In Cloud Computing This Week [May 5th 2023]

AWS Security Hub, a cloud security posture management service that performs security best practice checks, aggregates alerts, and facilitates automated remediation, now features a detailed history of changes that have occurred for each finding in your environment. This view provides an immutable trail of changes, indicating what fields were changed, by whom, and when. You can now get more visibility into the changes made to your findings over time, making it easier to identify and investigate any suspicious or unauthorized changes.

From the Security Hub console, navigate to the History tab within a specific finding to view a chronological list of all changes that have been made to the finding. The transparency of finding history helps you identify potential security risks more quickly and take proactive steps to mitigate them.

Security Hub is available globally and is designed to give you a comprehensive view of your security posture across your AWS resources. With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services and over 65 AWS Partner Network (APN) solutions. You can also continuously monitor your environment using automated security checks based on industry best practice standards.

Amazon VPC IP Address Manager (IPAM) makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads. Amazon VPC IPAM is now available in two additional Regions: Asia Pacific (Hyderabad), and Asia Pacific (Jakarta).

Amazon VPC IPAM allows you to easily organize your IP addresses based on your routing and security needs and set simple business rules to govern IP address assignments. Using IPAM, you can automate IP address assignment to VPCs, eliminating the need to use spreadsheet-based or homegrown IP address planning applications, which can be hard to maintain and time-consuming.

Amazon VPC IPAM automatically tracks critical IP address information, eliminating the need to manually track or do bookkeeping for IP addresses. IPAM retains your IP address monitoring data (up to a maximum of three years), which you can use to do retrospective analysis and audits for your network security and routing policies.

AWS are excited to announce the availability of ml.inf2 and ml.trn1 family of instances on Amazon SageMaker for deploying machine learning (ML) models for Real-time and Asynchronous inference. You can use these instances on SageMaker to achieve high performance at a low cost for generative artificial intelligence (AI) models, including large language models (LLMs) and vision transformers.

In addition, you can use SageMaker Inference Recommender to help you run load tests and evaluate the price-performance benefits of deploying your model on these instances.

ml.inf2 and ml.trn1 instances are powered by AWS Inferentia2 and Trainium accelerators respectively.

• You can use ml.inf2 instances to run your ML applications on SageMaker for text summarization, code generation, video, and image generation, speech recognition, and more. ml.inf2 instances offer up to 384 GB of shared accelerator memory for performant generative AI inference.
• ml.trn1 instances are similar to ml.inf2 instances but has 512 GB of shared accelerator memory; you can use these instances to deploy even larger models on SageMaker. In addition, these instances have up to 8 TB of local NVMe solid state drive (SSD) storage for fast workload access to large datasets and models.

ml.inf2 instances are available for model deployment on SageMaker in US East (Ohio) and ml.trn1 instances in US East (N. Virginia).

This week, AWS announces support for Reject action in stream exception policy of AWS Network Firewall to improve performance of latency-sensitive applications. AWS Network Firewall is a managed firewall service that makes it easy to deploy essential network protections for all your Amazon VPCs.

Previously, you could configure Drop or Continue actions in the stream exception policy to specify how Network Firewall should handle traffic when a network connection breaks midstream. The Drop action means Network Firewall drops all subsequent traffic in the session going through the firewall.

This means the TCP session remains open until the TCP timeout expires. The Continue action means Network Firewall rebalances the traffic among the available backend firewall hosts and continues to apply firewall rules without session initialization context. This impacts the behavior of the rules that depend on TCP session context.

Starting this week, you can configure Reject action in stream exception policy to handle midstream TCP connections. When a backend firewall host detects a midstream TCP connection, it drops the packet and sends a TCP reset (RST) to notify the sender and receiver that the TCP connection has been closed. The sender can then immediately establish a new TCP connection without waiting for a TCP timeout.

Amazon Managed Streaming for Apache Kafka (Amazon MSK) now supports Apache Kafka version 3.4.0 for new and existing clusters. Apache Kafka 3.4.0 includes several bug fixes and new features that improve performance. Key features include a fix to improve stability to fetch from the closest replica.

Amazon MSK will continue to use and manage Zookeeper for quorum management in this release. For a complete list of improvements and bug fixes, see the Apache Kafka release notes for 3.4.0.

Amazon MSK is a fully managed service for Apache Kafka and Kafka Connect that makes it easier for you to build and run applications that use Apache Kafka as a data store. Amazon MSK is 100% compatible with Apache Kafka, which enables you to quickly migrate your existing Apache Kafka workloads to Amazon MSK with confidence or build new ones from scratch.

With Amazon MSK, you can spend more time innovating on streaming applications and less time managing Apache Kafka clusters. To learn how to get started, see the Amazon MSK Developer Guide.

We are excited to announce that Amazon EMR on EKS now supports vertical autoscaling, a feature to automatically tune the memory and CPU resources of EMR Spark Applications to adapt to the needs of the provided workload, offering a simplified mechanism for customers to tune resources, enhance reliability and optimize costs. Amazon EMR on EKS enables customers to run open-source big data frameworks such as Apache Spark on Amazon EKS without having to manage application provisioning themselves.

