Hava Blog and Latest News

In Cloud Computing This Week [Feb 17th 2023]

Written by Team Hava | February 17, 2023



How is it half way through Feb already? Lot's of big moves happening at Hava. We shipped a new version of our self hosted deployment this week. Lots more exciting updates are emerging from our dev pipeline, so stay tuned.

Here's the weekly cloud round up of all things Hava, GCP, Azure and AWS for the week ending Friday Feb 17th 2023.

All the lastest Hava news can be found on our Linkedin Newsletter.

Of course we'd love to keep in touch at the other usual places. Come and say hello on:

Facebook.      Linkedin.     Twitter.

AWS Updates and Releases

Source: aws.amazon.com

Request tracing for customizations now available for AWS Control Tower Account Factory for Terraform

AWS Control Tower now provides you with the ability to trace a customization request through the entire AWS Control Tower Account Factory for Terraform (AFT) workflow. With AFT, Terraform customers can automate the creation of fully functional accounts that grant them access to all the resources they need to be productive.

This feature enhancement allows customers to track where their customizations are in the pipeline and enables them to identify and troubleshoot issues more easily.

With this enhancement, AFT now generates a unique tracing token for every customization request. This token passes through the AFT customization AWS Step Functions state machine, which logs the token during execution.

Customers have access to Amazon CloudWatch Logs Insights queries where they can search for a time-stamp range and retrieve the request token. As a result, customers can see payloads that accompany the token and trace their customization requests through the entire workflow.

AWS Control Tower offers a streamlined way to set up and govern a new, secure, multi-account AWS environment that’s based on AWS best practices. To learn more about AFT, visit Overview of AWS AFT, or see the AWS Control Tower User Guide. This feature is available in all regions where AWS Control Tower is available.

Amazon Pinpoint now supports SMS and voice spending metrics in Amazon CloudWatch

Amazon Pinpoint now helps customers determine the amount spent for SMS and voice activity during the current month by providing visibility to SMS and voice spend metrics through the Amazon CloudWatch console.

Amazon CloudWatch is a monitoring service for AWS cloud resources that you can use to collect and track metrics, collect and monitor log files, and set alarms. With Amazon CloudWatch, users can view their Amazon Pinpoint month to date SMS or voice spend metrics, as well as analyze historical trends.

In addition to viewing spend metrics, customers can create Amazon CloudWatch alarms that send a notification when the monthly SMS or voice spend exceeds a specified amount.

Customers can configure the alarm in the Amazon CloudWatch console to deliver notifications by sending them to an Amazon Simple Notification Service (SNS) topic.

AWS WAF Captcha adds support for ten additional languages

AWS WAF Captcha helps block unwanted bot traffic by requiring users to successfully complete challenges before their web requests are allowed to reach AWS WAF-protected resources. WAF Captcha challenges are simple for humans while remaining effective against bots.

Starting this week, AWS WAF Captcha is adding ten additional languages - Arabic, German, Spanish, French, Italian, Dutch, Japanese, Portuguese, Turkish, and Chinese (simplified) - and is designed to meet WCAG accessibility requirements.

AWS WAF Captcha uses the client browser language settings to select the language of the challenge, so there is no additional configuration needed. In addition, you will see a new option to change the Captcha page language, if needed.

Amazon Managed Grafana now supports network access control

Amazon Managed Grafana now supports inbound network access control that helps you to restrict user access to your Grafana workspaces. Amazon Managed Grafana is a fully managed service for Grafana, a popular open-source analytics platform that enables you to query, visualize, and alert on your metrics, logs, and traces.

With this launch, you have granular security controls over the rollout of Grafana workspaces by defining customer-managed prefix lists and VPC endpoints to help you restrict the inbound network traffic that can reach your Grafana workspaces. 

Amazon Managed Grafana supports two modes for user and host access of your Grafana workspace: open access and restricted access. Open access is the default access setting for Grafana workspaces when there are no VPC endpoints or managed prefix list restrictions to reach your Grafana workspace URL; however, users must still authenticate with the configured identity provider(s) in order to log in to the workspace.

Restricted access mode enables you to specify the inbound network traffic that is allowed to reach your workspace. To restrict access, you can configure prefix lists to specify IP address ranges from which users and hosts can reach your Grafana workspace.

You can also create an interface VPC endpoints to allow AWS resources such as Amazon EC2 instances to access the Amazon Managed Grafana API to manage resources, or you can use a VPC endpoint as part of limiting network access to your Amazon Managed Grafana workspaces.

Amazon Cognito identity pool data events are now available in AWS CloudTrail

Amazon Cognito identity pools now publishes data events to AWS CloudTrail logs. Customers now have greater visibility into access-related activities for both guest and authenticated users of their applications.

Administrators can now configure Amazon CloudWatch Alarms to monitor specific activity on Amazon Cognito identity pools and react based on automated workflows.

Customers can record data events in AWS CloudTrail and gain better insight into the identity providers leveraged by users to access AWS resources with Amazon Cognito identity pools. AWS CloudTrail may charge for recording data events. 

Amazon Cognito makes it easier to add authentication, authorization, and user management to your web and mobile apps. Amazon Cognito can also be used to obtain temporary, limited-privilege AWS credentials to access AWS resources.

Amazon Cognito scales to millions of users and supports sign-in with social identity providers such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via standards such as SAML 2.0 and OpenID Connect.

Amazon Cognito identity pools events in AWS CloudTrail are now available in all commercial regions where Amazon Cognito identity pools are available. Pricing for AWS CloudTrail can be found here.

To learn more about this feature, visit the Amazon Cognito documentation page. To get started, visit the Amazon Cognito home page.

Amazon MQ adds AWS Key Management Service (AWS KMS) support for RabbitMQ brokers

Amazon MQ now supports the AWS Key Management Service (AWS KMS) to create and manage keys for at-rest encryption of customer data for RabbitMQ brokers. Amazon MQ handles the encryption and decryption seamlessly, so you don’t have to change your applications to access your data.

When you create a broker, you can now select the KMS key used to encrypt your data from the following three options: a KMS key in the Amazon MQ service account, a KMS key in your account that Amazon MQ creates and manages, or a KMS key in your account that you create and manage.

In addition to encryption at rest, all data transferred between Amazon MQ and client applications is securely transmitted using TLS/SSL.

Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easier to set up and operate message brokers in the cloud. Message brokers allow different software systems–often using different programming languages, and on different platforms–to communicate and exchange information.

With Amazon MQ, you can use industry standard APIs and protocols for messaging, including JMS, NMS, AMQP, STOMP, MQTT, and WebSocket. You can move from any message broker that uses these standards to Amazon MQ because you don’t have to rewrite any messaging code in your applications.

Amazon Elastic File System (Amazon EFS) is now available in the AWS Asia Pacific (Hyderabad) region

Customers can now create file systems using Amazon Elastic File System (Amazon EFS) in the AWS Asia Pacific (Hyderabad) Region.

Amazon EFS is designed to provide serverless, fully elastic file storage that lets you share file data without provisioning or managing storage capacity and performance. It is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files.

Because Amazon EFS has a simple web services interface, you can create and configure file systems quickly and easily. The service is designed to manage file storage infrastructure for you, meaning that you can avoid the complexity of deploying, patching, and maintaining complex file system configurations. 

AWS WAF Fraud Control - Account Takeover Protection now allows inspection of origin responses

AWS WAF Fraud Control - Account Takeover Protection (ATP) can now inspect origin responses, giving customers additional protection against brute force and credential stuffing attacks on their login pages.

Until today, ATP rules were limited to inspecting incoming login requests against a stolen credentials database, analyzing requests seen over time for username and password traversals, and then aggregating this data based on unique identifiers, such as IP address or session ID.

With this release, ATP managed rules can now also inspect application response data and block login attempts based on customer-defined login failure conditions. This capability helps to protect against brute force attacks involving non-compromised credentials.

You can specify success or failure conditions based on HTTP status codes, HTTP headers, or the body of responses as well as JSON strings. For example, you can configure ATP to inspect responses that include the HTTP response code 200 (success condition) or 401 (failure condition).

You can configure ATP to use these response conditions as additional signals to aggregate the number of failed login attempts per session or per IP address. Once a predefined threshold for failed logins per device is reached, ATP can block subsequent requests as a defense against brute force attacks.

AWS strongly recommend integrating with the application integration SDK for the most effective use of the ATP rule group.

Amazon EC2 X2iedn instances now available in Asia Pacific (Osaka) region

Starting this week, memory optimized Amazon EC2 X2iedn instances are available in Asia-Pacific(Osaka) region. X2iedn instances are powered by 3rd generation Intel Xeon Scalable Processors and delivers improvements in performance, price performance, and cost per GiB of memory compared to previous generation X1e instances.

X2iedn instances have a memory to vCPU ratio of 32:1 and are great fit for memory-intensive workloads such as databases and analytics, and big data processing engines. X2iedn instances are SAP-certified for running Business Suite on HANA, SAP S/4HANA, Data Mart Solutions on HANA, Business Warehouse on HANA, SAP BW/4HANA, and SAP NetWeaver workloads on any database. You can view the certification data for X2iedn on the Certified and Supported SAP HANA Hardware Directory.

X2iedn instances offer up to 80 Gbps bandwidth and 260K IOPS for Amazon Elastic Block Store (Amazon EBS), and are designed to meet the reliability needs of mission-critical workloads.

X2iedn is available in six different virtualized sizes, xlarge, 2xlarge, 4xlarge, 8xlarge, 16xlarge, 24xlarge and 32xlarge and as a bare metal instance. The X2iedn instance is built on the AWS Nitro System that offloads many of the traditional virtualization functions to dedicated hardware, delivering high performance, high availability, and highly-secure cloud instances. 

AWS Trusted Advisor fault tolerance check for Amazon MemoryDB for Redis is now available in 4 additional regions

The AWS Trusted Advisor fault tolerance check for Amazon MemoryDB for Redis is now generally available in 4 new regions: Asia Pacific (Hong Kong), Europe (Milan), China (Beijing, operated by Sinnet), and China (Ningxia, operated by NWCD). With this launch, the AWS Trusted Advisor fault tolerance check for MemoryDB is now available in all regions where MemoryDB is generally available. 

AWS Trusted Advisor evaluates customers’ AWS accounts with automated best practice checks and provides cloud optimization recommendations to reduce costs, improve performance, increase security, and monitor service quotas. 

The fault tolerance check for Amazon MemoryDB Multi-AZ Clusters alerts customers when they're running in a Single-AZ configuration and provides recommendations on how to enable Multi-AZ with automatic failover in their MemoryDB clusters.

By enabling Multi-AZ with automatic failover, customers benefit from minimal administrative intervention, improved fault tolerance, and enhanced availability of their Redis clusters. For more information, see Minimizing downtime in MemoryDB with Multi-AZ.

