Tag Archives: announcements

Amazon Redshift enhances security by changing default behavior in 2025

2025-01-30 Yanzhu Ji

Post Syndicated from Yanzhu Ji original https://aws.amazon.com/blogs/security/amazon-redshift-enhances-security-by-changing-default-behavior-in-2025/

Today, I’m thrilled to announce that Amazon Redshift, a widely used, fully managed, petabyte-scale data warehouse, is taking a significant step forward in strengthening the default security posture of our customers’ data warehouses. Some default security settings for newly created provisioned clusters, Amazon Redshift Serverless workgroups, and clusters restored from snapshots have changed. These changes include disabling public accessibility, enabling database encryption, and enforcing secure connections.

Amazon Redshift already supports encryption in transit and at rest. Database encryption is crucial because it helps safeguard sensitive data from unauthorized access. Furthermore, restricting public access can be advantageous because it limits the threat surface and helps prevent unauthorized access to the database. By confining the Amazon Redshift cluster within the customer’s virtual private cloud (VPC), the cluster is isolated from the public internet, which significantly reduces the possibility of unauthorized parties discovering and accessing the data warehouse.

Enforcing secure connections is another essential security measure. This enforces encryption of communication between the applications and the database, reducing the risk of eavesdropping and man-in-the-middle exploits, which helps protect the confidentiality and integrity of the data being transmitted.

By implementing additional security defaults for newly created provisioned clusters, Serverless workgroups, and clusters restored from snapshots, Amazon Redshift helps customers adhere to best practices in data security without requiring additional setup, reducing the risk of potential misconfigurations.

These new security enhancements include three key changes:

Disabling public access by default – Public accessibility will be disabled by default for newly created or restored provisioned clusters. This means that the newly created clusters will be accessible only within your VPC and not accessible from the public internet. With this change, if you create a provisioned cluster from the AWS Management Console, then the cluster is created with public access disabled by default. Specifically, the PubliclyAccessible parameter will be set to false by default. This change will also be reflected in the CreateCluster and RestoreFromClusterSnapshot API operations and the corresponding console, AWS CLI, and AWS CloudFormation By default, connections to clusters will only be permitted from client applications within the same VPC. To access your data warehouse from applications in another VPC, you have to configure cross-VPC access.
If you still need public access, you must explicitly override the default and set the PubliclyAccessible parameter to true when you run the CreateCluster or RestoreFromClusterSnapshot API operations. With a publicly accessible cluster, we recommend that you always use security groups or network access control lists (network ACLs) to restrict access.
Enabling encryption by default – With this change, the ability to create unencrypted clusters will no longer be available in the Amazon Redshift console. When you use the console, CLI, API, or CloudFormation to create a provisioned cluster without specifying an AWS Key Management Service (AWS KMS) key, the cluster will automatically be encrypted with an AWS-owned key. The AWS-owned key is managed by AWS.
This update might impact you if you are creating unencrypted clusters by using automated scripts or using data sharing with unencrypted clusters. If you regularly create new unencrypted consumer clusters and use them for data sharing, review your configurations to verify that the producer and consumer clusters are both encrypted to reduce the chance that you will experience disruptions in your data-sharing workloads.
Enforcing secure connections by default – With this change, a new default parameter group named default.redshift-2.0 will be introduced for newly created or restored clusters, with the require_ssl parameter set to true by default. New clusters created without a specified parameter group will automatically use the default.redshift-2.0 parameter group. When you create a cluster through the console, the new default.redshift-2.0 parameter group will be automatically selected. This change will also be reflected in the CreateCluster and RestoreFromClusterSnapshot API operations, as well as in the corresponding console, AWS CLI, and AWS CloudFormation operations.
For customers who are using existing or custom parameter groups, the service will continue to honor the require_ssl value specified in your parameter group. However, we recommend that you update the require_ssl parameter to true in order to enhance the security of your connections. You continue to have the option to change the require_ssl value in your custom parameter groups as needed. You can follow the procedure in this topic in the Amazon Redshift Management Guide to configure security options for connections.

We recommend that all Amazon Redshift customers review their current configurations for this service and consider implementing the new security measures across their applications. These security enhancements could impact existing workflows that rely on public access, unencrypted clusters, or non-SSL connections. We recommend that you review and update your configurations, scripts, and tools to align with these new defaults.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Updated whitepaper available: Aligning to the NIST Cybersecurity Framework in the AWS Cloud

2025-01-29 Luca Iannario

Post Syndicated from Luca Iannario original https://aws.amazon.com/blogs/security/updated-whitepaper-available-aligning-to-the-nist-cybersecurity-framework-in-the-aws-cloud/

Today, we released an updated version of the Aligning to the NIST Cybersecurity Framework (CSF) in the AWS Cloud whitepaper to reflect the significant changes introduced in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, published in February 2024. This comprehensive update helps you understand how AWS services align with the enhanced framework and how you can use AWS capabilities to improve your cybersecurity posture.

The NIST CSF 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. The updated version introduces important changes, including the following:

A new “Govern” Core Function, emphasizing procedural and organizational activities that have an impact on the management of cybersecurity risk within organizations.
An expanded scope, beyond critical infrastructure, to help organizations of many sizes and sectors.
Enhanced guidance for privacy risk management and supply chain security.
Updated Categories and Subcategories that better reflect current cybersecurity challenges.

In accordance with the AWS Shared Responsibility Model, the whitepaper provides a detailed mapping of AWS services to the six CSF Core Functions: Govern (New), Identify, Protect, Detect, Respond, and Recover. Organizations can use this whitepaper to understand how AWS services align with NIST CSF 2.0 requirements, implement AWS solutions to help achieve their security objectives, use AWS capabilities for automated security operations, and build resilient architectures that support their cybersecurity strategies.

Security and compliance remain our top priorities at AWS. This updated whitepaper demonstrates our commitment to helping customers align with the latest security frameworks while protecting their data and resources in the AWS Cloud. The whitepaper also includes practical guidance for implementing AWS services and features that support the CSF outcomes, whether you’re just starting your cloud journey or looking to enhance your existing security posture.

To learn more about implementing NIST CSF 2.0 in your organization by using AWS services, contact your AWS account team or download the whitepaper.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Testing and evaluating GuardDuty detections

2025-01-28 Marshall Jones

Post Syndicated from Marshall Jones original https://aws.amazon.com/blogs/security/testing-and-evaluating-guardduty-detections/

Amazon GuardDuty is a threat detection service that continuously monitors, analyzes, and processes Amazon Web Services (AWS) data sources and logs in your AWS environment. GuardDuty uses threat intelligence feeds, such as lists of malicious IP addresses and domains, file hashes, and machine learning (ML) models to identify suspicious and potentially malicious activity in your AWS environment. When GuardDuty identifies a potential security issue, it creates a GuardDuty finding that gives you information about what the potential security issue is, the resources involved, and contextualized information that’s key to remediating the issue. GuardDuty helps you monitor for the latest threats by continually expanding threat detection to emerging and common threats.

Whether you’re new to GuardDuty or are a long-time user, it’s recommended that you understand the different GuardDuty finding types and finding details and practice responding to them as suggested in the security pillar of AWS Well-Architected.

In this blog post, I dive deep into an open source tool for testing GuardDuty findings and then walk through three examples of how you can use this tool to test and improve your response to GuardDuty findings.

Overview

If you want to learn more about GuardDuty, you can read about the finding types in this AWS documentation. However, customers often want realistic findings in their environment to understand what a finding looks like and to practice responding hands on. While you can use GuardDuty to create sample findings in your environment, these findings are approximations populated with placeholder values and look different from real findings. Additionally, you cannot practice remediation with these findings because they’re not tied to actual resources in your account. This can be helpful if you only want to see what details are in a finding, but if you want to practice a real-world scenario, these sample findings might not be adequate.

To address this use case and provide customers with a secure and reliable way to test the threat detection capabilities of GuardDuty, the GuardDuty service team launched an open source project called GuardDuty Tester. The GuardDuty Tester creates infrastructure in your environment to simulate different security issues so that you can test GuardDuty findings that mirror actual security issues that you might encounter, such as crypto mining or a reverse shell being created on an Amazon Elastic Compute Cloud (Amazon EC2) instance. The GuardDuty Tester was originally released in 2018 as an AWS CloudFormation template and was focused more on testing investigation workflows than on a wide range of finding types. AWS has since released an updated version that uses the AWS Cloud Development Kit (AWS CDK) to make the infrastructure code easier to read and expanded the test coverage to over 100 unique finding types and resource combinations.

The ability to create findings across different resource types such as Amazon EC2, Amazon Simple Storage Service (Amazon S3), and Amazon Elastic Kubernetes Service (Amazon EKS) is a valuable resource for your security team, allowing them to simulate various types of threats with isolated infrastructure so that you don’t need to compromise your deployed workloads to improve response actions and techniques. Remember that the GuardDuty Tester doesn’t cover every possible scenario, but is instead focused on threat intelligence and rules-based findings. Anomaly-based findings, which require learning about how you operate your environment, aren’t included in the GuardDuty Tester.

Getting started with the GuardDuty Tester

The GuardDuty Tester is deployed by using the AWS CDK to create the required infrastructure and scripts to generate the GuardDuty findings. For safety, AWS recommends that you deploy the GuardDuty Tester in a nonproduction environment in an account that’s used specifically for this purpose. This way, your security team can differentiate between test GuardDuty findings and findings for other workloads that they’re monitoring.

In this post, I won’t walk through configuring the GuardDuty Tester because this is already documented in the GuardDuty documentation. Instead, I will go over what you need to know about the GuardDuty Tester and some of the benefits.

Figure 1 shows the GuardDuty Tester architecture, which includes the resources necessary to create GuardDuty findings for various protection plans such as Amazon S3 buckets, Amazon EC2 instances, and an Amazon EKS cluster. The tester also deploys a dedicated GuardDuty Tester instance where you will run the scripts needed to create the GuardDuty findings.

Figure 1: GuardDuty Tester architecture

The GuardDuty Tester provides key features including:

A wide range of threat scenario simulations: Resources that the GuardDuty Tester can create findings for include Amazon S3, AWS Identity and Access Management (IAM), Amazon Elastic Container Service (Amazon ECS) for both Amazon EC2 and AWS Fargate hosted workloads, Amazon EKS, and AWS Lambda and covers over 105 threat scenarios. This includes GuardDuty runtime monitoring as well as other GuardDuty protection plans.
Access through AWS Systems Manager: The GuardDuty Tester provides secure access by using Systems Manager to minimize open ports to the internet and allowing access only through Systems Manager.
Modular scripts: With an expanded library of tests available, the GuardDuty Tester accepts user parameters to set the scope of the tests to run, which gives you greater flexibility for different testing scenarios.

Setting up the GuardDuty Tester environment is straightforward and requires only a few commands. As outlined in the documentation and the README file in the repository, there are a number of prerequisites to set up the stack. These prerequisites include Python 3+, git, the AWS Command Line Interface (AWS CLI), AWS Systems Manager Session Manager plugin, npm, Docker, and a subscription to Kali Linux image for Amazon EC2. You will have to subscribe to the Kali Linux instance in AWS Marketplace, but will be charged for the instance only while the GuardDuty Tester is deployed. After these prerequisites are met, you can clone the repository, install the packages, and deploy the GuardDuty Tester to your AWS account.

Deploying the GuardDuty Tester can take 20–30 minutes, but if you’re following along with this post, I assume that you have deployed the GuardDuty Tester into your environment and have started your Systems Manager session as stated on Part A of Step 3 – Run tester scripts in the GuardDuty documentation. Now, I will dive into the first testing example.

Manual investigation

The first test use case is about getting familiar with what GuardDuty findings look like and the details that a finding gives you. This might be one of your first steps after turning on GuardDuty, or this might be an activity that you perform to help new team members understand GuardDuty findings.

To start a manual investigation:

Run the following command in your Systems Manager session to view the GuardDuty Tester options.
```
Python3 guardduty_tester.py --help
```
Run the following command in your Systems Manager session to create the first test finding.
```
Python3 guardduty_tester.py - -ec2 - -runtime only - -tactics impact
```
Before creating the findings, the GuardDuty Tester prompts you to confirm that it’s allowed to change GuardDuty settings in the environment. For example, if you’ve chosen to create findings related to the GuardDuty runtime monitoring feature but don’t have this feature enabled, the GuardDuty Tester will enable it for the tests and then disable it after testing is complete.

