability for AWS workloads
- Preview: Amazon Lookout for Metrics, an Anomaly Detection Service for Monitoring the Health of Your Business | AWS News Blog

Code
- New for Amazon CodeGuru – Python Support, Security Detectors, and Memory Profiling | AWS News Blog
- Amazon CodeGuru Reviewer announces Security Detectors to help improve code security
- Amazon CodeGuru Profiler adds Memory Profiling and Heap Summary
- Amazon CodeGuru Reviewer announces CodeQuality Detector to help manage technical debt and codebase maintainability
- AWS CodeArtifact now supports NuGet

Tools
- AWS IDE Toolkit now available for AWS Cloud9
- Porting Assistant for .NET adds support for .NET 5

Other
- Announcing Modules for AWS CloudFormation
- Amazon CloudWatch Synthetics now supports canary scripts in Python with Selenium framework
- AWS Systems Manager now supports Amazon Virtual Private Cloud (Amazon VPC) endpoint policies

Security

New services
- AWS Audit Manager Simplifies Audit Preparation | AWS News Blog

SSO
- New – Attribute-Based Access Control with AWS Single Sign-On | AWS News Blog
- AWS Single Sign-On enables administrators to require users to set up MFA devices during sign-in
- AWS Single Sign-On adds Web Authentication (WebAuthn) support for user authentication with security keys and built-in biometric authenticators

Other
- AWS CloudTrail provides more granular control of data event logging through advanced event selectors
- AWS Security Hub adds open source tool integrations with Kube-bench and Cloud Custodian
- AWS Transfer Family supports AWS WAF for identity provider integrations
- AWS Secrets Manager now supports 5000 requests per second for the GetSecretValue API operation

Data Storage & Processing

Aurora
- Introducing the next version of Amazon Aurora Serverless in preview
- Introducing Amazon Aurora R6g instance types, powered by AWS Graviton2 processors, in preview (includes Sydney)
- Babelfish for Amazon Aurora PostgreSQL is Available for Preview
- Amazon Aurora PostgreSQL Integrates with AWS Lambda

RDS
- Amazon RDS for Oracle supports managed disaster recovery (DR) with Amazon RDS Cross-Region Automated Backups
- PostgreSQL 13 now available in Amazon RDS Database preview environment

Lakes
- Amazon HealthLake Stores, Transforms, and Analyzes Health Data in the Cloud | AWS News Blog
- Announcing preview of AWS Lake Formation features: Transactions, Row-level Security, and Acceleration

S3
- New – Amazon S3 Replication Adds Support for Multiple Destination Buckets | AWS News Blog
- Amazon S3 Update – Strong Read-After-Write Consistency | AWS News Blog
- Amazon S3 Replication adds support for multiple destinations in the same, or different AWS Regions
- Amazon S3 now delivers strong read-after-write consistency automatically for all applications
- Amazon S3 Bucket Keys reduce the costs of Server-Side Encryption with AWS Key Management Service (SSE-KMS)
- Amazon S3 Replication adds support for two-way replication

EMR
- Amazon EMR Studio makes it easier for data scientists to build and deploy code

Redshift
- AWS announces AQUA for Amazon Redshift (preview)
- Amazon Redshift introduces data sharing (preview)
- Amazon Redshift launches RA3.xlplus nodes with managed storage
- Amazon Redshift announces Automatic Table Optimization
- Amazon Redshift now includes Amazon RDS for MySQL and Amazon Aurora MySQL databases as new data sources for federated querying (Preview)
- Amazon Redshift launches the ability to easily move clusters between AWS Availability Zones (AZs)

DynamoDB
- You now can use Amazon DynamoDB with AWS Glue Elastic Views to combine and replicate data across multiple data stores by using SQL – available in limited preview
- You now can use a SQL-compatible query language to query, insert, update, and delete table data in Amazon DynamoDB

Glue
- Announcing Amazon Elasticsearch Service support for AWS Glue Elastic Views
- Announcing AWS Glue Elastic Views Preview
- AWS Glue now supports workload partitioning to further improve the reliability of Spark applications

Other
- Amazon FSx for Lustre now enables you to grow storage on your file systems with the click of a button
- Introducing Amazon Managed Workflows for Apache Airflow (MWAA)

