Week 24 (10 Jun - 16 Jun)
Ankur Patel
3x AWS certified | AWS Community Builder | Cloud Enabler and Practitioner | Solutions Architect | FullStack | DevOps | DSML | 6x Sisense certified | Blogger | Photographer & Traveller
Amazon RDS for SQL Server Supports Minor Version 2022 CU13
Published Date: 2024-06-12 17:00:00
A new minor version of Microsoft SQL Server is now available on Amazon RDS for SQL Server, providing performance enhancements and security fixes. Amazon RDS for SQL Server now supports the latest minor version of SQL Server 2022 across the Express, Web, Standard, and Enterprise editions. We encourage you to upgrade your Amazon RDS for SQL Server database instances at your convenience. You can upgrade with just a few clicks in the Amazon RDS Management Console or by using the AWS CLI. Learn more about upgrading your database instances from the Amazon RDS User Guide. The new minor version is SQL Server 2022 CU13 - 16.0.4125.3. The minor version is available in all AWS commercial regions where Amazon RDS for SQL Server databases are available, including the AWS GovCloud (US) Regions. Amazon RDS for SQL Server makes it simple to set up, operate, and scale SQL Server deployments in the cloud. See Amazon RDS for SQL Server Pricing for pricing details and regional availability.
Productionize Foundation Models from SageMaker Canvas
Published Date: 2024-06-12 17:00:00
Amazon SageMaker Canvas now supports deploying Foundation Models (FMs) to SageMaker real-time inference endpoints, allowing you to bring generative AI capabilities into production and consume them outside the Canvas workspace. SageMaker Canvas is a no-code workspace that enables analysts and citizen data scientists to generate accurate ML predictions and use generative AI capabilities. SageMaker Canvas provides access to FMs powered by Amazon Bedrock and SageMaker JumpStart, supports RAG-based customization, and fine-tuning of FMs. Starting today, you can deploy FMs powered by SageMaker JumpStart such as Falcon-7B, Llama-2, and more to SageMaker endpoints making it easier to integrate generative AI capabilities into your applications outside the SageMaker Canvas workspace. FMs powered by Amazon Bedrock can already be accessed using a single API outside the SageMaker workspace. By simplifying the deployment process, SageMaker Canvas accelerates time-to-value and ensures a smooth transition from experimentation to production. To get started, log in to SageMaker Canvas to access the FMs powered by SageMaker JumpStart. Select the desired model and deploy it with the appropriate endpoint configurations such as indefinitely or for a specific duration of time. SageMaker Inferencing charges will apply to deployed models. A new user can access the latest version by directly launching SageMaker Canvas from their AWS console. An existing user can access the latest version of SageMaker Canvas by clicking “Log Out” and logging back in.
AWS CloudTrail Lake announces AI-powered natural language query generation (preview)
Published Date: 2024-06-11 17:00:00
AWS announces generative AI-powered natural language query generation in AWS CloudTrail Lake (preview), enabling you to simply analyze your AWS activity events without having to write complex SQL queries. Now you can ask questions in plain English about your AWS API and user activity, such as “How many errors were logged during the past week for each service and what was the cause of each error?” or “Show me all users who logged in using console yesterday”, and AWS CloudTrail will generate a SQL query, which you can run as is or fine-tune to meet your use case. This new feature empowers users who are not experts in writing SQL queries or who don’t have a deep understanding of CloudTrail events. As a result, exploration and analysis of AWS activity in event data stores on CloudTrail Lake becomes simpler and quicker, accelerating compliance, security, and operational investigation. This feature is now available in preview in AWS US East (N. Virginia) at no additional cost. Please note that running the queries generated using this feature will result in CloudTrail Lake query charges. Refer to CloudTrail pricing for details. To learn more about this feature and get started, please refer to the documentation or the AWS News Blog.
Amazon Connect now provides color coding for shift activities in agent scheduling
Published Date: 2024-06-11 17:00:00
Amazon Connect now provides color coding for shift activities in agent scheduling, enabling a simplified experience for contact center managers and agents. With this launch, you can now configure colors for agent shift activities, such as red for breaks and lunches, green for team meetings, and purple for trainings. With customizable colors, managers can quickly see how different activities are placed in agent schedules (e.g. is more than half the team doing a training at the same time, does the team meeting include everyone, etc.). This launch also simplifies the experience for agents as they can easily understand their schedule at-a-glance for the week without having to read through each scheduled activity. Customizable colors make day-to-day schedule management more efficient for managers and agents.
