
Simon and Jillian take you through all the big security announcements from AWS re:Inforce plus a hos
A
This is episode 727 of the AWS podcast released on June 30, 2025. Hello everyone and welcome back to AWS Podcast. I'm Simon Elisha, here with you. Great to have you back. Good to be back, actually. And I'm joined by one of my two amazing co-hosts, Jillian Ford. G'day, Jillian. How you going?
B
Fantastic. But if we count your dog on the couch that no one can see right now, maybe that's true.
A
Yes.
B
Co-host number four.
A
Yeah, Chewy is the backup. Backup co-host. Chewy is like maybe, I don't know, an Outpost. Not an AZ, but maybe an Outpost. Passive. You should.
B
She's sleeping on the couch, you know.
A
Exactly, exactly. So there has been, as always, lots going on and we just had the AWS re:Inforce conference in Philadelphia and this is the sort of big event where we all come together and talk all things security. And there's been some. There were some cool things there. Jillian, I think the new Network Security Director is interesting. This is in preview, part of the AWS Shield capability. Now what this is is it discovers network security issues before they can be exploited. So I don't know about you, Jillian, but I like to find out problems before they hurt me. That's a good thing.
B
That's a good idea.
A
It kind of is. And what this does is just. It makes it easy to understand what's going on in your environment. It compares it against best practices as well. You can see the network topology. I'm a visual learner. I like to see stuff. It does a whole bunch of automation. Of course it integrates with Amazon Q Developer. So natural language queries is a thing. It's kind of neat.
B
I think so too. I mean I like anything that just makes things a lot more simple and security, at least for me I think, can feel complicated and scary at times. I like the step by step remediation instructions. Anything that's just. Now we're so used to everything just being like wanting to write in natural language to be able to get some interesting insights back. And I think that's pretty cool as something that is also included as well in this new feature within Shield.
A
Yeah, I think it's. It's super important. Related to that is. And there are lots of releases at re:Inforce. But another one that we thought was really interesting is the new capability in the AWS IAM Access Analyzer which lets you verify which IAM roles and users have access to critical resources. Now this is really important because it's not just saying you're secure, it's being able to prove you're secure. And in the past, I don't know about you, but I've been involved in a lot of sort of, you know, paper based audits and that sort of stuff and it's just not, it's never accurate, it's never right. And this is, this is real stuff. Going through it and actually finding who has access to your S3 buckets, your DynamoDB tables, your RDS snapshots in a dashboard in one place with EventBridge integration. And we know as developers that once you have EventBridge integration, the world is yours. You can do whatever you want. It's pretty cool.
B
So true. Yeah, I'm super excited for this because I know this is a theme that I hear a lot with the customers I work with is just trying to get a handle of who has access to what and that being a great, like a major starting point to improve your security posture. So super excited to see customers start using this.
A
Yeah. Yeah. And if you, if you're a Kubernetes user, I know a lot of our customers out there do use Kubernetes. We now have Amazon GuardDuty extended threat detection coverage for Amazon EKS clusters. So this is really useful for your sort of very sophisticated multi-stage attacks that do take place. So it correlates and uses algorithms to correlate attack sequences across different audit logs, runtime behaviors, malware execution, API activity. So it really can tell what's going on in the environment and automatically detect and show you what's going on and allow you to take action and to intervene.
B
Sounds super useful to me, Simon.
A
Yeah, more security is a good thing. So Jillian, what's been going on in the world of analytics?
B
So Amazon Managed Streaming for Apache Kafka now supports Kafka version 3.8 on Express Brokers. Amazon OpenSearch Ingestion now allows you to ingest data from Atlassian Jira and Confluence and seamlessly index it in Amazon OpenSearch managed clusters and serverless collections. We've got one update in application integration. AWS announces an official source for AWS API model definition files and service model packages. This provides developers with access to API definitions for all AWS services. We now publish daily updates of these API models to an open source GitHub repository in Smithy format. I didn't even know what Smithy format is.
A
I'm a big fan of Smithy format. Makes it much easier to do things. You know what we're like in IT. There's a million different formats and if we don't like the ones we have, we make new ones. And Smithy is one of them. But Smithy is good. We use that internally too.
B
I did not know that either. Pretty cool. So these AWS public service models, they enable developers to take advantage of the same service model definitions that AWS uses for live services. These API models can be pulled into integrated development environments using the new packages available in Maven and can be used for developer tools use cases like mock testing or evolving MCP server needs. So by utilizing open source Smithy code generators, you can also generate purpose built AWS SDKs. This sounds really cool.
A
Yeah, this is really powerful, particularly in this new world of MCPs. And we'll be talking a lot more about MCPs in the future. Oh yeah, cool stuff. Cooking. Speaking of MCPs, let's talk artificial intelligence. And if there's one topic I like talking about for our listeners, it's a price cut. And so we are really happy to announce an up to 45% price reduction for Amazon SageMaker AI instances to enable more cost effective generative AI model development. So these price reductions happen automatically and this is a great way to get more training done at less cost. And Amazon SageMaker AI also now supports the M7i, C7i and R7i for SageMaker model training and model processing. So these give you 15% better price performance compared to the previous generations. And so this is always a reminder that in general, wherever possible, use the latest generation of a particular instance type because that's going to help you get the best bang for your buck. And I think this is one of the things that's different again now if I think about things that are different in the cloud to the old days. In the old days you bought your server and you just used it and that's what you had and you couldn't change it easily. Now it's, it's the reverse. It's like you should be. If you're not changing your server type every 6 to 12 months, you're probably leaving performance on the table. And I don't want you to do that. Amazon SageMaker AI training jobs have announced general availability of the P6-B200 instances powered by NVIDIA B200 GPUs. Now these are 2x performance compared to P5en instances for AI training. So again, more power is always what people are seeking these days. Amazon SageMaker now offers an upgrade experience that lets you transition from SageMaker Studio to the SageMaker Unified Studio whilst preserving all your existing resources and keeping your controls. This means it's easy to use the new upgraded experience without having to do a whole lot of work.
Amazon Bedrock Custom Model Import now supports the Qwen models, so these are things like Qwen2.5 Coder which I've had a bit of luck with running myself. These are useful for a wide range of different modalities. Qwen2.5 Coder obviously is optimized for code generation and understanding, so it's really useful for things like code completion and bug fixing, et cetera. Amazon Lex has improved its conversational accuracy with LLM-assisted natural language understanding, so this means that it can do things like interpreting complex or lengthy utterances, maintaining accuracy despite spelling errors. Not that I'd ever make a spelling error. Extracting slots from verbose inputs and delivering better results with minimal training. And it does not need any changes to permissions or integration settings. Amazon Nova Sonic, I know a lot of people have been using this lately. It's pretty cool. It's a state of the art speech to text foundation model. It now supports the Spanish language, so now you have natural real time voice conversations for more users and developers worldwide. So this builds upon its existing support for English, and it has both American and British accents, and it has two additional masculine and feminine sounding expressive voices in Spanish. Still no Aussie voice. Petition for me to be the voice of Amazon Nova Sonic.
B
I think people would start using it if they knew it was your voice.
A
You can now extend Amazon Q Developer IDE plugins with MCP tools. So these are Model Context Protocol tools. So you can now augment the list of built in tools with any MCP server that supports the STDIO transport layer, or Stead IO as I always call it. And these can be managed using the Q Developer user interface, which is way easier than editing the JSON file. I don't know why I keep editing the JSON file. I should not be doing that, I should just be using the tool. Makes it a lot easier. Amazon Q Developer has introduced Pro tier upgrades for Builder IDs, so this gives you higher usage limits in your IDEs and in the command line interface as well. Because capacity starts to become a thing, you start doing more and you want bigger limits. And Amazon Q Developer has launched Java upgrade, a selective transformation in the CLI. This is in preview and this will do the selection of steps for a transformation plan and a breakdown of a transformation job for granular code reviews, and for first party and third party dependencies, the libraries and their versions you would like Q Developer to upgrade during the JDK version upgrades will also be analyzed as well. So this is a pretty cool thing to, I guess, overcome that chore of having to keep things up to date. It's nice if you don't have to.
B
Next up we've got compute. Amazon EC2 Auto Scaling now offers the ability to filter out instance details from the DescribeAutoScalingGroups API with a new parameter. With IncludeInstances set to false, you can quickly access metadata and configurations about your Auto Scaling groups without the overhead of instance details, reducing the size of the API response and improving API response time. And if you're still not using Auto Scaling, I definitely recommend it. What do you think, Simon?
A
I don't know what to tell you. If auto scaling is not a part of your life, if you're using EC2 instances, then torture friendly essays. That's in all seriousness, it's still.
B
It really is.