Note: This will start the 30-day trial of the enabled features in this account, in this AWS Region, even if the feature is disabled after testing is complete. More information about GuardDuty pricing and free trials can be found on the GuardDuty pricing page.
After choosing y which indicates “yes”, the GuardDuty Tester reports the number of domain reputation findings it’s expecting. Figure 2 shows an example of the expected findings. You can learn more about domain reputation findings in the GuardDuty finding documentation.

Figure 2: Generated GuardDuty findings in the console
After the GuardDuty Tester is finished, wait a few minutes and then go to the AWS Management Console for GuardDuty to see the findings. In this example, there are four new GuardDuty findings as expected from step 4 and shown in Figure 3. With the findings generated, you can start your manual investigation.

Figure 3: GuardDuty finding details

In the preceding figure, you can see some of the finding details presented—such as the action type and the process information—that can help you quickly identify what trigger started the suspicious communication. From here, I encourage you to use this finding to practice your runbooks for investigation and response. For example, you might start with validating and triaging the finding before moving into evidence collection and remediation. If you don’t have incident response runbooks already built, you can use this finding as an example to get started. There are multiple open source examples such as AWS incident response playbooks and AWS customer response playbook. A runbook will help your team evaluate the information provided in the GuardDuty finding and understand what else they need to know about your specific environment to properly respond to the finding. For example, in the finding, you will have resource and actor information but not things such as who is the account owner or point of contact for security for that account.

Creating alerts

The next use case highlights how to create alerts based on GuardDuty findings. When setting up alerting automation with tools such as Amazon Simple Notification Service (Amazon SNS) and Slack, you should create a finding using the GuardDuty Tester to test that you’ve configured your alert correctly. See Creating custom responses to GuardDuty findings for information about creating alerts with either of these tools. Figure 4 shows a sample EventBridge rule that will send GuardDuty findings to SNS.

Figure 4: EventBridge rule to send GuardDuty findings to SNS

For this post, I assume that you’ve already configured an Amazon EventBridge rule and Amazon SNS alert.

To test alerts:

Run the following command in your Systems Manager session to create a privileged container finding.
```
Python3 guardduty_tester.py - -finding ‘PrivilegedEscalation:Kubernetes/PrivilegedContainer’
```
Shortly after creating this finding, you should see an SNS alert based on the finding type.

Figure 5: SNS notification from a GuardDuty finding

If you’ve configured the alert correctly, you will see an email similar to Figure 5. The email demonstrates that SNS notifications were successfully configured and tested using the GuardDuty Tester. If this is a new finding, you will receive this SNS notification shortly after the GuardDuty Tester generates the finding, but if this is an updated finding, then the timing will be based on the notification frequency configured in the account.

There are many ways that customers consume GuardDuty findings in their environments. Whether you’re using Amazon SNS or another mechanism such as a chat application, ticketing system, or a security information and event management (SIEM) solution, you can use this example of an EventBridge rule and the GuardDuty Tester to test out your notification pipeline.

Automated response

For the third use case, I show you how to create an automated action based on a GuardDuty finding. In this example, I create a finding based on an EC2 instance connecting to a Bitcoin mining domain, then based on this finding, I use Lambda to tag the instance to assist with identification during that investigation steps that follow. Although this is a simple example, it shows you what you can do by combining EventBridge rules and Lambda functions. If you want to create an automated response for GuardDuty runtime monitoring findings that requires making a host-level modification, you can use EventBridge rules with AWS Systems Manager Run Command to run commands locally on a host to remediate a security issue.

Start by creating a Lambda function that will take a GuardDuty event delivered by EventBridge, pull out the instance ID information, and then use that as a parameter in the create_tags API call. See the following example code.

import json
import boto3
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

def lambda_handler(event, context):
    try:
        # Extract the necessary information from the GuardDuty finding
        instance_id = event['detail']['resource']['instanceDetails']['instanceId']
        account_id = event['detail']['accountId']
        region = event['detail']['region']

        # Create an EC2 client
        ec2 = boto3.client('ec2', region_name=region)

        # Add the "infected" and "cryptomining" tag value pair to the instance
        ec2.create_tags(
            Resources=[instance_id],
            Tags=[
                {
                    'Key': 'infected',
                    'Value': 'cryptomining'
                }
            ]
        )

        logger.info(f"Tagged instance {instance_id} with 'infected=cryptomining' in account {account_id} and region {region}")
        return {
            'statusCode': 200,
            'body': 'Instance tagged successfully'
        }
    except Exception as e:
        logger.error(f"Error tagging instance {instance_id}: {str(e)}")
        return {
            'statusCode': 500,
            'body': f"Error tagging instance: {str(e)}"
        }

Next, I create an EventBridge rule specific to the Bitcoin mining finding that I want to test, shown in Figure 6. The target is the Lambda function that I just created.

Figure 6: EventBridge rule for crypto mining GuardDuty finding

Now that the EventBridge rule is in place with the Lambda function as the target, I can use the GuardDuty Tester to trigger a Bitcoin mining finding and test my solution with the following command.

Python3 guardduty_tester.py - - finding ‘CryptoCurrency:EC2/BitcoinTool.B!DNS’

After the finding is generated, I go to my EC2 instance, where there’s a new instance tag with a key of infected and a value of cryptomining, shown in Figure 7.

Figure 7: Updated tags after automated response

Although this is a general example, you can use the same approach across various actions that you might take in response to a GuardDuty finding and then test them using the GuardDuty Tester. Examples include using Lambda to add logic in AWS WAF, a network access control list (network ACL), or AWS Network Firewall to block suspicious traffic, or use Systems Manager Run Command to end a malicious process that’s running on a host.

Conclusion

The updated GuardDuty Tester represents a significant advancement in helping organizations validate and gain confidence in GuardDuty threat detection. The GuardDuty Tester now provides more comprehensive coverage of GuardDuty runtime monitoring and protection plans across various AWS services.

By using the GuardDuty Tester and following the use cases in this post, you can proactively assess your threat detection readiness, identify potential gaps, and implement necessary measures to help you fortify your AWS environments against evolving cyber threats.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Announcing upcoming changes to the AWS Security Token Service global endpoint

2025-01-28 Palak Arora

Post Syndicated from Palak Arora original https://aws.amazon.com/blogs/security/announcing-upcoming-changes-to-the-aws-security-token-service-global-endpoint/

AWS launched AWS Security Token Service (AWS STS) in August 2011 with a single global endpoint (https://sts.amazonaws.com), hosted in the US East (N. Virginia) AWS Region. To reduce dependency on a single Region, STS launched AWS STS Regional endpoints (https://sts.{Region_identifier}.{partition_domain}) in February 2015. These Regional endpoints allow you to use STS in the same Region as your workloads, which improves both performance and reliability.

However, many customers and third-party tools continue to call the STS global endpoint, and as a result, these customers don’t get the benefits of STS Regional endpoints. To help improve the resiliency and performance of your applications, we are making changes to the STS global endpoint, with no action required from customers. These changes will be released in the coming weeks.

In this blog post, we discuss the upcoming changes to the STS global endpoint and their benefits, and provide our recommendation on which STS endpoint to use going forward.

Upcoming changes to the STS global endpoint

The changes being made to the STS global endpoint will help enhance resiliency and improve performance. Today, all the requests to the STS global endpoint are served by the US East (N. Virginia) Region. Starting in early 2025, requests to the STS global endpoint will be automatically served in the same Region as your AWS deployed workloads. For example, if your application calls sts.amazonaws.com from the US West (Oregon) Region, your calls will be served locally in the US West (Oregon) Region instead of being served by the US East (N. Virginia) Region.

With this change, requests to the STS global endpoint will be served locally if your request originated from AWS Regions that are enabled by default.¹ However, requests to the STS global endpoint will continue to be served in US East (N. Virginia) Region if your request originated from opt-in Regions or if you used STS from outside AWS, such as in your on-premises network or data centers.

We will gradually roll out this change to AWS Regions that are enabled by default by mid-2025, starting with the Europe (Stockholm) Region.

We’ve taken the following measures to help avoid disruptions to your existing processes:

AWS CloudTrail logs for requests made to the STS global endpoints will be sent to the US East (N. Virginia) Region. CloudTrail logs for requests handled by STS Regional endpoints will continue to be logged to their respective Region in CloudTrail, even if the requests are served locally.
CloudTrail logs for operations performed by the STS global and Regional endpoints will have the additional fields endpointType and awsServingRegion to clarify which endpoint and Region served the request.
Requests made to the sts.amazonaws.com endpoints will have a value of us-east-1 for the aws:RequestedRegion condition key, regardless of which Region served the request.
Requests handled by the sts.amazonaws.com endpoints will not share a request quota with the Regional STS endpoints.

^{1. In addition, for your requests to be served locally, your DNS request for sts.amazonaws.com must be handled by an Amazon DNS Server in Amazon Virtual Private Cloud (Amazon VPC).}

Our recommendation

We continue to recommend that you use the appropriate STS Regional endpoints whenever possible. If you’re using STS from outside AWS, such as in your on-premises networks or data centers, we recommend you use the STS Regional endpoint that is hosted in the same Region as the AWS resource that you need STS credentials to access. If you’re building in opt-in Regions such as Asia Pacific (Hong Kong) or Asia Pacific (Jakarta), we recommend that you use the STS endpoint from the opt-in Region that is hosting your workload. By following the steps in the blog post How to use Regional AWS STS endpoints, you can identify workloads that are still using the global STS endpoint and get insights into how to reconfigure them when required.

If you have feedback about this blog post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Building a culture of security: AWS partners with the BBC

2025-01-27 Carter Spriggs

Post Syndicated from Carter Spriggs original https://aws.amazon.com/blogs/security/building-a-culture-of-security-aws-partners-with-the-bbc/

Cybersecurity isn’t just about technology—it’s about people. That’s why Amazon Web Services (AWS) partnered with the BBC to explore the human side of cybersecurity in our latest article, The Human Side of Cybersecurity: Building a Culture of Security, available on the BBC website.

In the piece, we spotlight the AWS Security Guardians program and how it helps security enable your business, not slow it down. Through the program, teams are provided tools, resources, and guidance to help address security concerns at every step of development. This enables developers to make the right decisions and embed security deeper in their solutions. Using our approach with their Security Champions initiative, the Commonwealth Bank of Australia shared how the program has helped transform their company culture and give ownership of services and security directly to their teams.

AWS and the Commonwealth Bank sought to understand how they could foster a culture where employees not only understand security, but care about it. They both needed a way to support new technology innovation while reducing security remediation work. This challenge offered both companies an opportunity to try something new with their Security Champions programs, enabling security expertise to be distributed across their respective organizations, which created a scalable solution with measurable results.

Read the full article on the BBC website to discover how AWS and our customers are creating a better environment for our teams, colleagues, customers, and communities.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

2024 C5 Type 2 attestation report available with 179 services in scope

2025-01-27 Tea Jioshvili

Post Syndicated from Tea Jioshvili original https://aws.amazon.com/blogs/security/2024-c5-type-2-attestation-report-available-with-179-services-in-scope/

Amazon Web Services (AWS) is pleased to announce a successful completion of the 2024 Cloud Computing Compliance Controls Catalogue (C5) attestation cycle with 179 services in scope. This alignment with C5 requirements demonstrates our ongoing commitment to adhere to the heightened expectations for cloud service providers. AWS customers in Germany and across Europe can run their applications in the AWS Regions that are in scope of the C5 report with the assurance that AWS aligns with C5 criteria.

The C5 attestation scheme is backed by the German government and was introduced by the Federal Office for Information Security (BSI) in 2016. AWS has adhered to the C5 requirements since their inception. C5 helps organizations demonstrate operational security against common cybersecurity threats when using cloud services.

Independent third-party auditors evaluated AWS for the period of October 1, 2023, through September 30, 2024. The C5 report illustrates the compliance status of AWS for both the basic and additional criteria of C5. Customers can download the C5 report through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.