EMR Spark allows users to configure the amount of Memory and CPU cores that it will utilize. However, tuning these values has until now been a manual process for customers that can be complex. For instance, too little memory can result in out-of-memory exceptions but allocating too much can result in over-spending on idle resources. Vertical autoscaling automatically scales the memory and CPU allocated to an EMR Spark application based on its real-time and historic resource utilization. This simplifies the process of tuning resources and optimizing costs for an application while helping improve its reliability.

To learn more about this feature, please visit the AWS Big Data Blog post: Improve reliability and reduce costs of your Apache Spark workloads with vertical autoscaling on Amazon EMR on EKS. Refer to the Using vertical autoscaling with Amazon EMR Spark jobs section of the EMR on EKS documentation for additional details.Vertical autoscaling is supported on Amazon EMR on EKS 6.10 release and later, and available in all regions where Amazon EMR on EKS is currently available.

AWS are excited to announce the addition of self-hosted Jupyter notebooks as another mechanism to run interactive workloads via managed endpoints. Amazon EMR on EKS enables customers to run open-source big data frameworks such as Apache Spark on Amazon EKS. Amazon EMR on EKS customers setup and use a managed endpoint (available in preview) to run interactive workloads using an integrated development environments (IDEs) such as EMR Studio.

AWS Customers currently rely on EMR Studio to run Jupyter notebooks for their interactive Spark workloads, which provides a managed notebooks solution without having to worry about customizing the execution environment where they run. With self-hosted Jupyter notebooks, customers that require such customization now have a choice of where they control the notebook execution environment, with the flexibility to decide where it runs and the ability to change how to access it, helping them meet their specific business needs.  

Zonal shift for Amazon Route 53 Application Recovery Controller is now available in all standard AWS Regions. 

Zonal shift is a capability in Route 53 ARC that helps you quickly recover from application failures in an Availability Zone (AZ) by shifting traffic away from the AZ. You can start a zonal shift for a load balancer in the AWS Management Console, or you can use the AWS CLI or an SDK to start a zonal shift.

When the affected AZ has recovered, you can cancel the zonal shift to allow traffic to return to the AZ. Zonal shift is available for Application Load Balancers and Network Load Balancers with cross-zone load balancing turned off. 

With this update, zonal shift for Amazon Route 53 Application Recovery Controller is now also available in the US West (N. California), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Canada (Central), Europe (London), Europe (Milan), Europe (Paris), Europe (Spain), Middle East (Bahrain), Europe (Zurich), Middle East (UAE), and South America (São Paulo) AWS Regions. Previously, zonal shift was available in the US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Jakarta), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), and Europe (Stockholm) AWS Regions. 

AWS VSS application-consistent backups now allows customers to take application-consistent backups while PowerShell Logging is enabled. AWS VSS application-consistent backups now incorporates a parallel processing ability that enables its EC2 Windows customers achieve successful VSS backups in a broader range of environments.

With this launch, customers will see improved compatibility between VSS and applications such as antivirus and application monitoring that require PowerShell logging to be enabled. 

Volume Shadow Copy Service or VSS is a Microsoft technology that allows application data to be backed up while applications are still running, by coordinating between user applications that update data on disk and those that back up applications.

AWS VSS application-consistent backups enables customers to take application-consistent snapshots of their Amazon EC2 Windows instances and associated Elastic Block Store volumes. Customers can continue to use the VSS solution on AWS through AWS Systems Manager Run Command or through AWS Backup console. 

AWS Resilience Hub has expanded support for AWS Trusted Advisor and applications using Amazon DynamoDB. Resilience Hub provides a single place to define, validate, and track the resilience of your applications so that you can avoid unnecessary downtime caused by software, infrastructure, or operational disruptions.

As many variables can impact the resilience of your applications, preparing and protecting them from disruption should be continuous. When you use AWS Trusted Advisor with Resilience Hub, you can now receive a notification when an application has not been assessed in the previous 30 days. The notification prompts you to reassess the application to understand if any changes have occurred that would impact its resilience.

For applications using Amazon DynamoDB, Resilience Hub now provides a new set of alarms that alert you to resilience risks for on-demand and provisioned capacity modes and global tables. To access the new alarms, you may need to update the AWS Identity and Access Management (IAM) policy of the role you are using.

The new capabilities are available in all of the AWS Regions where Resilience Hub is supported. See the AWS Regional Services List for the most up-to-date availability information.

This week, AWS announced the general availability of AWS CodePipeline in the AWS GovCloud (US-East) Region.

AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process when there is a code change, based on the release model you define.

AWS Elemental MediaConvert now supports video passthrough for mezzanine video formats. You can now run MediaConvert jobs that preserve the original video essence without re-encoding for intra-frame-only video formats such as AVC Intra, Apple ProRes, VC3, and JPEG2000.

