Tuesday, December 28, 2021

AWS Transfer FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

AWS Transfer Family provides fully managed file transfers over SFTP, FTPS, and FTP for Amazon S3 and Amazon EFS.

AWS Transfer Family is now authorized as FedRAMP Moderate in US East (N. Virginia), US East (Ohio), US West (N. California) and US West (Oregon), and as FedRAMP High in GovCloud (US-West) and GovCloud (US-East).

US Federal agencies and commercial customers working with the US Federal government can now use AWS Transfer Family to run sensitive and highly regulated file transfer workloads.

The AWS compliance reference (services in scope) is available at https://aws.amazon.com/compliance/services-in-scope/

Monday, December 20, 2021

AWS Log4j Vulnerability


The Log4j security vulnerability hit the world recently and everyone is reacting to resolve it immediately. AWS is no exception, and its fixes are listed below.

More information about the Java hot patch is available at https://aws.amazon.com/blogs/security/open-source-hotpatch-for-apache-log4j-vulnerability/

Amazon Connect
Amazon Connect has been updated to mitigate the issues identified in CVE-2021-44228. 

Amazon Chime
Amazon Chime SDK services have been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

Amazon EMR
CVE-2021-44228 impacts Apache Log4j versions between 2.0 and 2.14.1 when processing inputs from untrusted sources. EMR clusters launched with EMR 5 and EMR 6 releases include open source frameworks such as Apache Hive, Apache Flink, HUDI, Presto, and Trino, which use these versions of Apache Log4j. When you launch a cluster with EMR’s default configuration, it does not process inputs from untrusted sources. Many customers use the open source frameworks installed on their EMR clusters to process and log inputs from untrusted sources. Therefore, AWS recommends that you apply the solution described here.
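As an added example (not AWS's code and not the hot patch), the following Python walks a directory tree, such as the library paths on an EMR node, for log4j-core jars, maps each version against the affected range given above, and reports whether JndiLookup.class is still inside the jar (removing that class was the published manual mitigation). The sample jars are constructed in a temporary directory; the mapping of 2.15.0 to CVE-2021-45046 (fixed in 2.16.0) is a fact not stated in the post.

```python
"""Added example: flag log4j-core jars by version; constructed sample tree, not AWS or EMR code."""
import os
import re
import tempfile
import zipfile
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# Class whose removal was the published manual mitigation for CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(filename):
    """(major, minor, patch) from a log4j-core jar name, else None."""
    m = JAR_RE.match(os.path.basename(filename))
    return tuple(int(x) for x in m.groups()) if m else None

def classify(version):
    """CVE a log4j-core version is exposed to, or None if fixed.
    2.0.0..2.14.1 -> CVE-2021-44228 (the range the post gives)
    2.15.0        -> CVE-2021-45046 (fixed in 2.16.0; not stated on the page)"""
    if (2, 0, 0) <= version <= (2, 14, 1):
        return "CVE-2021-44228"
    if version == (2, 15, 0):
        return "CVE-2021-45046"
    return None

def scan_jars(root):
    """Walk root; return (path, version, cve, jndi_class_present) per hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            version = parse_version(name)
            cve = classify(version) if version else None
            if cve:
                path = os.path.join(dirpath, name)
                with zipfile.ZipFile(path) as jar:  # open the jar as a zip archive
                    jndi = JNDI_CLASS in jar.namelist()
                findings.append((path, ".".join(map(str, version)), cve, jndi))
    return findings

def demo():
    """Scan a constructed tree of minimal jars; returns [(version, cve, jndi)]."""
    root = tempfile.mkdtemp()
    samples = {"log4j-core-2.14.1.jar": True,   # unpatched, class still present
               "log4j-core-2.15.0.jar": False,  # JndiLookup already stripped
               "log4j-core-2.16.0.jar": True}   # fixed release, not flagged
    for name, with_class in samples.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            if with_class:
                jar.writestr(JNDI_CLASS, b"")  # empty placeholder entry
    return [(v, cve, jndi) for _, v, cve, jndi in scan_jars(root)]
```

Point scan_jars at the real library directories of a node and treat any row with cve set as a jar to upgrade; jndi=True on such a row means neither the upgrade nor the class-removal mitigation has been applied.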

Amazon Fraud Detector
Amazon Fraud Detector services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Kendra
Amazon Kendra has been updated to mitigate CVE-2021-44228.

Amazon Lex
Amazon Lex has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Macie
The Amazon Macie service has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Macie Classic
The Amazon Macie Classic service has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Monitron
Amazon Monitron has been updated to mitigate the issues identified in CVE-2021-44228.

Amazon RDS
Amazon RDS and Amazon Aurora have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon Rekognition
Amazon Rekognition services have been updated to mitigate the issues identified in CVE-2021-44228.

Amazon VPC
Amazon VPC, including Internet Gateway and Virtual Gateway services, have been updated to mitigate the Log4j issue referenced in CVE-2021-44228.

AWS AppSync
AWS AppSync has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046.

AWS Certificate Manager
AWS Certificate Manager services have been updated to mitigate the issues identified in CVE-2021-44228.

AWS Service Catalog
AWS Service Catalog has been updated to mitigate the issues identified in CVE-2021-44228.

AWS Systems Manager
AWS Systems Manager service has been updated to mitigate the issues identified in CVE-2021-44228. The Systems Manager agent itself is not affected by this issue.

Friday, December 10, 2021

Software Resilience

This week's blog is based on my work experience in AWS. On Tuesday, 7 Dec 2021, our products were affected by the multi-hour global AWS outage.

The first phase of outage began at approximately 15:35 UTC (7:35 am PT), when multiple Amazon sites and services began to show significant performance degradation. While site loading appeared to mostly normalize by 16:50 UTC (8:50 am PT), we observed AWS API service failures that caused API transactions to experience dramatically higher completion times or simply time out.

The second wave of the outage lasted for over 7 hours, not fully resolving until approximately 0:44 UTC (4:44 pm PT). We managed our products with our Disaster Recovery (DR) strategy.

Amazon confirmed that service issues with AWS's main US-East-1 region, located in Northern Virginia, were causing problems for its warehouse and delivery network.

Reading the various industry news was an opportunity to learn about AWS's influence on the industry.

AWS controlled 33% of the global cloud infrastructure market in the second quarter, according to Synergy Research Group, followed by Microsoft at 20% and Google at 10%.

As a result, the key industry observations were:

  • The outage brought down many popular websites and services.
  • Some of Amazon's delivery operations ground to a halt, and third-party sellers couldn't ship products.
  • Colleges that rely on software to host content had to postpone exams during finals week.

As a software engineer, my personal learning/improvement (recollecting the golden words of my mentor Suresh): resilience is to re-adapt to any crisis situation intelligently.