AWS has added the following 10 services to the current C5 scope:

The following AWS Regions are in scope of the 2024 C5 attestation: Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Stockholm), Europe (Spain), Europe (Zurich), and Asia Pacific (Singapore). For up-to-date information, see the C5 page of our AWS Services in Scope by Compliance Program.

AWS strives to continuously bring services into the scope of its compliance programs to help you meet your architectural and regulatory needs. If you have questions or feedback about C5 compliance, reach out to your AWS account team.

To learn more about our compliance and security programs, see AWS Compliance Programs. As always, we value your feedback and questions; reach out to the AWS Compliance team through the Contact Us page.

If you have feedback about this post, submit comments in the Comments section below.

AWS Weekly roundup: EventBridge, SNS FIFO, Amazon Corretto, Amazon Connect, Amazon Bedrock, and more

2025-01-27 Sébastien Stormacq

Post Syndicated from Sébastien Stormacq original https://aws.amazon.com/blogs/aws/aws-weekly-roundup-eventbridge-sns-fifo-amazon-corretto-amazon-connect-amazon-bedrock-and-more/

I counted about 40 new launches from AWS since last week – back to our normal rhythm of releases. Services teams are listening to your feedback and developing little (or big) changes that makes your life easier when working with our services. The ability to support multiple sessions in the AWS Console is my favorite one so far in 2025.

But our teams didn’t stop there, let’s look at the last week’s new announcements.

Last week’s launches

Beside the usual Regional expansion (new capabilities that are now available in a new Region), here are the launches that got my attention.

Amazon EventBridge announces direct delivery to cross-account targets – Amazon EventBridge is now able to deliver events to targets in another AWS account directly without having to send them to the default bus in the target account first. This will simplify so many architectures out there! It supports any target that supports resource-based policies, including AWS Lambda, Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), Amazon Kinesis, and Amazon API Gateway.

Amazon Corretto quaterly update – We announced quarterly security and critical updates for Amazon Corretto Long-Term Supported (LTS) and Feature Release (FR) versions of OpenJDK. Corretto 23.0.2, 21.0.6, 17.0.14, 11.0.26, 8u442 are now available for download. Amazon Corretto is a no-cost, multi-platform, production-ready distribution of OpenJDK. You can download the updates from the Corretto home page or just type apt-get or yum update.

High-throughput mode for Amazon SNS FIFO Topics – Amazon SNS now supports high-throughput mode for SNS FIFO topics, with default throughput matching SNS standard topics across all Regions. When you enable high-throughput mode, SNS FIFO topics will maintain order within message group, while reducing the deduplication scope to the message-group level. With this change, you can leverage up to 30K messages per second (MPS) per account by default in US East (N. Virginia) Region, and 9K MPS per account in US West (Oregon) and Europe (Ireland) Regions, and request quota increases for additional throughput in any Region.

Amazon Connect agent workspace now supports audio optimization for Citrix and Amazon WorkSpaces virtual desktops – Amazon Connect agent workspace now supports the ability to redirect audio from Citrix and Amazon WorkSpaces Virtual Desktop Infrastructure (VDI) environments to a customer service agent’s local device. Audio redirection improves voice quality and reduces latency for voice calls handled on virtual desktops, providing a better experience for both end customers and agents.

Amazon Redshift announces support for History Mode for zero-ETL integrations – This new capability enables you to build Type 2 Slowly Changing Dimension (SCD 2) tables on your historical data from databases, out-of-the-box in Amazon Redshift, without writing any code. History mode simplifies the process of tracking and analyzing historical data changes, allowing you to gain valuable insights from your data’s evolution over time.

Finally, Amazon Bedrock has its own set of announcements. First, for anyone investing in retrieval-augmented generation, Bedrock now support multimodal content with Cohere Embed 3 Multilingual and Embed 3 English models. This enables you to create embeddings to not only index text, but also images.

Second, read Luma AI’s Ray2 visual AI model now available in Amazon Bedrock. Luma Ray2 is a large-scale video-generation model capable of creating realistic visuals with fluid, natural movement. With Luma Ray2 in Amazon Bedrock, you can generate production-ready video clips with seamless animations, ultrarealistic details, and logical event sequences with natural language prompts, removing the need for technical prompt engineering. Ray2 currently supports 5- and 9-second video generations with 540p and 720p resolution.

And finally, Amazon Bedrock Flows announces preview of multi-turn conversation support. Amazon Bedrock Flows enables you to link foundation models (FMs), Amazon Bedrock Prompts, Amazon Bedrock Agents, Amazon Bedrock Knowledge Bases, Amazon Bedrock Guardrails and other AWS services together to build and scale pre-defined generative AI workflows. This week, the team announced preview of multi-turn conversation support for agent nodes in Flows. This capability enables dynamic, back-and-forth conversations between users and flows, similar to a natural dialogue.

For a full list of AWS announcements, be sure to keep an eye on the What’s New at AWS page.

Other AWS events
Check your calendar and sign up for upcoming AWS events.

AWS Summits season is starting! I’m already working with the local team to prepare content for the Summits in Paris and London. Summits are free online and in-person events that bring the cloud computing community together to connect, collaborate, and learn about AWS. Stay updated by visiting the official AWS Summit website and sign up for notifications to learn when registration opens for events in your area.

AWS GenAI Lofts are collaborative spaces and immersive experiences that showcase AWS expertise in cloud computing and AI. They provide startups and developers with hands-on access to AI products and services, exclusive sessions with industry leaders, and valuable networking opportunities with investors and peers. Find a GenAI Loft location near you, and don’t forget to register.

Browse all upcoming AWS led in-person and virtual events here.

That’s all for this week. Check back next Monday for another Weekly Roundup!

— seb

This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS!

Luma AI’s Ray2 video model is now available in Amazon Bedrock

2025-01-23 Channy Yun (윤석찬)

Post Syndicated from Channy Yun (윤석찬) original https://aws.amazon.com/blogs/aws/luma-ai-ray-2-video-model-is-now-available-in-amazon-bedrock/

As we preannounced at AWS re:Invent 2024, you can now use Luma AI Ray2 video model in Amazon Bedrock to generate high-quality video clips from text, creating captivating motion graphics from static concepts. AWS is the first and only cloud provider to offer fully managed models from Luma AI.

On January 16, 2025, Luma AI introduced Luma Ray2, the large–scale video generative model capable of creating realistic visuals with natural, coherent motion with strong understanding of text instructions. Luma Ray2 exhibits advanced capabilities as a result of being trained on Luma’s new multi-modal architecture. It scales to ten times compute of Ray1, enabling it to produce 5 second or 9 second video clips that show fast coherent motion, ultra-realistic details, and logical event sequences with 540p and 720p resolution.

With Luma Ray2 in Amazon Bedrock, you can add high-quality, realistic, production-ready videos generated from text in your generative AI application through a single API. Luma Ray2 video model understands the interactions between people, animals, and objects, and you can create consistent and physically accurate characters through state-of-the-art natural language instruction understanding and reasoning.

You can use Ray2 video generations for content creation, entertainment, advertising, and media use cases, streamlining the creative process, from concept to execution. You can generate smooth, cinematic, and lifelike camera movements that match the intended emotion of the scene. You can rapidly experiment with different camera angles and styles and deliver creative outputs for architecture, fashion, film, graphic design, and music.

Let’s take a look at the impressive video generations by Luma Ray2 that Luma has published.

Get started with Luma Ray2 model in Amazon Bedrock
Before getting started, if you are new to using Luma models, go to the Amazon Bedrock console and choose Model access on the bottom left pane. To access the latest Luma AI models, request access for Luma Ray2 in Luma AI.

To test the Luma AI model in Amazon Bedrock, choose Image/Video under Playgrounds in the left menu pane. Choose Select model, then select Luma AI as the category and Ray as the model.

For video generation models, you should have an Amazon Simple Storage Service (Amazon S3) bucket to store all generated videos. This bucket will be created in your AWS account, and Amazon Bedrock will have read and write permissions for it. Choose Confirm to create a bucket and generate a video.

I will generate a 5-second video with 720P and 24 frames per second with 16:9 aspect ratio for my prompt.

Here is an example prompt and generated video. You can download it stored in the S3 bucket.
a humpback whale swimming through space particles

Here are another featured examples to demonstrate Ray2 model.

Prompt 1: A miniature baby cat is walking and exploring on the surface of a fingertip

Prompt 2: A massive orb of water floating in a backlit forest

Prompt 3: A man plays saxophone by @ziguratt

Prompt 4: Macro closeup of a bee pollinating

To check out more examples and generated videos, visit the Luma Ray2 page.

By choosing View API request in the Bedrock console, you can also access the model using code examples in the AWS Command Line Interface (AWS CLI) and AWS SDKs. You can use luma.ray-v2:0 as the model ID.

Here is a sample of the AWS CLI command:

aws bedrock-runtime invoke-model \
    --model-id luma.ray-v2:0 \
    --region us-west-2 \
    --body "{\"modelInput\":{\"taskType\":\"TEXT_VIDEO\",\"textToVideoParams\":{\"text\":\"a humpback whale swimming through space particles\"},\"videoGenerationConfig\":{\"seconds\":6,\"fps\":24,\"dimension\":\"1280x720\"}},\"outputDataConfig\":{\"s3OutputDataConfig\":{\"s3Uri\":\"s3://your-bucket-name\"}}}"
     invoke-model-output.txt

You can use Converse API examples to generate videos using AWS SDKs to build your applications using various programming languages.

Now available
Luma Ray2 video model is generally available today in Amazon Bedrock in the US West (Oregon) AWS Region. Check the full Region list for future updates. To learn more, check out the Luma AI in Amazon Bedrock product page and the Amazon Bedrock Pricing page.

Give Luma Ray2 a try in the Amazon Bedrock console today, and send feedback to AWS re:Post for Amazon Bedrock or through your usual AWS Support contacts.

— Channy

CCN releases guide for Spain’s ENS landing zones using Landing Zone Accelerator on AWS

2025-01-23 Tomás Clemente Sánchez

Post Syndicated from Tomás Clemente Sánchez original https://aws.amazon.com/blogs/security/ccn-releases-guide-for-spains-ens-landing-zones-using-landing-zone-accelerator-on-aws/

Spanish version »

The Spanish National Cryptologic Center (CCN) has published a new STIC guide (CCN-STIC-887 Anexo A) that provides a comprehensive template and supporting artifacts for implementing landing zones that comply with Spain’s National Security Framework (ENS) Royal Decree 311/2022 using the Landing Zone Accelerator on AWS. Spain’s ENS establishes a common framework of basic principles and requirements of security for Spanish public sector organizations and their service providers, including supply chain providers. Over the years, the collaboration between Amazon Web Services (AWS) and the CCN has resulted in the publication of eight secure configuration guides (Series STIC 887) that provide comprehensive advice on the configuration of AWS services to align with the ENS. The guide CCN-STIC-887 Anexo A is the last addition to this series.

The centerpiece of this new guide is the ENS template for the Landing Zone Accelerator on AWS (LZA ENS). A landing zone serves as the initial setup of an organization’s cloud account or environment, including the implementation of security controls, access management, and compliance frameworks. The Landing Zone Accelerator on AWS is a powerful open source tool created by AWS for organizations that want to quickly customize and automate implementation of landing zones that align with AWS best practices and with regulatory compliance frameworks. This tool provides a comprehensive solution that, managed entirely by code, automatically configures over 35 AWS services using a simplified set of configuration files to manage and govern a multi-account environment, helping customers with highly regulated workloads and complex compliance requirements.

The CCN-STIC-887 Anexo A guide focuses on helping organizations implement landing zones that meet ENS security requirements from the ground up. It offers detailed instructions and templates for establishing a landing zone—the foundational infrastructure required for a secure, well-managed cloud environment—and a control matrix to demonstrate compliance with ENS controls.