Amazon SES now provides custom values in the Feedback-ID header
Published Date: 2024-06-11 17:00:00
Today, Amazon Simple Email Service (SES) released a new feature to give customers control over parts of the auto-generated Feedback-ID header in messages sent through SES. This feature provides additional details to help customers identify deliverability trends. Customers can use products like PostMaster Tools by Gmail to see complaint rates by identifiers of their choice, such as sender identity or campaign ID. This makes it easier to track deliverability performance associated with independent workloads and campaigns, and accelerates troubleshooting when diagnosing complaint rates. Previously, SES automatically generated a Feedback-ID header when sending emails on behalf of SES customers. This Feedback-ID helps customers track their deliverability performance, such as complaint rates, at the AWS account level. Now SES includes up to two custom values in the Feedback-ID header, which customers can pass to SES during sending. Customers specify message tag values for either “ses:feedback-id-a” or “ses:feedback-id-b” (or both), and SES automatically includes these values as the first and second fields in the Feedback-ID header (respectively). This gives even more granularity when viewing deliverability metrics in tools such as PostMaster Tools by Gmail. SES supports fine grained Feedback-ID in all AWS regions where SES is available. For more information, see the documentation for SES event publishing.
AWS Audit Manager generative AI best practices framework now includes Amazon SageMaker
Published Date: 2024-06-11 12:00:00
Available today, the AWS Audit Manager generative AI best practices framework now includes Amazon SageMaker in addition to Amazon Bedrock. Customers can use this prebuilt standard framework to gain visibility into how their generative AI implementation on SageMaker or Amazon Bedrock follows AWS recommended best practices and start auditing their generative AI usage and automating evidence collection. The framework provides a consistent approach for tracking AI model usage and permissions, flagging sensitive data, and alerting on issues. This framework includes 110 controls across areas such as governance, data security, privacy, incident management, and business continuity planning. Customers can select and customize controls to structure automated assessments. For example, customers seeking to mitigate known biases before feeding data into their model can use the ‘Pre-processing Techniques’ control to require evidence of validation criteria including documentation of data augmentation, re-weighting, or re-sampling. Similarly, customers can use the 'Bias and Ethics Training' control to upload documentation demonstrating that their workforce is trained to address ethical considerations and AI bias in the model.
AWS IAM Access Analyzer now offers policy checks for public and critical resource access
Published Date: 2024-06-11 12:00:00
AWS Identity and Access Management (IAM) Access Analyzer guides customers toward least privilege by providing tools to set, verify, and refine permissions. IAM Access Analyzer now extends custom policy checks to proactively detect nonconformant updates to policies that grant public access or grant access to critical AWS resources ahead of deployments. Security teams can use these checks to streamline their IAM policy reviews, automatically approving policies that conform with their security standards and inspecting more deeply when policies don’t conform. Custom policy checks use the power of automated reasoning to provide the highest levels of security assurance backed by mathematical proof. Security and development teams can innovate faster by automating and scaling their policy reviews for public and critical resource access. You can integrate these custom policy checks into the tools and environments where developers author their policies, such as their CI/CD pipelines, GitHub, and VSCode. Developers can create or modify an IAM policy, and then commit it to a code repository. If custom policy checks determine that the policy adheres to your security standards, your policy review automation lets the deployment process continue. If custom policy checks determine that the policy does not adhere to your security standards, developers can review and update the policy before deploying it to production.
AWS Identity and Access Management now supports passkey as a second authentication factor
Published Date: 2024-06-11 12:00:00
AWS Identity and Access Management (IAM) now supports passkeys for multi-factor authentication to provide easy and secure sign-ins across your devices. Based on FIDO standards, passkeys use public key cryptography, which enables strong, phishing-resistant authentication that is more secure than passwords. IAM now allows you to secure access to AWS accounts using passkeys for multi-factor authentication (MFA) with support for built-in authenticators, such as Touch ID on Apple MacBooks and Windows Hello facial recognition on PCs. Passkeys can be created with a hardware security key or with your chosen passkey provider using your fingerprint, face, device PIN, and they are synced across your devices to sign-in with AWS. AWS Identity and Access Management helps you securely manage identities and control access to AWS services and resources. MFA is a security best practice in IAM that requires a second authentication factor in addition to the user name and password sign-in credentials. Passkey support in IAM is a new feature to further enhance MFA usability and recoverability. You can use a range of supported IAM MFA methods, including FIDO-certified security keys to harden access to your AWS accounts. This feature is available now in all AWS Regions, except in the China Regions. To learn more about using passkeys in IAM, get started by visiting the launch blog post and Using MFA in AWS documentation. To learn more:
AWS Cloud WAN introduces Service Insertion to simplify security inspection at global scale
Published Date: 2024-06-11 12:00:00
Today AWS announces Service Insertion, a new feature of AWS Cloud WAN that simplifies the integration of security and inspection services into the Cloud WAN based global networks. Using this feature, you can easily steer your global network traffic between Amazon VPCs (Virtual Private Cloud), AWS Regions, on-premises locations, and Internet via security appliances or inspection services using central Cloud WAN policy or the AWS management console. Customers deploy inspection services or security appliances such as firewalls, intrusion detection/protection systems (IDS/IPS) and secure web gateways to inspect and protect their global Cloud WAN traffic. With Service Insertion, customers can easily steer multi-region or multi-segment network traffic to security appliances or services without having to create and manage complex routing configurations or third-party automation tools. Using service insertion, you define your inspection and routing intent in a central policy document and your configuration is consistently deployed across your Cloud WAN network. Service insertion works with both AWS Network Firewall and third-party security solutions, and makes it easy to perform east-west (VPC-to-VPC) and north-south (Internet Ingress/Egress) security inspection across multiple AWS Regions and on-premises locations across the globe.
