DNS Permissions & Payment Cryptography On AWS

Amazon Route 53 DNS Permissions:

The release of a new feature in AWS GovCloud (US) Regions for Route 53. This feature allows customers in the AWS GovCloud (US-East and US-West) Regions to define AWS Identity and Access Management (IAM) policies for individual or groups of DNS record sets within a Route 53 private hosted zone.

With this feature, DNS administrators can have direct ownership and control over specific resource record sets, reducing the need for a central team to manage changes on behalf of multiple teams. This can help save time and minimize operational risks.

The permissions for DNS resource record sets can be defined at different levels, such as individual resource record sets, all resource record sets of a specific record type (e.g., A, MX, CNAME), or resource record sets matching a specified domain name prefix string.

Additionally, if you need guidance on IAM and how to get started, you can consult the “Getting started with IAM” documentation in the IAM documentation.

AWS Payment Cryptography Service:

AWS Payment Cryptography is a new service introduced by Amazon Web Services (AWS) that aims to simplify the implementation of cryptography operations for securing data in payment processing applications. It specifically focuses on debit, credit, and stored-value cards, aligning with payment card industry (PCI), network, and American National Standards Institute (ANSI) standards and rules.

With AWS Payment Cryptography, financial service providers and processors have the opportunity to migrate their payments-specific cryptography and key management functions from on-premises hardware security modules (HSMs) to the cloud. This elastic service provides an alternative to physical HSMs, offering scalability and flexibility.

One of the key features of AWS Payment Cryptography is the streamlined payment key management it provides. The service offers capabilities such as key generation, electronic import and export, and automated key management tasks like storing, rotating, backing up, and recovering keys. By handling these aspects, AWS Payment Cryptography assists in meeting compliance requirements related to key management and physical HSM infrastructure.

Moreover, AWS Payment Cryptography integrates with other AWS tools for enhanced functionality. This includes integration with AWS Identity and Access Management (IAM) for authorization purposes and AWS CloudTrail for auditing.

As of today, AWS Payment Cryptography is available in the US East (N. Virginia) and US West (Oregon) regions, allowing customers in those regions to leverage the benefits of this service.

New AWS Security Controls:

AWS Control Tower has expanded its library by adding 10 new AWS Security Hub detective controls. These controls are specifically designed to target services such as Amazon API Gateway, AWS CodeBuild, Amazon Elastic Compute Cloud (EC2), Amazon Elastic Load Balancer (ELB), Amazon Redshift, Amazon SageMaker, and AWS WAF. By implementing these controls, you can achieve various control objectives such as establishing logging and monitoring, limiting network access, encrypting data at rest, and enhancing your overall governance posture.

With the addition of these new controls, AWS Control Tower now offers a total of over 170 detective controls from AWS Security Hub. These controls are pre-configured by AWS and can be easily applied to your AWS environment. They enable you to scale your business and adopt new AWS workloads and services while maintaining a high level of security. Additionally, AWS Control Tower provides proactive controls that block non-compliant resources before they are provisioned and preventive controls that prevent actions leading to policy violations. By combining these preventive, proactive, and detective controls, you can effectively monitor the security of your multi-account AWS environment and ensure it aligns with best practices, such as the AWS Foundational Security Best Practices standard.

The new AWS Security Hub detective controls in AWS Control Tower are available in all AWS Regions where AWS Control Tower is supported. You can deploy these controls either through the AWS Management Console or by using the AWS Control Tower control APIs. For a comprehensive list of AWS Regions where AWS Control Tower is available.

This expansion of AWS Control Tower’s capabilities provides you with more tools to manage and secure your AWS environment efficiently.

New R6id Instances Available:

Starting today, customers can now access Amazon Elastic Compute Cloud (Amazon EC2) R6id instances in the AWS Asia Pacific (Mumbai, Seoul, Singapore) and Europe (London) regions. These instances are equipped with 3rd generation Intel Xeon Scalable Ice Lake processors, boasting an all-core turbo frequency of 3.5 GHz and offering up to 7.6 TB of local NVMe-based SSD block-level storage.

R6id instances are built on the AWS Nitro System, which combines dedicated hardware and a lightweight hypervisor to provide the majority of the host hardware’s compute and memory resources directly to your instances. This results in improved performance and security. Customers can leverage the high-speed, low-latency local storage to enhance the performance of various applications such as video encoding, image manipulation, media processing, data logging, distributed web-scale in-memory caches, in-memory databases, and real-time big data analytics.

These instances are now generally available in the following regions: US East (Ohio, N. Virginia), US West (Oregon), Asia Pacific (Mumbai, Seoul, Singapore, Tokyo, Sydney), Europe (Frankfurt, Ireland), and AWS GovCloud (US-West).

Customers have the flexibility to purchase these new instances through different pricing models, including Savings Plans, Reserved Instances, On-Demand Instances, and Spot Instances. To get started, you can visit the AWS Command Line Interface (CLI) and AWS SDKs. For more detailed information, you can visit the R6id product pages

Please note that this information is accurate as of my knowledge cutoff in September 2021. It’s always a good idea to refer to the official AWS( APIs for SQS) website for the most up-to-date and accurate information regarding the availability and features of Amazon EC2 instances.

