This week's roundup of all the cloud news.
Hi folks, this week, we've read all the cloud computing news from the big three; AWS, Azure and GCP again, so you don't have to.
Here at Hava we continued to improve and refine our AWS Infrastructure Diagram automation as well as the Azure and GCP variants.
Amazon Fraud Detector now GA
Amazon Fraud Detector is now generally available to all AWS customers.
Amazon Fraud Detector is a fully managed service that makes it easy to identify potentially fraudulent online activities, such as the creation of fake accounts or online payment fraud. Amazon Fraud Detector uses machine learning (ML) and 20 years of fraud detection expertise from AWS and Amazon.com to automatically identify potentially fraudulent activity so you can catch more online fraud faster.
Amazon Fraud Detector handles the heavy lifting of ML for you - in just a few clicks you can create a fraud detection model, with no prior machine learning experience required.
Amazon Elasticsearch now supports Tableau and Excel Integration
Amazon Elasticsearch Service now facilitates connecting Amazon ES with two of the most powerful business intelligence and data visualization applications, Tableau and Microsoft Excel. To achieve this, AWS this week introduced Amazon ES- Tableau integration and the Amazon ES- Excel integration in Open Distro for Elasticsearch SQL Engine on Amazon Elasticsearch Service.
Open Distro for Elasticsearch SQL Engine on Amazon Elasticsearch Service allows the use of Structured Query Language (SQL) to manifest search results in a tabular format with documents represented as rows, fields as columns, and indexes as table names, respectively, in the WHERE clause. It is powered by Open Distro for Elasticsearch, an Apache 2.0 licensed distribution of Elasticsearch. One of the key features of this engine is the Open Database Connectivity (ODBC) driver to help connect Amazon ES to various business intelligence (BI) and analytics applications. AWS have expanded the capabilities of the ODBC driver via new integrations with business intelligence (BI) and data visualization applications such as Tableau and Microsoft Excel.
S3 features now available in the AWS toolkits for Visual Studio Code
Using the AWS Toolkit for VS Code, AWS customers can now access Simple Storage Service (S3) resources and CloudWatch Logs in their account using the AWS Explorer view in the code editor. S3 integration makes it easy for customers to access S3 buckets and S3 objects in those buckets without leaving the VS Code interface. All CRUD (create, read, update, delete) operations for S3 can be performed: Creating objects in buckets, adding folders to buckets, deleting objects, and viewing the contents of objects.
The AWS Toolkit for VS Code is an open-source plugin that lets you leverage the integrated development environment (IDE) for the creation, debugging, and deployment of software applications on Amazon Web Services. The AWS Toolkit extension shows resources in your AWS account through the AWS Explorer view. This interface option enables you to interact with an array of AWS services to carry out tasks such as viewing S3 resources, opening CloudWatch logs, and invoking Lambda functions.
AWS Codebuild now supports parallel and coordinated builds
AWS CodeBuild now supports the execution of concurrent and coordinated builds of a project with “Batch” builds. Batch builds support the configuration and ordering of build executions with either a configuration list, configuration matrix, or a dependency-graph of build definitions. They’re intended for customers targeting different platforms or executing builds that depend on each other to produce artifacts.
Before Batches, executing a group of builds involved configuring separate projects or build executions and then orchestrating them using technologies such as AWS Lambda or AWS Step Functions service integration for CodeBuild. Now, with Batch Builds, customers can configure a single project for multiple build executions and rely on CodeBuild to perform the orchestration.
AWS Firewall Manager now supports centralized AWS WAF Logs
AWS Firewall Manager (FMS) now allows you to configure logging on your AWS WAF web ACLs centrally using an FMS policy. When you set up an FMS policy for AWS WAF, you can now enable logging on web ACLs for all the in-scope accounts and have the logs centralized under a single account.
After you enable centralized logging, logs from each web ACL are delivered to a single storage destination of your choosing through Kinesis Data Firehose. The logs provide information such as timestamp, AWS resource name, action taken by AWS WAF, and request details.