A
Yes, it's one of the coolest features. It has so many capabilities. It lets you do things before the instances start, after the instances stop, it lets you do rolling upgrades. It is the secret sauce of maintaining a highly available instance based architecture.
B
Absolutely. I could not have said it any better myself. And we are also announcing the job completion metadata logging for AWS Parallel Computing Service, so with this launch, Parallel Computing Service can be configured to emit job completion logs to Amazon CloudWatch Logs, S3 and Amazon Data Firehose. AWS Compute Optimizer now identifies idle EC2 Auto Scaling groups with GPU instances. As AI development accelerates, organizations are creating more Auto Scaling groups with the G and P instance types for training and inference workloads. So now with the NVIDIA CloudWatch agent, Compute Optimizer analyzes utilization data and it identifies groups that have completed jobs and remained idle during your specified lookback period, making it easier to identify and prevent waste on these high cost instance types. This is definitely one that you definitely want to bookmark. If you are going to be using any of those instances, you definitely want to make sure that you're using the right amount of compute. You're turning off those instances when you're not using them.
A
Yeah, all the tools are there to help you not use stuff. That's the beautiful thing. It's like we don't want you to use too much. Use just enough.
B
Just the right amount. That's right. AWS Deadline Cloud Monitor now includes a worker dashboard that makes it easy to monitor performance of your workers. AWS is expanding access to Amazon Elastic VMware Service through public preview. This builds on the momentum of the initial private preview announcement that happened back at re:Invent in 2024. So customers who want to run VMware Cloud Foundation based workloads, they can do that within their VPC.
A
Let's talk contact center. Amazon Connect has enhanced communication limits for outbound campaigns so you can do more. Amazon Connect Customer Profiles for travel and hospitality can now allow you to more seamlessly ingest and map data from your industry specific source systems into your customer profile so you get a better view. It now has industry specific mapping from over 75 source systems so you can use things like Amadeus, which is even a travel system I know of, to integrate data. So integration of data is always a challenge. We want to make sure we have that there. Amazon Connect Customer Profiles now offer a profile explorer so you can access a unified customized view of all of your customer profiles. And Amazon Connect has enhanced hold duration tracking for multi-party calls. So this new field allows contact center managers to gain insights into hold patterns at the individual agent level during customer interaction. And it also gives other benefits like better agent performance management and how to improve stuff. You know, let's face it, none of us want to be kept on hold too long. This allows that feedback loop to go, what's not working here that everyone's on hold for a long time. I like it because, remember, "your call is important to us." And last one for this one. Amazon Connect introduces enhanced calculated attributes. So this gives you timestamp controls, historical data backfill and improved limits to help you transform your customer data into actionable insights. You can now specify timestamps on your data including future dated events and you can process historical data with increased limits. So this gives you the ability to do things like tracking upcoming appointments, analyzing long term customer behavior patterns, evaluating customer lifetime value, and making sure your agents are prepared with relevant context before customer interactions.
I tell you, the Amazon Connect team, they just, you know, just keep pushing out great capabilities for customers. It's a really, it's good to see.
B
They really do. Yeah, I'm definitely excited. I'm seeing so much interest now with being able to have these call center types of workflows using AI. So I'm definitely excited to see how Connect can help more customers be able to do that. And now let's talk about containers. Amazon EKS Pod Identity now provides a simplified experience for configuring application permissions to access AWS resources in separate accounts. With enhancements to EKS Pod Identity APIs, you can now seamlessly configure access to resources across AWS accounts by providing the resource account IAM details during the creation of the Pod Identity association. Amazon ECS now supports updating capacity providers for an existing ECS service. With this enhancement, customers can seamlessly update the underlying compute configuration for their ECS services without incurring operational overhead or potential disruption from needing to recreate their services. Now we've got databases. Amazon RDS for MySQL now supports Community MySQL Innovation Release 9.3 in the Amazon RDS Database Preview Environment. This allows you to evaluate the latest Innovation Release on Amazon RDS for MySQL. Amazon RDS for Db2 now supports cross-Region standby replicas. This is a new feature that helps customers reduce database downtime during disaster recovery. Amazon RDS Custom for SQL Server now supports Cumulative Update 18 for Microsoft SQL Server 2022.
A
Jillian could this be an opportunity for me to remind people to patch your stuff?
B
I was waiting for you to do that. Oh my God, yes. It never gets old.
A
Yes, patch your stuff.