AI & ML

SageMaker :allthethings:
- Amazon SageMaker Simplifies Training Deep Learning Models With Billions of Parameters | AWS News Blog
- Amazon SageMaker JumpStart Simplifies Access to Pre-built Models and Machine Learning Solutions | AWS News Blog
- New – Store, Discover, and Share Machine Learning Features with Amazon SageMaker Feature Store | AWS News Blog
- New – Profile Your Machine Learning Training Jobs With Amazon SageMaker Debugger | AWS News Blog
- New – Amazon SageMaker Pipelines Brings DevOps Capabilities to your Machine Learning Projects | AWS News Blog
- Amazon SageMaker Edge Manager Simplifies Operating Machine Learning Models on Edge Devices | AWS News Blog
- New – Managed Data Parallelism in Amazon SageMaker Simplifies Training on Large Datasets | AWS News Blog
- Introducing Amazon SageMaker Data Wrangler, a Visual Interface to Prepare Data for Machine Learning | AWS News Blog
- New
– Amazon SageMaker Clarify Detects Bias and Increases the Transparency of Machine Learning Models | AWS News Blog Amazon SageMaker Model Monitor now supports new capabilities to maintain model quality in production Introducing two new libraries for managed distributed training on Amazon SageMaker Edge New – Amazon Lookout for Equipment Analyzes Sensor Data to Help Detect Equipment Failure | AWS News Blog Amazon Lookout for Vision – New ML Service Simplifies Defect Detection for Manufacturing | AWS News Blog AWS Panorama Appliance: Bringing Computer Vision Applications to the Edge | AWS News Blog Introducing Amazon Monitron, an end-to-end system to detect abnormal equipment behavior AI Services Amazon Kendra adds Google Drive connector Amazon Kendra launches incremental learning Amazon Kendra launches connector library Announcing Amazon Forecast Weather Index – automatically include local weather to increase your forecasting model accuracy Added ML Amazon announces Amazon Neptune ML: easy, fast, and accurate predictions for graphs AWS announces Amazon Redshift ML (preview) Other Cool Stuff Regions/Zones Announcing new AWS Wavelength Zone in Las Vegas Announcing Preview of AWS Local Zones in Boston, Houston, and Miami Braket PennyLane on Braket + Progress Toward Fault-Tolerant Quantum Computing + Tensor Network Simulator | AWS News Blog Amazon Braket tensor network simulator supports 50-qubit quantum circuits Amazon Braket now supports manual qubit allocation Connect Contact Lens for Amazon Connect launches real-time contact center analytics to detect customer issues on live calls Amazon Connect Wisdom provides contact center agents the information they need to quickly solve customer issues Amazon Connect Customer Profiles for a unified view of your customers to provide more personalized service Amazon Connect Voice ID provides real-time caller authentication for more secure calls Amazon Connect Tasks makes it easy to prioritize, assign, track, and automate contact 
center agent tasks Amazon Connect Chat now supports Apple Business Chat (Preview) Quicksight Introducing Amazon QuickSight Q: ask questions about your data and get answers in seconds Amazon QuickSight launches new session capacity pricing options, embedding without user management and a developer portal for embedded analytics Other Announcing Unified Search in the AWS Management Console Amazon WorkSpaces Streaming Protocol now Generally Available New – SaaS Lens in AWS Well-Architected Tool | AWS News Blog The Amazon Chime SDK now supports messaging AWS Batch now has integrated Amazon Linux 2 support Nanos Amazon WorkDocs now supports Dark Mode on Android Sponsors Gold Sponsor Innablr Silver Sponsors AC3 CMD Solutions DoIT International
In this segment, once a week we bring you information about day-to-day work in a cloud environment from our point of view. This time: a special episode on how companies and individuals are coping during the coronavirus period. In the previous episode, Boaz rejoined the team with Ariel and Avi as we learned what the AWS WAF service is and how it helps us. In this episode, we discussed the coronavirus situation from many angles: everyday life, the lack of preparedness of providers and organizations, and how to cope with the situation by cutting back on resources and managing them more wisely.
In this segment, once a week we bring you information about day-to-day work in a cloud environment from our point of view. This time: protecting our website. In the previous episode, Ariel and Avi demonstrated a use case for breaking up a monolith in the cloud and moving to microservices. In this episode, Boaz rejoins the team with Ariel and Avi as we learn what the AWS WAF service is and how it helps us with security, for example by allowing access only from a specific country or IP address. Boaz will also explain how to scan the malicious content that reaches our site.
In this session, we look at the timeline, analysis, and solution implemented for a sudden attack by spammers. Suddenly, the number of newly registered users in our system spiked. We could see that these new users were likely spammers. It was a more sophisticated attack than earlier, as traffic originated from everywhere; captchas and email verifications were bypassed. We already had some countermeasures in place, including a manual process for approval. We needed a quick and cost-effective solution. By using Amazon CloudFront, AWS WAF, Lambda@Edge, and some smarts, we permanently stopped 99% of the spammers within an hour.
In this session, we discuss how you can use AWS Marketplace to help secure your cloud adoption and your new workloads using industry-leading third-party solutions. A representative from Frame.io, a popular video review and collaboration platform, describes how the company uses AWS WAF with Fortinet Managed Rules for AWS WAF from AWS Marketplace to secure, enforce, and automate security on AWS. Learn best practices for automating your security in the cloud under the shared responsibility model at AWS.
In this session, we walk through what you need to do to be prepared to respond to security incidents in your AWS environments. We start off with planning best practices, move through the configurations that will help deliver protective and detective controls, then finally show you how you can improve your response capability. Learn how AWS Organizations, AWS Identity and Access Management (IAM), Amazon GuardDuty, AWS Security Hub, AWS Lambda, AWS WAF, AWS Systems Manager, and AWS Key Management Service (AWS KMS) can help take you from protect and detect to respond and recover.
Strong adherence to architecture best practices and proactive controls is the foundation of web application security. These techniques allow developers to build applications that are more resilient. Specifically, a defense-in-depth strategy helps developers further reinforce an application, hot-patch its zero-day vulnerabilities, and protect its availability. In this session, learn about common security issues, including those described in the OWASP Top 10. Also learn how to build a layered defense using multi-layered perimeter security and development best practices. This session proposes a reference architecture that includes Amazon CloudFront, AWS WAF, and Application Load Balancer.
Overloading a software system occurs more often than expected, and the effects are difficult to deal with, including real-time web services halting and asynchronous systems building up backlogs. In this talk, we cover what AWS does to build reliable and resilient services, including avoiding modes and overload, performing bounded work, throttling at multiple layers, guarding concurrency, sending idempotent requests, applying backpressure and fairness in queueing, and performing shuffle sharding. We also discuss how separating concerns through service-oriented architectures helps reduce blast radius. As we explore these patterns, we discuss how they're embedded into the DNA of the AWS services that you use to build and operate serverless applications that are resilient to failure. We also discuss a number of AWS services, including AWS Lambda, Amazon API Gateway, AWS WAF, Amazon CloudWatch, and AWS X-Ray.
In this AWS TechChat - Application Security Edition, Shane chats with Gabe about all things application security, providing a crash course for the builder in all of us. They start the show with some level setting to set the scene, introducing the OWASP (Open Web Application Security Project) Top 10 before moving on to CVEs (Common Vulnerabilities and Exposures). They then move up the stack to Layer 7 and speak about AWS WAF, our web application firewall that helps protect your web applications from common web exploits: how you can use AWS WAF to mitigate OWASP Top 10 risks, and how you can leverage managed rule sets for common COTS (commercial off-the-shelf) applications. Lastly, they introduce Amazon Inspector, an automated security assessment service that helps shine a light on the security and compliance of applications deployed on Amazon EC2 by detecting CVEs and instance drift against CIS standards.
Simon takes you through the December updates to finish up 2018! Shownotes:

Topic || Customer Engagement 0:23
Amazon Pinpoint Announces Event-Based Campaigns, Driving Personalization and Engagement | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-pinpoint-announces-event-based-campaigns-driving-personalization-and-engagement/
Amazon Pinpoint Announces a New Email Deliverability Dashboard to Help Customers Reach their Users' Inboxes | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-pinpoint-announces-a-new-email-deliverability-dashboard-to-help-customers-reach-their-users-inboxes/
Amazon Connect Adds New Contact API to Get Contact Attributes | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-connect-adds-new-contact-api-to-get-contact-attributes/

Topic || Storage 2:05
Amazon S3 Inventory adds Apache Parquet output format | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-s3-announces-parquet-output-format-for-inventory/
AWS Storage Gateway Increases File Gateway Performance - Amazon Web Services | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-storage-gateway-announces-increased-throughput-and-adds-new-/

Topic || Networking & Content Delivery 3:32
Amazon Virtual Private Clouds can now be shared with other AWS Accounts | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-virtual-private-clouds-can-now-be-shared-with-other-aws-accounts/
Introducing AWS Client VPN to Securely Access AWS and On-Premises Resources | https://aws.amazon.com/about-aws/whats-new/2018/12/introducing-aws-client-vpn-to-securely-access-aws-and-on-premises-resources/
New AWS Direct Connect locations in Silicon Valley and Stockholm | https://aws.amazon.com/about-aws/whats-new/2018/12/new-aws-direct-connect-locations-silicon-valley-stockholm/
Amazon CloudFront announces ten new Edge locations in North America, Europe, and Asia | https://aws.amazon.com/about-aws/whats-new/2018/12/cloudfront-dec2018-10-edge-locations/
Amazon API Gateway Simplifies Building Real-Time Two-Way Communication Applications with WebSocket APIs | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-api-gateway-launches-support-for-websocket-apis/
Amazon Route 53 Adds Alias Record Support For API Gateway and VPC Endpoints | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-route-53-adds-alias-record-support-for-api-gateway-and-vpc-endpoints/