This feature makes it easier to enable logging for AWS WAF across multiple accounts and web ACLs through a single FMS policy. This feature will be supported for Firewall Manager policies configured for the latest version of AWS WAF.
AWS Cloud Map now allows registration by EC2 Instance ID
You can now register Amazon EC2 instances in AWS Cloud Map by providing EC2 instance identifiers instead of the IP address when using HTTP namespaces. AWS Cloud Map is a cloud resource discovery service. Using AWS Cloud Map, you can define custom names for your application resources, such as Amazon EC2 instances, Amazon ECS tasks, Amazon S3 buckets, or any other cloud resource.
Your application can then discover the location and metadata of cloud resources associated with these custom names via AWS SDK or by making authenticated API calls.
Previously, to register Amazon EC2 instances in AWS Cloud Map, you had to provide IP addresses on registration API calls. Now you can simplify registration of Amazon EC2 instances in AWS Cloud Map by submitting the EC2 identifiers instead of IP addresses. AWS Cloud Map will automatically return the private IP addresses of registered Amazon EC2 instances when you make discovery API calls.
AWS Security Hub launches 7 new automated security controls
AWS Security Hub has released 7 new automated security controls for the AWS Foundational Security Best Practices standard and 12 new controls to their Payment Card Industry Data Security Standard (PCI DSS).
The new controls for the Foundational Security Best Practices standard are:
- Amazon S3 buckets should require requests to use Secure Socket Layer;
- Amazon SageMaker notebook instances should not have direct internet access;
- AWS Database Migration Service replication instances should not be public;
- Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT;
- AWS Auto scaling groups associated with a load balancer should use load balancer health checks;
- Stopped EC2 instances should be removed after a specified time period; and Amazon VPC flow logging should be enabled in all VPCs.
The new automated controls for PCI DSS include 2 controls for Amazon EC2, 2 for AWS Systems Manager, 1 for Amazon Elastic Load Balancing, 1 for AWS Database Migration Service, 1 for Amazon SageMaker, 2 for Amazon S3, 1 for Amazon GuardDuty, and 2 for AWS IAM.
AWS Systems Manager Quick Setup now integrates with AWS Organisations
AWS Systems Manager Quick Setup now integrates with AWS Organizations to allow you to easily enable visibility and control of your instances across AWS accounts and Regions. Now, with just a few clicks, you can enable operations best practices across your organization, such as patch compliance scanning and instance inventory collection.
With this launch you can use Quick Setup to automate your Systems Manager instance setup across your organization or for specific organization units, using your AWS Organizations master account.
You can also keep your SSM Agents up to date across your organization. You can then easily enable best practice capabilities across your AWS accounts and Regions, such as scanning for patches, collecting software inventory, and installing and configuring the Amazon CloudWatch agent.
These best practices provide continuous visibility into the security and compliance of your instances from the time they are launched. Once enabled, you can automatically view your compliance against these best practices across your organization from the Systems Manager operations dashboard, Explorer.
Systems Manager Quick Setup support for AWS Organizations is available in US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), and South America (São Paulo) AWS Regions.
Amazon VPC Resources now support Tag on Create
You can now add tags to your Amazon Virtual Private Cloud (VPC) resources while creating the resource. These resources are VPCs, Subnets, Network Interfaces, Security Groups, Network ACLs, Route Tables, Internet Gateways, Egress-only Internet Gateways, DHCP Option Sets and VPC Peering Connections.
Tags are simple key-value pairs that you can assign to resources to easily organize, search, and identify resources, create cost allocation reports, and control access to resources. By tagging resources at the time of creation, you can eliminate the need to run custom tagging scripts after resource creation.
https://aws.amazon.com/about-aws/whats-new/2020/07/amazon-vpc-resources-support-tag-on-create/
Azure Portal enables easy deployment and management of Windows Virtual Desktop
In April 2020, Azure released the public preview of Azure portal integration which made it easier to deploy and manage Windows Virtual Desktop. They also announced a new audio/video redirection (A/V redirect) capability that provided seamless meeting and collaboration experience for Microsoft Teams.
