Hello, cloud gurus! I’m Stephen Sennett, bringing you only the finest in AWS news this week! This time, we’ve got new security updates to CodeGuru Reviewer (namely, detectors for log-injection flaws) as well as new performance features for EFS, new security features for Web Application Firewall, and new auto-adjusting features for AWS Budgets. Read on for all the deets.
CodeGuru Reviewer security updates
Amazon’s CodeGuru Reviewer has recently had two interesting updates, with the new Detector Library being announced, and new security detectors for log-injection vulnerabilities.
We need only cast our minds back to December, when Log4Shell, the now-infamous vulnerability in the popular Java logging library Log4j found by security researchers at Alibaba Cloud, went public. This snafu impacted everything from Twitter to Minecraft to internet-connected toasters. Anyone involved in discovering and remediating this issue (*raises hand*) will know what a challenge it was.
This new detector flags places where untrusted input flows into a log call without sanitization, which makes it easier to keep forged or malicious entries out of the logs of the applications we’re developing. Granted, this won’t solve everything: a log-injection finding is about your own code, not a patch for a vulnerable logging library, and Log4Shell itself was a JNDI lookup bug inside Log4j. But attacker-controlled strings reaching a logger were exactly what made that bug reachable, so catching the pattern gets us a step closer. The new Detector Library documents all of the security and quality detectors CodeGuru uses, including compliant and non-compliant code examples, compliance tags, and other information to help you dive deeper and understand their findings.
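To make the finding concrete, here is an added example in Python (one of the languages CodeGuru Reviewer analyzes); it is my own illustration, not CodeGuru’s detector code or its sample output. The first function writes an untrusted value straight into a log record, which is the shape the detector flags; the attacker-controlled string `FORGED_USERNAME` is constructed for this example and carries a newline so the tail of the value lands in the log as a second, forged “login succeeded” entry. The second function shows one remediation, escaping control characters before logging and passing the value as a logging argument rather than concatenating it into the message. The function and logger names are hypothetical.

```python
import logging
import re
from io import StringIO

# Constructed attacker input (hypothetical): a "username" that carries a newline
# so that the tail of the value lands in the log as a separate, forged entry.
FORGED_USERNAME = "alice\nINFO: login succeeded for user=admin"

# Control characters (CR, LF, NUL, ...) that can break one log record into several.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def _fresh_logger(name):
    """Build an isolated logger writing to an in-memory buffer so the example
    can return what was actually written instead of printing it."""
    buffer = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()          # idempotent across repeated calls
    logger.propagate = False         # keep the root logger's handlers out of it
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s"))
    logger.addHandler(handler)
    return logger, buffer


def log_login_failure_vulnerable(username):
    """The shape a log-injection detector flags: untrusted input written to
    the log verbatim. Returns the raw text that reached the log."""
    logger, buffer = _fresh_logger("example.vulnerable")
    logger.info("login failed for user=" + username)
    return buffer.getvalue()


def sanitize_for_log(value):
    """Escape control characters as \\xNN so the value stays on one line but
    nothing is silently dropped (it is still visible when reviewing the log)."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_login_failure_hardened(username):
    """Same message, but the untrusted value is sanitized first and passed as
    a logging argument rather than concatenated into the format string."""
    logger, buffer = _fresh_logger("example.hardened")
    logger.info("login failed for user=%s", sanitize_for_log(username))
    return buffer.getvalue()


def record_count(log_text):
    """How many log records a reader (or a SIEM parser) would see in the text."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    print(log_login_failure_vulnerable(FORGED_USERNAME), end="")
    print(log_login_failure_hardened(FORGED_USERNAME), end="")
```

Run stand-alone, the vulnerable path writes two records, the second of which claims a successful admin login that never happened, while the hardened path writes exactly one record with the newline visible as `\x0a`. Escaping rather than deleting the control characters keeps the evidence of the attempt intact for whoever reads the log later; structured (JSON) logging, where the value is emitted as a quoted field, is the other common fix.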
Also, if you’re still not entirely familiar with the Log4Shell vulnerability, our team at Pluralsight put together a cool blog post explaining it further, and there’s a webinar discussing the aftermath and remaining concerns.
EFS supports sub-millisecond read latency
Amazon Elastic File System now delivers sub-millisecond read latency on General Purpose performance mode file systems. Because EFS is a distributed file system, every operation used to carry some latency from the round trip across the service. Many applications can tolerate that, but latency-sensitive workloads (small-file reads, metadata-heavy builds, content serving) are bound by how long the first byte takes to arrive. Bringing read latency down to as low as 600 microseconds roughly halves what General Purpose file systems delivered before.
Write operations on General Purpose file systems are still in the low single-digit millisecond range, and while the Max I/O performance mode remains higher-latency, its trade of latency for higher aggregate throughput and IOPS is still worth it in many scenarios. For full details, check out the AWS documentation on EFS performance. This improvement is available right now in all regions where EFS is available and requires no changes on your side to take effect.
WAF Fraud Control
The new AWS WAF Fraud Control – Account Takeover Prevention (ATP) feature (*phew*) has launched to help protect your web application’s login page against a range of attacks. ATP is delivered as a managed rule group that inspects requests to your login endpoint (you tell it the login path and which request fields carry the username and password), and it flags anomalous login behaviour that may indicate attempted compromise, such as:
- credential stuffing, where an attacker attempts to use a variety of stolen credentials from previous data breaches, or
- brute forcing, by simply throwing random passwords at the login page until it works
It’s only available in a few regions so far, and there is an additional cost to enable it. With both a monthly subscription fee and a charge of $1 per thousand login attempts analyzed, it’s certainly not cheap. But for large enterprises, that’s a small cost overall. And since it’s part of WAF and blocks requests at the edge before they reach your login handler, I’d expect brute-force attacks to be shut down before they incur enormous costs.
If you’re running your own login solution that doesn’t already have this protection included, it’s probably worth checking out.
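The two behaviours in the list above differ in a way that is easy to see in data, and it is worth knowing what you are paying a managed service to spot. The following is an added example of my own, written in Python; it is not AWS’s ATP logic, which is a closed managed rule group, and it is deliberately simpler than what ATP does. It labels a source IP as credential stuffing when its failed logins inside a time window are spread across many distinct usernames (each stolen pair tried about once) and as brute force when they concentrate on one account. The records, IPs (from the documentation ranges), thresholds and function name are all constructed for the example.

```python
from collections import defaultdict

# Constructed login-attempt records: (epoch_seconds, source_ip, username, succeeded).
# Hypothetical data made up for this example; the IPs are documentation ranges.
SAMPLE_ATTEMPTS = (
    # one source trying 60 different usernames once each: stolen-credential replay
    [(1000 + i, "203.0.113.7", f"user{i:03d}", False) for i in range(60)]
    # one source hammering a single account: password guessing
    + [(1000 + i, "198.51.100.9", "alice", False) for i in range(40)]
    # an ordinary user who mistyped once and then logged in
    + [(1010, "192.0.2.5", "bob", False), (1015, "192.0.2.5", "bob", True)]
)


def classify_sources(attempts, now, window=300, fail_threshold=25, spread_ratio=0.8):
    """Label source IPs whose failed logins inside [now - window, now] reach
    fail_threshold.

    'credential_stuffing' when the failures are spread over many distinct
    usernames (distinct/total >= spread_ratio), 'brute_force' when they
    concentrate on one or a few accounts. Sources below the threshold are
    not labelled at all, so a user who mistypes a password is left alone.
    Thresholds are illustrative, not tuned values from any product.
    """
    failed_users = defaultdict(list)
    for ts, ip, user, ok in attempts:
        if ok or ts < now - window or ts > now:
            continue
        failed_users[ip].append(user)

    labels = {}
    for ip, users in failed_users.items():
        if len(users) < fail_threshold:
            continue
        spread = len(set(users)) / len(users)
        labels[ip] = "credential_stuffing" if spread >= spread_ratio else "brute_force"
    return labels


if __name__ == "__main__":
    for ip, label in sorted(classify_sources(SAMPLE_ATTEMPTS, now=1100).items()):
        print(f"{ip}: {label}")
```

On the constructed data this flags 203.0.113.7 as credential stuffing and 198.51.100.9 as brute force, and leaves 192.0.2.5 alone. The window matters: the same records evaluated well after the burst produce no labels, which is the difference between a rate-based rule and a static blocklist. A real deployment would also key on the client fingerprint ATP collects rather than the source IP alone, since stuffing campaigns rotate through proxies.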
Auto-adjusting AWS Budgets
AWS Budgets now supports auto-adjusting budgets that can dynamically update their limits based on your usage. Alongside fixed and planned budgets, auto-adjusting budgets track the average of your spend across the previous budgeting period, use that number to set a new baseline, and send an alert to any budget subscribers when the limit changes.
To address the elephant in the room, yes, this is AWS taking a service designed to limit your spending and adding a feature designed to increase your spending.
Corey Quinn summarizes this brilliantly, with his tweet explaining, “AWS Budget go brrrrrrr.”
One of the challenges organizations have with their cloud bills is that financial management is often second-tier to just building stuff. This means that when your newly deployed database cluster starts running up an extra $20,000 a month, it’s sometimes not accounted for in the budget reporting. Alerts get triggered and just become white noise until someone readjusts the budget to the new levels, often weeks or months after the change was first made. This is what auto-adjusting budgets aim to smooth out.
Organizations need to have solid management practices for understanding their cloud costs. You absolutely cannot grow a mature cloud organization without it. Where organizations would otherwise completely ignore budgeting as being too hard, I could see this being a handy feature — if used with the absolute care it deserves.
We’re keeping the updates coming
That’s it for the news this week! Until next time, go forth and learn all the things. And as always, keep being awesome, cloud gurus!