Video passthrough enables you to use MediaConvert for tasks like trimming content, changing audio tracks, and changing output containers without re-compressing video. Leaving the video unprocessed often results in faster job completion times and lower costs compared to equivalent jobs which transcode the video.

This week, AWS are excited to announce the launch of the customizable dashboard feature on the AWS Batch console, providing a single view that displays resource metrics based on your specific needs. This feature allows you to redesign and target different types of widgets in your preferred order, making it easier to troubleshoot issues using widgets such as job logs, job queue metrics, etc. You can also add a container insights widget to track your compute environment utilization. 

Batch has added single job queue metrics, job logs, and container insights widgets to the Batch console dashboard. These widgets are added in addition to the previous widget set namely the job queue overview, jobs overview, and compute environment overview. There are a total of six widget types and you can have up to ten widgets of your choice in the dashboard at a given time. 

Amazon Kendra is an intelligent search service powered by machine learning, enabling organizations to provide relevant information to customers and employees, when they need it.

This week, AWS are excited to announce that Amazon Kendra now supports query suggestions seeded from indexed content, allowing you to provide a document-centric query auto-completion experience to your end-users.

Amazon Kendra query suggestions can help your users type their search queries faster and guide their experience by suggesting auto-completed queries as they type their query in the search box. So in addition to auto-completing queries based on popular user queries (already supported), you can now suggest queries based on document fields such as title, file name, author name, etc.

This allows, for instance, your end-users to quickly narrow down their search for documents based on titles they may partially remember, or find documents from a specific author by entering a few letters in the search box, and clicking on the suggested author name suggested below the search box.

This week, Amazon OpenSearch Service announces Multi-AZ with Standby, a new deployment option that enables 99.99% availability and consistent performance for business-critical workloads. With Multi-AZ with Standby, OpenSearch Service domains are resilient to potential infrastructure failures, such as a node or an Availability Zone (AZ) failure. Multi-AZ with Standby also ensures OpenSearch Service domains follow recommended best practices, simplifying configuration and management.

When Multi-AZ with Standby is enabled, OpenSearch Service reserves nodes in one of the AZs as standby; these nodes do not serve search requests and are primarily used for failover. Amazon OpenSearch Service monitors the underlying infrastructure for failures, and when a failure is identified, automatically promotes the standby nodes to active in less than a minute.

OpenSearch Service continues to serve indexing and search requests, and any impact is limited to the time it takes to perform the failover. With Multi-AZ with Standby, there is no re-distribution of data or resources during a failure, thereby ensuring that cluster performance is unaffected during a failover.

When creating or updating an existing Managed Cluster, customers can enable the Multi-AZ with Standby deployment option using the AWS Console, command line interface (CLI), or the AWS software development kit (AWS SDK). Multi-AZ with Standby is available for OpenSearch versions 1.3 and above. For information on Multi-AZ with Standby for Amazon OpenSearch Service, please see documentation.

Starting this week, you can use Common Access Card (CAC) and Personal Identity Verification (PIV) smart cards to authenticate users into Amazon WorkSpaces through your self-managed Active Directory (AD) and AWS Directory Service AD Connector in the AWS GovCloud (US-East) Region. Additionally, you can now use the AWS Management Console to configure smart card authentication with AWS Directory Service. 

When enabled, users select their smart card at the WorkSpaces login screen and enter a PIN to authenticate, instead of using a username and password. From there, the Windows or Linux virtual desktop uses the smart card to authenticate with Active Directory from the native desktop operating system.

Smart card support is available on WorkSpaces when using  the WorkSpaces Streaming Protocol (WSP). With AWS Directory Service and Amazon WorkSpaces with WSP, users can use smart cards to authenticate into a WorkSpaces instance (pre-session authentication) or into protected applications from within a WorkSpaces instance (in-session authentication).

Amazon Relational Database Service (RDS) for PostgreSQL now supports the pgvector extension to store embeddings from machine learning (ML) models in your database and to perform efficient similarity searches. Embeddings are numerical representations (vectors) created from generative AI that capture the semantic meaning of text input into a large language model (LLM). pgvector can store and search embeddings from Amazon Bedrock, Amazon SageMaker, and more.

By using pgvector on Amazon RDS, you can simply set up, operate, and scale databases for your ML-enabled applications. The pgvector extension allows you to build ML capabilities into your e-commerce, media, health applications, and more to find similar items within a catalog. For example, a streaming service can use pgvector to provide a list of film recommendations similar to the one you just watched.

The pgvector extension is available on all database instances in Amazon RDS running PostgreSQL 15.2 and higher in all AWS Regions, including the AWS GovCloud (US) Regions.

Amazon WorkSpaces is now available in the AWS GovCloud (US-East) Region, an isolated AWS Region designed to host sensitive data and regulated workloads in the cloud for customers who have U.S. federal, state, or local government security and compliance requirements.

