AJ

Issue 32 of AWS Cloud Security Weekly

(Summary of Issue 32 of AWS Cloud Security weekly @ https://aws-cloudsec.com/p/issue-32)

This week's TL;DR, i.e. the 1-minute version (for executives):

  1. Amazon GuardDuty Runtime Monitoring protects clusters running in shared VPC.
  2. Amazon RDS for Db2 now supports audit logging.
  3. API Gateway now supports TLS 1.3.
  4. Amazon AppStream 2.0 now supports administrative controls for limiting clipboard.
  5. AWS Control Tower introduces APIs to register Organizational Units.

This week's long read, i.e. the 5-10 minute version (for architects & engineers):

  1. Amazon GuardDuty Runtime Monitoring, which identifies potential threats while workloads are running, now extends its protection to workloads in shared Virtual Private Clouds (VPCs) across all supported compute services. A shared VPC lets multiple AWS accounts deploy their application resources, such as Amazon EC2 instances, into a VPC that is managed centrally. This streamlines network management across accounts, lowers cost, and reduces operational complexity by minimizing the number of VPCs to oversee. GuardDuty Runtime Monitoring uses a VPC endpoint to transmit agent telemetry to the GuardDuty backend for threat detection and processing. With GuardDuty Runtime Monitoring managing the security agent for you, the creation of the VPC endpoint and the installation, deployment, and updates of the agent are all handled without additional cost.

  2. Audit capabilities are now available for Amazon Relational Database Service (Amazon RDS) for Db2. Upon activation, Amazon RDS for Db2 securely preserves the audit logs in Amazon S3, aligning with extended data retention requirements. The configuration of audit log retention in Amazon S3, along with other auditing categories, can be conveniently managed through the option group using the rdsadmin.configure_db_audit stored procedure.

  3. API Gateway now supports version 1.3 of the Transport Layer Security (TLS) protocol on its Regional REST, HTTP, and WebSocket endpoints. In this setup, TLS traffic is encrypted and decrypted within API Gateway itself, which improves performance and security by relieving backend application servers of that work. The TLS 1.3 implementation in API Gateway is optimized for efficiency and security: it uses one-round-trip (1-RTT) handshakes and accepts only cipher suites that provide perfect forward secrecy. By using TLS 1.3 with API Gateway as the central control point, developers can secure communication between the client and the gateway, preserving the confidentiality, integrity, and authenticity of their API traffic. Developers can also use API Gateway's integration with AWS Certificate Manager (ACM) to centrally provision and deploy the certificates used for TLS.

  4. You now have finer control over data moving into and out of users' Amazon AppStream 2.0 streaming sessions via the clipboard. The maximum number of characters (up to 20,971,520) that may be transferred through the clipboard can be set independently for each direction: into the session and out of it. For instance, you can allow users to copy at most 300 characters from their AppStream 2.0 session to their personal devices, while setting a separate limit of 100 characters for data moving from their personal device into AppStream 2.0. You still retain the option to disable the clipboard entirely. This new configuration gives customers the flexibility to limit data exfiltration through the clipboard.

  5. AWS Control Tower users now have the capability to systematically expand governance to organizational units (OUs) through APIs. These newly introduced APIs facilitate the implementation of the AWS Control Tower baseline, encompassing optimal configuration settings, controls, and essential resources for effective AWS Control Tower governance. By activating a baseline on an OU, member accounts within that specific OU gain access to resources such as AWS IAM roles, AWS CloudTrail, AWS Config, AWS Identity Center, and are brought under the purview of AWS Control Tower governance. Prior to this update, the registration of OUs in the AWS Control Tower console was the only available method. With the introduction of these APIs, governance can be extended to OUs programmatically, enabling the automation of the OU provisioning workflow. Additionally, these APIs offer support for OUs that are already subject to AWS Control Tower governance, facilitating the re-registration of OUs after updates to the landing zone. Furthermore, the APIs provide compatibility with AWS CloudFormation, empowering customers to manage their OUs through infrastructure as code (IaC).
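As an added example for item 4 (not code from the newsletter or from AWS), the following Python helper builds the AppStream 2.0 UpdateStack UserSettings payload for the 300-characters-out / 100-characters-in policy described above, rejects limits beyond the 20,971,520-character ceiling, and audits an existing stack's settings for clipboard directions that are enabled with no cap. The Action, Permission and MaximumLength field names are assumed to match the AppStream 2.0 API; the sample stack settings are constructed, and the boto3 call is only reached if you supply a real stack name.

```python
# Added example, not from the newsletter or AWS. Assumes the AppStream 2.0
# UserSettings shape: {"Action", "Permission": "ENABLED"|"DISABLED", "MaximumLength"}.
from typing import Optional

CLIPBOARD_MAX_CHARS = 20_971_520  # per-direction ceiling stated in the announcement
TO_LOCAL = "CLIPBOARD_COPY_TO_LOCAL_DEVICE"      # session -> personal device (data out)
FROM_LOCAL = "CLIPBOARD_COPY_FROM_LOCAL_DEVICE"  # personal device -> session (data in)


def clipboard_user_settings(out_limit: Optional[int], in_limit: Optional[int]) -> list:
    """Build the UserSettings list for UpdateStack.

    None disables that direction; an int enables it with a MaximumLength cap.
    Limits outside 1..CLIPBOARD_MAX_CHARS raise ValueError before any API call.
    """
    settings = []
    for action, limit in ((TO_LOCAL, out_limit), (FROM_LOCAL, in_limit)):
        if limit is None:
            settings.append({"Action": action, "Permission": "DISABLED"})
        elif 1 <= limit <= CLIPBOARD_MAX_CHARS:
            settings.append({"Action": action, "Permission": "ENABLED", "MaximumLength": limit})
        else:
            raise ValueError(f"{action}: {limit} is outside 1..{CLIPBOARD_MAX_CHARS}")
    return settings


def uncapped_clipboard_actions(user_settings: list) -> list:
    """Clipboard directions ENABLED with no MaximumLength, i.e. unlimited transfer.
    Feed it a stack's UserSettings from DescribeStacks to audit existing stacks."""
    return [s["Action"] for s in user_settings
            if s["Action"] in (TO_LOCAL, FROM_LOCAL)
            and s.get("Permission") == "ENABLED" and "MaximumLength" not in s]


# Constructed sample of a stack's UserSettings before any cap was set on copy-out.
SAMPLE_STACK_USER_SETTINGS = [
    {"Action": TO_LOCAL, "Permission": "ENABLED"},
    {"Action": FROM_LOCAL, "Permission": "ENABLED", "MaximumLength": 100},
    {"Action": "FILE_DOWNLOAD", "Permission": "DISABLED"},
]


def apply_to_stack(stack_name: str, settings: list):
    """Push the policy with boto3 (needs AWS credentials; not exercised offline)."""
    import boto3  # local import so the builder/audit helpers work without boto3
    return boto3.client("appstream").update_stack(Name=stack_name, UserSettings=settings)


if __name__ == "__main__":
    # The newsletter's example policy: 300 characters out, 100 characters in.
    print(clipboard_user_settings(300, 100))
    print("uncapped:", uncapped_clipboard_actions(SAMPLE_STACK_USER_SETTINGS))
```

Run the audit over every stack returned by DescribeStacks to find stacks that still allow unlimited clipboard transfer before rolling out caps.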