AWS Trusted Advisor fault tolerance check for Amazon ElastiCache for Redis is now available in all regions

The AWS Trusted Advisor fault tolerance check for Amazon ElastiCache for Redis is now generally available in 14 additional regions: AWS GovCloud (US-West), AWS GovCloud (US-East), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Melbourne), Asia Pacific (Hyderabad), Asia Pacific (Jakarta), Europe (Milan), Europe (Spain), Europe (Zurich), Middle East (Bahrain), Middle East (UAE), China (Beijing, operated by Sinnet), and China (Ningxia, operated by NWCD).

With this launch, the Trusted Advisor fault tolerance check for ElastiCache for Redis is now available in all AWS regions. AWS Trusted Advisor evaluates customers’ AWS account with automated best practice checks and provides cloud optimization recommendations to reduce costs, improve performance, increase security, and monitor service quotas. 

The fault tolerance check for Amazon ElastiCache Multi-AZ Clusters alerts customers when they're running in a Single-AZ configuration and provides recommendations on how to enable Multi-AZ with automatic failover in their ElastiCache clusters.

By enabling Multi-AZ with automatic failover, customers benefit from minimal administrative intervention, improved fault tolerance, and enhanced availability of their Redis clusters. For more information, see Minimizing downtime in ElastiCache with Multi-AZ.

Amazon Fraud Detector(AFD) launched AFD-Lists to optimize fraud prevention strategies

This week, Amazon Fraud Detector (AFD) announces the launch of AFD Lists feature. Lists allows you to reference a set of values in your AFD rules. Fraud risk teams commonly maintain lists of attributes, such as IP, email address, and devices fingerprints to allow/deny transaction as part of their fraud prevention and detection strategy.

With Lists, an organization can dynamically update these lists in real time, without re-publishing the rule.

Customers can take advantage of AFD's Lists feature by using a list of attribute values in a rule for specific actions, for example, blocking a payment from a known fraudster IP Address. Similarly, a list can be leveraged in an override rule to allow a payment to go through.

A list can contain up to 100,000 values, and can be of AFD supported variable-types such as email-address, IP-address, phone number, card-BIN, etc.

Amazon Fraud Detector (AFD) is a fully managed service that makes it easy to identify potentially fraudulent online activities, such as the creation of fake accounts or online payment fraud.

Using ML under the hood and based on over 20 years of fraud detection expertise from AFD automatically identifies potentially fraudulent activity in milliseconds—with no ML expertise required.

Amazon EC2 Dedicated Hosts now support automated maintenance on rare degradation

You now have the automated host maintenance feature available for your Amazon EC2 Dedicated Hosts. With automated host maintenance, in the rare event of degradation of a dedicated host, AWS will automatically reboot the EC2 instances running on it onto a newly allocated dedicated host during a scheduled maintenance event, to reduce your application’s downtime and offload undifferentiated heavy-lifting of host maintenance.

AWS regularly monitors the health of your hosts and the instances running on them. With automated host maintenance, in the rare event of a degradation or for planned EC2 maintenance, AWS will notify you, allocate a new host, and schedule a maintenance event for two weeks later to give you time to prepare.

During the maintenance event, AWS will reboot your instances on the replacement host and notify you if an instance cannot be moved. Along with reviewing the event details on the EC2 Events page or the AWS Health Dashboard, you can change the order of instance reboot or reschedule the event.

EC2 Dedicated Hosts simplify bringing your existing software licenses and workloads requiring a dedicated physical server to the cloud. Using your eligible software licenses that are bound to VMs, sockets, or physical cores on EC2 instances running on dedicated hosts, drives flexibility and cost-efficiency for your business.

In addition, with dedicated hosts you get the entire capacity of the physical server to launch different instance sizes and exercise granular placement control based on your business needs.

AWS Network Firewall now supports tag-based resource groups

AWS Network Firewall now supports tag-based resource groups to simplify management of your firewall rules. AWS Network Firewall is a managed firewall service that makes it easy to deploy essential network protections for all your Amazon VPCs.

With this launch, you can tag and filter AWS resources to centrally manage and reference sets of resources in your stateful firewall rules, instead of manually updating your rule groups every time you make changes to a set of resources.

Starting this week, you can organize and tag your EC2 instances and elastic network interfaces (ENI) as a resource group and reference the tag in your AWS Network Firewall rule groups.

Referencing tags for resource groups within AWS Network Firewall rule groups ensures your firewall rules are applied consistently as your resources change. Previously you needed to manually update individual firewall rules as you added, deleted, or modified your resources, which is time-consuming and hard to maintain.

Now AWS Network Firewall automatically updates your rule group with the IP addresses and CIDR ranges of the resources in the resource groups.

There is no additional cost to use tag-based resource groups in AWS Network Firewall. This feature is supported in all AWS Regions where AWS Network Firewall is available today, including the AWS GovCloud (US) Regions. For more information on availability, please see the AWS Region table.

Announcing increased AWS Resource Access Manager default quota values

AWS Resource Access Manager (AWS RAM) now supports higher default quotas to help you scale your resource sharing. AWS RAM helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs), and with AWS Identity and Access Management (IAM) roles and users for supported resource types.

For each AWS Region in an account, you can now share up to 25,000 resources and share resources with up to 25,000 principals. Additionally, you can create up to 25,000 resource shares per AWS Region in an account. For each individual resource share, you can share up to 5,000 resources and share resources with up to 5,000 principals.