For a list of regions where WorkSpaces is available, see the AWS Region Table. With this launch, you can now use Amazon WorkSpaces cloud desktops to help address data sovereignty requirements without the cost and complexity of building on-premises Virtual Desktop Infrastructure (VDI).

Amazon WorkSpaces is a fully managed desktop virtualization service for Windows, Amazon Linux, and Ubuntu that allows you to access resources from any supported device. You can add or remove WorkSpaces to meet your dynamic workforce's needs and still provide end users with a more responsive experience.

Amazon WorkSpaces pricing provides monthly subscription or hourly metering options per virtual desktop instances. See Amazon WorkSpaces Pricing for more information.

Starting today, Bring Your Own IP (BYOIP) is available in Asia Pacific (Hyderabad) Region.

BYOIP allows you to bring your own IPv4 and IPv6 addresses to AWS and advertise them on the internet. You can create Elastic IP addresses from your BYOIPv4 addresses and use them with AWS resources, such as EC2 instances, Network Load Balancers, and NAT gateways.

The Elastic IP addresses you create from BYOIPv4 addresses work in the same way as Elastic IP addresses you get from AWS. The BYOIPv6 addresses also work in the same way as AWS provided IPv6 addresses. For example, you can associate these IPv6 addresses to subnets, Elastic Network Interfaces (ENI), and EC2 instances within your VPC. Additionally, you can use your BYOIPv6 for private connectivity to your on-premises networks by advertising them over AWS Direct Connect.

This week, AWS announced the opening of a new AWS Direct Connect location within the EdgeConnex PHX01 data center in Phoenix, Arizona. By connecting your network to AWS at the new location, you gain private, direct access to all public AWS Regions (except those in China), AWS GovCloud Regions, and AWS Local Zones.

The new location is the second in Phoenix, the 35th Direct Connect location in the United States, and offers dedicated 10 Gbps and 100 Gbps connections, with optional MACsec encryption available.

The Direct Connect service enables you to establish a private, physical network connection between AWS and your data center, office, or colocation environment. These private connections can provide a more consistent network experience than those made over the public internet.

Using the Direct Connect SiteLink feature, you can send data between Direct Connect locations to create private network connections between the offices and data centers in your global network.

This week, AWS CloudFormation has expanded the availability of AWS CloudFormation Hooks to the Middle East (Dubai) and Asia Pacific (Jakarta) Regions. With this launch, customers can deploy Hooks in these newly supported AWS Regions to help keep resources secure and compliant.

AWS CloudFormation Hooks is a feature that allows customers to invoke custom logic to automate actions or inspect resource configurations prior to a create, update or delete CloudFormation stack operation. With AWS CloudFormation Hooks, customers can now validate resource properties and send a warning, or prevent the provisioning operation to help them keep resources secure and compliant.

AWS AppSync is a fully managed service that enables developers to build scalable, performant APIs that connect applications to data and events. Today, we announce the general availability of Private API support for AWS AppSync. With Private APIs, you can now create GraphQL APIs that can only be accessed from your Amazon Virtual Private Cloud (“VPC”).

With AppSync Private APIs, you need to only configure your API as “private” and AppSync will automatically limit access to your API’s GraphQL and realtime subscription endpoints to interface VPC Endpoints in a shared AWS account. Traffic to a Private API uses connections that are designed to be secure and does not leave the Amazon network.

Amazon Web Services (AWS) is announcing the general availability of of Push Notifications for the AWS Console Mobile Application. You can now use AWS User Notifications to create actionable push notifications from AWS services, such as CloudWatch, to be delivered to your mobile device when a resource requires your attention.

You can then receive push notifications, and learn more about events while on-the-go without needing to return to your computer. If you want to see more detail about a notification from your device’s lock screen, you can simply tap the notification, authenticate, and be directed to the relevant details screen inside the app.

The Console Mobile App lets users view and manage a select set of resources to stay informed and connected with their AWS resources while on-the-go. The login process supports biometrics authentication (on supported devices), making access to AWS resources simple, secure, and quick.

AWS Network Firewall now allows you to override the Suricata HOME_NET variable making it easy to use AWS managed rule groups in firewalls that are deployed in a centralized deployment model. Managed rule groups are collections of predefined, ready-to-use rules that AWS writes and maintains for you.

The Suricata HOME_NET variable of the managed rule group has the Classless Inter-Domain Routing (CIDR) range which is inspected by the AWS Network Firewall. Previously, you were unable to override HOME_NET variable as it used the CIDR ranges of VPC where the firewall is deployed.

If your firewall uses a central inspection VPC, AWS Network Firewall populates HOME_NET with CIDR ranges of the inspection VPC, instead of the application (spoke) VPCs which you want to filter. 

Starting today, you can override the HOME_NET variable in firewall policy to include the CIDR ranges of all the VPCs that you want to inspect. This allows you to protect your application VPCs using managed rule groups in centralized firewall deployment.