Detect malware in new object uploads to Amazon S3 with Amazon GuardDuty
Published Date: 2024-06-11 12:00:00
Today, Amazon Web Services (AWS) announces the general availability of Amazon GuardDuty Malware Protection for Amazon S3. This expansion of GuardDuty Malware Protection allows you to scan newly uploaded objects to Amazon S3 buckets for potential malware, viruses, and other suspicious uploads and take action to isolate them before they are ingested into downstream processes. GuardDuty helps customers protect millions of Amazon S3 buckets and AWS accounts. GuardDuty Malware Protection for Amazon S3 is fully managed by AWS, alleviating the operational complexity and overhead that normally comes with managing a data-scanning pipeline, with compute infrastructure operated on your behalf. This feature also gives application owners more control over the security of their organization’s S3 buckets; they can enable GuardDuty Malware Protection for S3 even if core GuardDuty is not enabled in the account. Application owners are automatically notified of the scan results using Amazon EventBridge to build downstream workflows, such as isolation to a quarantine bucket, or define bucket policies using tags that prevent users or applications from accessing certain objects.
AWS IAM Access Analyzer now offers recommendations to refine unused access
Published Date: 2024-06-11 12:00:00
AWS Identity and Access Management (IAM) Access Analyzer guides customers toward least privilege by providing tools to set, verify, and refine permissions. IAM Access Analyzer now offers actionable recommendations to guide you to remediate unused access. For unused roles, access keys, and passwords, IAM Access Analyzer provides quick links in the console to help you delete them. For unused permissions, IAM Access Analyzer reviews your existing policies and recommends a refined version tailored to your access activity. As a central security team member, you can use IAM Access Analyzer to gain visibility into unused access across your AWS organization and automate how you rightsize permissions. Security teams set up automated workflows to notify their developers about new IAM Access Analyzer findings. Now, you can include step-by-step recommendations provided by IAM Access Analyzer to notify and simplify how developers refine unused permissions. This feature is offered at no additional cost with unused access findings and is a part of the growing Cloud Infrastructure Entitlement Management capabilities at AWS. The recommendations are available in AWS Commercial Regions, excluding the AWS GovCloud (US) Regions and AWS China Regions. To learn more about IAM Access Analyzer unused access analysis:
AWS Private CA introduces Connector for SCEP for mobile devices (Preview)
Published Date: 2024-06-11 12:00:00
AWS Private Certificate Authority (AWS Private CA) launches the Connector for SCEP, which lets you use a managed and secure cloud certificate authority (CA) to enroll mobile devices securely and at scale. Simple Certificate Enrollment Protocol (SCEP) is a protocol widely adopted by mobile device management (MDM) solutions for getting digital identity certificates from a CA and enrolling corporate-issued and bring-your-own-device (BYOD) mobile devices. With the Connector for SCEP, you use a managed private CA with a managed SCEP solution to reduce operational costs, simplify processes, and optimize your public key infrastructure (PKI). Additionally, the Connector for SCEP lets you use AWS Private CA with industry-leading SCEP-compatible MDM solutions including Microsoft Intune and Jamf Pro. The Connector for SCEP is one of three connector types offered for AWS Private CA. Connectors allow you to replace your existing CAs with AWS Private CA in environments that have an established native certificate distribution solution. This means that instead of using multiple CA solutions, you can utilize a single private CA solution for your enterprise. You benefit from comprehensive support, extending to Kubernetes, Active Directory, and, now, mobile devices. During the preview period, Connector for SCEP is available in the following AWS Regions: US East (N. Virginia). This feature is offered at no additional charge; you only pay for the AWS Private CAs and the certificates issued from them. To get started, see the Getting started guide or go to the Connector for SCEP console.