Amazon Kinesis Data Streams for Amazon DynamoDB now supports AWS CloudFormation for Global Tables

Amazon Kinesis Data Streams for Amazon DynamoDB now supports AWS CloudFormation for DynamoDB global tables, which means you can enable streaming to an Amazon Kinesis data stream on your DynamoDB global tables with CloudFormation templates.

By streaming your DynamoDB data changes to a Kinesis data stream, you can build advanced streaming applications with Amazon Kinesis services. For example, Amazon Kinesis Data Analytics reduces the complexity of building, managing, and integrating with Apache Flink and provides built-in functions to filter, aggregate, and transform streaming data for advanced analytics.

You also can use Amazon Kinesis Data Firehose to take advantage of managed streaming delivery of DynamoDB table data to other AWS services such as Amazon OpenSearch Service, Amazon Redshift, and Amazon S3.

Global tables build on the global Amazon DynamoDB footprint to provide you with a fully managed, multi-Region, and multi-active database that delivers fast, local, read and write performance for massively scaled, global applications. Global tables replicate your DynamoDB tables automatically across your choice of AWS Regions.

AWS Resource Access Manager is now available in the AWS Asia Pacific (Melbourne) Region

Starting this week, AWS Resource Access Manager (AWS RAM) is available for use in the AWS Asia Pacific (Melbourne) Region.

AWS RAM helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs), and with AWS Identity and Access Management (IAM) roles and users for supported resource types.

For more information, visit the AWS RAM product page, and see the AWS Region Table for complete regional availability information.

Database Activity Streams now supports Amazon RDS for SQL Server

Database Activity Streams (DAS) now supports Amazon RDS for SQL Server to provide a near real-time stream of database activities for auditing and compliance purposes. You can integrate DAS with your monitoring tools in order to monitor and set alarms for auditing the database activity.

You can also connect Amazon Kinesis Data Stream to Amazon Kinesis Data Firehose to save stream logs in a user readable format to S3 . You can enable DAS with only a few clicks in the AWS Console to provide safeguards for your databases and help you meet compliance and regulatory requirements. 

To get started, your Database Administrator specifies the audit policies on a server or a database using the provided DAS objects. Then your Security Administrator starts DAS on your Amazon RDS for SQL Server database instance and provides an AWS Key Management Service (KMS) key for encryption.

The collection, transmission, storage and processing of database activity is managed outside your database, providing access control independent of your database users and admins. Your database activity is encrypted and then asynchronously sent to an Amazon Kinesis data stream provisioned on behalf of your Amazon RDS for SQL Server DB instance.

You can use AWS Identity and Access Management (IAM) to enable, disable, and modify DAS permissions in order to achieve separation of duties between security administrators and DBAs.

You can learn more about Amazon RDS Database Activity Streams for SQL Server in this database blog. To use DAS, you need to pay for Amazon Kinesis Data Streams and Amazon KMS. Pricing for Amazon Kinesis Data Streams is available here. Pricing for Amazon KMS is available here.   

ENA Express now supports 15 new EC2 Instances

ENA Express now supports 15 new instances including: C6i.32xlarge, C6i.metal, C6id.32xlarge, C6id.metal, M6i.32xlarge, M6i.metal, M6id.32xlarge, M6id.metal, R6i.32xlarge, R6i.metal, R6id.32xlarge, R6id.metal, i4i.32xlarge, i4i.metal, and im4gn.16xlarge. Customers using these instances today can now enable ENA Express with a simple configuration.

ENA Express is a networking feature that uses the AWS Scalable Reliable Datagram (SRD) protocol to improve network performance in two key ways: higher single flow bandwidth and lower tail latency for network traffic between EC2 instances. SRD is a proprietary protocol that delivers these improvements through advanced congestion control, multi-pathing, and packet reordering directly from the Nitro card. 

Enabling ENA Express is as easy as a single command or console toggle for your EC2 instances’ network configuration. Using the SRD protocol, ENA Express increases the maximum single flow bandwidth of EC2 instances from 5 Gbps up to 25 Gbps, and it can provide up to 85% improvement in P99.9 latency for high throughput workloads.

ENA Express works transparently to your applications with TCP and UDP protocols. When configured, ENA Express works between any two supported instances in an Availability Zone. ENA Express detects compatibility between your EC2 instances and establishes an SRD connection when both communicating instances have ENA Express enabled.

Once a connection is established, your traffic takes advantage of SRD and its performance benefits. Detailed monitoring for these SRD connections is also available through ethtool metrics available in the latest Amazon Linux AMI. 

Organizations-related condition keys for IAM policies now available in AWS China Regions

AWS Identity and Access Management (IAM) now supports the ability to refine permissions policies based on the organizational unit (OU) or organization ID in AWS Organizations of the principal or resource for IAM policies in the AWS China (Beijing) region, operated by Sinnet, and the AWS China (Ningxia) region, operated by NWCD. With these new IAM capabilities, you now can author IAM policies to enable your principals to access only resources inside specific OUs, or organizations.

The new capabilities include condition keys for the IAM policy language called aws:PrincipalOrgID, aws:PrincipalOrgPaths, aws:ResourceOrgID, and aws:ResourceOrgPaths. The new keys support a wide variety of services and actions, so you can apply similar controls across different use cases.