There is no additional charge to use this feature. You can override the Suricata HOME_NET variable in firewall policy using the Amazon VPC Console, AWS CLI, or the Network Firewall API. This feature is available in all AWS Regions where AWS Network Firewall is available.

Amazon Web Services (AWS) is announcing the general availability of AWS User Notifications, a new service that enables you to centrally setup and view notifications from AWS services, such as AWS Health events, Amazon CloudWatch alarms, or Amazon EC2 instance state changes, in a consistent, human-readable format.

You can view notifications across accounts, regions, and services in a Console Notifications Center, and configure delivery channels where you want to receive these notifications, like email, AWS Chatbot, and AWS Console Mobile App. Notifications include URLs to direct to resources on the AWS Console, where you can take take additional actions.

With User Notifications, you specify which events you want to be notified about, and in which channels. Any user with User Notifications permissions can enable notifications for use cases like CloudWatch alarm state changes, and Health events.  For example, email jane@example.com whenever an EC2 instance in region IAD or FRA with tag ‘production’ changes state to “stopped”. In addition, you can aggregate multiple events into a single notification for an easy top-level view. 

Configuring and viewing notifications in the Console Notifications Center is offered at no additional cost.

Amazon WorkSpaces Core is now available in the AWS GovCloud (US-East) Region and AWS GovCloud (US-West) Region. These are isolated AWS Regions designed to host sensitive data and regulated workloads in the cloud for customers who have U.S. federal, state, or local government security and compliance requirements. For a list of regions where WorkSpaces is available, see the AWS Region Table. 

Amazon WorkSpaces Core provides cloud-based, fully managed virtual desktop infrastructure (VDI) accessible to third-party VDI management solutions via API.

Amazon Aurora Serverless v2, the next version of Aurora Serverless, is now available in 26 regions including AWS GovCloud (US-West) and AWS GovCloud (US-East) Regions.

Aurora Serverless is an on-demand, automatic scaling configuration for Amazon Aurora. Aurora Serverless v2 scales instantly to support even the most demanding applications. It adjusts capacity in fine-grained increments to provide just the right amount of database resources for an application’s needs. You don’t need to manage database capacity, and you only pay for the resources consumed by your application.

Aurora Serverless v2 provides the full breadth of Amazon Aurora capabilities, including Multi-AZ support, Global Database, Performance Insights, and read replicas. Amazon Aurora Serverless v2 is ideal for a broad set of applications.

For example, enterprises that have hundreds of thousands of applications, or software as a service (SaaS) vendors that have multi-tenant environments with hundreds or thousands of databases, can use Aurora Serverless v2 to manage database capacity across the entire fleet.

AWS is pleased to announce an enhancement to the AWS Well-Architected (WA) Tool integration with AWS Service Catalog AppRegistry (AR). This integration allows customers to now filter their AWS Trusted Advisor checks based on resources defined within application, helping surface the most relevant checks in the Well-Architected console.

In addition to adding an application to an existing workload in WA, customers can also view their workload ARN, workload name, and medium and high risk counts per application within the AppRegistry Console, making it easier to see which applications have Well-Architected reviews associated with them.

Amazon Rekognition content moderation is a deep learning-based feature that can detect inappropriate, unwanted, or offensive images and videos, making it easier to find and remove such content at scale. Starting today, Amazon Rekognition content moderation comes with an improved model for image and video moderation that significantly improves the detection of explicit, violence, and suggestive content.

AWS Customers can now detect explicit and violence content with higher accuracy to improve the end-user experience, protect their brand identity, and ensure that all content complies with their industry regulation and policies.

This update is now available in all AWS regions supported for Amazon Rekognition Content Moderation. To try the new model, visit the Amazon Rekognition console for image and video moderation. To learn more, read the Amazon Rekognition Content Moderation documentation.

You can now use Amazon Simple Notification Service (SNS) message data protection in five additional AWS Regions: Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich), and Middle East (UAE).

Amazon SNS message data protection is a set of capabilities that leverage pattern matching, machine learning models, and content policies to help security and engineering teams facilitate real-time data protection in their applications that use Amazon SNS to exchange high volumes of data.

With message data protection for Amazon SNS, you can discover and protect certain types of personally identifiable information (PII) and protected health information (PHI) data that is in motion between your applications. This can help support your compliance objectives, for example, with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), General Data Privacy Regulation (GDPR), Payment Card Industry Data Security Standard (PCI-DSS), and Federal Risk and Authorization Management Program (FedRAMP).

Message data protection enables topic owners to define and apply data protection policies that scan messages in real-time for sensitive data to provide detailed audit reports of findings, block message delivery, and de-identify data within a payload via redaction or masking.

Amazon Inspector now allows customers to search its vulnerability intelligence database if any of the Inspector scanning types is activated. With this expanded capability, customers can retrieve the details for any vulnerability stored in Inspector vulnerability database and covered by Inspector’s scanning engine by simply providing a Common Vulnerability and Enumerations (CVE) ID, for example, “CVE-2023-1264“. This allows customers to confirm the CVEs covered by Inspector scanning engine and do preliminary research on a CVE. Inspector customers can access the search capabilities using both Inspector console and APIs.

Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure across your entire AWS Organization. Once activated, Amazon Inspector automatically discovers all of your Amazon Elastic Compute Cloud (EC2) instances, container images in Amazon Elastic Container Registry (ECR), and AWS Lambda functions, at scale, and continuously monitors them for known vulnerabilities, giving you a consolidated view of vulnerabilities across your compute environments.

Amazon Inspector also provides a highly-contextualized vulnerability risk score by correlating vulnerability information with environmental factors such as external network accessibility to help you prioritize the highest risks to address.

AWS Health now publishes service health events to Amazon EventBridge. Previously, you could receive only account-specific events on this channel. Now, you can also receive events about the overall health of AWS services. This enables you to get a full picture of service issues that might affect the performance of your applications. 

AWS Health provides ongoing visibility into the performance of your AWS resources and services. You can use AWS Health events to learn how service and resource changes might affect your applications running on AWS. Service health events provide information about overall service availability, reported publicly on the service health view of the AWS Health Dashboard.

You can use this feature to easily collect, filter, and deliver service health events directly to your teams, run workflows that integrate with tools of your choice, or automate responses to important health events. Additionally, AWS Health now supports setting up EventBridge rules in a backup AWS Region, enabling you to add an extra layer of resilience to your workflows.

You can create a rule in US West (Oregon), which serves as a backup for all other AWS Regions in the standard partition, to continue receiving event information even if your primary Region is affected by an operational issue. If your primary Region is US West (Oregon), the EventBridge endpoint in US East (N. Virginia) Region will serve as its backup.

Amazon Neptune is now available in the AWS Middle East (UAE) Region on engine versions 1.2.1.0 and later. You can now create Neptune clusters using R5, R5d, R6g, and T3 instance types in the AWS Middle East (UAE) Region.

Amazon Neptune is a fast, reliable, and fully managed graph database as a service that makes it easier to build and run applications that work with highly connected datasets. You can build applications using Apache TinkerPop Gremlin or openCypher on the Property Graph model, or using the SPARQL query language on the W3C Resource Description Framework (RDF).

Neptune also offers enterprise features such as high availability, automated backups, and network isolation to help customers quickly deploy applications to production.

Amazon Elastic File System (EFS) Replication is now available in 10 more AWS Regions: Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Europe (Milan), Europe (Spain), Europe (Zurich), Middle East (Bahrain), Middle East (UAE), in addition to the 19 AWS Regions and 2 AWS GovCloud (US) Regions where it was previously supported. With this launch, EFS Replication is available in all AWS Regions where EFS is supported.

Amazon EFS provides serverless, fully elastic file storage that makes it simple to set up and run file workloads in the cloud. Amazon EFS Replication enables you to easily maintain a separate, up-to-date copy of your file system for compliance, localized data access, and testing/development use cases.

You can automatically replicate data across AWS Regions, without needing to manually monitor and synchronize data changes. Before today, EFS Replication was available in 19 AWS Regions and 2 AWS GovCloud (US) Regions. Starting today, you can use EFS Replication in 10 additional AWS Regions, allowing you to easily replicate your file data in all AWS Regions where EFS is supported.

You can now use Amazon Simple Notification Service (SNS) FIFO topics in five additional AWS Regions: Asia Pacific (Hyderabad), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich), and Middle East (UAE). You can use Amazon SNS FIFO topics, in combination with Amazon Simple Queue Service (SQS) FIFO queues, to build applications that require messages to be sent and processed in a strict sequence and without duplicates.  

Amazon SNS is a fully managed, reliable, and highly available pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications. Both Standard and FIFO topics support publishing messages in batch and fanning out messages to multiple subscriptions with high durability, filtering, encryption, and privacy, while FIFO topics provide the added benefit of ordering and deduplication of messages.

Using Amazon SNS FIFO topics and Amazon SQS FIFO queues together, you can build modern applications that leverage a publish/subscribe architecture without writing custom code for message ordering and deduplication.

Amazon GuardDuty Malware Protection adds a new capability that allows customers to initiate on-demand malware scans of Amazon Elastic Compute Cloud (Amazon EC2) instances, including instances used to host container workloads. Scans can be initiated using the GuardDuty console, or programmatically via the API, without the need to deploy security software and are designed to have no performance impact to running workloads.

When potential malware is identified, GuardDuty generates actionable security findings with information such as the threat and file name, the file path, the Amazon EC2 instance ID, resource tags and, in the case of containers, the container ID and the container image used. This capability builds on the existing Malware Protection capability of GuardDuty-initiated scans that when enabled, automatically initiates a malware scan when GuardDuty detects suspicious behavior indicative of malware on the instance.

Customers across many industries and geographies use GuardDuty, including more than 90% of AWS’s 2,000 largest customers. GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. 