Topic || Database 7:41
Introducing Workload Qualification Framework to Project Plan Your Database Migrations to AWS | https://aws.amazon.com/about-aws/whats-new/2018/12/introducing-workload-qualification-framework-to-plan-your-database-migration-projects/
AWS Database Migration Service Adds Support for Parallel Full Load and Enhanced LOB Migration | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-database-migration-service-adds-support-for-parallel-full-load/
Amazon RDS Enhances Automatic Minor Version Upgrades | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-enhances-auto-minor-version-upgrades/
Amazon RDS for PostgreSQL Now Supports R5 Instance Types | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-postgresql-now-supports-r5-instance-types/
Amazon RDS Supports Publishing PostgreSQL Log Files to Amazon CloudWatch Logs | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-supports-postgresql-logfiles-publish-to-amazon-cloudwatch-logs/
Amazon RDS Performance Insights Supports Counter Metrics for Aurora PostgreSQL | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-performance-insights-supports-counter-metrics-for-aurora-postgresql/
Amazon RDS for PostgreSQL Supports New Minor Versions 10.6, 9.6.11, 9.5.15, and 9.4.20 | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-postgresql-supports-minor-version-106/
Amazon Aurora with PostgreSQL Compatibility Supports PostgreSQL 10.5 | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-aurora-postgresql-supports-postgresql-105/
Amazon Aurora with PostgreSQL Compatibility Adds Query Plan Management | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-aurora-postgresql-compatibility-adds-query-plan-management/
Announcing the New Amazon DynamoDB Key Diagnostics Library | https://aws.amazon.com/about-aws/whats-new/2018/12/announcing-the-new-amazon-dynamodb-key-diagnostics-library/
Amazon DynamoDB Increases the Number of Global Secondary Indexes and Projected Index Attributes You Can Create Per Table | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-dynamodb-increases-the-number-of-global-secondary-indexes-and-projected-index-attributes-you-can-create-per-table/
Amazon DynamoDB Accelerator (DAX) Adds Support for DynamoDB Transactions | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-dynamodb-accelerator-adds-support-for-dynamodb-transactions/
Amazon MQ Now Supports ActiveMQ Minor Version 5.15.8 | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-mq-now-supports-activemq-minor-version5-15-8/

Topic || Compute 14:13
Amazon ECR Console Version 2 | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-ecr-console-version-2/
Amazon ECR now allows Repository Tagging | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-ecr-now-allows-repository-tagging/
Amazon EC2 Introduces Partition Placement Groups | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-ec2-ntroduces-partition-placement-groups/
AWS Auto Scaling is Now Available in 8 more Regions Worldwide and Offers Predictive Scaling for Amazon EC2 | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-auto-scaling-is-now-available-in-8-more-regions-worldwide/
Amazon EC2 C5d, M5d, and R5d Instances are Now Available in Additional AWS Regions | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-ec2-c5d-m5d-and-r5d-instances-are-now-available-in-additional-aws-regions/
AWS Fargate Platform Version 1.3 Adds Secrets Support | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-fargate-platform-version-1-3-adds-secrets-support/
Amazon EKS Adds Managed Cluster Updates and Support for Kubernetes Version 1.11 | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-eks-adds-managed-cluster-updates-and-support-for-kubernetes/
AWS Server Migration Service Adds Support for Multi-Server Migration | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-server-migration-service-adds-support-for-multi-server-migration/
AWS Batch now supports Amazon EC2 C5n Instances Featuring 100 Gbps of Network Bandwidth | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-batch-now-supports-amazon-ec2-c5n-instances-featuring-100-gbps-of-network-bandwidth/
AWS Batch Now Supports Amazon EC2 P3dn Instances | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-batch-now-supports-amazon-ec2-p3dn-instances/
New AWS ParallelCluster Features | https://aws.amazon.com/about-aws/whats-new/2018/12/new-aws-parallelcluster-features/
New SAM PUBLISH Command Simplifies Publishing Applications to the AWS Serverless Application Repository | https://aws.amazon.com/about-aws/whats-new/2018/12/sam-publish-command-simplifies-publishing-apps-to-serverless-application-repository/
AWS Elastic Beanstalk Adds Tag-Based Permissions | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-elastic-beanstalk-adds-tag-based-permissions/

Topic || Developer Tools 20:39
AWS X-Ray Adds the Ability to Group Traces by Root Cause | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-xray-adds-the-ability-to-group-traces-by-root-cause/
AWS CodePipeline Supports VPC Endpoints | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-codepipeline-supports-vpc-endpoints/
AWS CloudFormation macros can now be used in templates with nested stacks | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-cloudformation-macros-can-now-be-used-in-templates-with-nest/
Quickly Create, Build, and Deploy Amazon Alexa Skills from AWS | https://aws.amazon.com/about-aws/whats-new/2018/12/quickly-create-build-and-deploy-amazon-alexa-skills-from-aws/

Topic || Machine Learning 22:07
Amazon Transcribe now supports speech-to-text in French, Italian, and Brazilian Portuguese | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-transcribe-now-supports-speech-to-text-in-french-italian-and-brazilian-portuguese/

Topic || Security, Identity and Compliance 22:27
AWS IAM Console Now Available In German, Portuguese, Spanish, Italian, and Traditional Chinese | https://aws.amazon.com/about-aws/whats-new/2018/12/iam-console-available-in-new-languages/
Automate AWS IAM Permissions Analysis Using the New IAM Access Advisor APIs | https://aws.amazon.com/about-aws/whats-new/2018/12/iam_access_advisor_apis/
Introducing Notifications for New Amazon GuardDuty Finding Types and Feature Releases | https://aws.amazon.com/about-aws/whats-new/2018/12/Introducing-Notifications-for-New-Amazon-GuardDuty-Finding-Types-and-Feature-Releases/
AWS Organizations Supports AWS License Manager Cross Account Sharing Capabilities | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-organizations-supports-aws-license-manager/
AWS Shield Adds Advanced DDoS Protection for AWS Global Accelerator | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-shield-adds-advanced-ddos-protection-for-aws-global-accelerator/
AWS Systems Manager Automation Now Supports at Scale Action | https://aws.amazon.com/about-aws/whats-new/2018/12/AWS-Systems-Manager-Automation-Now-Supports-at-Scale-Actions/
AWS Service Catalog – Integration with AWS Organizations | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-service-catalog-announces-integration-with-aws-organizations/
The AWS WAF Security Automations solution now includes a monitoring dashboard | https://aws.amazon.com/about-aws/whats-new/2018/12/the-aws-waf-security-automations-solution-now-includes-a-monitoring-dashboard/
Announcing rule group exception for Managed Rules for AWS WAF | https://aws.amazon.com/about-aws/whats-new/2018/12/announcing-rule-group-exception-for-managed-rules-for-aws-waf/
AWS Firewall Manager Available in Four Additional Regions | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-firewall-manager-now-available-in-four-more-regions/

Topic || Application Integration 26:59
Amazon SQS now Supports Amazon VPC Endpoints using AWS PrivateLink - Amazon Web Services | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-sqs-vpc-endpoints-aws-privatelink/
Amazon MQ Introduces Network of Brokers Feature | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-mq-introduces-network-of-brokers-feature/

Topic || Desktop & App Streaming 27:27
AppStream 2.0 introduces APIs to simplify app entitlements and enable delivery of virtualized apps | https://aws.amazon.com/about-aws/whats-new/2018/12/appstream-2-0-introduces-apis-to-simplify-app-entitlements-and-e/

Topic || Analytics 28:10
Support for Spark 2.4.0, and Hue 4.3.0 on Amazon EMR release 5.20.0 | https://aws.amazon.com/about-aws/whats-new/2018/12/support-for-spark-240-hue-430-on-amazon-emr-release-5200/
Amazon Redshift now runs VACUUM DELETE automatically | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-redshift-automatic-vacuum/

Topic || Internet of Things 29:41
Introducing AWS CloudFormation Template Support for AWS IoT Analytics | https://aws.amazon.com/about-aws/whats-new/2018/12/introducing-aws-cloudformation-template-support-for-aws-iot-analytics/
AWS IoT Device Defender Adds Support for Two New Security Metrics | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-iot-device-defender-adds-support-for-two-new-security-metrics/
MediaTek MT7697H System on Chip is Qualified for Amazon FreeRTOS | https://aws.amazon.com/about-aws/whats-new/2018/12/mediatek-mt7697h-system-on-chip-qualified-amazon-freertos/

