pre:Invent 2021

2021/11/25

re:Play 2019 - the last time I attended any sort of social gathering

Welcome to the American Thanksgiving holiday, which for us cloud peeps is the quiet period between pre:Invent and re:Invent. Traditionally the run up to AWS re:Invent is chock full of feature releases (and some product releases) that don’t merit mention in Andy Adam’s or Werner’s keynotes.

Last year I was busy with a new job, hiring a new team, and helping to launch a streaming service. This year I have another new job (same company, new role), and did have time. But folks liked my 2020 pre:Invent post so I figured I’d do another one while the turkey is in the smoker.

There were 234 announcements in November (down from 279 last year). Again, here is the breakdown of the number of announcements by day for the last 30 days:

Announcements By Date

Here are the 27 I thought interesting. Rather than review these by date (which is what you get from the AWS Feed), I thought I’d categorize them into useful buckets.

TL;DR There is a lot here, but the biggest surprise I cover in the Closing section.

Announcing usability improvements in the navigation bar of the AWS Management Console

Announced On: Nov 23, 2021

Today, we launched usability improvements for the navigation bar in the AWS Management Console. The improvements include a customizable favorites bar, updates to the services menu, and visual updates for consistency and accessibility. The new favorites bar appears when you have selected at least one service as a favorite in the services menu. It also supports an unlimited number of favorites that can be organized with drag and drop. The updated services menu groups services by category and provides an A to Z listing of all services.

I’ll lead off with one of my favorite announcements, which is the return of favorites in the top bar of the console. In a rare move AWS took away that functionality a few years ago, but now it’s back. I don’t have all the same capabilities to only show icons, or to re-order, but this is still a welcome change.

Watch out for these

AWS Lambda now supports cross-account container image pulling from Amazon Elastic Container Registry

Announced On: Nov 4, 2021

AWS Lambda now allows you to create or update your functions with container images stored in an Amazon ECR repository in a different AWS account than that of your AWS Lambda function. Previously, you could only access container images stored in an Amazon ECR repository in the same AWS account as your AWS Lambda functions. If you used a centralized account for your Amazon ECR repositories, you needed to copy your container images into an Amazon ECR repository in the same account as your Lambda function. You can now simplify this workflow by accessing the container image stored in an Amazon ECR repository in a different account.

Anything that says “cross-account” should be a red flag for a security team, as that means someone could accidentally make your data public. Now that your developers can pull in images from some random ECR, you also need to worry about supply-chain issues.
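One way to turn that worry into a routine check, as an added example that is not from the original post or from AWS: walk the container-image functions in an account, parse the ECR image URI, and flag any image pulled from an account outside an explicit allowlist, plus any image pinned by a mutable tag rather than a digest. The sample function records are constructed and trimmed to the two fields the check needs (FunctionArn and an ImageUri, which in a real inventory you would read from get-function output), and the allowlist of trusted registry accounts is an assumption.

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample inventory: a simplified view of container-image Lambda
# functions, keeping only the function ARN and the image URI it was built from.
SAMPLE_FUNCTIONS: List[Dict[str, str]] = [
    {"FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:orders",
     "ImageUri": "111111111111.dkr.ecr.us-east-1.amazonaws.com/orders@sha256:" + "a" * 64},
    {"FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:reports",
     "ImageUri": "222222222222.dkr.ecr.us-east-1.amazonaws.com/base-images/python:3.9"},
    {"FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:experiment",
     "ImageUri": "999999999999.dkr.ecr.eu-west-1.amazonaws.com/scratch:latest"},
]

# Private ECR image URI: <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag][@sha256:digest]
ECR_URI = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[^:@]+)(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

Finding = Tuple[str, str, str]  # (function name, finding type, detail)


def parse_ecr_image_uri(uri: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a private ECR image URI into account, region, repo, tag and digest."""
    match = ECR_URI.match(uri)
    return match.groupdict() if match else None


def account_from_arn(arn: str) -> str:
    """The account ID is the fifth colon-separated field of any AWS ARN."""
    return arn.split(":")[4]


def audit_image_sources(functions: Iterable[Dict[str, str]],
                        trusted_accounts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Flag images pulled from accounts outside the allowlist and images
    referenced by a mutable tag instead of an immutable digest."""
    findings: List[Finding] = []
    for fn in functions:
        name = fn["FunctionArn"].rsplit(":", 1)[-1]
        home_account = account_from_arn(fn["FunctionArn"])
        parsed = parse_ecr_image_uri(fn["ImageUri"])
        if parsed is None:
            findings.append((name, "unparseable-image-uri", fn["ImageUri"]))
            continue
        source_account = parsed["account"] or ""
        if source_account != home_account and source_account not in trusted_accounts:
            findings.append((name, "untrusted-cross-account-image", source_account))
        if parsed["digest"] is None:
            # A tag can be re-pointed in the registry; a digest cannot.
            findings.append((name, "mutable-tag-not-digest", parsed["tag"] or "latest"))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: the organization's central image-building account.
    for finding in audit_image_sources(SAMPLE_FUNCTIONS, frozenset({"222222222222"})):
        print(*finding, sep="\t")
```

With the assumed allowlist, the function pulling from the central account passes the account check but is still flagged for using a tag, and the one pulling from an unknown account is flagged on both counts.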

Amazon Athena announces cross-account federated query

Announced On: Nov 12, 2021

If you have data in sources other than Amazon S3, you can use Amazon Athena federated query to analyze the data in-place or build pipelines that extract and store data in Amazon S3. Until today, querying this data required the data source and its connector to use the same AWS account as the user querying the data. Athena now supports cross-account federated query to enable teams of analysts, data scientists, and data engineers to query data stored in other AWS accounts.

I’ll admit, this is the first I’ve heard of Athena supporting data other than S3.

You can now securely connect to your Amazon MSK clusters over the internet

Announced On: Nov 22, 2021

Amazon Managed Streaming for Apache Kafka (Amazon MSK) now offers an option to securely connect to Amazon MSK clusters over the internet. By enabling public access, authorized clients external to a private Amazon Virtual Private Cloud (VPC) can stream encrypted data in and out of specific Amazon MSK clusters. You can enable public access for MSK clusters at no additional cost, but standard AWS data transfer costs for cluster ingress and egress apply.

Before, you could only connect to them insecurely, I guess. This is a way for developers to bypass having to talk to the network team to set up access to stuff. Defense in Depth says you should try and ride RFC1918 space as much as possible.

Announcing preview of Amazon Linux 2022

Announced On: Nov 22, 2021

Today, we are announcing the public preview of Amazon Linux 2022 (AL2022), Amazon’s new general purpose Linux for AWS that is designed to provide a secure, stable, and high-performance execution environment to develop and run your cloud applications. Starting with AL2022, a new Amazon Linux major version will be available every two years and each version will be supported for five years. Customers will also be able to take advantage of quarterly updates via minor releases and use the latest software for their applications. Finally, AL2022 provides the ability to lock to a specific version of the Amazon Linux package repository giving customers control over how and when they absorb updates.

Just as you popped a bottle of Champagne to celebrate the deprecation of the last Amazon Linux 1 machine in your environment, start spinning up the project to deprecate Amazon Linux 2!

In all seriousness, this version looks to be a lot more secure-by-default.

Amazon Virtual Private Cloud (VPC) customers can now create IPv6-only subnets and EC2 instances

Announced On: Nov 23, 2021

Starting today, Amazon Virtual Private Cloud (VPC) allows you to create IPv6-only subnets in your dual-stack VPCs and launch EC2 instances built on the Nitro System in these subnets. The launch of IPv6-only subnets allows customers to scale their deployments on AWS by not requiring any IPv4 addressing in the subnet. With a /64 IPv6 CIDR assignment to the subnet, it accommodates approximately 18 quintillion IP addresses for applications.

If all your security tooling is built around IPv4, be aware IPv6 may start appearing in your cloud environment. My race to see if I can retire before I have to learn IPv6, which was created practically at the start of my career, just got more competitive.

AWS Systems Manager Fleet Manager now provides console based access to Windows instances with enhanced security protocols

Announced On: Nov 23, 2021

Fleet Manager, a feature in AWS Systems Manager (SSM) that helps IT Admins streamline and scale their remote server management processes, now enables a console-based management experience for Windows instances. This new feature provides customers a full graphical interface to set up secure connections to and manage Windows instances. You no longer need to install additional software, set up additional servers, or open direct inbound access to ports on the instance.

Be aware of this new potential Cloud-To-Ground Pivoting technique: a compromised IAM principal with the right SSM permissions now gets a console session on your Windows instances without any inbound ports. IAM, least-privilege and secure credential management are important, y’all.

Amazon SQS Announces Server-Side Encryption with Amazon SQS-managed encryption keys (SSE-SQS)

Announced On: Nov 23, 2021

Amazon Simple Queue Service (SQS) now provides managed server-side encryption using SQS owned encryption keys (SSE-SQS) to protect sensitive data. SSE-SQS helps you build security-sensitive applications to support your encryption compliance and regulatory requirements.

Finally, an easy-button for check-box encryption in SQS. Get your company’s auditors and compliance wonks off your back and check the box. Too bad it doesn’t seem to support existing SQS or I’d be writing a fast-fix when I get back from re:Invent.

AWS App Runner supports GitHub Actions to build and deploy applications

Announced On: Nov 24, 2021

AWS App Runner now supports GitHub Actions to build and deploy applications. GitHub Actions provide a way to implement complex orchestration and CI/CD functionality directly in GitHub by initiating a workflow on any GitHub event. If you have your source code in a GitHub repository, you can use GitHub Actions to enable App Runner to build a Docker image based on the language runtime and to deploy your application based on the generated image. For supported runtimes on App Runner, refer to the documentation. If you already have a container image of your application in a GitHub repository, you can use GitHub Actions to directly use the image to deploy your application on App Runner.

GitHub Actions scare me, because the easy path is to embed long-term IAM Access Keys as a secret in GitHub. Also PTSD from things I can’t talk about.

I’ve moved from InfoSec into a cloud governance role (yeah, I need to do a blog post on that someday), so here are some interesting announcements related to my new role:

AWS Control Tower now supports concurrent operations for detective guardrails

Announced On: Nov 10, 2021

AWS Control Tower now supports concurrent operations for detective guardrails to help expedite guardrail management. You can now enable multiple detective guardrails without needing to wait for individual guardrail operations to complete. AWS Control Tower provides customers with out-of-the-box preventive and detective guardrails that you can deploy to increase your security, operational, and compliance posture.

Every time I look at Control Tower there is some major issue about it that makes me go “who uses this half-cooked turkey?” If you’re one of those unfortunate people this may make your life better.

You can now submit multiple operations for simultaneous execution with AWS CloudFormation StackSets

Announced On: Nov 19, 2021

Today, AWS CloudFormation StackSets announces the capability to execute multiple operations for simultaneous execution. StackSets extends the functionality of CloudFormation stacks by letting you create, update, or delete stacks across multiple AWS accounts and Regions with a single operation. You can now submit more than one operation per stack set to be executed concurrently. This capability will enable you to reduce overall processing times with StackSets. Additionally, you can avoid the overhead of building logic to batch and queue operations submitted to StackSets.

Ok, Delegated Admin StackSets are my new favorite thing about managing a large organization. That they’ve fixed some scaling issue excites me.

Amazon EventBridge cross-Region support now expands to more Regions

Announced On: Nov 22, 2021

Amazon EventBridge expands support to all Regions, except for AWS GovCloud (US) and China, as a destination for its cross-Region event bus as a target functionality launched in April 2021 (initially launched with 3 destination Regions - US East (N. Virginia), US West (Oregon) and Europe (Ireland)). This will allow customers to consolidate events in one central Region from any Region. This makes it easier for customers to centralize their events for auditing and monitoring purposes or replicate events from source to destination Regions to help synchronize data across Regions.

No more deploying automations in every region! That was one of the big things I needed CloudFormation StackSets for!

Amazon S3 Lifecycle further optimizes storage cost savings with new actions and filters

Announced On: Nov 23, 2021

You can now set Amazon S3 Lifecycle rules to limit the number of versions of an object to retain to achieve greater storage savings, and to choose objects to move to other storage classes based on size to optimize your lifecycle transitions. S3 Lifecycle helps you optimize your storage costs by transitioning or expiring your objects as they get older or are replaced by newer versions. You can use these Lifecycle configurations for your whole bucket, or for a subset of your objects by filtering by prefixes, object tags, or object size.

If your monthly S3 bill is more than the cost of your house, these settings could be useful.

EC2 Image Builder enables sharing Amazon Machine Images (AMIs) with AWS Organizations and Organization Units

Announced On: Nov 24, 2021

Now on EC2 Image Builder, customers can share their Amazon Machine Images (AMIs) with AWS Organizations and Organizational Units (OUs) in the image distribution phase of their build process. As their organization structure changes, customers no longer have to manually update AMI permissions for individual AWS accounts in their organization. Customers can create OUs within AWS Organizations and manage AMI permissions for AWS accounts within those OUs.

You can finally retire that Lambda that shares AMIs to the output of aws organizations list-accounts.

Announcing General Availability of Enterprise On-Ramp

Announced On: Nov 24, 2021

Amazon Web Services (AWS) has announced the general availability of Enterprise On-Ramp, a new Support tier designed for production and business-critical needs to help customers that are starting their cloud journey and need expert guidance to grow and optimize on cloud. With Enterprise On-Ramp, customers can solve cloud-related challenges with 24/7 access to AWS experts whether by phone or live chat, share their screen, and get support to improve issue resolution and eliminate the frustration of back-and-forth emails.

If you’re not yet an Enterprise, you are Enterprise-ish. AWS has a new support plan for you. No word on pricing, but I couldn’t talk about Enterprise pricing without violating a slew of NDAs so… You don’t get dedicated TAMs, you get a pool of TAMs. My enterprise TAMs are worth their weight in gold, so getting access to a pool puts you at least in the silver category.

AWS Graviton

It’s also worth pointing out that there were at least 11 announcements related to expanded availability of Graviton instance types and services in the last month. Save 15% - 20% by dumping the Intel branding tax. I wonder if Intel is sponsoring re:Play this year.

New Security tools

AWS Backup adds an additional layer for backup protection with the availability of AWS Backup Vault Lock

Announced On: Oct 8, 2021

Today, AWS Backup announced the availability of AWS Backup Vault Lock. This new feature enhances customers’ ability to protect backups from inadvertent or malicious actions. It helps customers implement safeguards that ensure they are storing their backups using a Write-Once-Read-Many (WORM) model.

This wasn’t a pre:Invent announcement, but worth calling out. You can now protect your AWS Backup recovery points from deletion during an account compromise. Note, if you set this up and don’t have expiration set right on your backups, finance is going to have an unpleasant surprise.

AWS Secrets Manager increases secrets limit to 500K per account

Announced On: Nov 2, 2021

AWS Secrets Manager now supports a limit of up to 500,000 secrets per account per region, up from 40,000 secrets in the past. This simplifies secrets management for software as a service (SaaS) or platform as a service (PaaS) applications that rely on unique secrets for large numbers of end customers.

That’s a lot of secrets. I can’t fathom how few customers this impacts.

Amazon RDS now supports cross account KMS keys for exporting RDS Snapshots

Announced On: Nov 3, 2021

Amazon Relational Database Service (Amazon RDS) now offers the ability to specify an AWS Key Management Service (KMS) customer managed key (CMK) from a different account when exporting an Amazon RDS Snapshot to Amazon S3. This option helps customers organize and consolidate their KMS keys by eliminating the need to create keys in each account that has snapshots.

KMS is a PITA for sharing snapshots. This should make it easier. It also makes it easier for an attacker to meet their GDPR obligations when exfiltrating data from your account. Might be worth a CloudTrail detection here.
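Here is what that CloudTrail detection could look like, as an added example that is not part of the original post: scan CloudTrail records for rds.amazonaws.com StartExportTask calls and alert when the kmsKeyId is a key ARN belonging to an account other than the one the event was recorded in (and not on an allowlist of trusted key-holding accounts). Only a full key ARN can name a key in another account, so a bare key ID or alias is treated as local. The records below are constructed, trimmed to the fields the check reads, and the camelCase parameter names are assumed from the StartExportTask API (exportTaskIdentifier, sourceArn, s3BucketName, iamRoleArn, kmsKeyId).

```python
import json
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed sample CloudTrail records, one JSON object per line, trimmed to
# the fields the detection uses. Account 111111111111 is the "home" account.
SAMPLE_TRAIL = """\
{"eventTime":"2021-11-24T18:01:02Z","eventSource":"rds.amazonaws.com","eventName":"StartExportTask","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:role/dba"},"requestParameters":{"exportTaskIdentifier":"nightly-1","sourceArn":"arn:aws:rds:us-east-1:111111111111:snapshot:prod-2021-11-24","s3BucketName":"corp-rds-exports","iamRoleArn":"arn:aws:iam::111111111111:role/rds-export","kmsKeyId":"arn:aws:kms:us-east-1:111111111111:key/11111111-1111-1111-1111-111111111111"}}
{"eventTime":"2021-11-24T18:05:09Z","eventSource":"rds.amazonaws.com","eventName":"StartExportTask","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:user/contractor"},"requestParameters":{"exportTaskIdentifier":"export-7","sourceArn":"arn:aws:rds:us-east-1:111111111111:snapshot:prod-2021-11-24","s3BucketName":"some-other-bucket","iamRoleArn":"arn:aws:iam::111111111111:role/rds-export","kmsKeyId":"arn:aws:kms:us-east-1:999999999999:key/99999999-9999-9999-9999-999999999999"}}
{"eventTime":"2021-11-24T18:06:00Z","eventSource":"rds.amazonaws.com","eventName":"StartExportTask","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:role/dba"},"requestParameters":{"exportTaskIdentifier":"nightly-2","sourceArn":"arn:aws:rds:us-east-1:111111111111:snapshot:stage-2021-11-24","s3BucketName":"corp-rds-exports","iamRoleArn":"arn:aws:iam::111111111111:role/rds-export","kmsKeyId":"alias/rds-export"}}
{"eventTime":"2021-11-24T18:07:30Z","eventSource":"rds.amazonaws.com","eventName":"DescribeDBSnapshots","recipientAccountId":"111111111111","userIdentity":{"arn":"arn:aws:iam::111111111111:role/dba"},"requestParameters":{}}
"""


def kms_key_account(key_id: Optional[str]) -> Optional[str]:
    """Return the owning account of a KMS key ARN; None for bare IDs/aliases,
    which can only refer to keys in the caller's own account."""
    if key_id and key_id.startswith("arn:aws:kms:"):
        return key_id.split(":")[4]
    return None


def detect_cross_account_exports(records: Iterable[Dict],
                                 trusted_accounts: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Flag RDS snapshot exports encrypted with a KMS key owned by an account
    outside the recording account and the trusted-account allowlist."""
    hits: List[Dict[str, str]] = []
    for rec in records:
        if rec.get("eventSource") != "rds.amazonaws.com" or rec.get("eventName") != "StartExportTask":
            continue
        params = rec.get("requestParameters") or {}
        key_account = kms_key_account(params.get("kmsKeyId"))
        home = rec.get("recipientAccountId", "")
        if key_account and key_account != home and key_account not in trusted_accounts:
            hits.append({
                "eventTime": rec.get("eventTime", ""),
                "principal": (rec.get("userIdentity") or {}).get("arn", ""),
                "snapshot": params.get("sourceArn", ""),
                "bucket": params.get("s3BucketName", ""),
                "keyAccount": key_account,
            })
    return hits


def parse_trail(text: str) -> List[Dict]:
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    # Assumed allowlist: the central security account that legitimately owns shared keys.
    for hit in detect_cross_account_exports(parse_trail(SAMPLE_TRAIL), frozenset({"222222222222"})):
        print(json.dumps(hit))
```

Of the three export calls, only the one using a key ARN from account 999999999999 fires; the same-account key and the alias are both local to the home account.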

AWS Backup adds support for Amazon Neptune and Amazon DocumentDB

Announced On: Nov 8, 2021

AWS Backup announces the addition of Amazon Neptune to its portfolio of supported services. This is a new functionality in AWS Backup that allows you to create automated periodic snapshots of Amazon Neptune clusters using your centralized data protection policy across the supported AWS services for database, storage, and compute. AWS Backup announces support for Amazon DocumentDB (with MongoDB compatibility), allowing you to centrally manage data protection of your DocumentDB clusters along with other supported AWS services for database, storage, and compute.

The AWS Backup Team has been busy with Vault Lock and now more services.

Announcing general availability of AWS Resilience Hub

Announced On: Nov 10, 2021

Amazon Web Services (AWS) has announced the general availability of AWS Resilience Hub, a new service that provides you with a single place to define, validate, and track the resilience of your applications so that you can avoid unnecessary downtime caused by software, infrastructure, or operational disruptions.

The subject of Werner’s keynote last year was resiliency, and frankly after almost two years of pandemic it’s been a focus for everyone. I’ve not kicked the tires on this service, but I’m sure there will be some Breakout sessions at re:Invent on this topic.

AWS Security Hub adds three new FSBP controls and three new partners

Announced On: Nov 11, 2021

AWS Security Hub has released three new controls for its Foundational Security Best Practice standard (FSBP) to enhance customers’ Cloud Security Posture Management (CSPM). These controls conduct fully-automatic checks against security best practices for Elastic Load Balancing and AWS Systems Manager. If you have Security Hub set to automatically enable new controls and are already using AWS Foundational Security Best Practices, these controls are enabled by default. Security Hub now supports 162 security controls to automatically check your security posture in AWS.

If you’ve not checked out the AWS Foundational Security Best Practice standard you should. It’s way better than the CIS Benchmarks for AWS. This is useful to review even if you don’t use AWS Security Hub.

AWS CloudTrail announces Error Rate Insights

Announced On: Nov 11, 2021

AWS CloudTrail announces CloudTrail error rate Insights, a new feature of CloudTrail Insights that enables customers to identify unusual activity in their AWS account based on API error codes and their rate.

Announcing general availability of AWS Elastic Disaster Recovery

Announced On: Nov 17, 2021

Today we are announcing the general availability of AWS Elastic Disaster Recovery (AWS DRS), a new service that enables organizations to minimize downtime and data loss with fast, reliable recovery of on-premises and cloud-based applications. AWS Elastic Disaster Recovery is the recommended service for disaster recovery to AWS.

This is all based on their CloudEndure acquisition technology.

AWS Control Tower now supports nested organizational units

Announced On: Nov 18, 2021

We are excited to announce the support for AWS Organizations nested organizational units (OUs) in AWS Control Tower. An organization is an entity that you create to consolidate a collection of AWS accounts so that you can administer them as a single unit. Within each organization, you can create organizational units which help manage and govern groups of accounts in an organization. Nested OUs provide further customization between groups of accounts within OUs, giving you more flexibility when applying policies for different workloads or applications. For example, you can separate production workloads and non-production workloads within an OU. With support for nested OUs, you can now easily organize accounts in your Control Tower environment in a hierarchical, tree-like structure that best reflects your business needs.

Wait, what? It has been out for two and a half years and customers had to have a flat OU structure? I’m not sure this turkey was even half-baked.

AWS Identity and Access Management now makes it more efficient to troubleshoot access denied errors in AWS

Announced On: Nov 18, 2021

To help you quickly troubleshoot your permissions in Amazon Web Services (AWS), AWS Identity and Access Management (IAM) now includes the policy type that’s responsible for the denied permissions in access denied error messages. Amazon SageMaker, AWS CodeCommit and AWS Secrets Manager are among the first AWS services that now offer this additional context, with other services following in the next few months. When you troubleshoot access-related challenges, the identified policy type in the access denied error message helps you to quickly identify the root cause and unblock your developers by updating relevant policies.

IAM is hard. Useful error messages will make it less hard.

AWS WAF adds support for Captcha

Announced On: Nov 24, 2021

AWS today announced AWS WAF Captcha to help block unwanted bot traffic by requiring users to successfully complete challenges before their web requests are allowed to reach AWS WAF protected resources. Captcha is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart and is commonly used to distinguish between robotic and human visitors to prevent activity like web scraping, credential stuffing, and spam. You can configure AWS WAF rules to require WAF Captcha challenges to be solved for specific resources that are frequently targeted by bots such as login, search, and form submissions. You can also require WAF Captcha challenges for suspicious requests based on the rate, attributes, or labels generated from AWS Managed Rules, such as AWS WAF Bot Control or the Amazon IP Reputation list. WAF Captcha challenges are simple for humans while remaining effective against bots. WAF Captcha includes an audio version and is designed to meet WCAG accessibility requirements.

What you can infer from this announcement is that Amazon is looking to get into the autonomous driving business, and your customers are going to help them do that. Either that, or this is how they’re going to make the next generation of AWS Rekognition work.

Closing

I usually have some interesting serverless stuff, but I guess it’s all embargoed till Vegas.

We do know that Lambda functions are about to be exposable on the public Internet. This was found in Google’s cache after AWS published and then pulled it back: Lambda URL Config Authorization Settings

“Choose this option to let your function code handle authentication” is code for “here is a function with no authentication”.

If you’re going to be in Vegas I look forward to seeing 1/3rd of your faces again.