Key components covered in the STIC 887H guide include:

Logging and monitoring: LZA ENS performs a default and scaled activation of the necessary logging and monitoring services required to meet ENS monitoring requirements in AWS services (such as AWS CloudTrail, Amazon CloudWatch, AWS Security Hub, and Amazon GuardDuty).
Access control: LZA ENS implements the management of identity and access management methods and policies at scale, which are aligned with the access control requirements of the ENS in a centralized manner using AWS IAM Identity Center.
Asset management: By default, LZA ENS activates inventory functions and resource and inventory tagging policies (for example, AWS Config) that support ENS asset management controls in the services.
Network topology: LZA ENS can be used to deploy a centralized network topology in accordance with ENS network security controls.
Cryptography: The encryption service activation capabilities built into LZA ENS can help organizations align with ENS data protection standards through mandatory encryption at rest, enforcement mechanisms with AWS Key Management Service (AWS KMS), and monitoring mechanisms to detect unencrypted data and communications with AWS Config rules.
Compliance and data residency: LZA ENS includes control policies to promote the use of AWS services with the ENS High certification and to provide processing on AWS in accordance with customers’ data residency requirements.

Organizations that require specific customizations to fully meet the requirements of the ENS can use LZA ENS to quickly modify and add customized security controls and then execute the scaled deployment of these controls to their accounts in the landing zone. One of the customizations included in LZA ENS is the integration of the open source security tool Prowler with Security Hub as an automated auditing tool with the objective of providing an up-to-date view of compliance with ENS controls. In addition, by providing a base designed for security and the flexibility to add custom controls, LZA ENS can support the process of achieving and maintaining compliance with the ENS in the AWS Cloud environment.

The CCN-STIC-887 Anexo A guide represents an important step forward in standardizing secure cloud deployments for Spanish public sector organizations and those working with government entities. This publication demonstrates the AWS commitment to support organizations in their secure cloud adoption journey while maintaining compliance with national security standards.

Spanish version

CCN publica la guía para las Zonas de Aterrizaje del ENS con AWS Landing Zone Accelerator

El Centro Criptológico Nacional de España (CCN) ha publicado una nueva guía STIC (CCN-STIC-887 Anexo A) que proporciona una plantilla de código y material de soporte para implementar zonas de aterrizaje (o landing zones) que cumplan con el Esquema Nacional de Seguridad del Real Decreto 311/2022 (ENS) mediante el Landing Zone Accelerator on AWS. El ENS establece un marco común de principios básicos, requisitos y medidas de seguridad para las organizaciones del sector público español y sus prestadores de servicios, incluyendo la cadena de suministro. A lo largo de los años, la colaboración entre Amazon Web Services (AWS) y el CCN se ha traducido en la publicación de ocho guías de configuración segura (serie STIC 887) que proporcionan consejo sobre la configuración de los servicios de AWS para alinearse con el ENS. La guía CCN-STIC-887 Anexo A es la última incorporación a esta serie.

La pieza central de la nueva guía es la plantilla ENS para el AWS Landing Zone Accelerator (LZA ENS). Una zona de aterrizaje (landing zone) sirve como la configuración inicial del entorno en la nube de una organización, e incluye la implementación inicial de controles de seguridad, la administración del acceso y los marcos de cumplimiento. El AWS Landing Zone Accelerator es una potente herramienta de código abierto creada por AWS para las organizaciones que desean implementar de forma rápida, segura, personalizada y automatizada zonas de aterrizaje alineadas con las prácticas recomendadas de AWS, así como con marcos de conformidad. Esta herramienta proporciona una solución integral que, mediante código, configura automáticamente más de 35 servicios de AWS con un conjunto simplificado de archivos de configuración para administrar y gobernar un entorno multicuenta, lo que ayuda a los clientes con cargas de trabajo altamente reguladas y requisitos de cumplimiento normativo.

La guía CCN-STIC-887 Anexo A se centra específicamente en ayudar a las organizaciones a implementar desde cero zonas de aterrizaje que cumplan con los requisitos de seguridad del ENS. Ofrece instrucciones y plantillas detalladas para establecer una zona de aterrizaje – la infraestructura básica necesaria para un entorno de nube seguro y bien administrado – así como una matriz de control para demostrar el cumplimiento de los controles del ENS.

Los componentes clave incluidos en la guía STIC 887H incluyen:

Registro y monitoreo: LZA ENS realiza una activación por defecto y a escala de los servicios de registro y monitoreo necesarios en AWS (como AWS CloudTrail, Amazon CloudWatch, AWS Security Hub, y AWS GuardDuty) para cumplir con los requisitos de monitoreo del ENS.
Control de acceso: LZA ENS implementa los métodos y políticas de administración de identidades y accesos a escala, que se alinean con los requisitos de control de acceso del ENS de manera centralizada mediante AWS IAM Identity Center..
Administración de activos: De forma predeterminada, el LZA ENS activa las funciones de inventario y las políticas de etiquetado de recursos e inventario (por ejemplo AWS Config) que soportan los controles de administración de activos del ENS.
Topología de red: LZA ENS se puede utilizar para implementar una topología de red centralizada de acuerdo con los controles de seguridad de red ENS.
Criptografía: las capacidades de activación de cifrado integradas en la LZA ayudan a organizaciones a alinearse con los estándares de protección de datos del ENS mediante el cifrado obligatorio en reposo, los mecanismos de aplicación con AWS Key Management Service (AWS KMS) y los mecanismos de supervisión para detectar datos y comunicaciones no cifrados con las reglas de AWS Config.
Cumplimiento y residencia de datos: LZA ENS incluye políticas de control para promover el uso de los servicios de AWS con la certificación del ENS Alto y realizar el procesamiento en AWS de acuerdo con los requisitos de residencia de datos del cliente.

Las organizaciones que requieren personalizaciones específicas para cumplir plenamente los requisitos del ENS pueden usar el LZA ENS para modificar rápidamente y añadir fácilmente controles de seguridad personalizados y ejecutar la implementación a escala de estos controles en sus cuentas de la zona de aterrizaje. Una de las personalizaciones que hemos incluido en el LZA ENS es la integración de Prowler con AWS Security Hub como una herramienta de auditoría automatizada, con el objetivo de proporcionar una visión actualizada del cumplimiento de los controles ENS de una manera fácil y eficaz. Además, al proporcionar una base diseñada para la seguridad y la flexibilidad de agregar controles personalizados, LZA ENS puede ayudar durante el proceso de obtener la conformidad con el ENS en el entorno de nube de AWS.

La guía CCN-STIC-887 Anexo A representa un importante paso adelante en la estandarización de las implementaciones seguras en la nube para las organizaciones del sector público español. Esta publicación demuestra el compromiso de AWS de apoyar a las organizaciones en su proceso de adopción segura de la nube, manteniendo al mismo tiempo el cumplimiento de las normas de seguridad nacionales.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

AWS Weekly Roundup: New AWS Mexico (Central) Region, simultaneous sign-in for multiple AWS accounts, and more (January 20, 2025)

2025-01-20 Esra Kayabali

Post Syndicated from Esra Kayabali original https://aws.amazon.com/blogs/aws/aws-weekly-roundup-new-aws-mexico-central-region-simultaneous-sign-in-for-multiple-aws-accounts-and-more-january-20-2025/

As winter maintains its hold over where I live in the Netherlands, rare moments of sunlight become precious gifts. This weekend offered one such treasure—while cycling along a quiet canal, golden rays broke through the typically gray Dutch sky, creating a perfect moment of serenity. These glimpses of brightness feel particularly special during January, when daylight can be scarce in our corner of Europe. As we move deeper into 2025, the third week of the new year brings both reflection and forward momentum. While global conversations swirl around technological advancements, it’s these small, personal moments that remind us to pause and appreciate the simple pleasures among our rapidly evolving world.

Let’s look at the last week’s new announcements.

Last week’s launches
Here are the launches that got my attention.

AWS Mexico (Central) Region – In February 2024, we announced plans to expand infrastructure in Mexico, and we’ve now launched the AWS Mexico (Central) Region with three Availability Zones and API code mx-central-1. This marks the first AWS infrastructure Region in Mexico and adds to our growing presence in Latin America. The new Region provides you with local workload management, data storage capabilities, enhanced performance with lower latency, and robust security standards. It features advanced cloud technologies, including cutting-edge artificial intelligence and machine learning (AI/ML) capabilities with purpose-built processors, comprehensive security capabilities with support for 143 security standards and compliance certifications. With this launch, AWS now spans 114 Availability Zones within 36 geographic Regions.

AWS Management Console now supports simultaneous sign-in for multiple AWS accounts – Using multi-session capability in the AWS Management Console, you can now sign-in to multiple AWS accounts and manage your resources in a single browser. You can sign in to up to 5 sessions and this can be any combination of root, AWS Identity and Access Management (IAM), or federated roles in different accounts or in the same account. You can scale your applications using multiple accounts following AWS best-practice guidelines. You can use accounts for different environments, such as development, testing, and production, and compare resource configurations and status across multiple accounts for troubleshooting application issues and other application related jobs.

Introducing new larger sizes on Amazon EC2 Flex instances – We’re announcing the general availability of two new larger sizes (12xlarge and 16xlarge) on Amazon Elastic Compute Cloud (Amazon EC2) Flex (C7i-flex and M7i-flex) instances. The new sizes expand the EC2 Flex portfolio, providing additional compute options to scale up existing workloads or run larger-sized applications that need additional memory. These instances are powered by custom 4th Gen Intel Xeon Scalable processors, which are available only on AWS, and offer up to 15% better performance over comparable x86-based Intel processors used by other cloud providers. Flex instances are the easiest way to get price performance benefits and lower prices for a majority of compute-intensive and general-purpose workloads. They deliver up to 19% better price performance than comparable previous generation instances and are a great first choice for applications that don’t fully utilize the compute resources. Flex instances are ideal for web and application servers, batch processing, enterprise applications, databases, and more. For compute-intensive and general-purpose workloads that need even larger instance sizes (up to 192 vCPUs and 768 GiB memory) or continuous high CPU usage, you can use Amazon EC2 C7i and M7i instances.

Announcing AWS User Notifications general availability on AWS CloudFormation – You can use AWS User Notifications to configure notifications to be sent using the AWS Management Console Notifications Center, email, AWS Chatbot, or mobile push notifications to the AWS Console Mobile App to keep you informed about important events such as Amazon CloudWatch alarms. With this capability, you can define notification configurations as part of your infrastructure-as-code (IaC) practices and specify notification configurations for specific resource types within your AWS CloudFormation templates. For example, you can set up notifications to trigger when an Amazon EC2 Auto Scaling group scales out, an Elastic Load Balancing (ELB) load balancer is provisioned, or an Amazon Relational Database Service (Amazon RDS) database is modified. You have granular control over which events will trigger notifications and who should receive them.

For a full list of AWS announcements, be sure to keep an eye on the What’s New at AWS page.

We launched existing services and instance types in additional Regions:

Amazon EC2 M8g instances are now available in AWS Europe (Stockholm) – These instances offer larger instance sizes with up to three times more vCPUs and memory compared to Graviton3 based Amazon M7g instances. AWS Graviton4 processors are up to 40% faster for databases, 30% faster for web applications, and 45% faster for large Java applications than AWS Graviton3 processors.
AWS announces new AWS Direct Connect location and expansion in Querétaro, Mexico – The Direct Connect service helps you establish a private, physical network connection between AWS and your data center, office, or colocation environment. These private connections can provide a more consistent network experience than those made over the public internet.
Amazon EC2 C7i-flex instances are now available in AWS GovCloud (US-West) Region – These instances expand the EC2 Flex instances portfolio to provide the easiest way for you to get price performance benefits for a majority of compute intensive workloads.
AWS Backup now supports organization-wide reports in AWS GovCloud (US) Regions – You can use AWS Backup Audit Manager to generate aggregated cross-account and cross-Region reports on your data protection policies and retrieve operational data about your backup and recovery activities.
Amazon OpenSearch Serverless is now available in Asia Pacific (Hong Kong) Region – OpenSearch Serverless is a serverless deployment option for Amazon OpenSearch Service that makes it simple to run search and analytics workloads without the complexities of infrastructure management.
AWS Backup is now available in Asia Pacific (Thailand) Region – Using AWS Backup, you can centrally create and manage backups of your application data, protect your data from inadvertent or malicious actions with immutable recovery points and vaults, and restore your data in the event of a data loss incident.
Amazon GuardDuty is now available in Asia Pacific (Malaysia) Region – You can now use this additional Region to continually monitor and detect anomalous behavior, security threats, and sophisticated multistage attack sequences targeting your AWS accounts to help protect your AWS accounts, workloads, and data.
Amazon EC2 R8g instances are now available in additional Regions – Amazon EC2 R8g instances are ideal for memory-intensive workloads such as databases, in-memory caches, and real-time big data analytics.
Amazon EC2 I8g instances are now available in Europe (Frankfurt) Region – I8g instances offer the best performance in Amazon EC2 for storage-intensive workloads.
Amazon S3 Tables are now available in five additional AWS Regions – Amazon S3 Tables deliver the first cloud object store with built-in Apache Iceberg support and the easiest way to store tabular data at scale. S3 Tables are specifically optimized for analytics workloads, resulting in up to three times faster query performance through continual table optimization compared to unmanaged Iceberg tables, and up to ten times higher transactions per second compared to Iceberg tables stored in general purpose S3 buckets.