Topic || Other 30:35
Announcing Programmatic Access to AWS Pricing Information in China via the AWS Price List API | https://aws.amazon.com/about-aws/whats-new/2018/12/announcing-aws-price-list-api-availability-in-china/
Introducing the Media Services Application Mapper | https://aws.amazon.com/about-aws/whats-new/2018/12/introducing-the-media-services-application-mapper/
New Quick Start Deploys Varnish Cache Plus (VCP) on the AWS Cloud | https://aws.amazon.com/about-aws/whats-new/2018/12/new-quick-start-deploys-varnish-on-aws/
Announcing 15 Free Digital Training Courses on New AWS Services Launched at re:Invent 2018 | https://aws.amazon.com/about-aws/whats-new/2018/12/announcing-15-free-digital-training-courses-on-new-aws-services-launched-at-re-invent-2018/
Whether you are part of a large organization moving your applications to the cloud, or a new application owner just getting started, you always need a baseline security for your web applications. In addition, large organizations with common security requirements frequently need to standardize their security posture across many applications. With compliance initiatives, such as PCI, OFAC, and GDPR, there is a need to effectively manage this posture with minimal error. In this session, learn how to use services like AWS WAF, AWS Shield, and AWS Firewall Manager to deploy and manage rules and protections uniformly across many accounts and resources. Please join us for a speaker meet-and-greet following this session at the Speaker Lounge (ARIA East, Level 1, Willow Lounge). The meet-and-greet starts 15 minutes after the session and runs for half an hour.
Join us for this advanced-level talk to learn about Pokemon's journey defending against DDoS attacks and bad bots with AWS WAF, AWS Shield, and other AWS services. We go through their initial challenges and the evolution of their bot mitigation solution, which includes offline log analysis and dynamic updates of bad-bot IPs along with rate-based rules. This is an advanced talk and assumes some knowledge of Amazon DynamoDB, Amazon Kinesis Data Firehose, Amazon Kinesis Data Analytics, AWS Firewall Manager, AWS Shield, and AWS WAF.
Simon takes you through lots of great new features and capabilities for customers, and also a special call out for listeners attending AWS re:Invent to get some AWS Podcast swag! Shownotes with timestamps:

1:42 Compute
In the Works – AWS Region in Milan, Italy - AWS News Blog | https://aws.amazon.com/blogs/aws/in-the-works-aws-region-in-milan-italy/
AWS GovCloud (US-East) Now Open - AWS News Blog | https://aws.amazon.com/blogs/aws/aws-govcloud-us-east-now-open/
Amazon EC2 now offers On-Demand Capacity Reservations | https://aws.amazon.com/about-aws/whats-new/2018/10/Amazon-EC2-now-offers-On-Demand-Capacity-Reservations/
Introducing Amazon EC2 Instances Featuring AMD EPYC Processors | https://aws.amazon.com/about-aws/whats-new/2018/11/introducing_amazon_ec2_instances_featuring_amd_epyc_processors/
Amazon ECS-CLI Supports Private Registry Authentication | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-ecs-cli-supports-private-registry-authentication/
Amazon EKS now supports additional VPC CIDR blocks | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-eks-now-supports-additional-vpc-cidr-blocks/
AWS Serverless Application Model Supports Amazon API Gateway Authorizers | https://aws.amazon.com/about-aws/whats-new/2018/10/aws-sam-supports-amazon-api-gateway-authorizers/

6:04 Cost Management
Introducing the New AWS Budgets Console | https://aws.amazon.com/about-aws/whats-new/2018/10/introducing-the-new-aws-budgets-console/
AWS now Supports SEPA Direct Debit Payments in Europe | https://aws.amazon.com/about-aws/whats-new/2018/10/aws-sepa-support/
Amazon API Gateway Announces Tiered Pricing | https://aws.amazon.com/about-aws/whats-new/2018/11/api-gateway-announces-tiered-pricing/
AWS IoT Core Improves the Ability to Ingest Large Amounts of Device Data at a Lower Cost | https://aws.amazon.com/about-aws/whats-new/2018/11/aws-iot-core-improves-ability-to-ingest-large-amounts-of-data/
Access Reserved Instance Purchase Recommendations for All of Your Linked Accounts From a Central Location | https://aws.amazon.com/about-aws/whats-new/2018/11/central-location-for-accessing-ri-purchase-recommendations-for-all-accounts/
Monitor Your Amazon Elasticsearch Reserved Instance Utilization and Coverage Using AWS Budgets | https://aws.amazon.com/about-aws/whats-new/2018/11/monitor-your-amazon-elasticsearch-ri-using-aws-budgets/
Amazon EC2 Spot Console now Provides Access to Spot Savings Information | https://aws.amazon.com/about-aws/whats-new/2018/11/Amazon-EC2-Spot-Console-now-Provides-Access-to-Spot-Savings-Information/

10:15 Machine Learning
Amazon Translate now offers 113 new language pairs | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-translate-now-offers-113-new-language-pairs/
Amazon Polly Adds Italian and Castilian Spanish Voices, and Mexican Spanish Language Support | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-polly-adds-italian-and-castilian-spanish-voices-and-mexican-spanish-language-support/
Amazon Rekognition Announces More Accurate Object and Scene Detection, Can Now Locate Objects in Your Images | https://aws.amazon.com/about-aws/whats-new/2018/11/Amazon-rekognition-announces-more-accurate-object-and-scene-detection-can-now-locate-objects-in-your-images/
Amazon SageMaker Now Supports Pipe Mode for Datasets in CSV Format | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-sagemaker-now-supports-pipe-mode-for-datasets-in-csv-form/
Amazon SageMaker Batch Transform Now Supports AWS KMS Based Encryption | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-sagemaker-batch-transform-now-supports-aws-kms-based-encr/
Now Clone a Hyperparameter Tuning Job through the Amazon SageMaker Console | https://aws.amazon.com/about-aws/whats-new/2018/11/now-clone-a-hyperparameter-tuning-job-through-the-amazon-sagemak0/
Amazon SageMaker Now Supports Apache MXNet 1.3 and TensorFlow 1.11 | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-sagemaker-now-supports-apache-mxnet-1-3-and-tensorflow-1-/
Amazon SageMaker Now Supports Incremental Learning for Image Classification and Object Detection Algorithms | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-sagemaker-now-supports-incremental-learning-for-image-cla/
Amazon SageMaker Batch Transform Now Supports Amazon Virtual Private Cloud | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-sagemaker-batch-transform-now-supports-amazon-virtual-pri/
Now Use Chainer 5.0 on AWS Deep Learning AMIs | https://aws.amazon.com/about-aws/whats-new/2018/11/chainer5-0_launch_deep_learning_ami/
Introducing Machine Learning for Telecommunication | https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-machine-learning-for-telecommunication/

15:14 Storage
Amazon EFS now Supports AWS VPN and Inter-Region VPC Peering | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-efs-now-supports-aws-vpn-and-inter-region-vpc-peering/
Amazon Elastic File System Now Supports 512 Locks per File | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-elastic-file-system-now-supports-512-locks-per-file/
Amazon S3 Management Console is Now Available in Five New Languages | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-s3-console-is-now-available-in-five-new-languages/
Amazon Data Lifecycle Manager adds support for copying EBS volume tags to EBS snapshots | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-data-lifecycle-manager-adds-support-for-copying-ebs-volume-tags-to-ebs-snapshots/

