Center for Internet Security (CIS) Benchmark for Bottlerocket is now available

Bottlerocket, a Linux-based operating system purpose-built for running container workloads, now has a Center for Internet Security (CIS) Benchmark. The CIS Benchmark is a catalog of security-focused configuration settings that helps Bottlerocket customers apply those settings, or document any non-compliant configuration, in a simple and efficient way. The CIS Benchmark for Bottlerocket includes the Level 1 and Level 2 configuration profiles.

Customers operating in sectors with strict compliance requirements, such as financial services, healthcare and federal government, need to show that their Bottlerocket hosts comply with a variety of compliance certifications, the CIS Benchmark being one of them. Using the CIS Benchmark guidance document in PDF format, customers can determine the configuration requirements and complete the configuration and hardening process for Bottlerocket hosts before deploying them to production.

The CIS Benchmark is available free of charge for non-commercial use on the CIS website. It applies to all official Bottlerocket releases from version 1.9.0 onward.

Bottlerocket is an open-source distribution with an open development model and community participation; it is available at no additional cost and is fully supported by Amazon Web Services. You can learn more about Bottlerocket on our product page and in the Bottlerocket GitHub repository. For support, contact the Bottlerocket team through your designated AWS representative or by opening a new issue on the Bottlerocket GitHub.

Originally published at:

Amazon Aurora now supports Internet Protocol version 6 (IPv6)

Amazon Aurora now gives customers the option to use Internet Protocol version 6 (IPv6) addresses in their Amazon Virtual Private Cloud (VPC) on new and existing Amazon Aurora instances. Customers moving to IPv6 can simplify their network stack by running their databases on a network that supports both IPv4 and IPv6.

The continued growth of the Internet is exhausting the available Internet Protocol version 4 (IPv4) addresses. IPv6 increases the number of available addresses by several orders of magnitude, so customers no longer need to manage overlapping address spaces across VPCs. Customers can standardize their applications on the new version of the Internet Protocol by migrating to IPv6 with just a few clicks in the AWS Management Console.

Amazon Aurora IPv6 support is available in all commercial and AWS GovCloud (US) Regions where Amazon Aurora is offered. See the full list of Regions here. Get started using the AWS CLI or the AWS Management Console.

To learn more about configuring your environment for IPv6, see the IPv6 user guide.

Originally published at:

Building a Self-Service, Secure, & Continually Compliant Environment on AWS

by Japjot Walia and Jonathan Shapiro-Ward


If you’re an enterprise organization, especially in a highly regulated sector, you understand the struggle to innovate and drive change while maintaining your security and compliance posture. In particular, your banking customers’ expectations and needs are changing, and there is a broad move away from traditional branch and ATM-based services towards digital engagement.

With this shift, customers now expect personalized product offerings and services tailored to their needs. To achieve this, a broad spectrum of analytics and machine learning (ML) capabilities is required. With security and compliance at the top of financial services customers' agendas, being able to innovate rapidly while staying secure is essential. To achieve exactly that, AWS Professional Services engaged with a major global systemically important bank (G-SIB) to help develop ML capabilities and implement a defense-in-depth (DiD) security strategy. This blog post provides an overview of this solution.

The machine learning solution

The following architecture diagram shows the ML solution we developed for a customer. This architecture is designed to achieve innovation, operational performance, and security performance in line with customer-defined control objectives, as well as meet the regulatory and compliance requirements of supervisory authorities.

Figure: Machine learning solution developed for the customer

This solution is built and automated using AWS CloudFormation templates with pre-configured security guardrails, abstracted behind AWS Service Catalog. AWS Service Catalog lets users deploy approved IT services quickly while governance, compliance, and security best practices are enforced at provisioning time.

Further, it leverages Amazon SageMaker, Amazon Simple Storage Service (S3), and Amazon Relational Database Service (RDS) to facilitate the development of advanced ML models. As security is paramount for this workload, data in S3 is protected with client-side encryption, and sensitive columns in RDS use column-level encryption. Our customer also codified their security controls as AWS Config rules to achieve continual compliance.

Compute and network isolation

To enable our customer to rapidly explore new ML models while achieving the highest standards of security, separate VPCs were used to isolate infrastructure, with access controlled by security groups. Core to this solution is Amazon SageMaker, a fully managed service that provides the ability to rapidly build, train, and deploy ML models. Amazon SageMaker notebooks are managed Jupyter notebooks used to:

  1. Prepare and process data
  2. Write code to train models
  3. Deploy models to SageMaker hosting
  4. Test or validate models

In our solution, notebooks run in an isolated VPC with no egress connectivity other than VPC endpoints, which enable private communication with AWS services. Combined with VPC endpoint policies, this controls which services and resources the notebook can reach through each endpoint. In our solution, the endpoint policies use the aws:PrincipalOrgID condition key, so that only requests made by IAM principals from accounts in the customer's AWS Organization pass through the endpoint; credentials belonging to any account outside the organization are refused, even from inside the notebook. AWS Organizations helps provide the governance needed for strict compliance regimes, and the aws:PrincipalOrgID condition key can be used in resource-based policies to restrict access to Identity and Access Management (IAM) principals from accounts in your organization.
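The endpoint policy shape described above, as an added example that is not code from the original post. The policy is standard IAM JSON held as a Python dict; the evaluator beside it handles only the subset used here (Allow/Deny, wildcard Action and Resource, StringEquals) and exists to show why the condition matters: aws:PrincipalOrgID constrains the calling identity, and the companion key aws:ResourceOrgID, which the post does not mention, additionally constrains the owner of the target bucket. The organization IDs and bucket ARNs are placeholders.

```python
"""Endpoint-policy check with aws:PrincipalOrgID / aws:ResourceOrgID.

Added example, not the customer's policy. The evaluator is a deliberately
small subset of IAM semantics, not a replacement for the IAM policy simulator.
"""
import fnmatch

ORG_ID = "o-exampleorgid"  # placeholder organization ID


def build_endpoint_policy(org_id):
    """S3 endpoint policy: any S3 action is allowed only when the caller belongs
    to org_id AND the bucket is owned by an account in org_id. Both condition
    keys are real IAM global condition keys."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyOurOrganization",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": org_id,
                        "aws:ResourceOrgID": org_id,
                    }
                },
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource, context):
    """True if some Allow statement matches and no Deny statement matches.
    `context` maps condition keys to the request's values; a key absent from
    the context never satisfies StringEquals, which is exactly how IAM treats
    a missing aws:PrincipalOrgID (an anonymous or non-org caller)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if not all(context.get(k) in _as_list(v) for k, v in conds.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def demo():
    """Three requests issued from inside the isolated notebook VPC."""
    policy = build_endpoint_policy(ORG_ID)
    own_bucket = "arn:aws:s3:::training-data/part-0001.parquet"  # constructed
    drop_bucket = "arn:aws:s3:::attacker-drop/dump.parquet"      # constructed
    in_org = {"aws:PrincipalOrgID": ORG_ID, "aws:ResourceOrgID": ORG_ID}
    # Credentials smuggled into the notebook that belong to another organization
    foreign_creds = {"aws:PrincipalOrgID": "o-other", "aws:ResourceOrgID": "o-other"}
    # The bank's own credentials, but writing to a bucket owned outside the org
    foreign_bucket = {"aws:PrincipalOrgID": ORG_ID, "aws:ResourceOrgID": "o-other"}
    return {
        "in_org_read": is_allowed(policy, "s3:GetObject", own_bucket, in_org),
        "foreign_creds_write": is_allowed(policy, "s3:PutObject", drop_bucket, foreign_creds),
        "foreign_bucket_write": is_allowed(policy, "s3:PutObject", drop_bucket, foreign_bucket),
    }


if __name__ == "__main__":
    print(demo())
```

The second and third requests are the two exfiltration paths an endpoint policy can close: aws:PrincipalOrgID alone stops the first (foreign credentials), but only aws:ResourceOrgID stops the second (own credentials, foreign bucket), so in practice both keys are used together.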

Data protection

Amazon S3 is used to store training data, model artifacts, and other data sets. Our solution uses server-side encryption with keys stored in AWS Key Management Service (SSE-KMS) to protect data at rest, using customer master keys (CMKs) created in KMS. SSE-KMS applies an envelope encryption strategy: each object is encrypted with its own data key, and that data key is in turn encrypted under the CMK. CMKs are created in KMS and never leave KMS unencrypted. This approach allows fine-grained control over who may use the CMK, and every use of the key, and every attempt to use it, is logged to AWS CloudTrail. In our solution, the age of the CMK is tracked by AWS Config and the key is rotated regularly. AWS Config enables you to assess, audit, and evaluate the configurations of deployed AWS resources by continuously monitoring and recording resource configurations, so that the recorded configuration can be evaluated automatically against the desired configuration.

Amazon S3 Block Public Access is also enabled at the account level, so that bucket policies and access control lists (ACLs) on existing and newly created buckets cannot grant public access. Service control policies (SCPs) prevent users from modifying this setting. AWS Config continually monitors S3 and remediates any attempt to make a bucket public.

Data in the solution is classified by sensitivity according to the customer's data classification hierarchy. Classification is expressed through resource tags, and AWS Config uses those tags to enforce the encryption, data retention, and archival requirements that apply to each class.

Continuous compliance

Our solution adopts a continuous compliance approach: the compliance status of the architecture is evaluated continuously and auto-remediated whenever a configuration change would violate the compliance posture. To achieve this, AWS Config and AWS Config rules confirm that resources are configured in line with the defined policies, and AWS Lambda implements a custom rule set that extends the managed rules included with AWS Config.
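A custom AWS Config rule of the kind the Data protection and Continuous compliance sections describe, as an added example that is not the customer's rule set. It evaluates an S3 bucket's configuration item on every change and reports NON_COMPLIANT unless default encryption is SSE-KMS with an approved CMK and the bucket carries an approved DataClassification tag. The event layout is the one AWS Config passes to a configuration-change-triggered custom Lambda rule; the rule parameter names ApprovedKmsKeyArns and AllowedClassifications, the tag name, and the ARNs are assumptions. The same handler shape, switched to AWS::KMS::Key items, is how a CMK-age check would be written.

```python
"""Custom AWS Config rule (Lambda handler) for the continuous-compliance loop.

Added example, not code from the post. Decision logic is kept separate from
AWS I/O so it can run and be tested offline; boto3 is only imported in Lambda.
"""
import json


def evaluate_bucket(config_item, params):
    """Return (compliance_type, annotation) for one S3 bucket configuration item."""
    if config_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule evaluates S3 buckets only"
    if config_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "bucket deleted"

    approved_keys = set(filter(None, params.get("ApprovedKmsKeyArns", "").split(",")))
    allowed_classes = set(filter(None, params.get("AllowedClassifications", "").split(",")))

    # Default-encryption settings live in the bucket's supplementary configuration;
    # accept both the dict form and a JSON-encoded string.
    sse = config_item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    if isinstance(sse, str):
        sse = json.loads(sse)
    rules = (sse or {}).get("rules", [])
    defaults = [r.get("applyServerSideEncryptionByDefault", {}) for r in rules]
    kms = [d for d in defaults if d.get("sseAlgorithm") == "aws:kms"]
    if not kms:
        return "NON_COMPLIANT", "default encryption is not SSE-KMS"
    key = kms[0].get("kmsMasterKeyID") or ""
    if key not in approved_keys:
        # Empty key means the AWS managed aws/s3 key, which this control does not accept.
        return "NON_COMPLIANT", f"default key {key or '(AWS managed)'} is not an approved CMK"

    classification = config_item.get("tags", {}).get("DataClassification")
    if classification not in allowed_classes:
        return "NON_COMPLIANT", f"DataClassification tag missing or not allowed: {classification!r}"
    return "COMPLIANT", f"SSE-KMS with approved CMK; classified {classification}"


def lambda_handler(event, context, config_client=None):
    """Entry point invoked by AWS Config; config_client is injectable for tests."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking["configurationItem"]
    compliance, note = evaluate_bucket(ci, params)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample input following the S3 bucket configuration-item layout.
APPROVED_KEY = "arn:aws:kms:eu-west-1:111122223333:key/11111111-2222-3333-4444-555555555555"
PARAMS = {"ApprovedKmsKeyArns": APPROVED_KEY,
          "AllowedClassifications": "Public,Internal,Confidential,Restricted"}
SAMPLE_CI = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "training-data-111122223333",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2023-01-01T00:00:00.000Z",
    "tags": {"DataClassification": "Confidential"},
    "supplementaryConfiguration": {
        "ServerSideEncryptionConfiguration": {
            "rules": [{"applyServerSideEncryptionByDefault": {
                "sseAlgorithm": "aws:kms", "kmsMasterKeyID": APPROVED_KEY}}]}},
}


class _RecordingConfigClient:
    """Stand-in for boto3's Config client so the handler runs offline."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def demo():
    event = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_CI}),
             "ruleParameters": json.dumps(PARAMS), "resultToken": "constructed-token"}
    client = _RecordingConfigClient()
    result = lambda_handler(event, None, config_client=client)
    return result["ComplianceType"], client.calls[0]["ResultToken"]


if __name__ == "__main__":
    print(demo())
```

Auto-remediation is attached outside the function: an AWS Config remediation action (an SSM Automation document) bound to the rule, so the Lambda stays a pure evaluator and the remediating role can be scoped separately.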

Data exfiltration prevention

In our solution, VPC Flow Logs are enabled in all accounts to record information about the IP traffic going to and from network interfaces in each VPC. This allows us to watch for abnormal and unexpected outbound connections, which can indicate an attempt to exfiltrate data. Amazon GuardDuty analyzes VPC Flow Logs, AWS CloudTrail event logs, and DNS logs to identify unexpected and potentially malicious activity within the AWS environment. For example, GuardDuty can detect compromised Amazon Elastic Compute Cloud (EC2) instances communicating with known command-and-control servers.
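The "unexpected outbound connection" check described above, run over flow log records, as an added example that is not code from the post. The records are constructed in the default VPC Flow Logs format (version 2, 14 space-separated fields); the interface ID, addresses, subnet and byte threshold are placeholders. One caveat the code handles: traffic to S3 through a gateway endpoint appears in flow logs with S3's public addresses as the destination, so the region's S3 prefix-list ranges must be allow-listed or every legitimate upload looks like egress (the 52.216.0.0/15 range below stands in for that list and is an assumption).

```python
"""Flag large accepted flows from an isolated subnet to non-RFC1918 addresses.

Added example, not code from the post. GuardDuty covers the known-C2 case;
this is the complementary "unexpected egress volume" heuristic.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow_log(line):
    """Parse one default-format record; '-' fields (NODATA/SKIPDATA) become 0."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for k in NUMERIC:
        rec[k] = int(rec[k]) if rec[k] != "-" else 0
    return rec


def is_rfc1918(addr):
    # Deliberately not ipaddress.is_private, which also treats documentation
    # ranges such as 203.0.113.0/24 as private and would hide them here.
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_suspicious_egress(lines, subnet_cidr, allowed_cidrs, byte_threshold):
    """Return [(src, dst, total_bytes)] for ACCEPTed flows that originate inside
    subnet_cidr, leave RFC1918 space, are not in allowed_cidrs, and move more
    than byte_threshold bytes in total per (src, dst) pair. NODATA/SKIPDATA
    records and REJECTed flows are skipped (rejects merit their own alert)."""
    subnet = ipaddress.ip_network(subnet_cidr)
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    totals = defaultdict(int)
    for line in lines:
        rec = parse_flow_log(line)
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src not in subnet or is_rfc1918(dst):
            continue  # inbound/unrelated, or stays inside private address space
        if any(dst in net for net in allowed):
            continue  # known AWS service range reached via a gateway endpoint
        totals[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
    return sorted((s, d, b) for (s, d), b in totals.items() if b > byte_threshold)


# Constructed records from one notebook ENI in subnet 10.0.1.0/24.
ENI = "eni-0a1b2c3d4e5f67890"
SAMPLE_LINES = [
    # upload to S3 through the gateway endpoint (public S3 address, allow-listed)
    f"2 111122223333 {ENI} 10.0.1.25 52.216.0.10 45678 443 6 40 61440 1700000000 1700000060 ACCEPT OK",
    # two large flows to an unknown Internet host
    f"2 111122223333 {ENI} 10.0.1.25 203.0.113.7 50123 443 6 6000 9000000 1700000000 1700000060 ACCEPT OK",
    f"2 111122223333 {ENI} 10.0.1.25 203.0.113.7 50124 443 6 4000 6000000 1700000060 1700000120 ACCEPT OK",
    # database traffic to a private subnet
    f"2 111122223333 {ENI} 10.0.1.25 10.0.2.40 51000 5432 6 120 24000 1700000000 1700000060 ACCEPT OK",
    # beacon-sized flow, below the byte threshold
    f"2 111122223333 {ENI} 10.0.1.25 198.51.100.77 51001 443 6 3 1500 1700000000 1700000060 ACCEPT OK",
    # inbound scan rejected by the security group
    f"2 111122223333 {ENI} 198.51.100.9 10.0.1.25 40000 22 6 1 60 1700000000 1700000060 REJECT OK",
    # aggregation interval with no traffic
    f"2 111122223333 {ENI} - - - - - - - 1700000000 1700000060 - NODATA",
]


if __name__ == "__main__":
    for hit in find_suspicious_egress(SAMPLE_LINES, "10.0.1.0/24", ["52.216.0.0/15"], 1_000_000):
        print("suspicious egress:", hit)
```

Run against records delivered to S3 or CloudWatch Logs, the same function works unchanged; in practice the threshold is set per subnet from a baseline of normal egress volume, and the allow-list is populated from the region's managed prefix lists rather than hard-coded.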


Financial services customers are using AWS to develop machine learning and analytics solutions that solve key business challenges while meeting their security and compliance needs. This post outlined how Amazon SageMaker, together with several security services (AWS Config, GuardDuty, KMS), enables a self-service, secure, and continually compliant data science environment on AWS for a financial services use case.

Originally published at: