264: AWS Audit Manager: Because even AI needs a Babysitter!


Welcome to episode 264 of the Cloud Pod Podcast, where the forecast is always cloudy! Justin, Jonathan, Ryan (and eventually Matthew) are all on hand this week, and *announcement noise* this week marks the return of the Cloud Journey Series! There's also a lot of news from Re:Inforce, a ground-breaking partnership between Oracle and Google Cloud, and updates to GKE. The guys also look ahead to FinOps '24.

Titles we almost went with this week:

  • ✍️First, AI came for Writers/Artists, then it came for Developers, and now it comes for Security… What’s Next? 
  • 🤝Amazon Reinforces my Lack of Interest in Attending – JPB rl
  • 🦠Object Storage Malware protection, everyone, please copy it!
  • 💏Amazon is the last man out in Oracle next-gen partnerships
  • 💔Dear Google, A partnership with Oracle is not Groundbreaking when Azure already did it
  • 💾AWS Announces some “We finally got around to it feature updates”
  • 💂Protect your S3 buckets from themselves with Amazon Guard Duty
  • 🤖The CloudPod and AI play Guess Who? with IAM Access Analyzer.

A big thanks to this week’s sponsor:

We’re sponsorless! Want to reach a dedicated audience of cloud engineers? Send us an email, or hit us up on our Slack Channel and let’s chat! 

AWS 

01:04 Simplify risk and compliance assessments with the new common control library in AWS Audit Manager  

  • AWS Audit Manager is introducing a common control library that provides common controls with predefined and pre-mapped AWS data sources.
  • This makes it easy for GRC teams to use the common control library to save time when mapping enterprise controls into Audit Manager for evidence collection, reducing their dependence on IT teams.
  • You can view the compliance requirements of multiple frameworks, such as PCI or HIPAA, that are associated with the same common control in one place, making it easier to understand your audit readiness across several frameworks simultaneously.
  • Interested in pricing? You can find that info here.

01:37 📢 Ryan – “It’s the dream! Automated evidence generation. And now with the context of known frameworks. Yeah; because that’s always the challenge, you know, are the last step of the translation – this is the control. Hey, we need all these controls to do this level of compliance.”

04:36 Centrally manage member account root email addresses across your AWS Organization

  • 2017 Justin is really digging all these quality-of-life features coming out, and we like to think that AWS has just finally gotten to our pile of feature requests from back then.
  • This week, it's now easier for AWS Organizations customers to centrally manage the root email address of member accounts across their organization using the CLI, SDK and Organizations console.
  • They had previously made it possible to update primary and alternate contact information and enable AWS regions for member accounts. However, changing the root email still required logging in as the root user. Not any longer: the SDK, CLI and Organizations console have been updated to allow this to be done at the org level.
  • The API requires customers to verify the new root email address using a one-time password, to ensure an accurate email address is on file for the member account. The root email address will not change until the new email is verified.
  • We would like it to require verification of the old address too, to close off an attack vector. So let's get on that, AWS.

05:50 📢 Jonathan – “At least they separated the AWS logins from the Amazon .com logins so you couldn’t have somebody ordering pairs of shoes on your AWS bill.”

08:33 Amazon EC2 instance type finder capability is generally available in AWS Console

  • AWS is announcing the EC2 instance type finder capability, which helps you select the ideal Amazon EC2 instance types for your workload. It uses ML to help customers make quick, cost-effective selections, such as instance types, before provisioning workloads.
  • You do this in the Management Console by specifying your workload requirements and getting recommendations.
  • The finder is integrated into Q, so you can use natural language to specify requirements and get instance family suggestions.
  • This doesn't seem very complicated... We think "AI" might become shorthand for many relatively simple logic trees, but it is overkill for the need.

09:25 📢 Ryan – “Jonathan and I were scheming in our cynical ways before the show, trying to figure out what’s the angle here? And I’m like, of course Amazon’s going to steer you to the largest, most expensive instance. And Jonathan’s like, no, no, it’s much more insidious.”

15:43 Amazon ECS on AWS Fargate now allows you to encrypt ephemeral storage with customer-managed KMS keys

  • You can now use customer-managed keys (CMKs) in KMS to encrypt data stored in Fargate task ephemeral storage.
  • Ephemeral storage is temporary space in Fargate that holds a task's temporary data. Previously, it was encrypted using AWS-owned keys.

15:48 📢 Ryan – “Fantastic, except for I don’t want to manage my own keys unless my customers absolutely make me.”

Re:Inforce

16:22 AWS Audit Manager extends generative AI best practices framework to Amazon SageMaker

  • First out of the gate for Re:inforce… AI. DUH.
  • The generative AI best practices framework in AWS Audit Manager now extends to Amazon SageMaker.
  • This framework simplifies evidence collection and enables you to continually audit and monitor the compliance posture of your generative AI workloads through 100 standard controls that are preconfigured to implement best practice requirements.
    • Some examples include gaining visibility into potential PII data that may not have been anonymized before being used in training models, validating that MFA is enforced to gain access to datasets, and periodically testing backup versions of customized models to ensure they are reliable before a system outage, among many others. 

18:10 Simplify AWS CloudTrail log analysis with natural language query generation in CloudTrail Lake (preview)

  • You can now use generative AI powered natural language query generation in AWS CloudTrail Lake, a managed data lake for capturing, storing, accessing, and analyzing AWS CloudTrail activity logs to meet compliance, security and operational needs.
  • Queries like “tell me how many database instances are deleted without a snapshot” or “How many errors were logged during the past month for each service and what was the cause of each error?”

09:25 📢 Ryan – “I mean, that said, having spent countless hours generating Athena queries and indexing, you know, this, I love this feature because this is really where I think generative AI is as helpful as that sort of last translation layer.”

21:05 Introducing Amazon GuardDuty Malware Protection for Amazon S3

  • Amazon is announcing the general availability of Amazon GuardDuty Malware Protection for S3, an expansion of GuardDuty malware protection that detects malicious files uploaded to selected S3 buckets.
  • Previously, malware protection only scanned EBS volumes attached to EC2 and container workloads.
  • GuardDuty malware scanning uses multiple AWS-developed and industry-leading third party malware scanning engines to provide malware detection without degrading the scale, latency and resiliency profile of Amazon S3.
  • Unlike many existing tools, this managed solution from GuardDuty does not require you to manage your own isolated data pipelines or compute infrastructure in each AWS account and region where you want malware analysis.
  • You can configure post-scan actions in GuardDuty, such as object tagging, to inform downstream processing, or consume the scan status information provided through Amazon EventBridge to implement isolation of malicious uploaded objects.
  • S3 objects get a predefined tag value such as NO_THREATS_FOUND, THREATS_FOUND, UNSUPPORTED, ACCESS_DENIED or FAILED.
  • You can find the results of the scan in the GuardDuty console.
  • Pricing is based on the GB volume of objects scanned and the number of objects evaluated per month. It comes with a limited AWS free tier, which includes 1000 requests and 1GB each month, for the first 12 months after account creation for new AWS accounts, or until June 11, 2025 for existing AWS accounts.
    • $0.60 per GB scanned and $0.215 per 1,000 objects evaluated.
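The isolation step the bullets describe, as an added example that is not from the show or from AWS: a handler that consumes the scan result from EventBridge and quarantines objects whose status is THREATS_FOUND while holding anything that could not be scanned. The event layout is my understanding of the published scan-result event, the quarantine bucket name is a placeholder, and the S3 client is injected so the logic runs offline.

```python
"""Act on a GuardDuty Malware Protection for S3 scan result (added example).

Assumptions: the event layout mirrors the "GuardDuty Malware Protection
Object Scan Result" EventBridge event as I understand it; the quarantine
bucket is a placeholder; `s3` is a boto3 S3 client passed in by the caller."""
from typing import Any

# The post-scan statuses named in the announcement, mapped to an action.
ACTIONS = {
    "NO_THREATS_FOUND": "release",   # safe for downstream consumers
    "THREATS_FOUND": "quarantine",   # isolate before anything reads it
    "UNSUPPORTED": "hold",           # could not be scanned (size/type)
    "ACCESS_DENIED": "hold",         # scanner lacked S3/KMS permission
    "FAILED": "hold",                # transient failure; rescan or review
}


def decide(event: dict) -> dict:
    """Extract the object identity and pick an action for one scan event.

    Anything unrecognised is held rather than released: an object that was
    never scanned must not be treated as clean."""
    detail = event["detail"]
    obj = detail["s3ObjectDetails"]
    result = detail.get("scanResultDetails", {})
    status = result.get("scanResultStatus", "FAILED")
    return {
        "bucket": obj["bucketName"],
        "key": obj["objectKey"],
        "version_id": obj.get("versionId"),
        "status": status,
        "threats": [t["name"] for t in result.get("threats", [])],
        "action": ACTIONS.get(status, "hold"),
    }


def handle(event: dict, s3: Any, quarantine_bucket: str) -> dict:
    """Lambda-style handler: move infected objects into an isolated bucket."""
    verdict = decide(event)
    if verdict["action"] == "quarantine":
        src = {"Bucket": verdict["bucket"], "Key": verdict["key"]}
        if verdict["version_id"]:
            src["VersionId"] = verdict["version_id"]
        # Keep a copy for responders, then remove it from the source bucket.
        # On a versioned bucket a plain delete only adds a delete marker, so
        # the VersionId is passed to remove the infected version itself.
        s3.copy_object(Bucket=quarantine_bucket,
                       Key=f"{verdict['bucket']}/{verdict['key']}",
                       CopySource=src)
        s3.delete_object(**src)
    return verdict


# Constructed sample event (not a real finding).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Malware Protection Object Scan Result",
    "source": "aws.guardduty",
    "detail": {
        "scanStatus": "COMPLETED",
        "resourceType": "S3_OBJECT",
        "s3ObjectDetails": {
            "bucketName": "example-uploads",
            "objectKey": "inbound/invoice.pdf",
            "versionId": "example-version-1",
        },
        "scanResultDetails": {
            "scanResultStatus": "THREATS_FOUND",
            "threats": [{"name": "EICAR-Test-File (not a virus)"}],
        },
    },
}
```

Pair this with a bucket policy that denies reads on objects not yet tagged clean, so the window between upload and scan completion is closed as well.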

22:37 📢 Jonathan – “It’s not terrible. But the kind of kicker about this though is that the types of organizations that would want to pay for something like that are the types of organizations that would want client -side encryption or something else which would completely prevent GuardDuty from scanning any of the objects that got uploaded.”

23:52 IAM Access Analyzer Update: Extending custom policy checks & guided revocation

  • Amazon is making IAM Access Analyzer more powerful by extending custom policy checks and adding easy access to guidance that will help you fine-tune your IAM policies. Both new features build on the custom policy checks and unused access analysis launched in 2023.
    • New custom policy checks use the power of automated reasoning. The new checks help you detect policies that grant access to specific, critical AWS resources or any type of public access.
    • Both checks are designed to be used ahead of deployment, possibly as part of your CI/CD pipeline, and will help you proactively detect updates that do not conform to your organization's security practices and policies.
    • Guided revocation: IAM Access Analyzer now gives you guidance that you can share with your developers so that they can revoke permissions that grant access which is not actually needed.
    • This includes unused roles, roles with unused permissions, unused access keys for IAM users, and unused passwords for IAM users.
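A pre-deployment gate of the kind the bullets describe, as an added example that is not from the show or from AWS: it runs the public-access check and the critical-resource check against a policy and fails the pipeline on any non-PASS result. The boto3 method names and the PASS/FAIL result field are my understanding of the Access Analyzer API, the CRITICAL_* values are placeholders, and the client is injected so the gate can be exercised offline with a stub (in a pipeline, pass boto3.client("accessanalyzer")).

```python
"""CI gate built on IAM Access Analyzer custom policy checks (added example).

Assumptions: `client` exposes check_no_public_access and
check_access_not_granted as boto3 does, each returning a dict with a
"result" of PASS or FAIL; the critical resources and actions below are
placeholders for what a given repo must never grant."""
import json
from typing import Optional

# What no policy in this repo may grant (placeholder ARNs, not real ones).
CRITICAL_RESOURCES = [
    "arn:aws:s3:::example-finance-ledger",
    "arn:aws:s3:::example-finance-ledger/*",
]
CRITICAL_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"]


def gate_policy(client, policy: dict, policy_type: str,
                resource_type: Optional[str] = None) -> list:
    """Return a list of (check, message) failures; an empty list means deploy.

    policy_type is IDENTITY_POLICY or RESOURCE_POLICY; resource_type (for
    example AWS::S3::Bucket) is only needed for resource policies."""
    doc = json.dumps(policy)
    failures = []
    # 1. Any form of public access? Only meaningful for resource policies.
    if policy_type == "RESOURCE_POLICY" and resource_type:
        r = client.check_no_public_access(policyDocument=doc,
                                          resourceType=resource_type)
        if r["result"] != "PASS":
            failures.append(("no-public-access", r.get("message", "")))
    # 2. Does it grant the critical actions on the critical resources?
    r = client.check_access_not_granted(
        policyDocument=doc,
        policyType=policy_type,
        access=[{"actions": CRITICAL_ACTIONS, "resources": CRITICAL_RESOURCES}],
    )
    if r["result"] != "PASS":
        failures.append(("access-not-granted", r.get("message", "")))
    return failures


def exit_code(failures: list) -> int:
    """Non-zero stops the pipeline; the reasons are printed for the developer."""
    for check, message in failures:
        print(f"FAIL [{check}]: {message}")
    return 1 if failures else 0


# Constructed bucket policy that both checks should reject: it is public
# and it reaches the ledger bucket.
BAD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-finance-ledger/*",
    }],
}
```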

24:43 📢 Justin- “And I’m really disappointed that they didn’t announce AI for IAM.

Because if any place I would want IAM with AI, it would be, or AI would be with IAM. If I could get the letters right.”

26:08 AWS adds passkey multi-factor authentication (MFA) for root and IAM users  

Passkeys enhance security and usability as AWS expands MFA requirements   

  • Passkeys have been added to the list of supported MFA methods for your root and IAM users.
  • In addition, AWS will enforce MFA on root users, starting with the most sensitive one: the root user of the management account in your AWS organization. The plan is to roll out this change to other accounts during the rest of the year.
  • Passkey is the general term for the credentials created for FIDO2 authentication.
  • A passkey is a pair of cryptographic keys generated on your client device when you register for a service or website. The key pair is bound to the web service's domain and is unique to each one.

27:54 📢 Justin – “It’s interesting. It’s really old technology, which is really funny. I mean, it’s like GVG things where the website provides you with something which is encoded or encrypted with your public key and you have to decrypt it and send it back again. And that’s been around for decades. It’s just funny that it’s only just getting to be adopted by the mainstream, like the dark web websites have been using this kind of technology for logins forever.”

29:59 AWS Cloud WAN introduces Service Insertion to simplify security inspection at global scale 

  • AWS is announcing service insertion, a new feature of AWS Cloud WAN that simplifies the integration of security and inspection services into cloud-based global networks. Using this feature, you can easily steer your global network traffic between Amazon VPCs, AWS regions, on-premises locations, and the Internet via security appliances or inspection services, using a central Cloud WAN policy or the AWS Management Console.
  • Customers deploy inspection services or security appliances such as firewalls, IDS/IPS and secure web gateways to inspect and protect their global cloud WAN traffic.  With Service Insertion, customers can easily steer multi-region or multi-segment network traffic to security appliances or services without having to create and manage complex routing configurations or third party automation tools. 
  • Using service insertion, you can define your inspection and routing intent in a central policy document and your configuration is consistently deployed across your Cloud WAN network. 

31:27 📢 Matthew – “Yeah, so they probably use something like a gateway load balancer and then from there out, because then the whole point of the gateway load balancer is really for like ISVs to leverage to solve that problem that you’re talking about.”

31:43 Amazon CloudWatch Application Signals for application monitoring (APM) is generally available 

  • AWS announces the GA of Amazon CloudWatch Application Signals, an OpenTelemetry (OTel) compatible application performance monitoring feature in CloudWatch that makes it easy to automatically instrument applications on AWS and track their performance against their most important business objectives or SLOs.
  • With no manual effort, no custom code, and no custom dashboards, Application Signals provides service operators with a pre-built, standardized dashboard showing the most important metrics for application performance: volume, availability, latency, faults and errors for each of their apps on AWS.

GCP

33:15 Introducing GKE Compliance: Maintain clusters and workloads against industry standards  

  • GKE is announcing a game-changing feature for GKE Enterprise customers: built-in, fully managed GKE Compliance within GKE Posture Management. Achieving and maintaining compliance for your Kubernetes clusters is now easier than ever before.
  • With GKE Compliance, you can easily assess your GKE clusters and workloads against industry standards, benchmarks and control frameworks, including:
    • CIS Benchmark for GKE, Pod Security Standards (PSS)
  • It also gives you a handy centralized dashboard, updated every 30 minutes, to make your reporting easy.

34:48 Boost developer productivity with new pipeline validation capabilities in Dataflow

  • Data engineers building batch and streaming jobs in Dataflow sometimes face a few challenges. Examples include:
    • User errors in their Apache Beam code sometimes go undetected until the job fails while it is already running, wasting engineering time and cloud resources.
    • Fixing the initial set of errors highlighted after a job failure is no guarantee of future success. Subsequent submissions of the same job may fail and highlight new errors that require additional fixes.
  • To solve this, Google is announcing pipeline validation capabilities in Dataflow.
  • Now, when you submit a batch or streaming job, Dataflow pipeline validation performs dozens of checks to ensure that your job is error free and can run successfully.
  • Once the validations are complete, you are presented with a list of identified errors, along with recommended fixes, in a single pane of glass, saving you the time you would previously have spent iteratively fixing errors in your Apache Beam code.

36:30 📢 Justin – “I’m just imagining every Jenkins pipeline or every CIC pipeline I’ve done where it’s like, okay, I built a pipeline. Now, how many commits does it take for me to get the pipeline to run?”

38:07 Move from always-on privileges to on-demand access with new Privileged Access Manager

  • Google is announcing that Google Cloud's built-in Privileged Access Manager (PAM) is now available for you to play with in preview.
  • PAM helps you achieve the principle of least privilege by ensuring your principals and other high-privilege users have an easy way to obtain precisely the access they need, only when required, and for no longer than required. PAM helps mitigate risk by allowing you to shift always-on standing privileges to on-demand privileged access with just-in-time (JIT), time-bound and approval-based access elevations.

38:36 📢 Ryan – “I think that this is something that will change the way we structure permissions. It’s a great compromise from the old Windows style where you had your two accounts, you know, where you had everyone shared the same password between the two accounts, but you know, you had two so it was separate. It’s cool.”

42:45 Oracle and Google Cloud Announce a Groundbreaking Multi Cloud Partnership

  • Oracle and Google today announced a partnership that gives customers the choice to combine OCI and Google cloud technologies to help accelerate their application migrations and modernization.
  • Leveraging Google Cloud's Cross-Cloud Interconnect, customers will be able to onboard in 11 global regions, allowing them to deploy general purpose workloads with no cross-cloud data transfer charges. Later this year, a new offering, Oracle Database@Google Cloud, will be available with the highest level of Oracle database and network performance along with feature and pricing parity with OCI.
  • Both companies will jointly go to market with Oracle Database@Google Cloud, benefitting enterprises globally and across multiple industries, including financial services, healthcare, retail, manufacturing and more.
  • “Customers want the flexibility to use multiple clouds,” said Larry Ellison, Oracle Chairman and CTO. “To meet this growing demand, Google and Oracle are seamlessly connecting Google Cloud services with the very latest Oracle Database technology. By putting Oracle Cloud Infrastructure hardware in Google Cloud datacenters, customers can benefit from the best possible database and network performance.”      
  • “Oracle and Google Cloud have many joint enterprise customers,” said Sundar Pichai, CEO of Google and Alphabet. “This new partnership will help these customers use Oracle database and applications in concert with Google Cloud’s innovative platform and AI capabilities.”
  • Customers can benefit from:
    • Flexible options to simplify and help accelerate migrating their Oracle databases to Google Cloud, including compatibility with proven migration tools such as Oracle Zero-Downtime Migration.
    • A simplified purchasing and contracting experience via Google Cloud Marketplace that enables customers to purchase Oracle database services using their existing Google Cloud commitments and leverage their existing Oracle license benefits, including Bring Your Own License (BYOL) and discount programs such as Oracle Support Rewards (OSR).
    • Unified customer experience and support from Google Cloud and Oracle.
    • The simplicity, security, and latency of a unified operating environment (datacenter) within Google Cloud to deploy the entire portfolio of Oracle database services, including Oracle Exadata Database Service, Oracle Autonomous Database Service, MySQL HeatWave, Oracle Database Zero Data Loss Autonomous Recovery Service, Oracle GoldenGate, and Oracle Data Safe.
    • Connecting their Oracle data with Google's industry-leading AI services, including Vertex AI and Gemini foundation models, to bring enterprise truth to AI applications and agents for customer service, employee services, creative studios, developer environments, and more.

47:11 📢 Justin – “Honestly, Amazon would be in the best interest of their customers. If they say they’re customer focused and obsessed – would offer a database service from Oracle that they manage and care for, it would be a better, better experience.”

Azure

48:25 Announcing Advanced Container Networking Services for your Azure Kubernetes Service clusters 

  • Azure is building on the successful open sourcing of Retina, its cloud native container networking observability platform, with a new offering called Advanced Container Networking Services. It's a suite of services built on top of existing networking solutions for AKS to address complex challenges around observability, security and compliance.
  • Advanced network observability is now available in public preview.
  • Advanced Container Networking Services is a suite of services built to significantly enhance the operational capabilities of AKS clusters. The suite is comprehensive and is designed to address the multifaceted and intricate needs of modern containerized applications.
  • The service brings the power of Hubble's control plane to both Cilium and non-Cilium Linux data planes. It unlocks Hubble metrics, the Hubble CLI and the Hubble UI on your AKS clusters, providing deep insights into your workloads.

49:31 📢 Ryan – “I mean, this speaks to the root of why I don’t like Kubernetes in general, which is like, I like workloads where you’re delegating responsibility boundaries and isolating things. And this type of networking in suite is because you’re hosting multiple workloads and multiple different business entities and all kinds of things on your Kubernetes clusters. And so you need this visibility.”

Oracle

51:29 Announcing FOCUS support for OCI cost reports to make multi cloud FinOps easier

  • Ahead of the FinOps X conference on June 20th/21st, Oracle is announcing that OCI Cost Reports now support FOCUS.
  • OCI is proud not only to be a contributor to the 1.0 version of the spec, but also to announce the general availability of supplemental cost reports in the FOCUS schema.

**Any listeners going to FinOps? Do you want stickers? Of course you do! Find Justin at FinOps on the show floor!**

52:53 Behind the scenes: Touchless cloud region build 

  • Oracle is trying to convince me that their datacenter regions aren't just semi trucks, with a full blog post on how they build their cloud regions touchless.
  • Much like serverless, somewhere someone touches it.
  • Their "foundation section" is called "first mile activities"... which is not helping with the truck assumptions.
  • But overall it's an infrastructure geek read about OCI infrastructure build-out, and if you're curious about how a cloud provider does it, this is an interesting read.

Cloud Journey Series

56:10 5 myths about platform engineering: what it is and what it isn’t PLUS

5 more myths about platform engineering: how it’s built, what it does, and what it doesn’t    

  1. MYTH: A developer portal and an internal developer platform are the same thing
  2. MYTH: We don’t need an internal developer platform
  3. MYTH: Platform engineering is “just advanced DevOps”
  4. MYTH: Platform engineering is “just automation”
  5. MYTH: Platform engineering is just the latest fad
  6. MYTH: Platform engineering eliminates the need for infrastructure teams
  7. MYTH: Introducing platform engineering will dramatically impact staffing costs
  8. MYTH: Adopting platform engineering today will quickly solve all my biggest problems
  9. MYTH: You should apply platform engineering practices to every application
  10. MYTH: All cloud services map to platform engineering

Closing

And that is the week in the cloud! Visit our website, the home of the Cloud Pod, where you can join our newsletter and Slack team, send feedback or ask questions at theCloudPod.net, or tweet at us with hashtag #theCloudPod