B
This update is available for SQL Server Developer, Web, Standard and Enterprise editions. And hopefully you're just now motivated because of Simon. AWS announces the open sourcing of pgactive, a Postgres extension for active-active replication. Ooh, I love all these, like, resiliency, like disaster recovery. Like, this is a cool one too.
A
Because this one, this one brings it to the next level of failover capability. It's great.
B
Yeah. So pgactive lets you use asynchronous active-active replication for streaming data between database instances to provide additional resiliency and flexibility in moving data between database instances, including writers located in different Regions. And so this helps maintain high availability operations like switching write traffic to a different instance. pgactive builds on the foundation of Postgres logical replication features such as bidirectional replication between tables starting in Postgres 16. And this is open source. So I'm excited about this one. I think more and more customers, I'm sure, like whether it's regulatory, maybe just for that high availability, their business is growing. They're just looking at more opportunities to be able to expand globally and having active-active. So this is super cool that there's just even open source support for it. Amazon DynamoDB Streams adds support for Kinesis Client Library 3.0. Valkey introduces GLIDE 2.0 with support for Go, OpenTelemetry and pipeline batching. So GLIDE stands for the General Language Independent Driver for the Enterprise, which is the latest release of one of its official open source Valkey client libraries. And if you're not familiar with Valkey, this is the most permissive open source alternative to Redis, stewarded by the Linux Foundation, so it's meant to always be open source. And GLIDE is a reliable, high performance, multi-language client that supports all the Valkey commands.
A
Nice. You can glide. Let's glide, let's talk front end, web and mobile. AWS AppSync enhances security with default encryption for GraphQL API caching, so it will automatically enable encryption at rest and in transit for all new API caching configurations. And this means that your posture is better. Management and governance: the AWS Console Mobile Application has added support for CloudWatch Logs Insights. So this is really cool if you need to search and analyze log data while on the go. And let's face it, we've all had those weekends where things aren't going well, you're out of pocket, you're not near your laptop, et cetera. Well, the AWS Console Mobile app has your back. AWS, yeah, yeah. AWS Marketplace now supports Private Marketplace management in the console, so you can now manage things that are private to your organizational unit only. The Amazon CloudWatch agent has added support for EBS detailed performance statistics. So this gives you more granular visibility into your volume's IO performance, so you can understand what's going on and why things are going wrong. You can track performance trends, you can create custom dashboards, you can set up alarms. This is a good thing. And AWS Control Tower now supports service-linked AWS Config managed rules. That's hard to say, but basically a service-linked AWS Config rule is managed entirely by AWS services and cannot be edited or deleted by users. To maintain consistency, prevent configuration drift or simplify the user experience, you can update these rules only through AWS Control Tower.
B
We've got a few updates, actually. No, not a few. There's. There's a couple in networking and content delivery.
A
In fact, I think technically there's more than a couple because there's more than two. So it's now more than.
B
Ooh, you know what? I didn't really know what the definition of a couple is.
A
Yeah. Remedial Math Tutor for Jillian Ford. Remedial Math Tutor for Jillian Ford.
B
Well, I don't need. There's AI now there's a.
A
Of course, yes. He could do the thinking for you.
B
Do the thinking. All right, well, now we've got AWS Network Firewall. They've now launched support for Active Threat Defense. This is a new security feature that helps you protect your Amazon Virtual Private Cloud workloads against threat activities observed across AWS global infrastructure using Amazon Threat Intelligence. So Network Firewall with Active Threat Defense, this provides automated intelligence driven protection against dynamic ongoing threat activities observed across the infrastructure within AWS. So you configure the managed rule groups in your firewall and this is going to automatically block suspicious traffic such as command and control communication, embedded URLs, malicious domains. This sounds super useful.
A
It is a big deal. And this actually builds upon a technology we've talked about in the past called MadPot. There's also some great blog posts about that. And this is, this is AWS's global threat detection system where we have hundreds of thousands of instances out there pretending to be targets so that the miscreants attack it and then we interpret what they do with the attacks and then that starts to inform how to protect. And so we're seeing in real time what's going on out there and then we're putting in place defenses immediately to counteract those. So it's, yeah, it's, it's very cool and extensive technology that really tightens up the feedback loop of the threats emerging and then actually mitigating against those threats rather than waiting for a new rule set to be published or someone to put out a CVE, et cetera.