Starting this week, AWS Elemental MediaConnect supports failover for streams that have SRT caller or listener sources. You can configure SRT failover via the AWS Management Console, CloudFormation, the AWS CDK, or the MediaConnect API.

You use SRT failover by adding two SRT sources to your flow in the same mode (both must be either caller or listener) with identical content. This works with either standard or VPC sources. In the event the primary source is interrupted, MediaConnect will switch to the secondary source after 500 milliseconds, ensuring the outputs on your MediaConnect flow continue to receive a stream. In addition to SRT sources, failover is supported with the Zixi push, RIST, RTP, and RTP-FEC source types.

AWS Local Zones is now available in Auckland, New Zealand. You can now use AWS Local Zones in Auckland to deliver applications that require single-digit millisecond latency or local data processing.

In early 2022, AWS announced plans to launch AWS Local Zones in over 30 metro areas across 27 countries outside of the US. In addition to Auckland, AWS Local Zones are also available in 15 metro areas outside of the US (Bangkok, Buenos Aires, Copenhagen, Delhi, Helsinki, Hamburg, Kolkata, Lagos, Muscat, Perth, Queretaro, Lima, Santiago, Taipei, and Warsaw). Local Zones are also available in 16 metro areas in the US (Atlanta, Boston, Chicago, Dallas, Denver, Houston, Kansas City, Las Vegas, Los Angeles, Miami, Minneapolis, New York City, Philadelphia, Phoenix, Portland, and Seattle).

AWS IoT Core, a managed cloud service that lets customers securely connect Internet of Things (IoT) devices the cloud and manage them at scale, announces support for Transport Layer Security (TLS) 1.3 through Configurable Endpoints. TLS 1.3 provides two major improvements in security and performance - it removes legacy features and older cipher suites in previous versions of TLS, and offers better performance through a simplified handshake process.

With this launch, AWS IoT customers can also use TLS 1.3 in AWS IoT Core Device Advisor, a fully managed test capability to help developers test their IoT devices for reliable and secure connectivity with AWS IoT Core.

With this launch, we are expanding the Configurable Endpoints feature, launched on 3/25/2021, so that customers can configure desired TLS version(s) to establish secure connections to AWS IoT Core and meet specific security compliance requirements.

The feature is backwards compatible, enabling IoT developers to connect both TLS 1.2 and TLS 1.3 capable devices to their respective endpoints. To configure TLS 1.3, customers can can navigate to the ‘settings’ section within the AWS IoT Console or use the CreateDomainConfiguration API to select the desired TLS policy.

Amazon Aurora Serverless v1 now supports PostgreSQL major version 13. PostgreSQL 13 includes improved functionality and performance from enhancements such as de-duplication of B-tree index entries, improved performance for queries that use partitioned tables, incremental sorting to accelerate data sorts, parallel processing of indexes with the VACUUM command, more ways to monitor activity within a PostgreSQL database, new security capabilities, and more. 

Aurora Serverless v1 also supports in-place upgrade from PostgreSQL 11 to 13. Instead of backing up and restoring the database to the new version, you can upgrade with just a few clicks in the AWS Management Console or using the latest AWS SDK or CLI. No new cluster is created in the process which means you keep the same endpoints and other characteristics of the cluster.

The upgrade completes in minutes and can be applied immediately or during the maintenance window. Your database cluster will be unavailable during the upgrade. Review the Aurora documentation to learn more.

This week, AWS are excited to announce AWS SimSpace Weaver Snapshots, a new feature that allows SimSpace Weaver developers to save the state of their simulations at a specific point in time.

SimSpace Weaver is a fully managed compute service that helps customers deploy large spatial simulations in the cloud. With SimSpace Weaver, developers can create seamless virtual worlds with millions of objects that can interact with each another in real time without ever worrying about managing the back-end infrastructure. 

Taking a snapshot in SimSpace Weaver is similar to taking a snapshot of a database. Snapshots save the data for every entity in the simulation to a snapshot file that is uploaded and stored in Amazon S3. To pick up where the simulation left off, provide the S3 URI of the snapshot in the Start Simulation API to launch a new simulation using that snapshot.

Snapshots can be used for backup and restore purposes to preserve the progress of your long-running simulations or used to launch various branching simulation scenarios from a specific point in time. Snapshots can be created from the AWS Management Console, via the AWS CLI, or directly from SimSpace Weaver applications.

Snapshots are now generally available in all SimSpace Weaver regions including US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Europe (Frankfurt), Europe (Ireland), and Europe (Stockholm).

AWS Security Hub has added four new integration partners to help customers with their cloud security posture monitoring. The additions of Trend Micro, Claroty, New Relic, and Metric Stream bring Security Hub to 91 integrations. 

Trend Micro sends findings from their Cloud One platform to Security Hub, helping enhance visibility of AWS and Cloud One event details. Claroty sends findings from their xDome product to Security Hub, giving customers visibility into security events related to their industrial, healthcare, enterprise, and extended Internet of Things environments. With findings from Security Hub in New Relic VM, customers can view security signals alongside performance telemetry in context across their application stack.