Amazon ECS on AWS Fargate now allows you to encrypt ephemeral storage with customer-managed KMS keys
Published Date: 2024-06-10 21:20:00
Amazon Elastic Container Service (Amazon ECS) and AWS Fargate now allow you to use customer managed keys in AWS Key Management Service (KMS) to encrypt data stored in Fargate task ephemeral storage. Ephemeral storage for tasks running on Fargate platform version 1.4.0 or higher is encrypted with AWS owned keys by default. This feature allows you to add a self-managed security layer which can help you meet compliance requirements. Customers who run applications that deal with sensitive data often need to encrypt data using self-managed keys to meet security or regulatory requirements and also provide encryption visibility to auditors. To meet these requirements you can now configure a customer-managed KMS key for your ECS cluster to encrypt the ephemeral storage for all Fargate tasks in the cluster. You can manage this key and audit access like any other KMS key. Customers can use this feature to configure encryption for new and existing ECS applications without changes from developers.
Amazon CloudWatch Application Signals, for application monitoring (APM) is generally available
Published Date: 2024-06-10 19:00:00
Today, AWS announces the general availability of Amazon CloudWatch Application Signals, an OpenTelemetry (OTeL) compatible application performance monitoring (APM) feature in CloudWatch, that makes it easy to automatically instrument and track application performance against their most important business or service level objectives (SLOs) for applications on AWS. With no manual effort, no custom code, and no custom dashboards, Application Signals provides service operators with a pre-built, standardized dashboard showing the most important metrics for application performance – volume, availability, latency, faults, and errors – for each of their applications on AWS. By correlating telemetry across metrics, traces, logs, real-user monitoring, and synthetic monitoring, Application Signals enables customers to speed up troubleshooting and reduce application disruption. For example, an application developer operating a payment processing application can see if payment processing latency is spiking and drill into the precisely correlated trace contributing to the spike to establish cause in application code or dependency. Developers that use Container Insights to monitor container infrastructure, can further identify root cause such as a memory shortage or a high CPU utilization on the container pod running the application code causing the spike. Application Signals is generally available in 28 commercial AWS Regions, except CA West (Calgary) Region, AWS GovCloud (US) Regions and China Regions. For pricing, see Amazon CloudWatch pricing. Try Application Signals with the AWS One Observability Workshop sample application. To learn more, see documentation to enable Amazon CloudWatch Application Signals for Amazon EKS, Amazon EC2, native Kubernetes and custom instrumentation for other platforms.
Amazon Security Lake is now available in the AWS GovCloud (US) Regions
Published Date: 2024-06-10 17:00:00
Amazon Security Lake is now available in the AWS GovCloud (US) Regions. You can now centralize security data from AWS environments, SaaS providers, on premises, and cloud sources into a purpose-built data lake stored in your Amazon S3 account. Security Lake makes it easier to analyze security data, gain a more comprehensive understanding of security across your entire organization, and improve the protection of your workloads, applications, and data. Security Lake automates the collection and management of your security data across accounts and AWS Regions so that you can use your preferred analytics tools while retaining control and ownership over your security data. For more information about the AWS Regions where Security Lake is available, see the AWS Region table. You can enable your 15-day free trial of Amazon Security Lake with a single click in the AWS Management console. To get started, see the following list of resources:
Amazon RDS for PostgreSQL announces Extended Support minor 11.22-RDS.20240509
Published Date: 2024-06-10 17:00:00
Amazon Relational Database Service (RDS) for PostgreSQL announces Amazon RDS Extended Support minor version 11.22-RDS.20240509. We recommend that you upgrade to this version to fix known security vulnerabilities and bugs in prior versions of PostgreSQL. Amazon RDS Extended Support provides you more time, up to three years, to upgrade to a new major version to help you meet your business requirements. During Extended Support, Amazon RDS will provide critical security and bug fixes for your MySQL and PostgreSQL databases on Aurora and RDS after the community ends support for a major version. You can run your PostgreSQL databases on Amazon RDS with Extended Support for up to three years beyond a major version’s end of standard support date. Learn more about Extended Support in the Amazon RDS User Guide. You are able to leverage automatic minor version upgrades to automatically upgrade your databases to more recent minor versions during scheduled maintenance windows. Learn more about upgrading your database instances, including minor and major version upgrades, in the Amazon RDS User Guide. Amazon RDS for PostgreSQL makes it simple to set up, operate, and scale PostgreSQL deployments in the cloud. See Amazon RDS for PostgreSQL Pricing for pricing details and regional availability. Create or update a fully managed Amazon RDS database in the Amazon RDS Management Console.