For example, consider an Amazon Simple Storage Service (Amazon S3) bucket policy that you want to restrict access to principals associated with AWS accounts inside of your organization. Now, you can use the aws:PrincipalOrgID condition and set the value to your organization ID in the condition element of your policy.

AWS announces new AWS Direct Connect location in Ashburn, Virginia

This week, AWS announced the opening of a new AWS Direct Connect location within the Digital Realty data center in Ashburn, Virginia. By connecting your network to AWS at this location, you gain private, direct access to all public AWS Regions (except those in China), AWS GovCloud Regions, and AWS Local Zones.

The new location is the thirty-seventh in North America and offers dedicated 1 Gbps, 10 Gbps, and 100 Gbps connections, with optional MACsec encryption available at 10 Gbps and 100 Gbps speeds.

The Direct Connect service enables you to establish a private, physical network connection between AWS and your data center, office, or colocation environment. These private connections can provide a more consistent network experience than those made over the public internet.

Using the Direct Connect SiteLink feature, you can send data between Direct Connect locations to create private network connections between the offices and data centers in your global network.

Amazon GameLift now supports publishing events to encrypted Amazon SNS topics

Amazon GameLift can now publish events to Amazon Simple Notification Service (Amazon SNS) topics that have server-side encryption (SSE) enabled, for additional protection of events that carry sensitive data. Amazon GameLift is a fully managed solution that allows you to manage and scale dedicated game servers for session-based multiplayer games.

With this release, customers can now enable server-side encryption to receive player matchmaking and game session queue notifications from the GameLift service.  

Notifications can be used to monitor the status of game placement requests as well as player matchmaking events within GameLift. With this release, GameLift customers can increase security on any sensitive player data included in these notifications by publishing to an encrypted Amazon SNS topic.

When you publish messages to encrypted topics, Amazon SNS immediately encrypts your messages. The encryption takes place on the server, using a 256-bit AES-GCM algorithm and an encryption key managed by the AWS Key Management Service (AWS KMS). Amazon SNS encrypted topics work with both customer managed keys and AWS managed keys.

Amazon GameLift events on Amazon SNS encrypted topics are available in regions: US East (Ohio and N. Virginia), US West (N. California and Oregon), Africa (Cape Town), Asia Pacific (Hong Kong, Mumbai, Seoul, Singapore, Sydney, Osaka, and Tokyo), Canada (Central), Europe (Frankfurt, Ireland, London, Milan, Paris, and Stockholm), Middle East (Bahrain), South America (São Paulo), AWS China (Beijing) Region, operated by Sinnet, and AWS China (Ningxia) Region, operated by NWCD, and now available in 8 Local Zones in Chicago, Houston, Dallas, Kansas City, Denver, Atlanta, Los Angeles, and Phoenix.

Amazon EventBridge event buses supports enhanced integration with AWS Service Quotas

Amazon EventBridge event buses now supports enhanced integration with AWS Service Quotas. Previously, you could use the AWS Service Quotas page to view the default quotas, applied quotas, and also request quota increases for Amazon EventBridge.

Now, with enhanced integration, your quota increase requests for limits such as PutEvents transactions-per-second, number of rules, and invocations per second among others will be processed within one business day or faster, enabling you to respond quickly to changes in usage. 

Amazon EventBridge event buses are a serverless event router that enables you to create scalable event-driven applications by routing events between your own applications, third-party SaaS applications, and other AWS services.

You can set up routing rules to determine where to send your events, allowing for application architectures to react to changes in your systems as they occur. Event buses makes it easier to build event-driven applications by facilitating event ingestion, delivery, security, authorization, and error handling.

Amazon EventBridge event buses enhanced integration with AWS Service Quotas is now available in all AWS Regions where Amazon EventBridge and AWS Service Quotas are available, including the AWS GovCloud (US) Regions, at no additional costs.

Workspot announces Cloud PCs powered by Amazon WorkSpaces Core

This week, Workspot announced Workspot Cloud PCs powered by Amazon WorkSpaces Core. You can now provision, deploy, and manage Workspot Cloud PCs powered by Amazon WorkSpaces Core directly from Workspot Control: your single global administration console.

You can also use your existing security, PC management tools, and Security Event and Incident Management (SIEM) solutions seamlessly extending your current desktop management processes to your new Cloud PCs. 

Workspot is an enterprise SaaS platform for delivering Cloud PCs and GPU cloud workstations for many industries, including AEC, financial services, legal, life sciences, healthcare, manufacturing, education and more.

Cloud PCs and workstations are placed in the cloud region nearest each end user for best performance.

Amazon GuardDuty now available in AWS Asia Pacific (Hyderabad) Region

Amazon GuardDuty is now available in the Asia Pacific (Hyderabad) Region. You can now continuously monitor and detect security threats in this additional region to help protect your AWS accounts, workloads, and data.

Customers across many industries and geographies use Amazon GuardDuty, including more than 90% of AWS’s 2,000 largest customers. GuardDuty continuously monitors for malicious or unauthorized behavior to help protect your AWS resources, including your AWS accounts, EC2 workloads, access keys, EKS clusters, and data stored in Amazon S3 and Amazon Aurora.

GuardDuty can identify unusual or unauthorized activity like crypto-currency mining, access to data stored in S3 from unusual locations, or unauthorized access to Amazon Elastic Kubernetes Service (EKS) clusters. GuardDuty Malware Protection adds file scanning for workloads utilizing Amazon Elastic Block Store (EBS) volumes to detect the presence of malware.