Other AWS events
Check your calendar and sign up for upcoming AWS events.

AWS Summits are free online and in-person events that bring the cloud computing community together to connect, collaborate, and learn about AWS. Stay updated by visiting the official AWS Summit website and sign up for notifications to learn when registration opens for events in your area.

Browse all upcoming AWS led in-person and virtual events here.

That’s all for this week. Check back next Monday for another Weekly Roundup!

— Esra

This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS!

AWS achieves HDS certification for 24 AWS Regions

2025-01-14 Tea Jioshvili

Post Syndicated from Tea Jioshvili original https://aws.amazon.com/blogs/security/aws-achieves-hds-certification-for-24-aws-regions/

Amazon Web Services (AWS) is pleased to announce a successful completion of the Health Data Hosting (Hébergeur de Données de Santé, HDS) certification audit, and renewal of the HDS certification for 24 AWS Regions.

The Agence du Numérique en Santé (ANS), the French governmental agency for health, introduced the HDS certification to strengthen the security and protection of personal health data. By achieving this certification, AWS demonstrates our continuous commitment to adhere to the heightened expectations for cloud service providers.

The following 24 Regions are in scope for this certification:

US East (Ohio)
US East (N. Virginia)
US West (N. California)
US West (Oregon)
Asia Pacific (Hong Kong)
Asia Pacific (Hyderabad)
Asia Pacific (Jakarta)
Asia Pacific (Mumbai)
Asia Pacific (Osaka)
Asia Pacific (Seoul)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Canada (Central)
Europe (Frankfurt)
Europe (Ireland)
Europe (London)
Europe (Milan)
Europe (Paris)
Europe (Stockholm)
Europe (Zurich)
Israel (Tel Aviv)
Middle East (UAE)
South America (São Paulo)

The HDS certification demonstrates that AWS provides a framework for technical and governance measures to secure and protect personal health data according to HDS requirements. Our customers who handle personal health data can continue to manage their workloads in HDS-certified Regions with confidence.

Independent third-party auditors evaluated and certified AWS on January 13^th, 2025. The HDS Certificate of Compliance demonstrating AWS compliance status is available on the Agence du Numérique en Santé (ANS) website and on AWS Artifact. AWS Artifact is a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.

For up-to-date information, see the AWS Compliance Programs page and choose HDS.

AWS strives to continuously meet your architectural and regulatory needs. If you have questions or feedback about HDS compliance, reach out to your AWS account team.

If you have feedback about this post, submit comments in the Comments section below.

Now open — AWS Mexico (Central) Region

2025-01-14 Elizabeth Fuentes

Post Syndicated from Elizabeth Fuentes original https://aws.amazon.com/blogs/aws/now-open-aws-mexico-central-region/

In February 2024, we announced plans to expand Amazon Web Services (AWS) infrastructure in Mexico. Today, I’m excited to announce the general availability of the AWS Mexico (Central) Region with three Availability Zones and API code mx-central-1. This new AWS Region is the first AWS infrastructure Region in Mexico and adds to our growing presence in Latin America.

The AWS Region in Mexico represents a significant commitment to the country’s digital future. AWS is planning to invest more than $5 billion in Mexico over 15 years. This AWS Region will provide customers with advanced and secure cloud technologies, including cutting-edge artificial intelligence (AI) and machine learning (ML) capabilities with purpose-built processors, while supporting Mexico’s growing digital economy. With this effort, AWS will support an average of more than 7,000 full-time equivalent jobs annually in Mexico, adding more than $10 billion to Mexico’s gross domestic product (GDP). AWS has also launched a $300,000 AWS InCommunities Fund in Queretaro to help local groups, schools, and organizations initiate new community projects.

Palacio de Bellas Artes, Mexico City

The AWS Mexico (Central) Region provides organizations in Mexico with a new option to run their workloads and store data locally. Organizations that need data residency capabilities, enhanced performance with lower latency, or robust security standards can now use infrastructure located in Mexico.

AWS in Mexico
AWS has operated infrastructure in Mexico since 2020. The infrastructure includes seven Amazon CloudFront edge locations, AWS Outposts, and strategic offerings such as AWS Local Zones in Queretaro and AWS Direct Connect. These infrastructure offerings help customers run low-latency applications while maintaining secure connectivity.

Performance and Innovation
The AWS Mexico (Central) Region brings AWS infrastructure and services closer to local customers. With this new Region, AWS provides lower latency for customers in Mexico compared to using other AWS Regions. Customers will also be able to use our innovation in purpose-built processors, notably AWS Graviton, that delivers up to 40% better price performance compared to x86-based Amazon EC2 instances across diverse workloads.

This technological advantage extends to our cutting-edge AI and ML capabilities, including:

Advanced ML infrastructure with AWS Trainium and AWS Inferentia for scalable generative AI deployment.
Purpose-built processors optimized for cloud workloads to deliver best price-performance.

Security and Compliance
AWS provides comprehensive security capabilities with support for 143 security standards and compliance certifications, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171. All AWS customers own their data, choose where to store it, and decide if/when to move it. This means customers storing content in the AWS Mexico (Central) Region have the assurance that their content will not leave Mexico, unless they chose to move it.

AWS Customers in Mexico
Leading Mexican organizations are already achieving significant results with AWS. Companies such as Aeroméxico, Banco Santander Mexico, Cinépolis, Grupo Salinas, Kavak, Palace Resorts, and Vector Casa de Bolsa are running mission-critical workloads on AWS. Here are key examples:

BBVA, a leading multinational financial services company, is using AWS to accelerate its data-driven transformation. Using Amazon SageMaker and Amazon Bedrock, BBVA is empowering over 1,000 data scientists to build, train, and deploy machine learning models efficiently. This technology enables BBVA to explore advanced technologies and create innovative financial solutions, supporting their goal of becoming a true data and AI-driven digital organization.

Grupo Multimedios, a leading Mexican media group, is pioneering the use of generative AI, by implementing Amazon Bedrock for their media asset manager (MAM), reducing content research time by 88%, decreasing news generation time by 40%, and increasing content production by 70% (250 additional news items daily). As the fastest-growing media group embracing technological leadership, their AI implementation demonstrates a commitment to innovation while streamlining operations.

Bowhead Health, a digital healthcare company, is revolutionizing cancer research by using Amazon Bedrock to accelerate the research pipeline. The company has built a vast, de-identified dataset that’s ready for analysis without traditional recruitment barriers. Bowhead Health also delivers robust, real-world insights to drive faster breakthroughs in oncology drug development.

SkyAlert, an innovative technology company protecting millions in earthquake-prone areas, transformed its alert system by migrating to AWS in 2018. Before AWS, their system required 20 virtual machines and experienced significant delays during critical moments. Using AWS Lambda, AWS Fargate, and Amazon Pinpoint, they can now scale automatically and deliver messages to users quickly. With the opening of the AWS Mexico (Central) Region, SkyAlert anticipates further improvements to their services with local AWS infrastructure. As Santiago Cantú, Co-Founder of SkyAlert, explains, “The opening of the AWS Region in Mexico is an extremely important event for SkyAlert and for the security of those who trust us. Having local AWS infrastructure will improve our ability to deliver critical alerts, which potentially save lives, even faster and more reliably. This perfectly aligns with our mission to provide the most robust and advanced earthquake early warning system available. The new Region will allow us to take even greater advantage of AWS services, ensuring that we continue to be at the forefront of innovation in disaster preparedness.”

Building Skills Together
AWS has made significant investments in upskilling initiatives in Mexico including:

Training over 500,000 individuals in cloud technology since 2017.
Collaborating with the the Ministry of Economy to train 138,000 people in digital technology as of 2024.
Partnering with universities like Universidad Panamericana and Tec de Monterrey to teach digital skills.
Training programs with Canacintra for 20,000 Small and Medium Businesses (SMB) leaders.

AWS Commitment to Sustainability
Amazon is committed to reaching net-zero carbon across its business by 2040. A recent Accenture study shows that running workloads on AWS is up to 4.1 times more energy-efficient than on-premises environments. When workloads are optimized on AWS, the associated carbon footprint can be lowered by up to 99%. The AWS Mexico (Central) Region incorporates sustainable design practices, using air-cooling technology that eliminates the need for cooling water in operations. With this new Region, customers will also benefit from AWS sustainability efforts across its infrastructure. To learn more about sustainability at AWS, visit the AWS Cloud sustainability page.

Things to know
AWS Community in Mexico – The AWS Community in Mexico is one of the most vibrant in Latin America, with 26+ AWS Community Builders and 15 AWS User Groups. These groups are located in Jalisco, Puebla, Monterrey, Mérida, Mexico City, Mexicali, Cancún, León, Querétaro, San Luis Potosí, Ensenada, Saltillo, Tijuana, and Villahermosa, plus a specialized User Group called Embajadoras cloud (Cloud ambassadors) focused on women’s professional development. Together, these groups comprise 9,000+ total members.

AWS Global footprint – With this launch, AWS now spans 114 Availability Zones within 36 geographic Regions.

Available now – The new AWS Mexico (Central) Region is ready to support your business, and you can find a detailed list of the services available in this Region on the AWS Services by Region page.

To start building in mx-central-1, visit the AWS Global Infrastructure page.

Thanks to David Victoria for the AWS Community México 2024 photo.

— Eli

AWS re:Invent 2024: Security, identity, and compliance recap

2025-01-13 Marshall Jones

Post Syndicated from Marshall Jones original https://aws.amazon.com/blogs/security/aws-reinvent-2024-security-identity-and-compliance-recap/

AWS re:Invent 2024 was held in Las Vegas December 2–6, with over 54,000 attendees participating in more than 2,300 sessions and hands-on labs. The conference was a hub of innovation and learning hosted by AWS for the global cloud computing community.

In this blog post, we cover on-demand sessions and major security, identity, and compliance announcements that were unveiled leading up to and during the conference. Whether you missed the event or want to revisit the key takeaways, we’ve compiled the essential information for you to provide a comprehensive overview of the latest developments in AWS security, identity, and compliance. This year’s event put best practices for zero trust, generative AI–driven security, identity, and access management, DevSecOps, network and infrastructure security, data protection, and threat detection and incident response at the forefront.

Key announcements

For identity and access management, we launched multiple new features that can help you scale permissions management across your AWS Organizations.

Resource control policies (RCPs) – RCPs are a new type of organization policy that can be used to centrally create and enforce preventative controls on AWS resources in your organization. Using RCPs, you can centrally set the maximum available permissions to your AWS resources as you scale your workloads on AWS.
Centrally manage root access – With central management for root access, you now have a capability to centrally manage your root credentials, simplify auditing of credentials, and perform tightly scoped privileged tasks across your AWS member accounts managed using AWS Organizations.
Declarative policies – Declarative policies simplify the way you enforce durable intent, such as baseline configurations for AWS services within your organization.

Amazon Cognito announced four new features:

Feature tiers – Amazon Cognito launched two user pool feature tiers: Essentials and Plus. The Essentials tier offers comprehensive and flexible user authentication and access control features, helping you to implement secure, scalable, and customized sign-up and sign-in experiences. The Plus tier offers threat protection capabilities against suspicious sign-ins for customers who have elevated security needs for their applications.
Developer-focused console – Amazon Cognito now offers a streamlined getting-started experience featuring a quick wizard and use case–specific recommendations. This approach helps you set up configurations and reach your end users faster and more efficiently than ever before.
Managed Login – This feature is a fully managed, hosted sign-in and sign-up experience that you can personalize to align with your company or application branding. Managed Login helps you offload the undifferentiated heavy lifting of designing and maintaining custom implementations such as passwordless authentication and localization.
Passwordless authentication – With passwordless authentication, you can secure user access to your application with passkeys, email, and text messages. If your users choose to use passkeys to sign in, they can do so using a built-in authenticator, such as Touch ID on Apple MacBooks and Windows Hello facial recognition on PCs.