AWS DynamoDB Encryption Upgrade:

The AWS Database Encryption SDK is a new upgrade to the existing Amazon DynamoDB Encryption Client. It allows you to incorporate client-side encryption into your DynamoDB workloads. This means you can encrypt specific attribute values before storing them in your DynamoDB table, providing protection for sensitive data both during transit and when at rest. The encrypted data cannot be exposed unless decrypted by your application.

One of the key features of this release is the ability to search encrypted attributes without the need to decrypt the entire database in advance. This enables you to quickly find the required information for your application while maintaining the security of the encrypted data within the database.

With the AWS Database Encryption SDK, you can easily allow your customers to bring their own encryption key to your application. This gives them direct ownership and control over their data by managing the encryption key. The SDK is designed to support multi-tenancy, allowing you to use different encryption key providers across a single database table to securely isolate data.

By leveraging the AWS Key Management Service (KMS) in conjunction with the AWS Database Encryption SDK, you can enforce clear separation between authorized users who have access to specific encrypted attributes and those who do not. KMS key policies can be utilized to define these access controls.

The AWS Database Encryption SDK is compatible with Amazon DynamoDB and is currently available in Java as a developer preview on the aws-database-encryption-sdk-dynamodb-java GitHub repository. During this preview phase, AWS encourages users to evaluate the SDK, provide feedback, and explore the new features and improvements it offers. For more information, you can refer to the “What is AWS Database Encryption SDK” section in the developer guide.

Spot Instances: More Control:

Today, we are excited to announce a new feature for Amazon EMR. EMR now supports the price-capacity-optimized allocation strategy for Amazon EC2 Spot Instances when launching clusters with Instance Fleets. This feature gives you more control over how EMR selects instance types and Availability Zones to meet your capacity requirements.

The price-capacity-optimized allocation strategy considers both spare capacity availability and Spot Instance prices when making allocation decisions. This means you can run Spot Instances at a lower price and experience fewer interruptions

With this launch, EMR introduces the option to choose an allocation strategy for your Spot Instances. Previously, only the capacity-optimized allocation strategy was available. Now, you have four allocation strategies to choose from, allowing you to tailor them to the specific needs of your cluster workloads. The available strategies are price-capacity-optimized, capacity-optimized, lowest price, and diversified allocation.

These new options provide greater flexibility and control when using Amazon EC2 Spot Instances in your EMR clusters.

Quantum-Safe SFTP Security:

AWS Transfer Family now supports quantum-safe public-key exchange for SFTP (SSH File Transfer Protocol) file transfers. This new feature helps enhance the security of your file transfers by protecting them from potential threats posed by quantum computers in the future.

One such threat is the “harvest now, decrypt later” attack, where an attacker records the encrypted traffic today and waits for cryptographically relevant quantum computers to become available. With quantum-safe public-key exchange, your file transfers are better safeguarded against these types of attacks.

AWS Transfer Family is a fully managed service that supports various managed file transfer (MFT) workflows on AWS, including SFTP, AS2, FTPS, and FTP. The introduction of hybrid post-quantum (PQ) security policies allows for quantum-safe key exchange between SFTP servers and clients using PQ encryption algorithms.

By utilizing a hybrid PQ policy, your SFTP server maintains compatibility with standard connection options supported by most clients today. However, it can also take advantage of the most secure connection options when interacting with clients that support quantum-safe cryptography.

This quantum-safe key exchange feature is available in all AWS Regions where AWS Transfer Family is offered. To learn more about configuring hybrid PQ security policies to enable quantum-safe key exchange, you can refer to the AWS documentation.

APIs for Amazon Connect:

Amazon Connect has expanded its APIs to include three additional resources: prompts, quick connects, and hours of operation. These new APIs offer a convenient way to search for these resources within your Amazon Connect instance programmatically. You can now perform searches based on various criteria such as name, resource ID, description, or tags.

For example, if you want to find quick connects related to finance, you can search for quick connects with the keyword “finance” in their description. Similarly, if you have a specific group of prompt IDs, you can search for prompts matching those IDs. Additionally, you can search for hours of operation specific to a particular time zone.

When you make these search requests, the API will provide detailed information about the resources you are looking for, including their Amazon Resource Names (ARNs), status, and related resource IDs. This allows you to retrieve the necessary details and manage your Amazon Connect resources more effectively.

To get more information and understand the specifics of using these new search APIs, I recommend referring to the official API documentation provided by Amazon.

Archive and Replay Enhancements:

Amazon EventBridge Archive and Replay in the Europe (Spain), Europe (Zurich), and Asia Pacific (Hyderabad) AWS Regions. This update enhances event-driven applications by providing an easier way to replay past events, making them more durable and extensible. By leveraging Archive and Replay, developers can build applications that recover from errors more efficiently and validate new functionality with ease.

Archive and Replay is seamlessly integrated with the Amazon EventBridge serverless event bus. The event bus enables the creation of scalable event-driven applications by facilitating event routing between various applications, third-party SaaS applications, and AWS services. Routing rules can be set up on the event bus to determine the destinations for events, allowing application architectures to adapt to system changes in real time. Event buses simplify the development of event-driven applications by streamlining event ingestion, delivery, security, authorization, and error handling processes.

The availability of Amazon EventBridge Archive and Replay in these additional AWS Regions further expands the capabilities and options for developers and organizations looking to build robust and resilient event-driven architectures.