I’m back from re:Invent and still trying to adjust my sleep schedule (I’m on the East Coast and go to bed early; 6 pm Las Vegas time is my biological clock’s bedtime).
This year was one of my favorite re:Invents. I got to meet old and new co-workers and hang out with a lot of Community Builders and AWS Heroes, talk to service teams about what they should do to make their products work more for the security 99%. I got to a couple of good chalk talks on GenAI and GenAI security, which will help inform my poking at that over the holidays.
As for announcements, in the last seven days, there were 195 things posted to AWS What’s New. These are the ones I care to follow up on.
For simplicity, we’ll break them down into:
- Security Features
- Cloud Governance & Costs
- Serverless Stuff
- GenAI & Bedrock
- Other nifty stuff that may only matter to me
- I just wanna Snark
Security Features
Security Hub
- Announcing new central configuration capabilities in AWS Security Hub
I was part of this beta and like where they’re going. It eliminates my pain point of managing controls in all regions and all accounts. - New from AWS: You can now customize security controls in AWS Security Hub
This is also a positive development - my threshold and risk tolerance are different from AWS. Being able to set my own log retention or number of AZs helps balance risk and cost. - Announcing major dashboard enhancements in AWS Security Hub
Some of the widgets hidden by default are very useful. The AMIs with the most findings was very helpful in retiring and recycling old systems. - Announcing new finding enrichment in AWS Security Hub
I’ll be honest, I’m not finding many new things here. However, my Security Hub deployment is limited due to its cost (and the cost of Config). - Request a Cyber Insurance Quote from an AWS Cyber Insurance Competency Partner
Given all my concerns about Security Hub being compliance and not risk-focused, I’m very concerned to see the Cyber Insurance industry leveraging this standard. I’m not saying it’s bad. I’m worried it will create perverse incentives to close finding for lower premiums based on AWS’s view of best practices rather than a company or cyber insurance underwriter.
I would be very disappointed in AWS if there were a nefarious motive behind this: findings that ding a company for not enabling AWS services regardless of whether they have a better third-party service enabled that SecHub can’t report on.
GuardDuty
- Introducing Amazon GuardDuty ECS Runtime Monitoring, including AWS Fargate
Fargate support is important since it’s tough for a third party to side-car that service (as it should be). - Amazon GuardDuty now supports runtime monitoring for Amazon EC2 (Preview)
I’m quite surprised there were no sessions on this topic. I guess because it’s Preview.
Amazon Inspector
- Amazon Inspector agentless vulnerability assessments for Amazon EC2 now in preview
Here’s the key: instances that are so old they don’t have SSM running probably also have a ton of inspector findings. Expect a flood when you enable this. Then, kill the old stuff. It’s currently in preview in three regions (Virginia, Oregon, and Ireland) - Amazon Inspector enhances container image security by integrating with developer tools
This was Werner’s one-more-thing from his keynote. - Amazon Inspector expands AWS Lambda code scanning with generative AI powered remediation
Based on Werner’s keynote, it will probably just try and replace my functions with Rust.
Amazon Detective
Amazon Detective is a costly service, so I’ve avoided using it since the beta. However, I think it’s been a few years (four), and maybe it’s time to revisit it.
- Amazon Detective now supports log retrieval from Amazon Security Lake
- Amazon Detective announces investigations for IAM
- Amazon Detective supports security investigations for Amazon GuardDuty ECS Runtime Monitoring
- Amazon Detective introduces finding group summaries using generative AI
I’m actually concerned about anyone relying on GenAI to tell them, “Oh, this is fine. You have no evidence of breach”. This could get bad very fast. GenAI will tell me Crash Override is trying to hack my Gibson.
IAM Access Analyzer
I think it’s note worthy that while the original “is my bucket or queue public?” checks are free, IAM Access Analyzer is charging for these two new features:
- IAM Access Analyzer introduces custom policy checks powered by automated reasoning
You can expect to pay 2 cents per 10 API calls here. - IAM Access Analyzer now simplifies inspecting unused access to guide you toward least privilege
This one is a whopping $0.20 per role or user per month. This is totally worth it if it works.