To discover security issues in your environment, Amazon GuardDuty launched Extended Threat Detection, a capability that you can use to identify sophisticated, multi-stage threats targeting your AWS accounts, workloads, and data. You can now use new threat sequence findings that cover multiple resources and data sources over an extensive time period, allowing you to spend less time on first-level analysis and more time responding to critical severity threats to minimize business impact.

Amazon OpenSearch Service now offers a zero-ETL integration with Amazon Security Lake, enabling you to query and analyze security data in-place directly through OpenSearch Service. This integration allows you to efficiently explore voluminous data sources that were previously cost-prohibitive to analyze, helping you streamline security investigations and obtain comprehensive visibility of your security landscape. With the flexibility to selectively ingest data and without the need to manage complex data pipelines, you can now focus on effective security operations while potentially lowering your analytics costs.

AWS Security Incident Response is a new service that helps you respond to security issues in your environment. This new service combines the power of automated monitoring and investigation, accelerated communication and coordination, and direct 24/7 access to the AWS Customer Incident Response Team to quickly prepare for, respond to, and recover from security events.

In the zero trust space, AWS Verified Access AWS Verified Accessand Amazon VPC Lattice both launched support for accessing non-HTTPS resources. Verified Access enables you to provide secure, VPN-less access to your corporate applications over protocols such as TCP, SSH, and RDP. With the launch of VPC Resources for Amazon VPC Lattice, you can now access your application dependencies through a VPC Lattice service network. You’re able to connect to your application dependencies that are hosted in different VPCs, accounts, and on-premises using additional protocols, including TLS, HTTP, HTTPS, and now TCP. Watch the on demand session to learn how you can enable zero trust access over non-HTTP(S) protocols by using AWS Verified Access.

Amazon Route 53 Resolver DNS Firewall launched an advanced firewall rule that has a new set of capabilities that you can use to monitor and block suspicious DNS traffic associated with advanced DNS threats.

Amazon Virtual Private Cloud launched block public access, which is a one-click declarative control that admins can implement centrally to authoritatively block internet traffic for each of their VPCs.

As more and more customers deploy generative AI workloads into production, it’s important to have proper security controls. Amazon Bedrock launched two new features to help with this:

Automated Reasoning checks – Automated Reasoning checks help detect hallucinations and provide a verifiable proof that a large language model response is accurate. With Automated Reasoning checks, domain experts can more straightforwardly build specifications called Automated Reasoning Policies that encapsulate their knowledge in fields such as operational workflows and HR policies. Users of Amazon Bedrock Guardrails can validate generated content against an Automated Reasoning Policy to identify inaccuracies and unstated assumptions, and explain why statements are accurate in a verifiable way.
Multimodal toxicity detection (Preview) – Amazon Bedrock Guardrails now supports multimodal toxicity detection for image content, enabling organizations to apply content filters to images. This capability, now in public preview, removes the heavy lifting required to build your own safeguards for image data or spend cycles with manual evaluation that can be error-prone and tedious.

AWS has continued to work closely with partners to help drive customer success. There were three new partner programs launched at AWS re:Invent:

AI Security category – The AI Security category in the AWS Security competency helps you identify AWS Partners with deep experience securing AI environments and defending AI workloads against advanced threats. Partners in this category are validated for their capabilities in areas such as prevention of sensitive data disclosure, prevention of injection threats, security posture management, and implementing responsible AI filtering.
AWS Security Incident Response Specialization – Today, AWS customers rely on various third-party tools and services to support their internal security incident response capabilities. To better help both customers and partners, AWS introduced AWS Security Incident Response, a new service that helps you prepare for, respond to, and recover from security events. Alongside approved AWS Partners, AWS Security Incident Response monitors, investigates, and escalates triaged security findings from Amazon GuardDuty and other threat detection tools through AWS Security Hub. Security Incident Response is designed to identify and escalate only high-priority incidents.
Amazon Security Lake Ready Specialization – This specialization recognizes AWS Partners who have technically validated their software solutions to integrate with Amazon Security Lake and demonstrated successful customer deployments. These solutions have been technically validated by AWS Partner Solutions Architects for their sound architecture and proven customer success.

Experience content on demand

If you were unable to join us in person or you want to watch a session again, you can view the sessions that are available on demand. Catch the CEO Keynote with Matt Garman to learn how AWS is reinventing foundational building blocks in addition to developing brand-new experiences, all to empower AWS customers and partners with what they need to build a better future. You can also replay additional re:Invent 2024 keynotes.

Watch the Security Innovation Talk, with AWS CISO Chris Betz, to hear how the latest AWS innovations are helping customers move fast and stay secure. Learn how AWS empowers organizations to confidently integrate and automate security into their products, services, and processes so security teams can focus their time on work that brings the highest value to the business. Chris also shares how AWS is helping to make the internet more secure by scaling security innovation and investing in the security community.

Stream any of the AWS security, identity, and compliance breakout sessions and new launch talks on demand to learn about the following key topics, and more:

Consider joining us for more in-person security learning opportunities by saving the date for AWS re:Inforce 2025, which will take place June 16–18 in Philadelphia, Pennsylvania. We look forward to seeing you there!

If you want to discuss how these new announcements can help your organization improve its security posture, AWS is here to help. Contact your AWS account team today.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Security, Identity, & Compliance re:Post or contact AWS Support.

AWS Weekly Roundup: New Asia Pacific Region, DynamoDB updates, Amazon Q developer, and more (January 13, 2025)

2025-01-13 Betty Zheng (郑予彬)

Post Syndicated from Betty Zheng (郑予彬) original https://aws.amazon.com/blogs/aws/aws-weekly-roundup-new-asia-pacific-region-dynamodb-updates-amazon-q-developer-and-more-january-13-2025/

As we move into the second week of 2025, China is celebrating Laba Festival (腊八节), a traditional holiday, which marks the beginning of Chinese New Year preparations. On this day, Chinese people prepare Laba congee, a special porridge combining various grains, dried fruits, and nuts. This

nutritious mixture symbolizes harmony, prosperity, and good fortune — with each ingredient representing the diversity and abundance of life. This traditional practice dates back to when Buddha achieved enlightenment after consuming rice porridge, making it a symbol of both material and spiritual nourishment. The festival, occurring on the eighth day of the twelfth lunar month, marks the countdown to Spring Festival, China’s most significant traditional holiday celebrating family reunion and renewal.

As our global tech community grows, such cultural celebrations remind us of the importance of inclusive innovation and shared progress.

Last week’s launches

Let’s take a look at what Amazon Web Services (AWS) launched in this week.

New AWS Asia Pacific (Thailand) Region– AWS has expanded its global infrastructure with the launch of the new Asia Pacific (Thailand) AWS Region, featuring three Availability Zones. With this addition, customers in Thailand and throughout Southeast Asia can serve customers with reduced latency while maintaining data residency within Thailand. The newly launched Region supports the complete range of AWS services and strengthens our presence in the rapidly growing ASEAN market.

New AWS Direct Connect location in Bangkok – Following the launch of our Thailand Region, we’ve established a new AWS Direct Connect location in Bangkok and expanded our existing infrastructure. This addition provides customers in Thailand with improved connectivity options and reduced network latency when accessing AWS services.

Database and analytics

Configurable point-in-time recovery periods for Amazon DynamoDB – Amazon DynamoDB now enables customizable point-in-time recovery (PITR) periods, which means customers can specify recovery durations ranging from 1 to 35 days on a per-table basis. This enhancement enables organizations to meet precise compliance requirements while maximizing cost-efficiency. The feature is now available across all AWS Regions, including AWS GovCloud (US West) and China Regions. This flexibility in data recovery periods empowers customers to align their backup policies precisely with their business requirements and regulatory obligations.

Amazon MSK Connect APIs with AWS PrivateLink – Amazon Managed Streaming for Apache Kafka Connect (Amazon MSK Connect) APIs now support AWS PrivateLink, giving customers access to MSK Connect APIs through private endpoints within their virtual private cloud (VPC). This enhancement provides increased security and reduced data exposure by keeping traffic within the AWS network.

Generative AI and machine learning

Amazon Q Developer in SageMaker Code Editor– Amazon Q Developer is now integrated into the Amazon SageMaker Code Editor integrated development environment (IDE), enhancing the developer’s experience with AI-powered code assistance. Intelligent code suggestions, documentation assistance, and contextual recommendations are now directly available within the SageMaker development environment.

Management and governance

AWS Systems Manager Automation in AWS Chatbot – AWS Chatbot now offers 20 additional AWS Systems Manager Automation runbook recommendations, expanding its capabilities for automated operations management. These new recommendations help customers streamline their operational tasks and implement best practices more efficiently through chat-based interactions.

AWS Transit Gateway cost analysis enhancement – We’ve introduced new capabilities for analyzing Transit Gateway data processing charges using cost allocation tags. This feature provides improved visibility and control over networking costs, enabling organizations to track and optimize AWS Transit Gateway usage efficiently. The enhanced cost analysis tools deliver detailed insights into network traffic patterns and associated costs.

Other AWS news and highlights

2024’s most popular DevOps blog posts – The retrospective blog post “The most visited DevOps and Developer Productivity blog posts in 2024” has reached the top one position on this week’s AWS most popular articles chart. This compilation presents the most influential DevOps content from 2024, offering insights into trending topics and best practices. The collection examines key developments in continuous integration and continuous development (CI/CD), infrastructure as code (IaC), and automation practices.

New security course for generative AI – AWS Skill Builder has released a new course focusing on securing generative AI applications on AWS. This comprehensive training teaches professionals to implement security best practices for artificial intelligence and machine learning (AI/ML) workloads, addressing data protection, model security, and compliance requirements. The course meets the growing demand for specialized security knowledge in the rapidly evolving field of generative AI.

Amazon Connect Contact Lens free trials – We’re introducing free trials for first-time users of Amazon Connect Contact Lens conversational analytics and performance evaluations. New customers can process up to 100,000 voice minutes monthly at no cost for 2 months, and first-time performance evaluation users receive a 30-day free trial starting with their first evaluation. With this initiative, customers can experience Contact Lens capabilities in their environment without additional costs. The free trials are available across all AWS Regions where Contact Lens is supported.

For a full list of AWS announcements, be sure to keep an eye on the What’s New with AWS page.

Whether you’re a developer, architect, business leader, or you’re starting your cloud journey – and regardless of what 2024 brought your way – 2025 presents new opportunities for everyone.

This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS!

– Betty

New AWS Skill Builder course available: Securing Generative AI on AWS

2025-01-09 Anna McAbee

Post Syndicated from Anna McAbee original https://aws.amazon.com/blogs/security/new-aws-skill-builder-course-available-securing-generative-ai-on-aws/

To support our customers in securing their generative AI workloads on Amazon Web Services (AWS), we are excited to announce the launch of a new AWS Skill Builder course: Securing Generative AI on AWS.

This comprehensive course is designed to help security professionals, architects, and artificial intelligence and machine learning (AI/ML) engineers understand and implement security best practices for generative AI applications and models in the AWS Cloud.

AWS Skill Builder is a learning center for AWS customers and partners to build cloud skills through digital trainings, self-paced labs, and other course types. AWS Skill Builder has a variety of AWS security content to help customers understand concepts and gain hands-on experience with AWS security.

The course highlights are as follows:

Introduction to the Generative AI Security Scoping Matrix – Learn how to categorize and secure different AI implementations by using this innovative framework.
Coverage of key AI security frameworks – Gain insights into the OWASP Top 10 for Large Language Models (LLMs) and the MITRE ATLAS framework.
Practical security strategies – Develop skills to implement comprehensive security across the areas of governance, legal, risk, controls, and resilience for various AI scopes.
Real-world applications – Apply security concepts to case studies covering consumer applications, enterprise solutions, pre-trained models, fine-tuned models, and self-trained models.

