This article will give you the latest news on AWS security updates, solutions, and other cool stuff published in October 2022. The latest edition of the "AWS Cloud Security Roundup" blog series is now available. This month, we cover the following topics: regional updates, Identity and Access Management (IAM), Detective, and additional changes. Also, see our previous general cloud security update posts.
🌏 Regional updates
- GuardDuty is now available in the Middle East UAE (me-central-1) region
- Resource Access Manager is now available in the Middle East UAE (me-central-1) region
- The latest feature releases and announcements for Security Hub are now published through SNS in AWS GovCloud (US)
🔐 Identity and Access Management (IAM)
- Identity Center now supports customized session lengths (up to 7 days)
- Identity Center default quotas are increased. Up to 2,000 permissions, 100,000 users, 100,000 groups, and 3,000 applications/accounts are now supported
- Access Analyzer now generates custom policies based on CloudTrail activities (up to 90 days) of a certain IAM role
- Access Analyzer now validates role trust policies
- Access Analyzer now validates cross-account access for SNS topics, ECR repositories, EBS volume snapshots, EFS file systems, RDS DB snapshots, and RDS DB cluster snapshots
🕵️‍♂️ Detective
- Search is now case-insensitive
- Related GuardDuty findings are now grouped
🆕 Additional changes
- New AWS Managed Microsoft AD directories now run on Windows Server 2019. All older directories will be updated automatically starting in March 2023
- AWS Lambda now supports the parameters and secrets extension for Secrets Manager and Systems Manager Parameter Store
- Amazon Cognito now offers user pool deletion protection. This is enabled by default for all new user pools
- After the release of the Primary Contact Information API, AWS Organizations now enables users to manage this information for their accounts directly in the console
- AWS Private Certificate Authority now offers short-lived certificates
- AppStream 2.0 now supports certificate-based authentication for fleets that are joined to Active Directory
- AWS WAF now enables bot control and the challenge action for protection against targeted bots (us-east-1, us-west-1, eu-west-1, eu-west-3, ap-southeast-2)