This week they announced that both the Azure portal integration and A/V redirect in Microsoft Teams are now generally available.
NFS 3.0 support for Azure Blob storage in preview
According to Microsoft, many enterprise and organizations are moving their data to Microsoft Azure Blob storage for its massive scale, security capabilities, and low total cost of ownership. At the same time, they continue running many apps on different storage systems using the Network File System (NFS) protocol. Companies that use different storage systems due to protocol requirements are challenged by data silos where data resides in different places and requires additional migration or app rewrite steps.
To help break down these silos and enable customers to run NFS-based applications at scale, Azure are announcing the preview of NFS 3.0 protocol support for Azure Blob storage. Azure Blob storage is the only storage platform that supports NFS 3.0 protocol over object storage natively (no gateway or data copying required), with object storage economics, which is essential for our customers.
https://azure.microsoft.com/en-us/blog/nfs-30-support-for-azure-blob-storage-is-now-in-preview/
Google introduces Cloud Armour Managed Protection Plus, Named IP Lists and new RFI, LFI & RCE WAF Rules
Cloud Armor Managed Protection Plus leverages the edge of Google’s network, as well as a set of products and services from across Google Cloud, to help protect your applications from DDoS attacks and targeted exploit attempts.
With Managed Protection, you can now benefit from the same scale and expertise Google employs to protect your applications and mission critical services from malicious activity on the internet.
Named IP Lists, now in beta, are Google-curated rule sets containing a pre-configured list of IP addresses that can be referenced and reused across policies and projects. They’re starting with providing Named IP Lists that have source IP ranges for common upstream service providers that many of our users would want to allow through their Cloud Armor security policies.
As part of our effort to expand the scope of the pre-configured WAF rules to all Cloud Armor customers, we are making RFI, LFI, and RCE rules available as a beta. Collectively, these rules contain industry standard signatures from the ModSecurity core Rule Set to help mitigate the Command Injection class vulnerabilities while enhancing the out-of-the-box coverage for OWASP Top 10 vulnerabilities as well.
GCP Private Service Connect
This week Google were excited to announce Private Service Connect in alpha, which allows you to connect and consume first- and third-party as well as customer-owned services easily and privately. It creates service endpoints in consumer VPCs that provide private connectivity and policy enforcement, allowing you to easily connect services across different networks and organizations.
Private Service Connect abstracts the underlying infrastructure for both the teams consuming and delivering services, making it easier for you to use value-added services. With Private Service Connect, traffic stays private and secure over Google’s global network
https://cloud.google.com/blog/products/networking/introducing-private-service-connect
Upcoming Events: 
Best Practices in deploying stateless containers on EC2 Spot - How to save up 90% of EC2 Costs - Webinar
Thu 6th August 11:00am - 12:30PM Aust EST
Are you a builder looking for ways to accelerate your modernisation of your workloads at a lower cost? Find out how to save 90% of your EC2 compute costs by using container services like Amazon ECC/EKS, Fargate and Kubernetes.
In this webinar, you will hear from AWS experts on integrate Amazon EC2 Spot into your workloads with minimal engineering effort to save up to 90% of your compute costs plus deep dive into best practices for deploying stateless containers. Join your fellow developer peers and connect with AWS with a live Q&A plus get hands-on with our virtual demos, built to enable you to implement change and acceleration in your business.
https://pages.awscloud.com/deploying-stateless-containers-ec2-spot.html
AWS Container Day at KubeCon
Start off your KubeCon 2020 with AWS at Container Day on August 17th. In this full-day virtual event, AWS will cover how Amazon EKS makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS. Virtual sessions throughout the day will consist of technical deep dives, product demos, and product announcements. The AWS Kubernetes team will be streaming on Twitch all day, ready to answer your questions.
To attend the event and live chat with session presenters and AWS experts, register here.