To take the new course

Sign up for your free AWS Skill Builder account.
Search for “Securing Generative AI on AWS” in the course catalog.
Enroll in the course and start learning!

More information

For more information on generative AI security, we recommend reviewing our recent blog post series:

We value your feedback and contributions. If you have thoughts or insights about the course after completing it, please share them in the Comments section below or contact AWS Support.

Announcing the new AWS Asia Pacific (Thailand) Region

2025-01-08 Donnie Prakoso

Post Syndicated from Donnie Prakoso original https://aws.amazon.com/blogs/aws/announcing-the-new-aws-asia-pacific-thailand-region/

Today, we’re pleased to announce that the AWS Asia Pacific (Thailand) Region is now generally available with three Availability Zones and API name ap-southeast-7.

The AWS Asia Pacific (Thailand) Region is the first infrastructure Region in Thailand and the fourteenth Region in Asia Pacific, joining existing Regions in Hong Kong, Hyderabad, Jakarta, Malaysia, Melbourne, Mumbai, Osaka, Seoul, Singapore, Sydney, and Tokyo, as well as the Beijing and Ningxia China Regions.

Lumphini Park, one of the largest green spaces in central Bangkok spanning 142 acres.

The adoption of cloud computing has gained significant momentum in Thailand, driven by evolving business needs and government initiatives such as Thailand 4.0. These initiatives aim to transform Thailand into an innovation-driven economy by using emerging technologies to enhance productivity, competitiveness, and sustainable growth.

The new AWS Region will help startups, enterprises, government agencies, educational institutions, and nonprofit organizations run their applications and serve end users while maintaining data residency in Thailand. This aligns with Thailand’s digital transformation goals and the growing demand for cloud services. Over the next 15 years, Amazon Web Services (AWS) planned investments in Thailand are estimated to contribute $10B to Thailand’s Gross Domestic Product (GDP) and support an estimated average of 11,000 full-time equivalent (FTE) jobs in local Thai businesses annually.

Growing presence of AWS in Thailand
Our journey in Thailand began in 2013 with the first AWS office in Bangkok. Since then, AWS has continuously expanded its infrastructure and services in the country:

Amazon CloudFront – Since 2020, AWS has established six Amazon CloudFront edge locations throughout Thailand. These edge locations are part of the highly secure and programmable AWS content delivery network (CDN), designed to accelerate the delivery of data, videos, applications, and APIs to users worldwide with low latency and high transfer speeds.

AWS Outposts – In the same year, 2020, AWS introduced AWS Outposts to the Thai market. As a fully managed solution, AWS Outposts brings AWS infrastructure and services to virtually any on-premises or edge location, enabling a truly consistent hybrid experience. This service is particularly valuable for workloads that require low latency, local data processing, or local data storage.

AWS Local Zones – In 2022, AWS strengthened its commitment to Thailand by launching AWS Local Zones in Bangkok. This infrastructure deployment places compute, storage, database, and other select services closer to large population, industry, and IT centers. As a result, customers can deliver applications requiring single-digit millisecond latency to end users.

AWS Direct Connect – AWS established a AWS Direct Connect location in Bangkok in 2023 to enhance connectivity options and added a new AWS Direct Connect location with the launch of the AWS Asia Pacific (Thailand) Region. Customers can use AWS Direct Connect to establish secure and dedicated network connections to their AWS resources, providing improved network performance and reduced bandwidth costs.

AWS customer success stories in Thailand
Organizations in Thailand are using our services to drive innovation and transformation. Here are a few examples:

2C2P
2C2P, a leading Thailand-based FinTech startup, chose AWS for its robust security capabilities. As an omnichannel payment service provider in Southeast Asia, the company processes millions of customer payments globally using AWS CloudHSM for cryptographic key management, AWS Shield for distributed denial of service (DDoS) protection, and AWS Secrets Manager to safeguard sensitive credentials.

“Through AWS, we’ve unlocked the power to securely, dynamically, and compliantly scale to meet the surge in payment transaction volumes. AWS CloudHSM plays a pivotal role in fulfilling compliance requirements and propelling us toward accelerated business expansion,” says Myo Zaw, Chief Technology Officer at 2C2P.

aCommerce
aCommerce, the largest ecommerce enabler in Southeast Asia, has revolutionized market intelligence by launching AskIQ, a generative AI–powered feature on AWS. This software as a service (SaaS) platform provides the world’s leading brands with comprehensive competitor and category performance tracking capabilities across Southeast Asia’s largest ecommerce sites.

Leena Chanvirach, VP of Data Products at aCommerce Group, emphasizes the strategic value of their AWS collaboration: “Our collaboration with AWS allows clients to double down on their core competencies and business priorities. This best-of-both-worlds approach gives brands a competitive edge without the burden of building and maintaining sophisticated data infrastructure in-house.”

Ascend Money
Ascend Money, a leading Southeast Asian FinTech company, achieved a 70 percent reduction in compute costs while simultaneously improving application performance by up to 40 percent in certain workloads. Ascend Money implemented a sophisticated compute strategy using Amazon EC2 instances, resulting in significant operational improvements.

“AWS has significantly improved our performance, enabling us to deliver more innovative services to our customers,” says Peerawit Phuangkaeo, Head of Technical Operations at Ascend Money.

Building cloud skills together
AWS has built comprehensive programs for cloud education and skills development in Thailand, training more than 50,000 individuals in cloud skills since 2017. Here are some of the programs:

AWS Skill Builder
AWS Skill Builder is an online learning center where you can learn from AWS experts and build cloud skills online. AWS has made cloud education more accessible to Thai learners by offering more than 600 courses, with 106 courses specifically available in Thai language. The recent launch of the Amazon AI Ready initiative has further expanded the learning opportunities, particularly in the growing field of AI.

AWS Educate
Since its introduction in 2016, AWS Educate has played a transformative role in Thai education. The program has successfully integrated cloud computing into educational curricula across Thailand, providing students with direct access to AWS resources and hands-on experience. The impact has been substantial, with over 20,000 Thai students enrolled in the program. Beyond student education, AWS Educate has invested in training Thai educators, preparing them to deliver engaging and practical cloud computing courses that prepare students for the demands of the digital economy.

AWS Academy
AWS Academy has been instrumental in connecting academic learning with industry needs since its launch in Thailand in 2017. Through strategic partnerships with more than 30 leading universities and colleges across the country, AWS Academy has created a robust pipeline of cloud-skilled professionals. The program provides educational institutions with comprehensive cloud computing curricula that align with industry needs, making sure that students graduate with practical, job-ready skills.

Through these various initiatives and programs, AWS is not just providing educational resources, it’s building a foundation for Thailand’s digital future by helping equip the workforce with the necessary skills to use cloud technologies effectively.

Supporting sustainable innovation in Thailand
The AWS commitment to sustainability extends to supporting innovative companies in Thailand that are driving environmental initiatives.

BODA Technology & Consultancy
BODA, an AWS powered sustainability startup, uses AWS IoT Core to develop AI-powered solutions for energy efficiency optimization. The company has successfully improved operations in over 100,000 buildings and factories across Thailand, enabling these facilities to maximize efficiency while reducing costs and environmental impact.

GSPC Group
GSPC Group, a leading sustainable power company in Thailand, demonstrates how AWS supports the energy sector’s digital transformation. Following the merger between Global Power Synergy Public Company and Glow Energy, the group chose AWS Cloud for migrating its photovoltaic solar plant operations. Working with AWS and AWS Partner Dailitech, GSPC Group has achieved a 20–25 percent reduction in hardware, software, and licensing costs since moving to the cloud.

Things to know
AWS Community in Thailand — Thailand is home to two AWS Heroes, seven AWS Community Builders, and more than 17,000 members of the AWS User Group. If you’re interested in joining AWS User Group Thailand, visit their Facebook page.

AWS Global footprint — AWS now spans 111 Availability Zones within 35 geographic regions worldwide. We have announced plans for 15 more Availability Zones and five more AWS Regions in Germany, Taiwan, Mexico, the Kingdom of Saudi Arabia, and New Zealand.

The new Asia Pacific (Thailand) Region is ready to support your business. To learn more, visit the AWS Global Infrastructure page and start building on ap-southeast-7!

Happy building!
— Donnie

Happy New Year! AWS Weekly Roundup: 2025 Tech Predictions, Llama 3.3 70B, Stable Diffusion 3.5 Large, custom billing view, and more (January 6, 2025)

2025-01-06 Prasad Rao

Post Syndicated from Prasad Rao original https://aws.amazon.com/blogs/aws/happy-new-year-aws-weekly-roundup-2025-tech-predictions-llama-3-3-70b-stable-diffusion-3-5-large-custom-billing-view-and-more-january-6-2025/

Happy New Year! We are witnessing technology augment human ingenuity in inspiring ways. In the coming years, using technology for positive impact will redefine the way we think about success. Amazon CTO, Dr. Werner Vogels, offers five forward-looking tech predictions for 2025, and beyond:

The workforce of tomorrow is mission-driven
A new era of energy efficiency drives innovation
Technology tips the scales in the discovery of truth
Open data drives decentralized disaster preparedness
Intention-driven consumer technology takes hold

Download the Werner Vogels’ Tech Predictions for 2025 and Beyond ebook, or read Werner’s All Things Distributed blog to learn more about how these technological trends are shaping our world and paving the way for a more innovative, efficient, and purposeful future.

AWS re:Invent 2025 videos and re:Caps
If you’re looking to catch up on re:Invent announcements or delve deeper into the latest AWS innovations, you have several options available like:

Watch the keynotes, innovation talks, and breakout sessions on-demand.
Download the summary of key AWS re:Invent announcements.
Attend free in-person community re:Cap sessions organized by volunteers from AWS User Groups around the world.

Launches from the last few weeks
Since our last week in review on December 16, 2024, I’d like to highlight some launches from year end, as well as from last week:

Availability of Llama 3.3 70B in Amazon SageMaker JumpStart and in Amazon Bedrock – Meta’s Llama 3.3 70B represents a significant advancement in model efficiency and performance optimization. Llama 3.3 70B is a text-only instruction-tuned model that provides enhanced performance relative to Llama 3.1 70B and Llama 3.2 90B when used for text-only applications. You can now use the model in both Amazon SageMaker JumpStart, as well as in Amazon Bedrock.

Availability of Stable Diffusion 3.5 Large in Amazon Bedrock – Stable Diffusion 3.5 Large by Stability AI is the most powerful model in the Stable Diffusion family at 8.1 billion parameters trained on Amazon SageMaker HyperPod. You can now use Stable Diffusion 3.5 Large in Amazon Bedrock to generate high-quality images from text descriptions.

New Amazon Kinesis source connector for Apache Flink – The Apache Flink community has released version 5.0.0 of AWS services connectors, an AWS open source contribution. This release introduces the Kinesis Streams Source, a new connector for reading data from Amazon Kinesis Data Streams, replacing the previous Kinesis Consumer.

Support of AWS Global Accelerator in Amazon WorkSpaces Personal – Amazon WorkSpaces Personal now integrates with AWS Global Accelerator (AGA) to enhance WorkSpaces connection performance by optimizing streaming traffic through the AWS Global Network and edge locations. This feature particularly benefits customers whose end users connect to WorkSpaces across long distances. You can enable the AGA feature at either the WorkSpaces directory level or for individual WorkSpaces running Amazon DCV protocol.

New resource insights in AWS Resource Explorer – With the enhanced Resource Explorer experience, relevant data and insights from multiple AWS services is centralized for supported resource types. You can use the new features to take actions on resources directly from the Resource Explorer console, such as manage tags, add resources to applications, and get additional information about a resource with Amazon Q.

General availability of custom billing view in AWS Billing and Cost Management – Custom billing view allows you to provide application and business unit owners access to relevant cost management data across multiple AWS accounts using a single view in AWS Cost Explorer without granting access to the AWS management account. You can create filtered views of cost management data based on cost allocation tags or specific AWS accounts.

For a full list of AWS announcements, be sure to keep an eye on the What’s New at AWS page.

Upcoming AWS events
Check your calendars and sign up for these AWS events:

AWS at CES 2025 (January 7-10) – AWS will be representing some of the latest cloud services and solutions that are purpose built for the automotive, mobility, transportation, and manufacturing industries. Join us to learn about the latest cloud capabilities across generative AI, software define vehicles, product engineering, sustainability, new digital customer experiences, connected mobility, autonomous driving, and so much more, in Amazon Experience Area.