B
Another one from AWS Network Firewall. They now support AWS Transit Gateway native integration. This capability is available in five AWS Regions and if you are new to Transit Gateway, this interconnects your VPC and on premises networks while AWS Network Firewall provides comprehensive security controls for those VPCs. AWS Cloud WAN announces the general availability for security group referencing and enhanced Domain Name System across VPCs connected by Cloud WAN. So with SG, which is the security group referencing, these customers can simplify management of security groups and gain a better security posture for cross-VPC connectivity via Cloud WAN. So with enhanced DNS support, customers can enable the resolution of public DNS hostnames to private IP addresses for DNS queries from VPCs attached to Cloud WAN. Amazon CloudFront introduces a new console experience that simplifies the delivery of secure high performance applications to users on the Internet. AWS WAF reduces web application security configuration steps and provides expert level protection.
A
That's the kind of protection I want, expert level, not basic level. I want expert level. Let's talk security, identity and compliance. We touched on a few security things early on, but there's more. AWS KMS has launched on demand key rotation for imported keys. So that means you can meet your compliance requirements by keeping your keys rolling. Amazon ECR enhanced scanning now surfaces image use status. So now you can understand the last use date, the number of clusters that the image was used in and the cluster ARNs as well. We talked also about the AWS Shield improvements, but we're now also happy to introduce AWS Security Hub for risk prioritization and response at scale. This is in preview as well. This is a good one because this basically transforms correlated security signals into actionable insights through visualizations and contextual analytics. So it means you can identify critical patterns and trends and you can centralize your security ops. So for example, it detects and correlates scenarios where publicly exposed resources with highly exploitable vulnerabilities have access to storage with sensitive data. So this means you can get a better risk context so you can make more informed decisions about immediate action on security issues. So enhanced capabilities include exposure findings, security focused asset inventory, attack path visualization. That one's pretty cool. And automated response workflows with ticketing and system integration so you can action things super, super quick.
B
Wow, I really like that, especially for leaner teams, where I see it often where, like, a leaner security team, they look at maybe Security Hub and it can feel a bit overwhelming because there's so many different things. You don't really know what necessarily to prioritize, and how do you do that when you're also responsible for building out features? So now I just love that these automated response workflows and the prioritization just helps them to be able to actually take baby steps at being able to improve their security posture.
A
That is a great call out. Great call out. AWS Certificate Manager, or ACM, has announced exportable public certificates that you can use on any workload that requires a public TLS certificate, whether within AWS or outside. This is very, very cool because now you can issue public certificates that you can export and access to securely terminate TLS traffic on anything, including EC2 instances, containers and on premises as well. Now this helps you. You know, before you could do this all within AWS, but now you can use them anywhere. And the nice thing is the exportable public certificates are valid for 395 days and they cost just $15 per fully qualified domain name and $149 per wildcard name. You don't need to sign up for bulk issuance contracts. You pay once through the lifetime of the certificate. You can monitor and automate the use of those certificates as well. I think this is going to make for easier implementation of certificates, which is nice. Speaking of nice and having good things, AWS IAM now enforces MFA for root access across all account types.
B
I think you need your. One of your sound effects for this one.
A
I know, sorry. Yeah. Let me think about what we're going to go with on this one. Sorry. See, I wasn't ready. I wasn't ready for the need to actually do this. I think I've got one that's appropriate, but we'll see if you like it. Hang on, here we go.
B
That's. That's what exactly I was being.
A
That's appropriate.
B
Perfect.
A
Okay, here we go. So the new MFA enforcement is a significant milestone. Basically it's a high bar for a customer security defense posture because basically it means you have to have an MFA, and you can register up to eight MFA devices per root and IAM user. So this is really useful as well on those distributed teams, et cetera, where you still need to provide that access. You're not sort of fighting over the one MFA device. If you don't have MFA, and this is, this is a Simon tip, the Internet is a scary place if you don't have MFA on everything you log into in your life. That's your homework. Yes, go ahead. You need multi-factor authentication. Passwords, they're so 1990. You gotta have it. And now we have it across everything, which is great. Speaking about scariness, AWS KMS adds support for post-quantum ML-DSA digital signatures. So this is a quantum resistant digital signature algorithm designed to help organizations address emerging quantum computing threats. This post-quantum signature algorithm is one of the selected algorithms standardized by NIST to protect sensitive data well into the foreseeable future, including after the advent, I should say, of cryptographically relevant quantum computers. AWS WAF now supports automatic application layer distributed denial of service protection. So this is at the layer 7 level. And this automatically detects and mitigates DDoS events of any duration to ensure the applications on CloudFront, ALB and other AWS services are up and running. Amazon Verified Permissions reduces authorization request pricing by up to 97%. So it's much better than it was before. Express.js developers can now add authorization in minutes with Amazon Verified Permissions. So if you use that, this makes it super easy. And one quick update in the topic of serverless: Powertools for AWS Lambda introduces a Bedrock Agents functions utility. If you are not a Powertools for AWS Lambda user, I encourage you to be so.