Other Security stuff
- Application Load Balancer can authenticate X.509 certificate based identities with Mutual TLS support
mTLS is a requirement for adoption for many use cases, so this is good. - AWS CloudTrail Lake data now available for zero-ETL analysis in Amazon Athena
With the pre:Invent pricing changes for CloudTrail Lake, this is another service I need to revisit. - AWS Backup now supports Amazon Elastic Block Store (EBS) Snapshots Archive
This is helpful if you have to retain backups for an extended period of time, but don’t want to pay for that in hot storage. - AWS Analytics simplify users’ data access across services with IAM Identity Center
More use of centralized identity stores tied to corporate HR systems, please. - AWS Secrets Manager now supports batch retrieval of secrets
- Amazon EKS introduces EKS Pod Identity
Ok, everyone, Pay Attention here. AWS has a new way to access and vend credentials in AWS. And since it’s Kubernetes-based, no one in your org will really understand it; they’ll just do it because it’s cool.
Christophe at DataDog has a great write up of how this works - Amazon S3 Access Grants integrate with identity providers to simplify data lake permissions
Here is another significant change to our security models. A new way to access data in AWS S3. Pay Attention here. - Introducing Amazon One Enterprise (Preview)
AWS moving into the physical security space is an interesting development.
Cloud Governance & Costs
- myApplications: One place to view and manage your applications on AWS
I’ve always used the AWS Account as the “accountability boundary” for security & finance. This offers another dimension to do that inside an account. The question is: how easy is this to implement at scale when you have tagging chaos? - Amazon Web Services announces Unified Billing and Cost Management console
Looking at this in my environment, this seems to be a helpful refresh. It’s reminding me to set up budgets and cost anomalies. I like having a service breakdown on the main page without launching Cost Explorer. - AWS Free Tier usage is now available through the GetFreeTierUsage API
I left the free tier long ago in my main PrimeHarbor org, but I sometimes set up new orgs for special projects. I need to adjust some of my cost-alerting tools to leverage this. - AWS Config now supports periodic recording: Efficiently scale your change tracking
I was excited to hear about this, but AWS Config has got to get on board with better delegated admin and cross-regional management capabilities. As I said in my Security Hub update, the limitations on AWS Config are a major reason why I don’t recommend Security Hub, and I find ControlTower to be a poor choice for smaller companies. - AWS Config launches generative AI-powered natural language querying (Preview)
I’d have rather gotten generative AI-power deployment of Config. - Introducing Cost Optimization Hub
Let’s see if it starts with “Turn off Config”. - Announcing the Cost and Usage Dashboard powered by Amazon QuickSight
Most of my cost analysis use cases these days have been supported by Cost Explorer. But with this, some of the AI stuff in QuickSight, and better identity center integrations, there may finally be an easy-to-use solution here. - Announcing Data Exports for AWS Billing and Cost Management
This will be a major capability for FinOps and maybe security teams looking to find unused resources and risks in their environments. - Announcing the new Amazon EFS Archive storage class
- Amazon CloudWatch Logs announces Infrequent Access log class
In many cases, lambda logs cost more than the lambda invocation & compute costs. I’m looking forward to trying this on my next project - Announcing the Amazon S3 Express One Zone storage class
This is also somewhat important to security folks- a new bucket type called an “S3 Directory Bucket” supports this.
Serverless stuff
- AWS CloudFormation introduces Git management of stacks
Back in 2015, I wrote cft-deploy because I wanted the ability to do better gitops with CloudFormation. I’ll be curious to see how much that I can deprecate now. - Amazon CloudWatch announces AI-powered natural language query generation (in preview)
ChatGPT failed me a number of times this fall trying to generate functional CWL queries. Let’s see if AWS AI can do better. - AWS Step Functions launches optimized integration for Amazon Bedrock
- AWS Step Functions launches support for HTTPS endpoints and a new TestState API
- AWS announces Amazon ElastiCache Serverless
GenAI & Bedrock
I first saw ChatGPT in action in the lounge on the way home from last year’s re:Invent. It was clear that re:Invent 2023 was always going to be the year of GenAI announcements.
- Announcing new AWS AI Service Cards - to advance responsible AI
Amazon’s GenAI products are so all over the map they have a service announcement to explain the services.
Amazon Q
Amazon Q is AWS’s answer to ChatGPT. It’s an interactive Large Language Model (LLM) that’s all over. It’s a widget in the Console, and it’s an enterprise solution, and it’s a chatbot in Slack. It’s an omnipotent practical joker that can tell you about un-released features. It might very well be an internal Sev 2.