16:23 Networking
Announcing the general availability of Bring Your Own IP for Amazon Virtual Private Cloud | https://aws.amazon.com/about-aws/whats-new/2018/10/announcing-the-general-availability-of-bring-your-own-ip-for-amazon-virtual-private-cloud/
Amazon API Gateway Launches the Serverless Developer Portal | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-api-gateway-launches-the-serverless-developer-portal/
Amazon API Gateway Adds Support for AWS WAF | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-api-gateway-adds-support-for-aws-waf/
Amazon CloudFront announces six new Edge locations across North America, Europe, and Asia | https://aws.amazon.com/about-aws/whats-new/2018/11/cloudfront-nov6-launch/
Amazon Route 53 Releases Interactive Map for Traffic Flow Geoproximity Routing | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-route-53-releases-interactive-map-for-traffic-flow-geoproximity-routing/

19:17 Databases
Amazon ElastiCache Now Supports the Next Generation General-Purpose and Memory-Optimized Amazon EC2 M5 and R5 Nodes | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon_elasticache_now_supports_the_next_generation_general-purpose_and_memory-optimized_amazon_ec2_m5_and_r5_nodes/
New – Redis 5.0 Compatibility for Amazon ElastiCache - AWS News Blog | https://aws.amazon.com/blogs/aws/new-redis-5-0-compatibility-for-amazon-elasticache/
Amazon RDS Enables Stopping and Starting of Multi-AZ Database Instances | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-rds-stop-and-start-of-multi-az-instances/
Amazon RDS for MySQL, MariaDB and PostgreSQL Now Supports Database Storage Size up to 32TiB | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-rds-mysql-mariadb-postgresql-32tib-support/
Amazon RDS now supports MySQL 8.0 | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-rds-now-supports-mysql-8/
Amazon RDS now supports MariaDB 10.3 | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-rds-now-supports-mariadb-10_3/
PostgreSQL 11 is Now Available in Amazon RDS Database Preview Environment | https://aws.amazon.com/about-aws/whats-new/2018/10/postgresql-11-available-in-rds-database-preview/
Amazon RDS for SQL Server Enhances Backup and Restore Capabilities | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-rds-for-sql-server-enhances-backup-and-restore-capabilities/
Amazon RDS for Oracle Now Supports M5 Instance Types | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-rds-for-oracle-supports-m5-instances/
Amazon RDS Performance Insights is Generally Available on RDS for Oracle | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-rds-performance-insights-is-generally-available-on-rds-for-oracle/
Amazon RDS for Oracle Now Supports Oracle Java | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-rds-for-oracle-now-supports-oracle-java/
Amazon RDS for Oracle Now Supports Extended Data Types | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-rds-for-oracle-now-supports-extended-data-types/
Amazon RDS Now Sends Events to Amazon CloudWatch Events | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-rds-now-sends-events-to-amazon-cloudwatch-events/
Amazon RDS for SQL Server Now Supports Always On Availability Groups | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-rds-for-sql-server-now-supports-alwayson-availability-groups/
Amazon Aurora with PostgreSQL Compatibility Supports IAM Authentication | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-aurora-postgresql-supports-iam-authentication/

24:37 Management Tools
New – CloudFormation Drift Detection - AWS News Blog | https://aws.amazon.com/blogs/aws/new-cloudformation-drift-detection/
New AWS CloudFormation Management Console Now Available | https://aws.amazon.com/about-aws/whats-new/2018/11/new-aws-cloudformation-management-console-now-available/
AWS CloudFormation coverage updates for Amazon Secrets Manager, Amazon API Gateway, Amazon RDS, Amazon Route53, Amazon Cloudwatch alarms and more | https://aws.amazon.com/about-aws/whats-new/2018/11/aws-cloudformation-coverage-updates-for-amazon-secrets-manager--/
Introducing AWS CloudFormation support for Amazon Data Lifecycle Manager policies | https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-aws-cloudformation-support-for-amazon-data-lifecycle-manager-policies/
New Quick Start builds a CI/CD pipeline to test AWS CloudFormation templates using AWS TaskCat | https://aws.amazon.com/about-aws/whats-new/2018/10/new-quickstart-builds-cicd-pipeline-to-test-cloudformation-templates-using-taskcat/
Amazon CloudWatch Events Adds the Ability to Share Events Across All Accounts in an Organization | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-cloudwatch-events-adds-the-ability-to-share-events-across-all-accounts-in-an-organization/
Easily Monitor Security Events of Your AWS Managed Microsoft AD Using Amazon CloudWatch Logs | https://aws.amazon.com/about-aws/whats-new/2018/10/easily-monitor-security-events-of-your-aws-managed-microsoft-ad-using-amazon-cloudwatch-logs/

27:41 Business Productivity
Amazon WorkDocs Now Lets You Control IP Address Access to Your Site | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-workdocs-control-ip-address-access/
Alexa for Business now enables third party device makers to have their products be managed as shared devices | https://aws.amazon.com/about-aws/whats-new/2018/10/alexa-for-business-now-enables-third-party-device-makers-to-have/
Introducing Amazon AppStream 2.0 AWS CloudFormation Support and User Pool APIs | https://aws.amazon.com/about-aws/whats-new/2018/10/introducing-amazon-appstream-2-0-aws-cloudformation-support-and-/
Amazon WorkDocs Drive Now Available for Mac | https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-workdocs-drive-available-for-mac/