It does a whole lot of cool stuff that are sort of in the category of stuff I really want my application to do, but it takes a lot of time and effort. This just does it for you. You know, parameter injection, response formatting, boilerplate code. Just good stuff. I'm. I'm a fan of Powertools.
B
And speaking of other things to be a fan of, let's talk about storage. Amazon EFS now supports IPv6 for both EFS APIs and mount targets. Amazon S3 Express One Zone now supports renaming objects with the new RenameObject API. For the first time in S3, you can rename existing objects atomically with a single operation without any data movement. AWS Backup announces support for multiparty approval in AWS Organizations for logically air gapped vaults to enhance data recovery. The new AWS Backup feature enables customers to authorize access to backups for approved accounts in logically air gapped vaults, even when the owning account becomes inaccessible due to inadvertent or malicious events. Multiparty approval is a new governance capability that requires multiple authorized individuals to approve critical operations before execution on AWS resources. This distributed decision making process adds an enhanced security layer by preventing any single person from making unilateral changes. Oh, I feel so much better about that. Knowing that you don't have to worry about making a mistake of setting a backup period for a very long time and you're like, oh my gosh, wait.
A
Like the two per. The two person rule is very handy in these situations.
B
Yes, especially maybe even with backup and like cost optimization if you, you want to retain these backups and maybe you think oh let me set a very long like retention period and you're like wait, but now I'm getting told by my CFO I need to reduce my costs and I've got all these backups so I think having that extra layer so you're not, you don't make any decisions you don't regret.
A
You might regret. Exactly.
B
Amazon S3 now includes additional context in HTTP 403 Access Denied errors for requests made to resources in accounts within the same AWS organization. This context includes the type of policy that denied access, the reason for denial, and information on the AWS IAM user or role that requested access to the resource.
A
This is such an ergonomics improvement. Oh my goodness. If, if you're trying to figure out the security policy that you put in place that you, you're now bumping into this across a big estate. This is. Yeah, I'm happy with this one.
B
I mean there's a lot of basic. I mean I've got one more, but I mean just all these small updates that are like huge wins.
A
Huge. Yeah.
B
And the last one, Amazon S3 adds S3 Tables storage cost information for individual tables in AWS Cost Explorer and AWS Cost and Usage Reports. You can now track and analyze all S3 Tables costs including storage, API requests and maintenance operations for each table in your data lake. This helps you make decisions about resource optimization and to attribute cost to specific projects and business units. Another one that I'm also super excited about, especially as more and more customers are using Apache Iceberg and want to be able to take advantage of S3 and being able to query it and understanding their costs as they're making better business decisions. This is another one. We've had so many of these. MFA.
A
Like yeah, it's been a big ergonomics week, I think. Lots of ergonomics things that are just nicer, a few price reductions, you know. Life is good. Life is good. Jillian, how do folks reach out to you?
B
LinkedIn. I am Jillian Ford on LinkedIn.
A
There you go. And if you want to go old school, awspodcast@amazon.com is the place to do it. And of course, until next time, keep on building.
AWS Podcast Episode #727 Summary: AWS Shield Network Security Director, Amazon GuardDuty for EKS, and More
Release Date: June 30, 2025
In Episode #727 of the AWS Podcast, hosts Simon Elisha (Speaker A) and Julian Ford (Speaker B) delve into the latest updates and advancements from Amazon Web Services. This episode covers a wide array of topics, including security enhancements, analytics developments, artificial intelligence innovations, compute and scaling features, container updates, database improvements, front-end and developer tools, storage solutions, networking advancements, and identity and compliance updates. Below is a detailed summary capturing the key points, discussions, insights, and conclusions from the episode.
AWS SHIELD Network Security Director (00:37 - 01:38) Simon introduces the new Network Security Director, a preview feature of AWS Shield capability designed to proactively identify network security issues before exploitation. He emphasizes the importance of preemptive problem detection:
"I like to find out problems before they hurt me. That's a good thing." (00:37)
Julian echoes the sentiment, highlighting the simplification and automation brought by the feature, including step-by-step remediation instructions and natural language queries integration.