MetricStream CyberGRC consumes Security Hub findings, helping customers manage, measure and mitigate cyber risk; gain visibility and quantified risk insights; prioritize cyber investments; and comply with IT policies with built in frameworks. 

Security Hub is available globally and is designed to give you a comprehensive view of your security posture across your AWS resources. With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services and over 65 AWS Partner Network (APN) solutions. You can also continuously monitor your environment using automated security checks based on industry best practice standards.

AWS Compute Optimizer now supports inferred workload type filtering on Amazon EC2 instance recommendations. The inferred workload type feature utilizes Machine Learning and automatically detects the applications that might be running on your AWS resources.

By leveraging the inferred workload type filter, customers can easily pinpoint cost-saving opportunities based on the specific workload running on their EC2 instances. In addition, AWS Compute Optimizer now supports Microsoft SQL Server as an inferred workload type.

Starting this week, AWS customers can categorize cost-saving opportunities by supported inferred workload types. This means application owners, e.g. SQL Server database administrators can filter EC2 instance rightsizing recommendations that are running Microsoft SQL Server database workloads to find relevant savings opportunities.

With the improved workload visibility for recommendations, customers can identify relevant recommendations and take actions. Compute Optimizer also detects Nginx, Memchached, Amazon EMR, Apache Cassandra, Apache Hadoop, PostgresSql, Redis and Kafka workloads.

AWS Compute Optimizer now supports the ability to filter your rightsizing recommendations by tags. This includes tag keys, tag key and value pairs, or combinations of both. Tag filtering will be available on these rightsizing recommendations pages: Amazon Elastic Compute Cloud (EC2) instance types, Amazon Elastic Block Store (EBS) volumes, AWS Lambda functions, and Amazon Elastic Container Service (ECS) services on AWS Fargate.

With today’s launch, you can now filter the recommendations you see in the Compute Optimizer console by tags, or tag key:value pairs. Previously you had to export your recommendations or access them via API and filter them via name, region, the finding reason code (e.g. EC2 finding reasons), or join them with external data.

By filtering on commonly used tags for cost allocation or operational management purposes, such as business unit, or environment, you can easily identify rightsizing opportunities that fit your requirements.

Amazon SageMaker Data Wrangler reduces the time it takes to aggregate and prepare data for machine learning (ML) from weeks to minutes. With SageMaker Data Wrangler, you can simplify the process of data preparation and feature engineering, and complete each step of the data preparation workflow, including data selection, exploration, cleansing, and processing from a single visual interface.

Starting this week, you can use new capabilities of Amazon SageMaker Data Wrangler to prepare image data for labeling, training or inference. You can preview and import images from Amazon S3, use a variety of built-in image transforms to clean, standardize and improve quality of your image data.

These built-in transforms include resize, drop duplicates, rotation, flip, greyscale, enhance contrast, blur and add noise, etc. Data Wrangler also supports advanced use cases such as detecting outliers or extract texts from images using custom code and built-in code snippets. These code snippets include examples of how to utilize a pre-trained model using Amazon Sagemaker Jumpstart to perform advanced analysis or transformations by calling a pre-deployed model endpoint.

After you create a recipe on the sampled image data in the interactive mode, you can create a PySpark job via the visual interface to scale the processing on all the images in your dataset.  

Amazon Redshift ra3.xlplus instances are now available in the Middle East (UAE), Europe (Spain), Europe (Zurich), Asia Pacific (Hyderabad) and Asia Pacific (Jakarta) Regions. Amazon Redshift ra3 instances with Redshift Managed Storage (RMS) allow you to scale and pay for compute and storage independently for fast query performance and to optimize costs.

It also enables you to more securely and more easily share live data across Amazon Redshift clusters. Amazon Redshift ra3.16xlarge and ra3.4xlarge instances are already available in those regions. With this announcement, we will be launching ra3.xlplus instance types in those regions.

To upgrade your cluster to a ra3 cluster, you can take a snapshot of your existing Amazon Redshift cluster and restore it to an ra3 cluster, or do a resize from your existing cluster to a new ra3 cluster.

To learn more about Amazon Redshift ra3 nodes, see the Amazon Redshift RA3 feature page and the Amazon Redshift documentation for Amazon Redshift RA3. You can find more information on pricing by visiting the Amazon Redshift pricing page. For a complete list of AWS Regions where Redshift RA3 instances are available please consult the Redshift Cluster Management Guide.

Memory limits for second-generation runtimes have been increased to better support the growing memory utilization of many newer runtimes.

Application Integration

Application Integration is now available in the following locations:

• Melbourne (australia-southeast2)
• Finland (europe-north1)
• Paris (europe-west9)
• Madrid (europe-southwest1)
• Doha (me-central1)
• Tel Aviv (me-west1)

For more information about the supported locations, see Application Integration locations.

Container Optimised OS

 Fallback to installing compatible drivers when installer is invoked for certain GPU devices and incompatible drivers.