AWS will be hosting Container Day on August 19th and 24th in APAC and EMEA-friendly timezones if you can’t make it on August 17th. To attend the APAC day on August 19th, register here. To attend the EMEA day on August 24th, register here. These additional events will be rebroadcasts, but our experts will be moderating live to chat and answer questions!
To get in touch with the event team, please reach out to awscontainerday@amazon.com.
Agenda
| 8:00 AM – 8:20 AM | Keynote Bob Wise, GM of Kubernetes at AWS |
| 8:20 AM – 8:40 AM | EKS Roadmap & Vision Nathan Taber, Sr Product Manager, EKS |
| 8:40 AM – 9:00 AM | AWS Controllers for Kubernetes: The AWS universe of services, now Kubeified! Jay Pipes, Principal Open Source Engineer, Kubernetes |
| 9:00 AM – 9:20 AM | Kubernetes Networking on AWS Mike Stefaniak, Sr Product Manager, EKS |
| 9:20 AM – 9:40 AM | Application Networking on Service Mesh Shubha Rao, Principal Product Manager, App Mesh |
| 9:40 AM – 10:00 AM | AWS Inferentia on EKS Mike Stefaniak, Sr Product Manager, EKS |
| 10:00 AM – 10:20 AM | Saying Goodbye to YAML Engineering with the CDK for Kubernetes Nathan Taber, Sr Product Manager, EKS Elad Ben-Israel, Principal Software Engineer, SDKs |
| 10:20 AM – 11:30 AM | Live Containers on the Couch – Q&A |
| 11:30 AM – 11:50 AM | Customizing Managed Nodes groups Jesse Butler, Senior Developer Advocate |
| 11:50 AM – 12:10 PM | Bottlerocket: an Open Source Container Host OS Justin Haynes, Software Development Manager |
| 12:10 PM – 12:30 PM | CloudWatch Container Insights now monitors Prometheus Metrics Sudeeptha Jothiprakash, Principal Product Manager, Cloudwatch |
| 12:30 PM – 12:50 PM | Persistent File Storage for Amazon EKS with Amazon EFS Will Ochandarena, Principal Product Manager, EFS |
| 12:50 PM – 1:10 PM | Running Arm nodes with AWS Graviton on Amazon EKS Michael Hausenblas, Sr Developer Advocate |
| 1:10 PM – 2:00 PM | Live Containers on the Couch – Q&A |
| 2:00 PM – 2:20 PM | Security Best Practices Jeremy Cowan, Principal Containers Specialist SA |
| 2:20 PM – 2:40 PM | CIS Benchmark Paavan Mistry, Sr Developer Advocate |
| 2:40 PM – 3:00 PM | EKS and Fargate, better together Massimo Re Ferre, Principal Developer Advocate |
| 3:00 PM – 3:45 PM | Final Q&A and Closing Remarks |
Google Cloud Next OnAir
Google's 9 Week Digital Event kicks off on July 14th with diverse topics being covered each week. The remaining include:
| Security | August 4th |
| Data Analytics | August 11th |
| Data Management and Databases | August 18th |
| Application Modernization | August 25th |
| Cloud AI | September 1st |
| Business Application Platform | September 8th |
Full Information and Session times here: https://cloud.withgoogle.com/next/sf
Azure Virtual Events
Microsoft have a full schedule of Virtual Events
A full list including session times and details are here : https://azure.microsoft.com/en-us/community/events/
AWS Events:
AWS events are pretty fluid at the moment, with most in-person events being cancelled or postponed. There are a number that have been taken online and full details can be found here: https://aws.amazon.com/events/
Thanks for reading again this week, we hope you found something useful.
hava.io allows users to visualise their AWS, GCP and Azure cloud environments in interactive diagram form including unique infrastructure, security and container views. hava.io continuously polls your cloud configuration and logs changes in a version history for later inspection which helps with issue resolution and provides history of all configs for audit and compliance purposes.
If you haven't taken a hava.io free trial to see what the GCP, Azure and AWS automated diagram generator can do for your workflow, security and compliance needs - please get in touch.
You can reach us on chat, email sales@hava.io to book a callback or demo.