28:30 Security
AWS Firewall Manager Now Supports Multiple AWS WAF Rule Groups | https://aws.amazon.com/about-aws/whats-new/2018/10/firewall-manager-now-supports-multiple-aws-waf-rulegroups-per-policy/
AWS Single Sign-On Now Enables You to Optimize How Long You can Access AWS Accounts |
https://aws.amazon.com/about-aws/whats-new/2018/10/aws-single-sign-on-now-enables-you-to-optimize-how-long-you-can-access-aws-accounts/ AWS Single Sign-On Adds More Pre-Integrated Business Applications | https://aws.amazon.com/about-aws/whats-new/2018/11/aws-single-sign-on-adds-more-pre-integrated-business-applications/ Amazon GuardDuty Optimizes AWS CloudTrail Analysis Reducing Cost for Customers | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-guardduty-optimizes-aws-cloudtrail-analysis-reducing-cost-for-customers/ Amazon Inspector Launches Agentless Network Assessments | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-inspector-launches-agentless-network-assessments/ Amazon Inspector Adds Amazon EC2 Instance Details to Security Findings | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-inspector-adds-amazon-ec2-instance-details-to-security-findings/ Centralized Logging Now Leverages Amazon Cognito for User Authentication | https://aws.amazon.com/about-aws/whats-new/2018/11/centralized-logging-now-leverages-amazon-cognito-for-user-authentication/ AWS Key Management Service Has a New Console Experience | https://aws.amazon.com/about-aws/whats-new/2018/11/aws-key-management-service-has-a-new-console-experience/ 32:13 Analytics Amazon QuickSight adds support for Top N Filters, Cascading Parameter Controls, and JSON Parsing | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-quickSight-now-supports-top-bottom-filters-cascading-parameter-controls-and-json-parsing-on-data-sources/ Amazon EMR now supports a public EMR artifact repository for Maven builds | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-emr-now-supports-a-public-EMR-artifact-repository-for-maven-builds/ Amazon EMR now supports G3, H1, and Z1d instances | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-emr-now-supports-g3-h1-z1d-instances/ Support for Flink 1.6.0, Zeppelin 0.8.0, and S3 Select with Hive and Presto on Amazon EMR release 5.18.0 | 
https://aws.amazon.com/about-aws/whats-new/2018/11/support-for-flink-160-zeppelin-080-and-s3-select-with-hive-and-presto-on-amazon-emr-release-5180/ Stream data from Microsoft Windows based services using the Amazon Kinesis Agent for Microsoft Windows | https://aws.amazon.com/about-aws/whats-new/2018/11/stream-data-from-microsoft-windows-based-services-using-the-amazon-kinesis-agent-for-microsoft-windows/ 33:36 Customer Engagement Amazon Pinpoint announces support for transactional emails and the addition of rich email analytics dashboards | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-pinpoint-announces-support-for-transactional-emails-and-t/ 34:33 Application Integration Amazon SQS FIFO Queues Now Available in Asia Pacific (Tokyo) and Asia Pacific (Sydney) Regions - Amazon Web Services | https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-sqs-fifo-asia-pacific-tokyo-sydney/
Dr.Pete and Shane are back again with another episode of AWS TechChat! Tune in to find out more about price reductions and the latest AWS updates around Amazon EC2, AWS Storage Gateway, Multi Factor Authentication with Universal 2nd Factor (U2F), AWS Lambda, AWS WAF and Amazon Aurora.
It is update time! Simon shares a great selection of new things for customers - what will be your favourite? Shownotes:
Amazon Polly Gives WordPress a Voice! - AWS Machine Learning Blog | https://aws.amazon.com/blogs/machine-learning/amazon-polly-gives-wordpress-a-voice/
Amazon Polly New Phonation Tag Enables You to Create Softer Speech | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-polly-new-phonation-tag-enables-you-to-create-softer-speech/
Amazon Connect Adds Speech Synthesis Markup Language Support for Amazon Lex Chatbots | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-connect-adds-speech-synthesis-markup-language-support-for-amazon-lex-chatbots/
Announcing Responses Capability in Amazon Lex and SSML Support in Text Response | https://aws.amazon.com/about-aws/whats-new/2018/02/announcing-responses-capability-in-amazon-lex-and-ssml-support-in-text-response/
Now Export and Import your Amazon Lex Chatbot Schema | https://aws.amazon.com/about-aws/whats-new/2018/02/now-export-and-import-your-amazon-lex-chatbot-schema/
Amazon DynamoDB Now Supports Server-Side Encryption at Rest | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-dynamodb-now-supports-server-side-encryption-at-rest/
Amazon DynamoDB Accelerator (DAX) Releases SDKs for Python and .NET, Support for T2 Instances, and now available in the Asia Pacific (Singapore) and Asia Pacific (Sydney) Regions | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-dynamodb-accelerator-dax-releases-sdks-for-python-and-dot-net-support-for-t2-instances-and-now-available-in-the-asia-pacific-singapore-and-asia-pacific-sydney-regions/
Amazon Cognito Simplifies User Migration | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-cognito-simplifies-user-migration/
Amazon ECS Adds New Endpoint to Access Task Metrics and Metadata | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-ecs-adds-new-endpoint-to-access-task-metrics-and-metadata/
AWS Fargate Supports Container Workloads Regulated By ISO, PCI, SOC, and HIPAA | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-fargate-supports-container-workloads-regulated-by-iso-pci-soc-and-hipaa/
Target Tracking Available for Container Service Auto Scaling in Amazon ECS Console | https://aws.amazon.com/about-aws/whats-new/2018/02/target-tracking-available-for-container-service-auto-scaling-in-amazon-ecs-console/
AWS Shield now Integrated with AWS CloudTrail | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-shield-now-integrated-with-aws-cloudtrail/
Amazon GameLift Introduces Backfill Functionality to FlexMatch, the Dynamic Matchmaking Service for Multiplayer Experiences | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-gamelift-introduces-backfill-functionality-to-flexmatch-the-dynamic-matchmaking-service-for-multiplayer-experiences/
Amazon GameLift FleetIQ and Spot Instances Reduce Costs by up to 90% | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-gamelift-fleetiq-and-spot-instances-reduce-costs-by-up-to-90-percent/
New AWS Direct Connect sites land in Paris and Taipei | https://aws.amazon.com/about-aws/whats-new/2018/02/new-aws-direct-connect-sites-land-in-paris-and-taipei/
Inter-Region VPC Peering is Now Available in Nine Additional AWS Regions | https://aws.amazon.com/about-aws/whats-new/2018/02/inter-region-vpc-peering-is-now-available-in-nine-additional-aws-regions/
Longer Format Resource IDs are Now Available in Amazon EC2 | https://aws.amazon.com/about-aws/whats-new/2018/02/longer-format-resource-ids-are-now-available-in-amazon-ec2/
AWS AppSync Adds new GraphQL Functionality and Removes Whitelist Approvals from Preview | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-appsync-adds-new-graphql-functionality-and-removes-whitelist-approvals-from-preview/
AWS AppSync Expands to Three New Regions, Adds API Key Extension Feature | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-appsync-expands-to-three-new-regions-adds-api-key-extension-feature/
AWS Config Adds Support for AWS WAF RuleGroups | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-config-adds-support-for-aws-waf-rulegroups/
New Products for Managed Rules on AWS WAF | https://aws.amazon.com/about-aws/whats-new/2018/02/new-products-for-managed-rules-on-aws-waf/
Amazon Inspector Now Supports Windows Server 2016 | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-inspector-now-supports-windows-server-2016/
AWS Trusted Advisor's S3 Bucket Permissions Check Is Now Free | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-trusted-advisors-s3-bucket-permissions-check-is-now-free/
Amazon EC2 Auto Scaling Adds Support for Service-Linked Roles | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-ec2-auto-scaling-adds-support-for-service-linked-roles/
Network Load Balancer now Supports Cross-Zone Load Balancing | https://aws.amazon.com/about-aws/whats-new/2018/02/network-load-balancer-now-supports-cross-zone-load-balancing/
Auto Scaling in Amazon SageMaker is now Available | https://aws.amazon.com/about-aws/whats-new/2018/02/auto-scaling-in-amazon-sagemaker-is-now-available/
AWS DeepLens Announces the Ability to Directly Import Models from Amazon SageMaker | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-deeplens-announces-the-ability-to-directly-import-models-from-amazon-sagemaker/