GuardDuty continually evolves its techniques to identify indicators of compromise, such as updating machine learning (ML) models, adding new anomaly detections, and growing integrated threat intelligence to identify and prioritize potential threats.

Programmatically manage enabled and disabled opt-in AWS Regions on AWS accounts

This week, AWS are making it easier for customers to view and manage enabled and disabled opt-in AWS Regions on their AWS accounts using the AWS Command Line Interface (CLI) and AWS Software Development Kit (SDK).

They previously released the Accounts SDK that enables customers to programmatically manage both primary and alternate contact information for their accounts. Starting today, customers can use the same SDK to additionally enable and disable opt-in AWS Regions, saving them the time and effort of doing it through the AWS Management Console.

Additionally, for customers using AWS Organizations, Organization administrators can now centrally manage the status of opt-in AWS Regions for all member accounts using the management account.

Amazon VPC Announces General Availability of Resource Map in AWS Management Console

Amazon VPC announces general availability of Resource Map, a tool that displays all your VPC resources and their connections in a visual format on a single page, providing you a clear understanding of your VPC architecture.

Resource map shows interconnections between resources within a VPC and the flow of traffic between subnets, NAT gateways, internet gateway and gateway endpoints. With resource map, you can better understand the architecture of your Amazon VPC, view the number of subnets, see which subnets are associated with which route tables, and observe which route tables have routes to NAT Gateways, internet gateways, and gateway endpoints, all in a single diagram.

Additionally, you can navigate directly to the displayed resources to make edits. Resource map makes it easier to identify any undesirable configurations, facilitates appropriate edits, and provides a visual representation of the changes in relation to other configurations within your Amazon VPC.

Amazon RDS for PostgreSQL now supports tcn extension

Amazon Relational Database Service (Amazon RDS) for PostgreSQL now supports the tcn extension which provides a trigger function that allows you to asynchronously notify listeners of changes to a table.

PostgreSQL extensions are libraries that supply extra functions, operators, or data types to the core database engine. tcn, or triggered change notification, is a function that generates NOTIFY events on changes to data in specified tables.

This is useful for applications that need to take action on data changes in near-real time such as updating displays of information or cached data. Please see the list of supported extensions in the Amazon RDS User Guide for specific versions.

Amazon RDS for PostgreSQL makes it simple to set up, operate, and scale PostgreSQL deployments in the cloud.

Amazon Elastic Container Service improves accuracy of Service Load Balancing

Amazon Elastic Container Service (Amazon ECS) has improved the accuracy of Elastic Load Balancing (ELB) for Amazon ECS services. Load balancing on Amazon ECS now more accurately routes traffic to running tasks as tasks will be deregistered from the ELB before they enter a stopped state.

Furthermore, with these improvements, Amazon ECS also helps your services running on the Fargate Spot capacity provider be more resilient to Spot termination notices.

Amazon ECS can be configured to integrate with ELB to distribute traffic evenly across the tasks in your service. Amazon ECS has improved its ability to properly de-register tasks from the load balancer’s target group, thereby reducing the potential for transient errors should traffic be routed to stopped tasks.

With this improvement a task is now deregistered from the ELB before the task enters a stopped state, leading to both improved accuracy for traffic routing and a material reduction in traffic routing errors experienced by Amazon ECS customers.

Additionally, Amazon ECS will now deregister your task running on Fargate Spot, if it receives a spot termination notice, before issuing a SIGTERM message to inform the task that it needs to stop. This improvement helps you manage spot interruption of tasks running on the Fargate Spot capacity provider more safely.


Google Cloud Releases and Updates
Source: cloud.google.com


AlloyDB for PostgreSQL

Continuous backup and recovery is in Preview. This feature protects your clusters from data-loss events by letting you recover their data from any moment within a configurable window.

Anthos Clusters on VMware


Anthos clusters on VMware 1.13.5-gke.27 is now available. To upgrade, see Upgrading Anthos clusters on VMware. Anthos clusters on VMware 1.13.5-gke.27 runs on Kubernetes 1.24.9-gke.2500.

The supported versions offering the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware are 1.14, 1.13, and 1.12.

  • Updated the Ubuntu image to ubuntu-gke-op-2004-1-13-v20230201 using node kernel version

  • Instead of ignoring snapshots files with empty content, AWS save their names in a new file named empty_snapshots.

During preflight checks and cluster diagnosis, AWS now skip PVs and PVCs that use non-vSphere drivers.

App Engine standard environment Go

The Go 1.20 runtime for App Engine standard environment is now available in preview.

Artifact Registry


Artifact Registry remote repositories and virtual repositories are now in Preview. These features help you to optimize your build and deployment workflows.

  • Remote repositories cache artifacts from external sources, including Docker Hub, Maven Central, PyPI, and the npm registry.
  • Virtual repositories provide a single access point to download artifacts from multiple remote or standard repositories. Each upstream repository has a set priority to protect against issues with dependency confusion.


The documentation for how to create and run a job has been split into the following pages:



You can now make a dataset and the tables in that dataset case-insensitive when you create a dataset or alter a dataset. This feature is generally available (GA).

In the Explorer pane, the resource corresponding to the focused tab is now selected. This feature is generally available (GA).

In the Explorer pane, you can now see all the resources in the searched resource's level by clicking Show more. This feature is generally available (GA).

You can now create materialized views over BigLake metadata cache-enabled tables to reference structured data stored in Cloud Storage. This feature is in preview.