AWS IAM Access Analyzer (02:12 - 03:06) Simon discusses the enhancements in AWS IAM Access Analyzer, which now verifies which IAM roles and users have access to critical resources. This improvement aids in proving security measures, moving beyond traditional, often inaccurate, paper-based audits.
"It's being able to prove you're secure." (02:12)
Julian appreciates how this feature helps customers understand access controls, a common security challenge.
Amazon GuardDuty for EKS (03:26 - 04:05) The hosts highlight the extended threat detection capabilities of Amazon GuardDuty for Amazon EKS clusters. This tool uses algorithms to correlate attack sequences across various audit logs and runtime behaviors, enabling automatic detection and intervention.
"More security is a good thing." (04:03)
AWS Network Firewall Enhancements (21:22 - 24:52) Several updates to AWS Network Firewall are discussed, including:
Active Threat Defense: Provides automated, intelligence-driven protection against threats by leveraging AWS Threat Intelligence. Simon explains the integration with AWS's Global Threat Detection system, which actively monitors and mitigates emerging threats in real-time.
"We're putting in place defenses immediately to counteract those." (22:38)
AWS Transit Gateway Native Integration: Allows seamless interconnection of VPCs and on-premises networks with comprehensive security controls.
Security Group Referencing and Enhanced DNS Support: Simplifies security group management across VPCs connected via AWS Cloud WAN, enhancing the security posture for cross-VPC connectivity.
Amazon Managed Streaming for Apache Kafka (04:12 - 05:03) Julian announces support for Kafka version 3.8 on Express Brokers, enhancing streaming capabilities for developers.
Amazon OpenSearch Ingestion (05:03 - 05:53) The addition of data ingestion from Atlassian Jira and Confluence into Amazon OpenSearch managed clusters and serverless collections is discussed, facilitating seamless data indexing.
AWS API Model Definitions (05:53 - 07:00) AWS introduces an official source for API model definition files and service model packages, published daily to an open-source GitHub repository in Smithy format. Simon praises the Smithy format for its ease of use:
"Smithy is good. We use that internally too." (05:03)
Julian elaborates on how these public service models aid developers in mock testing, evolving MCP server needs, and generating purpose-built AWS SDKs using open-source Smithy code generators.
Amazon SageMaker Price Reductions and Enhancements (05:53 - 10:49) Simon announces up to a 45% price reduction for Amazon SageMaker AI instances, making generative AI model development more cost-effective. Additionally, support for M7i, C7i, and R7i instances offers 15% better price performance compared to previous generations. The introduction of P6-B200 instances powered by NVIDIA B200 GPUs, delivering twice the performance of P5en instances, is also highlighted.
"Wherever possible, use the latest generation of a particular instance type because that's going to help you get the best bang for your buck." (07:06)
Amazon Bedrock and Lex Updates (10:49 - 09:09) Simon mentions the general availability of various Bedrock functionalities, including custom model import supporting Qwen models like Qwen2.5 Coder, optimized for code generation and understanding. Amazon Lex's improved conversational accuracy with LLM-assisted natural language understanding is also discussed, enhancing the interpretation of complex or lengthy utterances.
Amazon Nova Sonic Enhancements (08:02 - 09:09) The addition of Spanish language support to Amazon Nova Sonic, AWS's state-of-the-art speech-to-text foundation model, is introduced. This expansion includes support for different accents and expressive voices, broadening its applicability for global users.
Amazon EC2 Auto Scaling Updates (10:29 - 12:40) Julian details the new ability to filter out instance details from the Describe Auto Scaling Groups API, improving response times by reducing API payload size. Simon underscores the importance of auto scaling in maintaining highly available architectures:
"It's one of the coolest features." (11:01)
AWS Compute Optimizer (11:28 - 12:40) The Compute Optimizer now identifies idle EC2 auto scaling groups with GPU instances, helping prevent cost waste by highlighting underutilized high-cost instances used for AI training and inference workloads.
AWS Parallel Computing Service (11:11 - 12:40) Job completion metadata logging to Amazon CloudWatch Logs, S3, and Amazon Data Firehose is announced, enhancing visibility and monitoring for parallel computing tasks.