AWS at NRF 2025 (January 12-14) – Join AWS at the retail’s big show to see generative AI and cutting-edge technologies in action. Listen to innovative big ideas sessions, curated TechTalks, and experience the latest in retail trends, and technologies and more.

Amazon QuickSight Learning Series – Kick off your 2025 by supercharging your data skills. Join the online Learning Series in January to learn about the cutting-edge features of Amazon QuickSight unveiled at re:Invent 2024.

You can browse all upcoming in-person and virtual events.

That’s all for this week. Check back next Monday for another Weekly Roundup!

–Prasad

This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS!

The most visited DevOps and Developer Productivity blog posts in 2024

2025-01-02 Brian Beach

Post Syndicated from Brian Beach original https://aws.amazon.com/blogs/devops/the-most-visited-devops-and-developer-productivity-blog-posts-in-2024-copy/

As we kick off 2025, I wanted to take a moment to highlight the top posts from 2024. Without further ado, here are the top 10 DevOps and developer productivity blog posts of 2024.

Announcing CDK Migrate A single command to migrate to the AWS CDK – This blog post announces the general availability of CDK Migrate, a new feature of the AWS Cloud Development Kit (CDK). CDK Migrate allows users to easily convert existing AWS CloudFormation templates, deployed CloudFormation stacks, or resources created outside of Infrastructure as Code (IaC) into a CDK application. The post explains the benefits of using IaC and compares CDK Migrate to the CloudFormation IaC Generator and CDK Import. It then provides a detailed walkthrough of how to use CDK Migrate to convert a CloudFormation template into a CDK application, including the migration process, code generation, and deployment steps.

Import entire applications into AWS CloudFormation – This blog post introduces AWS CloudFormation’s new IaC generator feature, which allows users to import entire applications and their related resources into Infrastructure as Code (IaC) management. The feature scans an AWS account, identifies relationships between resources, and generates a CloudFormation template based on existing infrastructure. This solves the challenge of manually creating templates for non-IaC resources and enables a more holistic approach to managing resource groups. The post demonstrates the feature’s use in importing a complex VPC setup into CloudFormation, highlighting its ability to simplify the process of bringing existing resources under IaC management, thus extending benefits like repeatability, reliability, and auditability to previously unmanaged resources.

Terraform CI CD and testing on AWS with the new Terraform Test Framework – This blog post discusses the use of Terraform Test, a new framework for validating Terraform modules on AWS. It explains how to create and run various test scenarios, including basic resource creation validation, input variable validation, and testing with supporting resources like KMS keys. The post also outlines how to integrate Terraform Test into a CI/CD pipeline using AWS services such as CodeCommit, CodeBuild, CodePipeline, and S3. It compares Terraform Test with other testing strategies and provides guidance on when to use each approach. The article concludes by recommending further resources for learning about Terraform testing and CI/CD on AWS.

AWS CodePipeline adds support for Branch based development and Monorepos – This AWS blog post announces new features for CodePipeline, including triggers and execution modes, which support branch-based development and monorepo strategies. The post outlines three pipeline examples: a GitFlow release pipeline using queued execution mode, a pull request validation pipeline using parallel execution mode, and a monorepo pipeline that triggers only for specific folder changes. These new capabilities allow teams to create more flexible and efficient continuous delivery pipelines. The post explains how to set up each pipeline type using the AWS Management Console, detailing the configuration of triggers, branch filters, and execution modes. These enhancements aim to simplify pipeline management for various development workflows.

Best practices for managing Terraform State files in AWS CI CD Pipeline – This blog post discusses best practices for managing Terraform state files in AWS CI/CD pipelines. It highlights the challenges of handling state files locally and recommends using remote backends, particularly Amazon S3 with DynamoDB for state locking. The post outlines steps to create and secure S3 buckets and DynamoDB tables for state management. It then provides an example architecture and implementation guide for integrating Terraform state management into an AWS CI pipeline using CodeCommit, CodeBuild, and Lambda. The post includes code snippets and instructions for setting up the infrastructure, deploying an application, and verifying the state file storage in S3 and DynamoDB.

How we sped up AWS CloudFormation deployments with optimistic stabilization – This AWS blog post discusses how CloudFormation improved its resource provisioning process, introducing an optimistic stabilization strategy that can reduce stack deployment times by up to 40%. The post explains the concept of resource stabilization in CloudFormation, contrasting it with direct AWS CLI deployments. It details the evolution from a sequential deployment approach to the new optimistic strategy, which allows for parallel resource creation while maintaining dependency checks. The update also includes a new CONFIGURATION_COMPLETE status, providing better visibility into the deployment process. These improvements aim to enhance deployment speed and efficiency for CloudFormation users.

Best practices working with self hosted GitHub Action runners at scale on AWS – This AWS blog post discusses best practices for using self-hosted GitHub Action runners on AWS at scale. It covers key aspects such as security, performance, and cost optimization. The post recommends using ephemeral runners and short-lived AWS credentials to enhance security, utilizing runner groups for isolation, and implementing warm pools to reduce startup times. It also suggests using optimized AMIs, considering Spot instances for cost savings, and leveraging Amazon CloudWatch for metrics and observability. The blog emphasizes the importance of understanding security responsibilities and provides strategies for efficient scaling and management of GitHub Action runners in AWS environments.

Amazon Q Developer just reached a 260 million dollar milestone – This blog post, dated August 1, 2024, highlights a significant milestone achieved by Amazon Q Developer, an AI-powered assistant for software development. Amazon CEO Andy Jassy announced that the tool’s code transformation agent helped migrate thousands of production applications from Java 8 or 11 to Java 17. This effort saved an estimated 4,500 years of development work for over a thousand developers and resulted in performance improvements worth $260 million in annual cost savings. The post also mentions that Amazon Q Developer offers various agents to assist with tasks like feature implementation, code refactoring, and documentation, potentially increasing developer productivity by up to 40%.

A new and improved AWS CDK construct for Amazon DynamoDB tables – This blog post introduces TableV2, a new AWS Cloud Development Kit (CDK) construct for Amazon DynamoDB tables. TableV2 offers several improvements over the original construct, including native support for global tables, simplified configuration of global secondary indexes and auto scaling, and CloudFormation drift detection across all replicas. It eliminates the need for a separate Lambda function to manage replicas and provides more granular control over replica properties. The post discusses the background, features, and benefits of TableV2, highlighting its capabilities in managing replicas, billing, and encryption. Overall, TableV2 is presented as a more powerful and flexible tool for building and managing DynamoDB tables at scale.

Introducing the next level of AI powered workflows with Amazon Q Developer inline chat – This blog post announces the introduction of inline chat for Amazon Q Developer, a new feature that combines in-IDE chat with direct code updates. Powered by Anthropic’s latest Claude 3.5 Sonnet model, this capability allows developers to describe issues or ideas within the code editor and receive AI-generated responses seamlessly integrated into their codebase. The post highlights how inline chat improves upon existing features like inline suggestions and separate chat windows, making it ideal for tasks such as editing existing files, fixing bugs, optimizing code, refactoring, and adding comments. Two examples demonstrate its effectiveness in refactoring code and adding documentation, showcasing the feature’s potential to enhance developer productivity.

AWS completes the CCCS PBHVA assessment with 149 services and features in scope

2024-12-19 Naranjan Goklani

Post Syndicated from Naranjan Goklani original https://aws.amazon.com/blogs/security/aws-completes-the-cccs-pbhva-assessment-with-149-services-and-features-in-scope/

We continue to expand the scope of our assurance programs at Amazon Web Services (AWS) and are pleased to announce the successful completion of our first ever Protected B High Value Assets (PBHVA) assessment with 149 assessed services and features. Completion of this assessment effective October 4, 2024, makes AWS the first cloud service provider (CSP) in Canada to meet this high security bar and provide assurance to our valued customers. This assessment also re-affirms our commitment to helping public and commercial customers achieve and maintain the highest-grade security standard for workloads with increased sensitivity.

What is the PBHVA assessment and why is it important?

The Protected B High Value Asset (PBHVA) overlay seeks to enhance the integrity and availability of customer organizational workloads that are considered to have an increased level of sensitivity. These are systems that the Government of Canada (GC) and its service providers use to support delivery of services at a national scale or that are determined to be significant for handling sensitive information. The overlay is a set of 117 controls from the ITSG-33 security control catalogue (baselined against NIST 800-53), which augments the security safeguards to enhance integrity and availability.

As of October 4, 2024, there are a total of 149 AWS services and features that were assessed by the Canadian Centre for Cyber Security (CCCS) under PBHVA assessment criteria. The assessment covers services and features that are available in both the Canada (Central) and Canada West (Calgary) AWS Regions.

How can you access the assessment?

The summary assessment is available through AWS Artifact. You can also learn more about the PBHVA assessment on our AWS PBHVA webpage.

AWS strives to continuously bring services into scope of its compliance programs to help you meet your architectural and regulatory needs. Please reach out to your AWS account team if you have questions or feedback about the PBHVA assessment.

If you have feedback about this post, submit comments in the Comments section below.

Noise

Tag Archives: announcements

Amazon Redshift enhances security by changing default behavior in 2025

Updated whitepaper available: Aligning to the NIST Cybersecurity Framework in the AWS Cloud

Testing and evaluating GuardDuty detections

Overview

Getting started with the GuardDuty Tester

Manual investigation

To start a manual investigation:

Creating alerts

To test alerts:

Automated response

Conclusion

Announcing upcoming changes to the AWS Security Token Service global endpoint

Upcoming changes to the STS global endpoint

Our recommendation

Building a culture of security: AWS partners with the BBC

2024 C5 Type 2 attestation report available with 179 services in scope

AWS Weekly roundup: EventBridge, SNS FIFO, Amazon Corretto, Amazon Connect, Amazon Bedrock, and more

Luma AI’s Ray2 video model is now available in Amazon Bedrock

CCN releases guide for Spain’s ENS landing zones using Landing Zone Accelerator on AWS

Spanish version

CCN publica la guía para las Zonas de Aterrizaje del ENS con AWS Landing Zone Accelerator

AWS Weekly Roundup: New AWS Mexico (Central) Region, simultaneous sign-in for multiple AWS accounts, and more (January 20, 2025)

AWS achieves HDS certification for 24 AWS Regions

Now open — AWS Mexico (Central) Region

AWS re:Invent 2024: Security, identity, and compliance recap

Key announcements

Experience content on demand

AWS Weekly Roundup: New Asia Pacific Region, DynamoDB updates, Amazon Q developer, and more (January 13, 2025)

New AWS Skill Builder course available: Securing Generative AI on AWS

To take the new course

More information

Announcing the new AWS Asia Pacific (Thailand) Region

Happy New Year! AWS Weekly Roundup: 2025 Tech Predictions, Llama 3.3 70B, Stable Diffusion 3.5 Large, custom billing view, and more (January 6, 2025)

The most visited DevOps and Developer Productivity blog posts in 2024

The collective thoughts of the interwebz

Overview

Getting started with the GuardDuty Tester

Manual investigation

To start a manual investigation:

Creating alerts

To test alerts:

Automated response

Conclusion

Upcoming changes to the STS global endpoint

Our recommendation

Spanish version

CCN publica la guía para las Zonas de Aterrizaje del ENS con AWS Landing Zone Accelerator

#10 Deploy Stable Diffusion ComfyUI on AWS elastically and efficiently

#9 Let’s Architect! Designing Well-Architected systems

#8 Let’s Architect! Learn About Machine Learning on AWS

#7 Creating an organizational multi-Region failover strategy

#6 Building a three-tier architecture on a budget

#5 Announcing updates to the AWS Well-Architected Framework guidance

#4 Let’s Architect! Serverless developer experience in AWS

#3 London Stock Exchange Group uses chaos engineering on AWS to improve resilience

#2 Achieving Frugal Architecture using the AWS Well-Architected Framework Guidance

#1 How an insurance company implements disaster recovery of 3-tier applications

Thank you!

Key announcements

Experience content on demand

To take the new course

More information

What is the PBHVA assessment and why is it important?

How can you access the assessment?

The collective thoughts of the interwebz