These are the announcements:
- AWS announces Amazon Q (Preview)
- Announcing Amazon Q expert capabilities for AWS (Preview)
- AWS Announces Amazon Q is available in preview on the AWS Console Mobile App
- AWS Chatbot now supports Amazon Q conversations in Microsoft Teams and Slack
- Amazon Q offers help to optimize EC2 instance type selection (preview)
- Amazon Q in QuickSight simplifies data exploration with Generative BI capabilities (Preview)
There is honestly nothing in the Q family (and let’s face it, this is like SageMaker or CloudWatch, a ton of products rolled under a single name for confusion marketing purposes) that is worth the hassle or risk.
From what I can gather from docs, There are three versions of Q: Amazon Q (For Business Use), Amazon Q (For AWS Builder Use) and Amazon Q in Connect.
There are two Q Boto3 services: Q Connect and Q Business.
The AWS IAM Service Authorization Reference lists three IAM prefixes: q for Amazon Q (For AWS Builder Use), qbusiness for Amazon Q (For Business Use), and wisdom for Amazon Q in Connect
These can be blocked via SCP.
GenAi Coding
- Announcing new enhancements to Amazon CodeWhisperer
- Introducing the Amazon CodeCatalyst Enterprise Tier
Bedrock
- Knowledge Bases for Amazon Bedrock is now generally available
- Amazon Titan Image Generator foundation model in Amazon Bedrock now available in preview
- Safeguard generative AI applications with Guardrails for Amazon Bedrock (Preview)
I will be curious how well thought out and effective these Guardrails end up being. I don’t think humans fully understand the systemic vulnerabilities in GenAI, so I question how well the rockstars at AWS can defend it. - Boost generative AI application development with Agents for Amazon Bedrock
In AI, Agency is the ability of the model to take an action in the real world. That may be to call an API to get more data or execute a lambda to trigger a global thermonuclear war (this is why you use Secrets Manager!). Number 8 in the OWASP Top 10 for LLM is Excessive Agency. Given all the buzz, hyper, and massive mistakes, security professionals really need to pay attention to Bedrock or block it via SCP. - Continued pre-training in Amazon Bedrock now available in preview
Model Availability
Models are the “code” in these GenAI systems. They are trained on large data sets for a generic purpose. GPT-3 and GPT4 from OpenAI are also models.
- Evaluate, compare, and select the best FMs for your use case in Amazon Bedrock (Preview)
- Meta Llama 2, Cohere Command Light, and Amazon Titan FMs can now be fine-tuned in Amazon Bedrock
- Amazon Titan Text models - Express and Lite - now generally available in Amazon Bedrock
- Claude 2.1 foundation model from Anthropic is now generally available in Amazon Bedrock
- Llama 2 70B foundation model from Meta is now available in Amazon Bedrock
- Stable Diffusion XL 1.0 foundation model from Stability AI is now generally available in Amazon Bedrock
I know nothing about these models other than Stable Diffusion does images, and it means I can use AWS rather than Discord to create the cool images I keep seeing on the internet.
Vector Database enhancements for your models
Vector Databases are how models “read” your internal private data. By making your data available via Vector search, the models can return results based on their generic training data in addition to your proprietary data.
- AWS announces vector search for Amazon DocumentDB
- AWS announces vector search for Amazon MemoryDB for Redis (Preview)
- Vector engine for Amazon OpenSearch Serverless now generally available
Other nifty stuff that may only matter to me
- Amazon WorkSpaces Thin Client is now generally available
I’ve had mixed results with WorkSpaces. Dropping $200 on a device that might not work well is eh…
I just wanna Snark
- Announcing preview of AMB Access Polygon, serverless access to Polygon blockchain
Wait what? Who let a blockchain announcement in? This year is all about GenAI. - Announcing AWS Console-to-Code (Preview) to generate code for console actions
I saw this in action. It doesn’t warrant being in the GenAI section. It only supports one small part of the Console. It hallucinates CFT resource types that never existed and properties that aren’t part of any known resource type. It was truly sad, and way below the service quality I’d expect from AWS. - Announcing the general availability of AWS re:Post Private
My first question is, “But why?".
That’s it. My time in Vegas was long, and I’m glad to be home. Pro-tip for anyone doing sales dinners - the Sphere has club-level boxes, and sunday night only two were being used.