The following supported default parsers have changed. Each is listed by product name and ingestion label, if applicable.

  • 1Password (ONEPASSWORD)
  • Atlassian Jira (ATLASSIAN_JIRA)
  • AWS GuardDuty (GUARDDUTY)
  • Azure AD Directory Audit (AZURE_AD_AUDIT)
  • Azure AD Organizational Context (AZURE_AD_CONTEXT)
  • Carbon Black (CB_EDR)
  • Cisco Stealthwatch (CISCO_STEALTHWATCH)
  • Cloudflare WAF (CLOUDFLARE_WAF)
  • CrowdStrike Detection Monitoring (CS_DETECTS)
  • CrowdStrike Falcon (CS_EDR)
  • Cybereason EDR (CYBEREASON_EDR)
  • DigitalArts i-Filter (DIGITALARTS_IFILTER)
  • F5 ASM (F5_ASM)
  • Google Chrome Browser Cloud Management (CBCM) (N/A)
  • Imperva (IMPERVA_WAF)
  • Imperva Database (IMPERVA_DB)
  • Linux Auditing System (AuditD) (AUDITD)
  • Microsoft AD FS (ADFS)
  • Microsoft Graph API Alerts (MICROSOFT_GRAPH_ALERT)
  • Mobileiron (MOBILEIRON)
  • Netskope Web Proxy (NETSKOPE_WEBPROXY)
  • Palo Alto Cortex XDR Events (PAN_CORTEX_XDR_EVENTS)
  • Palo Alto Networks Firewall (PAN_FIREWALL)
  • Samba SMBD (SMBD)
  • Sentinelone Alerts (SENTINELONE_ALERT)
  • SentinelOne Deep Visibility (SENTINEL_DV)
  • SentinelOne EDR (SENTINEL_EDR)
  • SonicWall (SONIC_FIREWALL)
  • Trend Micro AV (TRENDMICRO_AV)
  • VMware vCenter (VMWARE_VCENTER)
  • Windows DNS (WINDOWS_DNS)
  • Windows Event (WINEVTLOG)

For details about changes in each parser, see Supported default parsers.

Cloud Composer

Cloud Composer 1.20.6 and 2.1.6 release started on February 14, 2023. Get ready for upcoming changes and features as GCP roll out the new release to all regions. This release is in progress at the moment. Listed changes and features might not be available in some regions yet.

(Cloud Composer 2) The default version of Airflow is changed to 2.4.3.

(Cloud Composer 2) Fixed the problem where the Composer Agent Kubernetes workload generated warnings about failed pods during the environment creation.

Fixed environment upgrade checks that were failing for environments in some Cloud Composer 2 versions.

Cloud Functions

Cloud Functions has added support for a new runtime, Go 1.20, at the Preview release level.

Cloud Interconnect 

Dataplane v2 for Cloud Interconnect is fully available for customers using Dedicated Interconnect or Partner Interconnect in the following regions:

  • us-west1 (Oregon)
  • europe-west4 (Netherlands)

All new VLAN attachments that you create in these regions are automatically provisioned on Dataplane v2. Existing VLAN attachments for these regions can be migrated to Dataplane v2. You can migrate existing attachments yourself by re-creating the attachments, or you can request and schedule an assisted migration. Contact Google Cloud Support for assistance.

For the list of all regions that are Dataplane v2-enabled, see the Locations table (Dedicated Interconnect) or Supported service providers (Partner Interconnect).

Cloud Logging

Version 2.25.1 of the Ops Agent introduces health checks. When the Ops Agent starts, it performs a series of checks for conditions that prevent the agent from running correctly. If the agent detects one of the conditions, it writes a message to its health-check log and exits. For more information, see Find Ops Agent troubleshooting information.

Cloud Monitoring

Version 2.25.1 of the Ops Agent introduces health checks. When the Ops Agent starts, it performs a series of checks for conditions that prevent the agent from running correctly. If the agent detects one of the conditions, it writes a message to its health-check log and exits. For more information, see Find Ops Agent troubleshooting information.

The Ops Agent now provides Preview support for NVIDIA GPU metrics, including metrics reported from the NVIDIA Management Library (NVML) and the Data Center GPU Manager (DCGM).

When you install the GPU-enabled version of the Ops Agent, NVML metrics are collected automatically. DGCM metrics are available as a third-party integration. For information about configuring the integration, see NVIDIA Data Center GPU Manager. The reference document for Ops Agent metrics includes tables for the NVML metrics and the DCGM metrics.

You can now configure uptime checks to include a user-defined content-type header. For more information, see the customContentType field of the UptimeCheckConfig structure.

Cloud Run

You can now deploy public container images from Docker Hub to Cloud Run.

Cloud Spanner

The Cloud Spanner regional endpoints feature has been moved to a future release. It is not currently available.

As of this week, the list compute price for the following 9-replica Spanner multi-region configurations has been reduced: nam-eur-asia1 and nam-eur-asia3. For more details, see Cloud Spanner pricing.

Compute Engine

Preview: C3 VMs are now available in the following regions:

  • Council Bluffs, Iowa, North America : us-central1
  • Ashburn, Virginia, North America: us-east4
  • Eemshaven, Netherlands, Europe : europe-west4

Preview: You can now use a GPU-enabled Ops Agent to track GPU utilization and GPU memory usage rates for Linux virtual machine instances that have attached GPUs.

