AWS New Releases in March 2020

Let’s spend a few minutes looking at our team favorite AWS New Releases in March 2020, including:

  • Anonymous IP List rule group for AWS Web Application Firewall (WAF)
  • Tagging for VPC Flow Logs
  • Amazon CloudWatch composite alarm
  • Bottlerocket in public preview
  • New features for Amazon Redshift


Anonymous IP List rule group for AWS WAF

AWS WAF provides an easy-to-use, cloud-native way to apply WAF rules in AWS. You create rules, arrange them into rule groups, and attach those groups to web access control lists (web ACLs); the web ACL then inspects the traffic crossing the Amazon CloudFront distribution, Amazon API Gateway API, or Application Load Balancer it is attached to. Each request is then handled according to the action you choose: block, allow, or count.

In March, AWS announced a new AWS Managed Rules rule group that lets you block traffic originating from users who are attempting to hide their location or skirt geographical restrictions. It is also useful against malicious traffic such as bots, which often mask their true location in this way. Since it is an AWS Managed Rules rule group, all you have to do is attach it to your web ACL to benefit from it. No rules to manage!

Adding a rule group to your web ACL is simple in the AWS console, and there is no cost to enable the Anonymous IP List for AWS Managed Rules. For a deeper dive, check out the AWS WAF Developer Guide here.
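The same attachment done from the command line, as an added example that is not part of the original post or of AWS's documentation. It assumes the AWS CLI and jq are installed and credentialed, and the scope, web ACL name and ID you pass are placeholders for your own. It starts the rule group in count mode, using the count action the post mentions, so you can see what the group would have blocked before switching it to block; `WAF_DRY_RUN=1` prints the resulting command instead of calling AWS.

```shell
# Added example (not from the original post): attach the AWS Managed Rules
# Anonymous IP List rule group to an existing WAFv2 web ACL with the AWS CLI.
# Assumptions: aws CLI and jq are installed and credentialed; the scope, web
# ACL name and ID you pass are placeholders for your own. WAF_DRY_RUN=1 prints
# the resulting command instead of calling AWS.

# Build the rule entry for the managed rule group as a one-element JSON array.
# mode "count" overrides the group's block action so you can observe what it
# would block before enforcing; mode "block" keeps the group's own actions.
anonymous_ip_rule() {
  mode="${1:-count}"
  priority="${2:-1}"
  if [ "$mode" = "count" ]; then override='{"Count":{}}'; else override='{"None":{}}'; fi
  printf '[{"Name":"AWS-AWSManagedRulesAnonymousIpList","Priority":%s,' "$priority"
  printf '"Statement":{"ManagedRuleGroupStatement":{"VendorName":"AWS","Name":"AWSManagedRulesAnonymousIpList"}},'
  printf '"OverrideAction":%s,' "$override"
  printf '"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"AnonymousIpList"}}]'
}

# Read one field of the web ACL (get-web-acl returns the LockToken at top level).
acl_field() {
  aws wafv2 get-web-acl --scope "$1" --name "$2" --id "$3" --query "$4" --output "$5"
}

# update-web-acl replaces the whole rule list, so merge the new rule into the
# existing rules rather than overwriting them. Pick a priority not already used.
attach_anonymous_ip_rule() {
  scope="$1"; name="$2"; id="$3"; mode="${4:-count}"; priority="${5:-1}"
  new_rule="$(anonymous_ip_rule "$mode" "$priority")"
  if [ "${WAF_DRY_RUN:-0}" = "1" ]; then
    echo "aws wafv2 update-web-acl --scope $scope --name $name --id $id --rules '$new_rule' (merged with existing rules)"
    return 0
  fi
  token="$(acl_field "$scope" "$name" "$id" LockToken text)"
  default_action="$(acl_field "$scope" "$name" "$id" WebACL.DefaultAction json)"
  visibility="$(acl_field "$scope" "$name" "$id" WebACL.VisibilityConfig json)"
  existing="$(acl_field "$scope" "$name" "$id" WebACL.Rules json)"
  rules="$(printf '%s' "$existing" | jq -c --argjson new "$new_rule" '. + $new')"
  aws wafv2 update-web-acl --scope "$scope" --name "$name" --id "$id" \
    --lock-token "$token" --default-action "$default_action" \
    --visibility-config "$visibility" --rules "$rules"
}

# Example invocation (placeholder scope, name and ID): count mode, priority 5.
# attach_anonymous_ip_rule REGIONAL my-web-acl 00000000-0000-0000-0000-000000000000 count 5
```

Once the `AnonymousIpList` metric in CloudWatch shows the count is only hitting traffic you are happy to drop, rerun the attach with `block` at the same priority to enforce it. The lock token is fetched immediately before the update because WAFv2 rejects an update made with a stale token, which is its protection against two operators overwriting each other's rule lists.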


Tagging for Amazon VPC Flow Logs

In March, AWS announced resource tagging and tag-on-create for Amazon VPC Flow Logs. This is an important feature for those driving cloud adoption across a large enterprise estate. A vital aspect of managing AWS assets at the enterprise level is having visibility at multiple levels; historically, that meant segmenting logs into separate Amazon S3 buckets to separate and identify the flow logs coming in from various systems.

This announcement adds the ability to tag the flow log itself, so that downstream log aggregators and other tools can consume the tags. Tags are the same simple key-value pairs you are used to elsewhere in AWS, and they can be specified when the flow log is created or added to existing flow logs. To learn more about tagging, please visit the user guide. To learn more about Amazon VPC Flow Logs, please refer to the documentation.
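Both forms of tagging the post describes, tag-on-create and tagging an existing flow log, with the AWS CLI, as an added example that is not from the original post. The VPC ID, log group, IAM role ARN and flow log ID are placeholders; `FLOWLOG_DRY_RUN=1` prints the commands instead of calling AWS.

```shell
# Added example (not from the original post): create a VPC flow log with tags
# at creation time, then tag an existing flow log. All IDs and ARNs below are
# placeholders. FLOWLOG_DRY_RUN=1 prints the commands instead of calling AWS.

run() { if [ "${FLOWLOG_DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Render the --tag-specifications shorthand for tag-on-create. The resource
# type for flow logs is "vpc-flow-log". Arguments are Key=Value pairs; keys
# and values must not themselves contain commas for the shorthand to parse.
flow_log_tag_spec() {
  tags=""
  for kv in "$@"; do
    key="${kv%%=*}"; value="${kv#*=}"
    tags="${tags:+$tags,}{Key=$key,Value=$value}"
  done
  printf 'ResourceType=vpc-flow-log,Tags=[%s]' "$tags"
}

# Tag-on-create: flow log to CloudWatch Logs, tagged in the same call so the
# log never exists untagged (tag-based policies and cost allocation see it
# from the first record).
create_tagged_flow_log() {
  vpc_id="$1"; log_group="$2"; role_arn="$3"; shift 3
  spec="$(flow_log_tag_spec "$@")"
  run aws ec2 create-flow-logs --resource-type VPC --resource-ids "$vpc_id" \
      --traffic-type ALL --log-destination-type cloud-watch-logs \
      --log-group-name "$log_group" --deliver-logs-permission-arn "$role_arn" \
      --tag-specifications "$spec"
}

# Tagging an existing flow log uses the ordinary ec2 create-tags call.
tag_existing_flow_log() {
  fl_id="$1"; shift
  run aws ec2 create-tags --resources "$fl_id" --tags "$@"
}

# Example invocations (placeholders):
# create_tagged_flow_log vpc-0123456789abcdef0 /vpc/flowlogs \
#     arn:aws:iam::111111111111:role/flow-logs-role System=payments Env=dev
# tag_existing_flow_log fl-0123456789abcdef0 Key=System,Value=payments
```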


Amazon CloudWatch Composite Alarms

Amazon CloudWatch gives you visibility into your applications and infrastructure resources, both on AWS and on-premises. It is the first-class, cloud-native monitoring and alerting service on AWS.

Its functionality was expanded late last year with cross-account, cross-region dashboards, giving the enterprise administrator even greater ease of monitoring. But each condition still had to be set and alerted on individually. For some use cases it would be more useful to create composite alarms that do not alert until a combination of several alarms reaches an aggregate state. This minimizes alarm 'noise' and focuses alarms on more meaningful information when they trigger. That is exactly the functionality announced in March with Amazon CloudWatch composite alarms. Composite alarms also publish to Amazon Simple Notification Service (SNS) topics, enabling downstream triggers for anything that can consume SNS notifications.

You can check out the Amazon CloudWatch pricing page for pricing information. To learn how to create composite alarms, visit the user guide found here.
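A composite alarm of the kind the post describes, built with the AWS CLI, as an added example that is not from the original post: two metric alarms that carry no actions of their own, and a composite alarm that only fires when both are in the ALARM state and then publishes to an SNS topic. The Auto Scaling group name, the load balancer dimension value and the topic ARN are placeholders; `CW_DRY_RUN=1` prints the commands instead of calling AWS.

```shell
# Added example (not from the original post): two child metric alarms with no
# actions, plus a composite alarm that notifies SNS only when both are in
# ALARM. The ASG name, load balancer dimension and topic ARN are placeholders.
# CW_DRY_RUN=1 prints commands instead of calling AWS.

run() { if [ "${CW_DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Join alarm names into a composite alarm rule expression, for example
#   ALARM("high-cpu") AND ALARM("alb-5xx")
composite_rule() {
  op="$1"; shift
  rule=""
  for name in "$@"; do
    rule="${rule:+$rule $op }ALARM(\"$name\")"
  done
  printf '%s' "$rule"
}

# Child alarms: deliberately no --alarm-actions, so a single noisy metric
# pages nobody; only the composite alarm carries the SNS action.
create_child_alarms() {
  asg="$1"; lb="$2"
  run aws cloudwatch put-metric-alarm --alarm-name high-cpu \
      --namespace AWS/EC2 --metric-name CPUUtilization \
      --dimensions "Name=AutoScalingGroupName,Value=$asg" \
      --statistic Average --period 300 --evaluation-periods 3 \
      --threshold 80 --comparison-operator GreaterThanThreshold
  run aws cloudwatch put-metric-alarm --alarm-name alb-5xx \
      --namespace AWS/ApplicationELB --metric-name HTTPCode_Target_5XX_Count \
      --dimensions "Name=LoadBalancer,Value=$lb" \
      --statistic Sum --period 300 --evaluation-periods 2 \
      --threshold 50 --comparison-operator GreaterThanThreshold \
      --treat-missing-data notBreaching
}

# The composite alarm: fires only when every named child alarm is in ALARM.
create_composite_alarm() {
  topic_arn="$1"; shift
  rule="$(composite_rule AND "$@")"
  run aws cloudwatch put-composite-alarm --alarm-name web-tier-degraded \
      --alarm-rule "$rule" --alarm-actions "$topic_arn" --actions-enabled
}

# Example invocations (placeholder ASG, load balancer and topic):
# create_child_alarms web-asg app/my-alb/0123456789abcdef
# create_composite_alarm arn:aws:sns:us-east-1:111111111111:ops-pages high-cpu alb-5xx
```

The `--treat-missing-data notBreaching` setting on the 5xx alarm matters: an ALB that serves no errors in a period reports no datapoint at all, and without that flag the child alarm would sit in INSUFFICIENT_DATA and the composite rule could never evaluate true.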


Bottlerocket

For enterprise users running Kubernetes via Amazon Elastic Kubernetes Service (EKS) on AWS, there was an interesting announcement in March: Bottlerocket, a new open source Linux-based operating system (OS) purpose-built to run containers. It contains only the essential software needed to run containers, making it even more lightweight than similar container OS solutions. Among Bottlerocket's advantages are single-step updates and reduced package dependencies, thanks to the purpose-built nature of the distribution. This allows for much smoother automation, with fewer potential errors on update and single-step rollback when needed.

Bottlerocket is available now in public preview for Amazon EKS with plans to support Amazon Elastic Container Service (ECS) soon. Bottlerocket is an open-source project on GitHub. To get started, you can launch Amazon EC2 instances with the Bottlerocket AMI and join them to an Amazon EKS cluster. You can also visit the Bottlerocket documentation here.


Amazon Redshift – Pause and Resume and Column-Level Access Control

Pause and Resume

Amazon Redshift now has the ability to pause and resume a cluster. This is very useful for any enterprise data warehouse administrator who needs to temporarily stop compute billing on Amazon Redshift clusters. Storage is still charged, but for cases such as development clusters, stopping the compute billing represents a real cost saving.

To learn more about using pause and resume, check out the Amazon Redshift documentation.

Column-Level Access Control

For those currently using table-level access control for their Amazon Redshift data and who need a finer level of control, March was your month! Introducing column-level access control for Amazon Redshift. Now, rather than implementing view-based access control or some other workaround, you can apply column-level control with GRANT and REVOKE statements. For more information on how it works, see the Amazon Redshift documentation.
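What those GRANT and REVOKE statements look like in practice, as an added example that is not from the original post: a read-only analyst user is given SELECT on just the non-sensitive columns of a customer table, and the SQL is applied through `psql`, which works because Amazon Redshift speaks the PostgreSQL wire protocol. The table, column and user names and the connection string are placeholders.

```shell
# Added example (not from the original post): column-level access control in
# Amazon Redshift via GRANT/REVOKE, applied with psql. Table, column, grantee
# and the connection DSN are placeholders.

# Emit the SQL. A table-wide SELECT would make the column list meaningless,
# so revoke it first, then grant SELECT on an explicit column list only.
column_grant_sql() {
  table="$1"; grantee="$2"; shift 2
  cols="$(printf '%s, ' "$@")"; cols="${cols%, }"
  printf 'REVOKE SELECT ON %s FROM %s;\n' "$table" "$grantee"
  printf 'GRANT SELECT (%s) ON %s TO %s;\n' "$cols" "$table" "$grantee"
}

# Take a column back without disturbing the rest of the grant.
column_revoke_sql() {
  table="$1"; grantee="$2"; column="$3"
  printf 'REVOKE SELECT (%s) ON %s FROM %s;\n' "$column" "$table" "$grantee"
}

# Run the generated statements against the cluster; ON_ERROR_STOP makes a
# failed REVOKE abort before the GRANT widens access unexpectedly.
apply_column_grants() {
  dsn="$1"; shift
  column_grant_sql "$@" | psql "$dsn" -v ON_ERROR_STOP=1
}

# Example invocation (placeholder DSN, table, user and columns):
# apply_column_grants 'postgresql://admin@my-cluster.example.redshift.amazonaws.com:5439/dev' \
#     public.customers analyst_ro customer_id region signup_date
```

With only some columns granted, a `SELECT *` by `analyst_ro` on that table is rejected rather than silently narrowed, so downstream tooling that was written against the whole table needs to name its columns explicitly; the grantee can equally be `GROUP reporting` to apply the same column list to a Redshift user group.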