Amazon EKS Pod Identity (15:18 - 17:04) Simon introduces the Amazon EKS Pod Identity enhancement, which simplifies configuring application permissions to access AWS resources across different accounts by providing the resource account's IAM details during Pod Identity Association creation.
Amazon ECS Capacity Providers (16:00 - 17:04) Julian announces support for updating capacity providers for existing ECS services, allowing seamless updates to underlying compute configurations without operational overhead or service disruptions.
Amazon RDS Enhancements (17:04 - 17:43) Several updates to Amazon RDS are discussed:
Simon uses these updates as an opportunity to remind listeners of the importance of regular patching:
"Could this be an opportunity for me to remind people to patch your stuff?" (17:04)
Open Sourcing pgactive (17:43 - 19:37) AWS open-sources pgactive, a PostgreSQL extension for active-active replication, enhancing resiliency and flexibility in data replication across database instances and regions.
AWS AppSync and Console Mobile Application (19:37 - 21:22)
AppSync Security Enhancements: Default encryption for GraphQL API caching ensures data at rest and in transit is secured automatically.
"AWS AppSync enhances security with default encryption." (19:37)
AWS Console Mobile App: Now supports CloudWatch Log Insights, allowing developers to search and analyze log data on the go, providing flexibility during critical situations.
AWS Marketplace and Control Tower Updates (21:22 - 24:52)
Amazon EFS and S3 Updates (30:49 - 34:19)
Amazon EFS IPv6 Support: Enables both EFS APIs and mount targets to use IPv6, enhancing network compatibility.
"Amazon EFS now supports IPv6 for both EFS APIs and mount targets." (30:49)
Amazon S3 RenameObject API: Introduces the ability to rename objects atomically with a single operation, eliminating the need for data movement and enhancing workflow efficiency.
AWS Backup and Cost Optimization (31:11 - 33:07) Julian discusses AWS Backup's support for multiparty approval in AWS Organizations for logically air-gapped vaults, enhancing data recovery and governance by requiring multiple authorizations for critical operations.
"Multiparty approval is a new governance capability that requires multiple authorized individuals to approve critical operations." (31:11)
Additionally, Amazon S3 Tables introduces storage cost information in AWS Cost Explorer and AWS Cost and Usage Reports, enabling detailed cost tracking and optimization for individual S3 tables.
AWS Network Firewall and CloudFront Enhancements (21:22 - 24:52)
Active Threat Defense: As previously mentioned, provides automated protection against dynamic threats.
AWS Transit Gateway Native Integration: Facilitates secure interconnectivity between VPCs and on-premises networks.
Amazon CloudFront Console Experience: Simplifies the delivery of secure, high-performance applications to end-users.
AWS WAF Improvements: Reduces web application security configuration steps while providing expert-level protection against sophisticated threats.
"AWS WAF reduces web application security configuration steps and provides expert level protection." (24:52)
AWS Security Hub and Certificate Manager (24:52 - 28:00)
AWS Security Hub for Risk Prioritization and Response: Now in preview, this tool transforms correlated security signals into actionable insights through visualizations and contextual analytics, enabling better risk management and automated response workflows.
"It transforms correlated security signals into actionable insights." (25:18)
AWS Certificate Manager (ACM): Introduces exportable public certificates valid for 395 days, priced affordably, allowing secure TLS termination on any workload, both within and outside AWS.
MFA Enforcement (28:00 - 30:49) Simon and Julian discuss the new MFA enforcement for root access across all account types, highlighting its significance in enhancing security defenses. Simon emphasizes the critical need for multi-factor authentication:
"The Internet is a scary place if you don't have MFA on everything you log into in your life." (28:21)
Post-Quantum Security (28:21 - 30:49) AWS KMS adds support for post-quantum ML-DSA digital signatures, ensuring cryptographic resilience against emerging quantum computing threats.
The episode concludes with Simon and Julian reflecting on the numerous updates and enhancements AWS has rolled out, emphasizing the continuous push for improved security, efficiency, and developer-friendly tools. They encourage listeners to leverage these new features to optimize their AWS environments and enhance their security postures.
Julian provides contact information for listeners to reach out:
"LinkedIn I am Jillian Ford on LinkedIn." (34:33)
Simon adds:
"Until next time, keep on building." (34:37)
This episode of the AWS Podcast offers a comprehensive overview of AWS's latest advancements, providing valuable insights for developers, IT professionals, and organizations looking to leverage AWS's expanding suite of tools and services to build secure, efficient, and scalable cloud solutions.