Through an available integration with NVIDIA's Data Center GPU Manager (DCGM), you can also track metrics such as Streaming Multiprocessor (SM) block utilization, SM occupancy, SM pipe utilization, PCIe traffic rate, and NVLink traffic rate.

For more information, see Monitoring GPU performance on Linux VMs.

Tau T2A VMs now support secure boot.


Dialogflow CX added regional support for some system entities. The following system entities:

  • @sys.person
  • @sys.address
  • @sys.geo-city
  • @sys.geo-country
  • @sys.geo-state

are now available in the following regions for English (en), French (fr), Italian (it), German (de), and Spanish (es) languages:

  • europe-west1
  • europe-west2
  • europe-west3
  • northamerica-northeast1

ReCAPTCHA Enterprise

reCAPTCHA Enterprise account defender is now generally available (GA).

You can use this feature to detect and prevent account-related fraudulent activities.

Resource Manager

The organization restrictions feature has entered General Availability. The organization restrictions feature helps security administrators to prevent data exfiltration due to phishing or insider attacks. The organization restrictions feature restricts access only to resources in authorized Google Cloud organizations. For more information, see Introduction to organization restrictions.

Transcoder API

Validation checks added for segmentDuration and gopDuration for all video codecs as outlined in the documentation. This change was released earlier this month

Vertex AI Prediction

Pre-built PyTorch containers for serving predictions from PyTorch models is generally available (GA).

Vertex AI Matching Engine now supports Private Service Connect in Preview. To learn how to set up a a Private Service Connect instance, see Using Private Service Connect.


Microsoft Azure Releases And Updates
Source: azure.microsoft.com


Public preview: Serverless Hyperscale in Azure SQL Database

Automatically scale compute based on workload demand using serverless for Hyperscale in Azure SQL Database.

Generally Available: Azure Functions Linux Elastic Premium plan increased maximum scale-out limit

Maximum scale-out limits for Functions Linux Premium plans have been increased in several regions

Generally Available: Availability zones support for Azure Functions in new regions

 You can now use Availability Zones with Azure Functions in Norway East, South Africa North, Switzerland North, and UAE North.

Generally Available: Durable Functions support for .NET isolated model

 Durable Functions support for .NET 7.0 running in the isolated worker process is now generally available.


Public Preview: Azure Communication Services Chat for Bot Framework

Build conversational AI experiences with Azure Communication Services. Use virtual chat agents to manage growing customer service needs and provide in-chat intelligence with the help of smart assistants.

Public preview: Major version upgrade in Azure Database for PostgreSQL – Flexible Server

 Eliminate the need to set up new servers and complete manual upgrades with in-place major version upgrade for Azure Database for PostgreSQL – Flexible Server.

General availability: Encryption using CMK for Azure Database for PostgreSQL – Flexible Server

Use infrastructure encryption to add an additional layer of encryption for data at rest using customer-managed keys

Public preview: VBS enclaves for Always Encrypted in Azure SQL Database

VBS enclaves enable you with the flexibility to use Always Encrypted with secure enclaves in all Azure SQL Database offerings.


Public Preview: Jobs API to support bulk import in Azure Digital Twins

Public preview for bulk import support for Azure Digital Twins


Public preview: Cluster key index in Azure Cosmos DB for Apache Cassandra

Improve application performance by creating indexes on your cluster key index and run faster queries in Azure Cosmos DB for Apache Cassandra.


Azure SQL—General availability updates for mid-February 2023

General availability enhancements and updates released for Azure SQL in mid-February 20223

General availability: Azure Active Directory for Azure Database for PostgreSQL – Flexible Server

Use Azure Active Directory-based authentication methods using Azure Active Directory principals, managed identities, and groups to connect and access Azure Database for PostgreSQL - Flexible Server.

General availability: Improved geo-replication for Azure Cache for Redis

Utilize new functionality that makes passive geo-replication more seamless and transparent.


Public Preview: SDK type bindings

Azure Functions .NET isolated worker now supports blob triggers and input bindings.

Generally available: Azure Functions support for Python 3.10

You can now develop Python 3.10 apps locally and deploy them to all Azure Functions plans.

Public preview: Python 3.10 Support

Azure Static Web Apps now supports building and deploying full-stack Python 3.10 applications.

Public preview: Upgrade scheduler

Use the upgrade scheduler feature instead of the planned maintenance feature for more flexibility.

Public Preview: Import Jobs API Support in Azure Digital Twins

Public preview for bulk import support for Azure Digital Twins

Public preview: Azure Digital Twins connector for Microsoft Power Platform

Azure Digital Twins connector for Microsoft Power Platform in Public Preview


Have you tried Hava automated diagrams for AWS, Azure, GCP and Kubernetes.  Get back your precious time and sanity and rid yourself of manual drag and drop diagram builders forever.

Not knowing exactly what is in your cloud accounts, or those of your client's can be a worry. What exactly is running in there and what is it costing? What obsolete resources are you still being charged for? What legacy dev/test environments can be switched off? What open ports are inviting in hackers? You can answer all these questions with Hava.
Hava automatically generates accurate fully interactive cloud infrastructure and security diagrams when connected to your AWS, Azure, GCP accounts or stand alone K8s clusters. Once diagrams are created, they are kept up to date, hands free. 

When changes are detected, new diagrams are auto-generated and the superseded documentation is moved to a version history. Older diagrams are also interactive, so can be opened and individual resources inspected interactively, just like the live diagrams.
Check out the 14 day free trial here (No credit card required and includes a forever free tier):