Sunday, July 7, 2024

AWS has announced several updates and enhancements. The ones relevant to governance, operations, and networking are summarized below.

AWS Control Tower – Security Hub Integration

The integration lets you enable more than 170 Security Hub detective controls that map to AWS Control Tower control objectives. It also adds drift detection: if one of these controls is later disabled in Security Hub, AWS Control Tower reports the control as “Drifted”, so you can see when the deployed state of a control no longer matches what you enabled and re-enable or investigate it from the AWS Control Tower console.

Drift detection and the other updates require AWS Control Tower Landing Zone version 3.2, so update your landing zone first. Version 3.2 also extends the Region Deny control to cover additional AWS services; the Region deny control policy documents the complete list of actions the control still permits, which is worth reviewing before you upgrade if workloads depend on global services.

To use Security Hub controls within AWS Control Tower, open the AWS Control Tower control library and enable any control that originates from Security Hub directly from there. Doing so enables Security Hub on your behalf if it is not already enabled and creates a new Service-Managed Standard in Security Hub that holds the enabled controls. From then on you manage and evaluate those controls from AWS Control Tower rather than from Security Hub. The integration is available in all Regions where AWS Control Tower is supported.
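A small drift audit over the enabled controls of an OU, as an added example (this is not AWS documentation code and not part of the original post). It assumes you call the Control Tower ListEnabledControls API from the management account; the sample records, the ARNs, and the convention that Security Hub-originated controls carry an `SH.` prefix are constructed for illustration, so confirm the identifier format against your own control library.

```python
"""Report AWS Control Tower controls whose drift status is DRIFTED.

Added example, not AWS code. Sample data is constructed in the shape of the
`enabledControls` list returned by ListEnabledControls; the ARNs are placeholders.
"""
from __future__ import annotations

# Constructed sample: three controls enabled on two OUs. The control and OU
# ARNs are placeholders, not identifiers taken from a real landing zone.
SAMPLE_ENABLED_CONTROLS = [
    {
        "controlIdentifier": "arn:aws:controltower:us-east-1::control/SH.EC2.8",
        "targetIdentifier": "arn:aws:organizations::111122223333:ou/o-example/ou-example-workloads",
        "driftStatusSummary": {"driftStatus": "DRIFTED"},
        "statusSummary": {"status": "SUCCEEDED"},
    },
    {
        "controlIdentifier": "arn:aws:controltower:us-east-1::control/SH.S3.1",
        "targetIdentifier": "arn:aws:organizations::111122223333:ou/o-example/ou-example-workloads",
        "driftStatusSummary": {"driftStatus": "IN_SYNC"},
        "statusSummary": {"status": "SUCCEEDED"},
    },
    {
        "controlIdentifier": "arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES",
        "targetIdentifier": "arn:aws:organizations::111122223333:ou/o-example/ou-example-sandbox",
        "driftStatusSummary": {"driftStatus": "UNKNOWN"},
        "statusSummary": {"status": "SUCCEEDED"},
    },
]


def _name(arn: str) -> str:
    """Last path segment of an ARN: 'SH.EC2.8', 'ou-example-workloads', ..."""
    return arn.rsplit("/", 1)[-1]


def drift_report(enabled_controls: list[dict]) -> dict[str, list[str]]:
    """Group enabled controls by drift status.

    Keys are the driftStatus values seen (DRIFTED, IN_SYNC, NOT_CHECKING,
    UNKNOWN); values are "<control> on <target>" strings. A control is
    DRIFTED when its deployed state differs from what Control Tower enabled,
    e.g. a Security Hub control that someone disabled in Security Hub.
    """
    report: dict[str, list[str]] = {}
    for ctl in enabled_controls:
        status = ctl.get("driftStatusSummary", {}).get("driftStatus", "UNKNOWN")
        report.setdefault(status, []).append(
            f"{_name(ctl['controlIdentifier'])} on {_name(ctl['targetIdentifier'])}"
        )
    return report


def needs_attention(enabled_controls: list[dict]) -> list[str]:
    """DRIFTED controls plus UNKNOWN ones (drift could not be evaluated): the
    set an operator should look at before trusting the posture view."""
    report = drift_report(enabled_controls)
    return report.get("DRIFTED", []) + report.get("UNKNOWN", [])


def is_security_hub_control(ctl: dict) -> bool:
    """Assumption for this example: Security Hub-originated controls are
    recognisable by an 'SH.' prefix on the control name. Confirm against the
    identifiers in your own control library before relying on it."""
    return _name(ctl["controlIdentifier"]).startswith("SH.")


def fetch_enabled_controls(ou_arn: str, home_region: str) -> list[dict]:
    """Live variant: page through ListEnabledControls for one OU.

    Needs boto3 and credentials for the management account; boto3 is imported
    here so that the pure helpers above run without it.
    """
    import boto3

    client = boto3.client("controltower", region_name=home_region)
    items: list[dict] = []
    kwargs = {"targetIdentifier": ou_arn}
    while True:
        page = client.list_enabled_controls(**kwargs)
        items.extend(page["enabledControls"])
        if not page.get("nextToken"):
            return items
        kwargs["nextToken"] = page["nextToken"]


if __name__ == "__main__":
    for line in needs_attention(SAMPLE_ENABLED_CONTROLS):
        print("check:", line)
```

Run it on a schedule from the management account and alert on a non-empty `needs_attention` result; an UNKNOWN status is worth treating like drift, because it means Control Tower cannot currently vouch for that control.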

Together, the two services give you one place to enable detective controls across the organization and to notice when a control stops being enforced.

OpsCenter Simplifies Cross-Account Management

AWS Systems Manager OpsCenter now supports cross-account management of operational issues (OpsItems). Customers with a multi-account strategy can centrally create, view, and manage OpsItems across all accounts in their AWS Organization after a short configuration in OpsCenter.

Operating multiple AWS accounts is common practice for cost and security isolation, but it leaves operational issues scattered across accounts. With the new OpsCenter feature you designate a central account and specify which accounts it may manage. Once configured, if an instance in one of the managed accounts runs low on disk space, an operator signed in to the central account can view diagnostic details such as disk usage trends, logs, and recent configuration changes, and then run a predefined runbook to increase the volume size, all without switching accounts. Treat the central account as a privileged one: anyone who can create and run OpsItems there can drive automation against every managed account.

This latest enhancement is accessible in all AWS Regions where Quick Setup, a feature of AWS Systems Manager, is available for AWS Organizations.

AWS Local Zones: Manila Expansion

AWS Local Zones are now available in Manila, Philippines, bringing AWS compute and storage closer to applications that need low latency or local data processing. The international expansion of AWS Local Zones was announced in early 2022, with plans to launch them in more than 30 metro areas across 27 countries outside the US.

Apart from Manila, AWS Local Zones are also available in several other international metro areas, including Auckland, Bangkok, Buenos Aires, Copenhagen, Delhi, Helsinki, Hamburg, Kolkata, Lagos, Muscat, Perth, Querétaro, Lima, Santiago, Taipei, and Warsaw. In the United States, AWS Local Zones are available in Atlanta, Boston, Chicago, Dallas, Denver, Houston, Kansas City, Las Vegas, Los Angeles, Miami, Minneapolis, New York City, Philadelphia, Phoenix, Portland, and Seattle.

The expansion of AWS Local Zones to these locations enables developers and businesses to deliver applications with enhanced performance and reduced latency by bringing AWS infrastructure closer to their end-users.

AWS Fault Tolerance Enhancements

AWS Trusted Advisor has added fault tolerance checks covering Amazon MQ, EC2 NAT Gateway, single-AZ applications, and Amazon OpenSearch Service. Each check looks for a configuration that leaves a deployment with a single point of failure.

The Amazon MQ checks cover ActiveMQ and RabbitMQ brokers and verify that they are deployed for high availability rather than as single-instance brokers, which have no failover. This matters for any application that relies on a message queue for communication; Trusted Advisor flags the brokers that would go offline with a single host or AZ failure.

The EC2 NAT Gateway check evaluates whether NAT Gateways are set up with Availability Zone independence, that is, whether each AZ's subnets route through a NAT Gateway in the same AZ. A NAT Gateway lives in a single AZ, so if subnets in other AZs route through it, an outage of that AZ cuts outbound connectivity for workloads that are otherwise healthy.

The Single AZ Application check flags applications whose resources are all deployed in one Availability Zone. A single-AZ deployment is a single point of failure: if that AZ is impaired, the application is unavailable. Trusted Advisor identifies such cases and recommends spreading the application across multiple AZs.

Lastly, the Amazon OpenSearch Service check verifies that each domain has at least three data nodes, the minimum AWS recommends for a highly available domain, so that search and analytics workloads keep redundant copies of their data.

The Amazon MQ checks are available in all commercial Regions and in AWS GovCloud (US); the other fault tolerance checks are limited to commercial Regions.

Customers on a Business, Enterprise On-Ramp, or Enterprise Support plan can view these checks in the AWS Trusted Advisor console or retrieve them through the AWS Support API, which makes it possible to pull the flagged resources into your own reporting or ticketing.
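One way to consume the fault tolerance checks programmatically, as an added example (not AWS code and not from the original post). It assumes the Support API's DescribeTrustedAdvisorChecks and DescribeTrustedAdvisorCheckResult calls; the check definition, result, check ID, and resource IDs below are constructed placeholders, and the live call needs boto3, credentials, and a qualifying support plan.

```python
"""Pull warning/error resources from Trusted Advisor fault tolerance checks.

Added example, not AWS code. SAMPLE_CHECK and SAMPLE_RESULT are constructed in
the shape returned by DescribeTrustedAdvisorChecks and
DescribeTrustedAdvisorCheckResult; IDs and metadata values are placeholders.
"""
from __future__ import annotations

from collections import Counter

FAULT_TOLERANCE = "fault_tolerance"  # Trusted Advisor category name

# Constructed: the check definition. Its `metadata` list is the column header
# for each flagged resource's `metadata` values.
SAMPLE_CHECK = {
    "id": "placeholder-check-id",
    "name": "Amazon OpenSearch Service domains with less than three data nodes",
    "category": FAULT_TOLERANCE,
    "metadata": ["Status", "Region", "Domain name", "Number of data nodes"],
}

# Constructed: one result for that check across three domains.
SAMPLE_RESULT = {
    "checkId": "placeholder-check-id",
    "status": "warning",
    "flaggedResources": [
        {"status": "warning", "region": "us-east-1", "resourceId": "domain/logs-prod",
         "isSuppressed": False, "metadata": ["Yellow", "us-east-1", "logs-prod", "2"]},
        {"status": "ok", "region": "us-east-1", "resourceId": "domain/search-prod",
         "isSuppressed": False, "metadata": ["Green", "us-east-1", "search-prod", "3"]},
        {"status": "error", "region": "eu-west-1", "resourceId": "domain/dev-search",
         "isSuppressed": True, "metadata": ["Red", "eu-west-1", "dev-search", "1"]},
    ],
}

ACTIONABLE = ("warning", "error")


def flagged_resources(check: dict, result: dict, include_suppressed: bool = False) -> list[dict]:
    """Resources in warning or error state for one check.

    Suppressed (excluded) resources are skipped unless asked for: an exclusion
    someone added months ago is a common way for a real single point of
    failure to stay invisible, so review them periodically.
    """
    header = check.get("metadata", [])
    findings = []
    for res in result.get("flaggedResources", []):
        if res["status"] not in ACTIONABLE:
            continue
        if res.get("isSuppressed") and not include_suppressed:
            continue
        findings.append({
            "check": check["name"],
            "status": res["status"],
            "region": res.get("region"),
            "resourceId": res["resourceId"],
            "details": dict(zip(header, res.get("metadata", []))),
        })
    return findings


def status_counts(result: dict) -> Counter:
    """How many resources the check placed in each status."""
    return Counter(res["status"] for res in result.get("flaggedResources", []))


def fetch_fault_tolerance_findings(language: str = "en") -> list[dict]:
    """Live variant over the Support API (requires boto3, credentials and a
    Business, Enterprise On-Ramp or Enterprise support plan). The Support API
    is served from us-east-1 regardless of where your resources live."""
    import boto3

    support = boto3.client("support", region_name="us-east-1")
    findings: list[dict] = []
    for check in support.describe_trusted_advisor_checks(language=language)["checks"]:
        if check["category"] != FAULT_TOLERANCE:
            continue
        result = support.describe_trusted_advisor_check_result(
            checkId=check["id"], language=language
        )["result"]
        findings.extend(flagged_resources(check, result))
    return findings


if __name__ == "__main__":
    for f in flagged_resources(SAMPLE_CHECK, SAMPLE_RESULT, include_suppressed=True):
        print(f["status"], f["check"], f["details"])
```

The `details` dictionary is built by zipping the check's metadata header with each resource's metadata row, which is how Trusted Advisor conveys per-check columns such as the node count; filtering on `category` keeps the output to the fault tolerance checks discussed above.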

EC2 Launch Agent Auto-Update in Quick Setup

AWS Systems Manager Quick Setup now supports automatic updates of the EC2 launch agents on Windows, Linux, and macOS instances. Previously, customers had to install and upgrade the agents by hand following the documentation. With this feature, automatic upgrades can be enabled with a few clicks in the AWS Management Console, so instances receive the latest bug fixes, security patches, and feature updates for the launch agents across the accounts and Regions of an Organization.

To keep the fleet on the latest minor version, choose the option “Update the EC2 launch agent once every 30 days” in Host Management Quick Setup. The launch agent on Windows, macOS, and Linux instances is then upgraded automatically whenever a new minor version becomes available.

Customers who want to install and periodically update the latest EC2Launch v2 agent on Windows instances can select that package in Distributor Quick Setup.

Automatic updates remove the manual step of tracking agent releases, which is where fleets tend to fall behind on security fixes.

Kinesis Data Firehose to Redshift Serverless

Amazon Kinesis Data Firehose can now deliver streaming data to Amazon Redshift Serverless, giving you a managed path to ingest, transform, and load real-time data into Redshift Serverless without building and operating your own ingestion pipeline.

Kinesis Data Firehose is fully managed and scales its throughput automatically with the volume of data, so there is no capacity to administer. With this integration you can start loading streaming data into Amazon Redshift Serverless with a few clicks.

Amazon Redshift Serverless lets you run analytics without provisioning or managing data warehouse clusters, so data analysts, developers, and data scientists can query data and get results within seconds. You pay for the compute used while a workload runs, and existing analytics and business intelligence applications connect without modification.

Firehose reaches the data warehouse over its public endpoint, so the Redshift Serverless workgroup must be configured as publicly accessible. Treat that as a reason to tighten, not loosen, network access: restrict the workgroup's security group so that the Redshift port (5439 by default) accepts connections only from the Firehose CIDR block published for your Region, not from 0.0.0.0/0, and rely on the IAM role and database credentials Firehose uses for authentication.
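A check for exactly that misconfiguration, as an added example (not AWS code and not from the original post). It assumes the security group comes from EC2 DescribeSecurityGroups; the sample group is constructed, and `FIREHOSE_CIDR_US_EAST_1` is the block the Firehose documentation lists for US East (N. Virginia) at the time of writing, so verify the block for your own Region before relying on it.

```python
"""Audit the security group in front of a publicly accessible Redshift
Serverless workgroup that receives data from Kinesis Data Firehose.

Added example, not AWS code. SAMPLE_SECURITY_GROUP is constructed in the shape
returned by EC2 DescribeSecurityGroups. FIREHOSE_CIDR_US_EAST_1 is the block
the Firehose documentation lists for US East (N. Virginia); every Region has
its own block, so look up and verify yours before using this for real.
"""
from __future__ import annotations

import ipaddress

REDSHIFT_PORT = 5439  # default Redshift port; change if the workgroup uses another

# Assumption to verify against the Firehose docs for your Region.
FIREHOSE_CIDR_US_EAST_1 = "52.70.63.192/27"

# Constructed: a group with one correct rule, one 0.0.0.0/0 rule someone
# added "temporarily", an unrelated HTTPS rule and an all-traffic rule.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "52.70.63.192/27", "Description": "Firehose us-east-1"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp - remove after testing"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "corp"}],
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]},
    ],
}


def _covers_port(perm: dict, port: int) -> bool:
    """True if an ingress rule applies to TCP `port` ("-1" means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 0)


def find_overbroad_ingress(group: dict, firehose_cidr: str, port: int = REDSHIFT_PORT) -> list[dict]:
    """Every ingress source on `port` that is not inside the Firehose block.

    A source is acceptable only if it is an IPv4 range contained in
    `firehose_cidr`; Firehose publishes IPv4 blocks, so any IPv6 source on
    the Redshift port is reported as well.
    """
    allowed = ipaddress.ip_network(firehose_cidr)
    findings = []
    for perm in group.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.version != allowed.version or not net.subnet_of(allowed):
                findings.append({"cidr": rng["CidrIp"], "protocol": perm["IpProtocol"],
                                 "description": rng.get("Description", "")})
        for rng in perm.get("Ipv6Ranges", []):
            findings.append({"cidr": rng["CidrIpv6"], "protocol": perm["IpProtocol"],
                             "description": rng.get("Description", "")})
    return findings


def audit_workgroup_security_group(group_id: str, region: str, firehose_cidr: str) -> list[dict]:
    """Live variant: fetch the group with boto3 (imported lazily) and audit it."""
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    return find_overbroad_ingress(group, firehose_cidr)


if __name__ == "__main__":
    for finding in find_overbroad_ingress(SAMPLE_SECURITY_GROUP, FIREHOSE_CIDR_US_EAST_1):
        print("over-broad:", finding)
```

Note that an all-traffic rule (`IpProtocol` of `-1`) is treated as covering the Redshift port too; those rules are easy to overlook when you only search for rules that mention 5439 explicitly.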

New Job Schedulers for EMR on EKS

Amazon EMR on EKS now supports Volcano and Apache YuniKorn as job schedulers for Spark jobs submitted through the Spark operator or spark-submit. EMR on EKS lets customers run open-source big data frameworks such as Apache Spark on Amazon EKS.

A custom job scheduler gives finer control over capacity and provisions pods faster at scale. The default Kubernetes scheduler places pods one at a time based on constraints such as available capacity, resource requests and limits, and node affinity; it has no concept of a job made up of many pods. Apache YuniKorn and Volcano add that job-level view and can now be used for EMR on EKS Spark jobs with either the Spark operator or spark-submit.

These schedulers bring several features. Gang scheduling starts a job's driver and executor pods together, or not at all, so a job does not hold partial capacity while waiting for the rest. Queue management lets you prioritize and manage job queues. Preemption interrupts low-priority jobs to make room for high-priority ones. Fair-share scheduling divides resources equitably across jobs and tenants.

Overall, Apache YuniKorn and Volcano give EMR on EKS Spark jobs higher scheduling throughput and better capacity utilization.

Enhanced Verified Access Logging

AWS Verified Access now offers enhanced logging that makes it easier to author and troubleshoot application access policies. Verified Access provides secure access to corporate applications on zero-trust principles: policies are evaluated against end-user context, such as group membership and device risk scores, supplied by third-party identity and device security services. You can now log all of the end-user context received from those services.

Verified Access logs every access attempt to your applications along with the policy evaluation outcome (allowed or denied). Previously the logs carried only a limited set of end-user context: the user's name, email address, and device operating system. That was enough for simple cases; if a policy allowed users with *@example.com addresses and a request was denied, the log showed the email address the identity provider had supplied. For policies that depended on additional context, however, Verified Access did not log that context, so you had to gather it from the third-party service separately. With this release you can log all of the end-user context received from identity and device security services, so the information needed to validate a policy or explain a deny is in one place.

The enhancement simplifies authoring and troubleshooting access policies. Bear in mind that the logs now carry more personal and device data than before, so apply the same access controls and retention rules to the log destination that you apply to the identity provider's own records.

IPv6 Egress for IPv4 EKS Clusters

Starting with version 1.13 of the Amazon VPC Container Network Interface (VPC CNI) plugin, pods in Amazon EKS clusters that use IPv4 address space can connect to endpoints in IPv6 address space. This lets customers run services in environments where IPv4 and IPv6 coexist and helps migrate services to IPv6-only.

Supporting this natively in the VPC CNI reduces the burden of dual-stack cluster configurations and the operational challenge of keeping applications compatible with dual-stack networking.

Cluster administrators often run in environments where both IPv4 and IPv6 networks coexist, and need legacy IPv4 endpoints to reach services on IPv6 clusters and vice versa. For IPv6 clusters, the VPC CNI plugin already supports egress-only IPv4, so pods in an IPv6 cluster can reach IPv4 endpoints.

With this launch, pods in IPv4 clusters can reach IPv6 endpoints without additional components such as dual-stack application load balancers or network address translators. The feature is opt-in through the ENABLE_V6_EGRESS environment variable on the aws-node DaemonSet, and the node itself must have an IPv6 address, which requires a dual-stack subnet. Native IPv6 egress in the VPC CNI also removes the need for network engineers to maintain complex routing configurations or third-party plugins to serve both address spaces.

Internet Monitor Expansion: All Regions

Amazon CloudWatch Internet Monitor is now available in all standard AWS Regions. Internet Monitor is a CloudWatch feature that monitors performance and availability between your application's end users and your AWS-hosted application, using AWS's view of internet health. It cuts the time to diagnose internet-related issues from days to minutes and offers recommendations for improving the end-user experience.

The Internet Monitor publishes internet measurements to CloudWatch Logs and CloudWatch Metrics. Additionally, you have the option to publish these measurements to Amazon S3. Furthermore, health events are sent to Amazon EventBridge, allowing you to set up notifications and stay informed about the status of your application.

With this recent update, the Internet Monitor is now accessible in the following AWS Regions: Asia Pacific (Hyderabad), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Asia Pacific (Osaka), Europe (Spain), Europe (Zurich), and Middle East (UAE). For more detailed information regarding Regional support, you can refer to the Supported AWS Regions section in the Internet Monitor User Guide.

Govindhtech.com