Introducing the Real-Time Insights on AWS Account Activity | https://aws.amazon.com/about-aws/whats-new/2018/02/introducing-the-real-time-insights-on-aws-account-activity/
AWS Serverless Application Repository Now Generally Available | https://aws.amazon.com/about-aws/whats-new/2018/02/aws-serverless-application-repository-now-generally-available/
Amazon AppStream 2.0 Now Supports Copying Images Across AWS Regions | https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-appstream-2_0-now-supports-copying-images-across-aws-regions/
Amazon CloudWatch Events now Supports AWS Batch as an Event Target | https://aws.amazon.com/about-aws/whats-new/2018/03/amazon-cloudwatch-events-now-supports-aws-batch-as-an-event-target/
AWS Service Catalog Announces AutoTags for Automatic Tagging of Provisioned Resources | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-service-catalog-announces-autotags-for-automatic-tagging-of-provisioned-resources/
AWS Service Catalog Launches Brand Your Console to Deliver a Customizable User Experience | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-service-catalog-launches-brand-your-console-to-deliver-a-customizable-user-experience/
AWS Storage Gateway Expands Automation with New CloudWatch Event, and Support for "Requester Pays" Buckets | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-storage-gateway-expands-automation-with-new-cloudwatch-event-and-support-for-requester-pays-buckets/
Amazon Redshift Spectrum Now Supports Scalar JSON and Ion Data Types | https://aws.amazon.com/about-aws/whats-new/2018/03/amazon-redshift-spectrum-now-supports-scalar-json-and-ion-data-types/
PostgreSQL 10 now Supported in Amazon RDS | https://aws.amazon.com/about-aws/whats-new/2018/02/postgresql-10-now-supported-in-amazon-rds/
AWS GovCloud (US) Region Adds Third Availability Zone | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-govcloud-us-region-adds-third-availability-zone/
AWS Snowball Now Available in AWS Singapore Region | https://aws.amazon.com/about-aws/whats-new/2018/03/aws-snowball-now-available-in-aws-singapore-region/
What is a WAF and why would you use it? Simon speaks with Sundar Jayashenkar (Senior Product Manager, AWS) to get into some detail. https://aws.amazon.com/waf/
Simon takes you through even more news from re:Invent 2017! Shownotes:
Announcing Alexa for Business: Using Amazon Alexa’s Voice Enabled Devices for Workplaces - AWS News Blog | https://aws.amazon.com/blogs/aws/launch-announcing-alexa-for-business-using-amazon-alexas-voice-enabled-devices-for-workplaces/
AWS Lambda Doubles Maximum Memory Capacity for Lambda Functions | https://aws.amazon.com/about-aws/whats-new/2017/11/aws-lambda-doubles-maximum-memory-capacity-for-lambda-functions/
Set Concurrency Limits on Individual AWS Lambda Functions | https://aws.amazon.com/about-aws/whats-new/2017/11/set-concurrency-limits-on-individual-aws-lambda-functions/
AWS CloudTrail Adds Logging of Execution Activity for AWS Lambda Functions | https://aws.amazon.com/about-aws/whats-new/2017/11/aws-cloudtrail-adds-logging-of-execution-activity-for-aws-lambda-functions/
AWS Lambda Introduces Enhanced Console Experience | https://aws.amazon.com/about-aws/whats-new/2017/11/aws-lambda-introduces-enhanced-console-experience/
Get Ready for the AWS Serverless Application Repository - AWS News Blog | https://aws.amazon.com/blogs/aws/aws-serverless-app-repo/
Migrate Hyper-V VMs to AWS with AWS Server Migration Service | https://aws.amazon.com/about-aws/whats-new/2017/11/migrate-hyper-v-vms-to-aws-with-aws-server-migration-service/
AWS Cloud9 – Cloud Developer Environments - AWS News Blog | https://aws.amazon.com/blogs/aws/aws-cloud9-cloud-developer-environments/
Announcing New AWS Deep Learning AMI for Microsoft Windows | https://aws.amazon.com/about-aws/whats-new/2017/11/announcing-new-aws-deep-learning-ami-for-microsoft-windows/
Amazon API Gateway Supports Endpoint Integrations with Private VPCs | https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-api-gateway-supports-endpoint-integrations-with-private-vpcs/
Announcing Support for Inter-Region VPC Peering | https://aws.amazon.com/about-aws/whats-new/2017/11/announcing-support-for-inter-region-vpc-peering/
Introducing Launch Templates for Amazon EC2 instances | https://aws.amazon.com/about-aws/whats-new/2017/11/introducing-launch-templates-for-amazon-ec2-instances/
T2 Unlimited – Going Beyond the Burst with High Performance - AWS News Blog | https://aws.amazon.com/blogs/aws/new-t2-unlimited-going-beyond-the-burst-with-high-performance/
Introducing Spread Placement Groups for Amazon EC2 | https://aws.amazon.com/about-aws/whats-new/2017/11/introducing-spread-placement-groups-for-amazon-ec2/
Amazon Lightsail adds load balancers with integrated certificate management | https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-lightsail-adds-load-balancers-with-integrated-certificate-management/
Keeping Time With Amazon Time Sync Service - AWS News Blog | https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/
Sign Up for the Preview of Amazon Aurora Multi-Master | https://aws.amazon.com/about-aws/whats-new/2017/11/sign-up-for-the-preview-of-amazon-aurora-multi-master/
In The Works – Amazon Aurora Serverless - AWS News Blog | https://aws.amazon.com/blogs/aws/in-the-works-amazon-aurora-serverless/
Over-the-air updates, access to local resources, and OPC-UA industrial protocol adapter now available on AWS Greengrass | https://aws.amazon.com/about-aws/whats-new/2017/11/over-the-air-updates-access-to-local-resources-and-opc-ua-industrial-protocol-adapter-now-available-on-aws-greengrass/
Ready-to-Use Managed Rules Now Available on AWS WAF | https://aws.amazon.com/about-aws/whats-new/2017/11/ready-to-use-managed-rules-now-available-on-aws-waf/
In this session, you learn how to adapt application defenses and operational responses based on your unique requirements. You also hear directly from customers about how they architected their applications on AWS to protect their applications. There are many ways to build secure, high-availability applications in the cloud. Services such as API Gateway, Amazon VPC, ALB, ELB, and Amazon EC2 are the basic building blocks that enable you to address a wide range of use cases. Best practices for defending your applications against Distributed Denial of Service (DDoS) attacks, exploitation attempts, and bad bots can vary with your choices in architecture.
You need a new approach to security for serverless applications. Classic approaches just don't make sense, because tools and process can only take you so far. You need a fresh look at what security means in these environments. Serverless applications let you focus on solving the problem at hand. Gone are most of the worries of traditional solutions. No more support code. No more building out infrastructure to deliver your application. This means you have to do less and get more in return. Classic operations fall by the wayside and you can scale your team in unprecedented ways. But what does this mean for security? No matter the design pattern, you're always responsible for your data, even if you're not running the underlying infrastructure. How do you make sure your data is safe and secure if you can't apply the usual set of security controls? In this session, we explore how serverless designs impact security. We look at how the right approach can modernize your security practice, streamline ops, and reduce your workload. This session introduces a step-by-step security process for serverless applications, using services like AWS WAF, IAM, Amazon CloudWatch, and others to build stronger applications. Session sponsored by Trend Micro Incorporated
Learn how Amazon.com continuously improves the availability and performance of its website with AWS. Gavin Jewell, Director of Amazon's Consumer Cloud Enablement group, will go in depth on how Amazon CloudFront helps them accelerate their website globally, and how it gives flexibility to apply various security measures at the edge. He will also explain how they are using services such as AWS Shield, AWS WAF, and Route 53. Lastly, we will explore Amazon.com's continuous and incremental re-architecture program that ensures their infrastructure is constantly updated to use AWS natively.
This session provides an overview of IPv6 and covers key aspects of AWS support for the protocol. We discuss Amazon S3 and S3 Transfer Acceleration, Amazon CloudFront and AWS WAF, Amazon Route 53, AWS IoT, Elastic Load Balancing, and the virtual private cloud (VPC) environment of Amazon EC2. The presentation assumes solid knowledge of IPv4 and these AWS services.