Amazon CloudWatch announces AI-Powered natural language query generation
Published Date: 2024-06-10 17:00:00
Amazon CloudWatch announces the general availability of natural language query generation powered by generative AI for Logs Insights and Metrics Insights. This feature enables you to quickly generate queries in context of your logs and metrics data using plain language. By simplifying the query generation process, you can accelerate gathering insights from your observability data without needing extensive knowledge of the query language. Query Generator simplifies your CloudWatch Logs and Metrics Insights experience through natural language querying. You can ask questions in plain English, such as "Show me the 10 slowest Lambda requests in the last 24 hours" or "Which DynamoDB table is most throttled", and it will generate the appropriate queries or refine any existing queries in the query window; it now also automatically adjusts the time ranges for queries that require data within a specified period. It also provides line-by-line explanations of the generated code, helping you learn query syntax. This feature is now supported in US East (N. Virginia), US West (Oregon), and Asia Pacific (Tokyo). To access the feature, click on "Query generator" in the CloudWatch Logs Insights or Metrics Insights console pages. In the help panel, select "Info" for more information. There is no charge for using Query generator. Any queries executed in Logs Insights or Metrics Insights are subject to standard CloudWatch pricing. To learn more about Query generator in CloudWatch Logs Insights or Metrics Insights, visit our getting started guide.
AWS CloudFormation accelerates dev-test cycle with adjustable timeouts for custom resources
Published Date: 2024-06-10 17:00:00
AWS CloudFormation launches a new property for custom resources called ServiceTimeout. This new property allows customers to set a maximum timeout for the execution of the provisioning logic in a custom resource, enabling faster feedback loops in dev-test cycles. CloudFormation custom resources allow customers to write their own provisioning logic in CloudFormation templates and have CloudFormation run the logic during a stack operation. Custom resources use a callback pattern where the custom resource must respond to CloudFormation within a timeout of 1 hour. Previously, this timeout value was not configurable, so code bugs in the customer's custom resource logic resulted in long wait times. With the new ServiceTimeout property, customers can set a custom timeout value, after which CloudFormation fails the execution of the custom resource. This accelerates feedback on failures, allowing for quicker dev-test iterations. The new ServiceTimeout property is available in all AWS Regions where AWS CloudFormation is available. Refer to the AWS Region table for details. Refer to the custom resources documentation to learn more about the ServiceTimeout property.
Amazon EC2 M6in and M6idn instances are now available in Asia Pacific (Mumbai)
Published Date: 2024-06-10 17:00:00
Starting today, Amazon Elastic Compute Cloud (Amazon EC2) M6in and M6idn instances are available in AWS Regions Asia Pacific (Mumbai) and Canada (Central). These sixth-generation network optimized instances, powered by 3rd Generation Intel Xeon Scalable processors and built on the AWS Nitro System, deliver up to 200Gbps network bandwidth, 2x more network bandwidth, and up to 2x higher packet-processing performance over comparable fifth-generation instances. Customers can use M6in and M6idn instances to scale the performance and throughput of network-intensive workloads such as high-performance file systems, distributed web scale in-memory caches, caching fleets, real-time big data analytics, and Telco applications such as 5G User Plane Function.
M6in and M6idn instances are available in 10 different instance sizes including metal, with up to 128 vCPUs and 512 GiB of memory. They deliver up to 100 Gbps of Amazon Elastic Block Store (EBS) bandwidth and up to 400K IOPS, the highest Amazon EBS performance across EC2 instances. M6in and M6idn instances offer Elastic Fabric Adapter (EFA) networking support on 32xlarge and metal sizes. M6idn instances offer up to 7.6 TB of high-speed, low-latency instance storage. With this regional expansion, M6in and M6idn instances are available in the following AWS Regions: US East (Ohio, N. Virginia), US West (N. California, Oregon), Europe (Ireland, Frankfurt, Spain, Stockholm), Asia Pacific (Mumbai, Singapore, Tokyo, Sydney), Canada (Central), and AWS GovCloud (US-West). Customers can purchase the new instances through Savings Plans, Reserved, On-Demand, and Spot instances. To learn more, see the M6in and M6idn instances page.