Your application is exposed to a variety of threats, from common distributed attacks to sophisticated zero-day vectors. Learn how to architect beyond the region, take advantage of the AWS Edge Network, and upgrade your security posture with easy-to-deploy solutions that scale. In this session you will learn how to ensure your application withstands malicious threats and DDoS attacks, what role architecture plays in your security posture, and how professional services and partners like Flux7 can help.
Dow Jones, which produces the Wall Street Journal, engaged AWS Enterprise Support to plan for peak website usage during the United States presidential election in 2016. This preparation ensured that the Wall Street Journal website could scale to meet peak demands as election returns came in. They have since expanded their use of AWS services, including Lambda@Edge, AWS WAF, and AWS Shield.
Get a deep-dive planning and implementation analysis of Asurion's “All in AWS Edge” migration. Jabez Abraham, Cloud Architect at Asurion, discusses their AWS edge location strategy, including Amazon CloudFront, AWS WAF, AWS Shield Advanced, and AWS Lambda@Edge, and the engagement of partners. Jabez shares the pre-migration strategy, architectural reviews, A/B testing requirements, caching, shielding of endpoints within the VPC, and partner engagements.
Joining Pete and Oli as a co-host from this episode is Dean Samuels, Solutions Architect Manager, HKT, AWS. In this latest episode, Pete and Dean round up the latest around Amazon CloudFront, AWS WAF, Amazon EC2 Spot, Windows Server for Amazon LightSail, Microsoft SQL Server for Amazon EC2, Lifecycle Policies for Amazon EC2 Container Registry, Amazon Database Migration Service, Amazon Redshift, Amazon DynamoDB Accelerator and Gluon, Application Load Balancer and AWS Marketplace.
Cross-account CloudWatch Events
Prepare for the OWASP Top 10 Web Vulnerabilities w/ AWS WAF
Archive items to S3 from DynamoDB using TTL
CloudWatch dashboards API/CloudFormation support
New info in the IAM console to follow best practices around inactive users
Is it possible to host Facebook on AWS?
Dropbox / AWS
In this episode Simon discusses the importance of re-visiting Services to ensure you reduce the amount of undifferentiated heavy lifting you have in your architecture. Then he covers a raft of updates big and small. Shownotes:
AWS and Ionic: https://aws.amazon.com/about-aws/whats-new/2017/05/mobile-web-and-hybrid-application-with-exported-mobile-hub-project-for-deploying-apps-and-mobile-backend/
Amazon QuickSight updates: https://aws.amazon.com/blogs/big-data/visualize-big-data-with-amazon-quicksight-presto-and-apache-spark-on-amazon-emr/
AWS Schema Conversion Tool updates: https://aws.amazon.com/about-aws/whats-new/2017/05/aws-schema-conversion-tool-exports-from-sql-server-to-amazon-redshift/
AWS CloudFormation support for AWS WAF on ALB: https://aws.amazon.com/about-aws/whats-new/2017/05/cloudformation-support-for-aws-waf-on-alb/
AWS CloudTrail with S3 Data Events: https://aws.amazon.com/about-aws/whats-new/2017/05/aws-cloudtrail-adds-data-event-delivery-to-amazon-cloudwatch-logs/
Auto Scaling Resource-Level Permissions: https://aws.amazon.com/about-aws/whats-new/2017/05/introducing-auto-scaling-resource-level-permissions/
AWS CodeDeploy Updates: https://aws.amazon.com/about-aws/whats-new/2017/05/aws-codedeploy-adds-file-handling-support/
New Amazon S3 Console: https://aws.amazon.com/about-aws/whats-new/2017/05/announcing-the-availability-of-the-new-amazon-s3-console/
Amazon Athena adds API/CLI Support: https://aws.amazon.com/about-aws/whats-new/2017/05/amazon-athena-adds-api-cli-aws-sdk-support-and-audit-logging-with-aws-cloudtrail/
AWS X-Ray AWS Lambda Request Tracing GA: https://aws.amazon.com/about-aws/whats-new/2017/05/aws-x-ray-makes-aws-lambda-request-tracing-generally-available/
Whether you are building a secure ecommerce application or developing games, security is a key consideration when architecting your application. In this session, you will learn about edge termination of your end user requests and will dive deep into advanced protocols and ciphers, enforcing end-to-end HTTPS connections with AWS Certificate Manager, and access control with AWS WAF.
In this series of 15-minute technical flash talks you will learn directly from Amazon CloudFront engineers and their best practices on debugging caching issues, measuring performance using Real User Monitoring (RUM), and stopping malicious viewers using CloudFront and AWS WAF.
In a rapidly changing IT environment, detecting and responding to new threats is more important than ever. This session shows you how to build a predictive analytics stack on AWS, which harnesses the power of Amazon Machine Learning in conjunction with Amazon Elasticsearch Service, AWS CloudTrail, and VPC Flow Logs to perform tasks such as anomaly detection and log analysis. We also demonstrate how you can use AWS Lambda to act on this information in an automated fashion, such as performing updates to AWS WAF and security groups, leading to an improved security posture and alleviating operational burden on your security teams.
Recently, AWS announced support for Internet Protocol version 6 (IPv6) for several AWS services, providing significant capabilities for applications and systems that need IPv6. This session provides an overview of IPv6 and covers key aspects of AWS support for the protocol. We discuss Amazon S3 and S3 Transfer Acceleration, Amazon CloudFront and AWS WAF, Amazon Route 53, AWS IoT, Elastic Load Balancing, and the virtual private cloud (VPC) environment of Amazon EC2. The presentation assumes solid knowledge of IPv4 and those AWS services.
Ian Ward, Platform and Security Engineer from Mapbox, discusses how the AWS global edge network helps improve the availability and performance of delivering hundreds of billions of map tiles to hundreds of millions of end users across the globe on mobile devices, in cars, and over the web. In this session, Ian shares insights on how Mapbox manages day-to-day edge operations using Amazon CloudFront logs, dashboards, and ad hoc queries, and how Mapbox has configured CloudFront with dozens of behaviors and origins to customize their content delivery. Mapbox has grown from using a single AWS region to using several regions, so Ian also explains how his team uses Amazon Route 53 and open source tools to simplify complexity around regional failover, and how Mapbox leverages AWS WAF to deter attacks and abuse.
As attackers become more sophisticated, web application developers need to constantly update their security configurations. Static firewall rules are no longer good enough. Developers need a way to deploy automated security that can learn from application behavior and identify bad traffic patterns to detect bad bots or bad actors on the Internet. This session showcases real-world customer use cases that combine machine learning and AWS WAF (a web application firewall) with automated incident response to automatically identify bad actors. We also present tutorials and code samples that show how customers can analyze traffic patterns and deploy new AWS WAF rules on the fly.
Will it Lambda?!?!?!
Lambda chat follow-up / long polling
Cool Lambda use case: rate-based blacklisting
Send us your crazy Lambda projects: lambda@engineers.coffee
AWS Config Rules Repository
GitHub services repository
New recurring segment idea
This week in security news, we talk about Stagefright 2.0, how to root your very own Google OnHub, breaking SHA-1, and AWS WAF. For a full list of stories, visit our wiki: http://wiki.securityweekly.com/wiki/index.php/Episode437#Stories_of_the_Week_-_7:00PM-8:00PM Security Weekly Web Site: http://securityweekly.com Hack Naked Gear: http://shop.securityweekly.com Follow us on Twitter: @securityweekly
Interview with Dafydd Stuttard This week, we interview Dafydd Stuttard, the creator of Burp Suite and the author of The Web Application Hacker's Handbook. We talk about the source of the name "Burp" and the future of webapp scanning. Security News - Facebook Sex tapes and rooting the OnHub This week in security news, we talk about Stagefright 2.0, how to root your very own Google OnHub, breaking SHA-1, and AWS WAF. For a full list of stories, visit our wiki: http://wiki.securityweekly.com/wiki/index.php/Episode437#Stories_of_the_Week_-_7:00PM-8:00PM Security Weekly Web Site: http://securityweekly.com Hack Naked Gear: http://shop.securityweekly.com Follow us on Twitter: @securityweekly