Issue 69 of AWS Cloud Security Weekly

(This is just the highlight of Issue 69 of AWS Cloud Security weekly @ https://aws-cloudsec.com/p/issue-69 << Subscribe to receive the full version in your inbox weekly for free!!)

What happened in AWS CloudSecurity last week October 29- November 05, 2024?

• AWS Payment Cryptography announced an EMV PIN change feature, cardholder-selectable PINs, and PIN reveal. The EMV PIN change feature allows issuers to create secure payloads for updating PINs stored on the EMV chip of credit or debit cards. Cardholder-selectable PINs and PIN reveal, can enable cardholders to set or retrieve their PINs through a mobile app, ensuring PCI compliance with end-to-end PIN data encryption. AWS Payment Cryptography enables you to migrate payment processing workloads to the cloud.
• AWS Network Firewall has introduced a new feature that enables you to adjust the TCP idle timeout value to match your application’s specific TCP idle timeout needs. This enhancement allows AWS Network Firewall to perform continuous stateful inspection on applications with long-lived connections, such as financial systems, databases, and ERP applications. Previously, the TCP idle timeout was set to a fixed 350 seconds, which could disrupt the long-lived connections of some applications. Now, with this update, you can configure the TCP idle timeout anywhere from 60 to 6000 seconds, while the default remains at 350 seconds for compatibility with existing setups.
• AWS Incident Detection and Response is now available in 16 additional AWS regions.
• SES Mail Manager has introduced three new features. First, it now supports authenticated connections to ingress endpoints over TCP port 587 (the email submission port). Second, it enforces verified customer identity when using Mail Manager SMTP relays, and allows you to create routing rules based on MIME header content. Lastly, Mail Manager archives now support message envelope search, enabling users to distinguish between named and blind-copied recipients when searching and exporting archived messages. With support for connections over TCP port 587, ingress endpoints can now more seamlessly replace on-premises mail servers, such as Exchange or Postfix, which often use this same port. Additionally, Mail Manager’s relay function now includes a custom header to identify the specific source, and a corresponding rule action allows you to enforce this unique identifier as a delivery condition. Together, these features enhance relaying security beyond simply relying on allowlisted IP addresses. Lastly, the search and export capabilities in archiving now treat the message envelope ‘From’ and ‘To’ as distinct fields, separate from the visible ‘From’ and ‘To’ fields, which may show different values. This makes it possible to easily identify messages received via BCC.
• Amazon WorkMail now offers multi-factor authentication (MFA) support through integration with AWS IAM Identity Center, adding an extra layer of security to WorkMail logins and helping prevent unauthorized access. Administrators can link IAM Identity Center with Active Directory or external identity providers like Okta or Microsoft Entra ID, allowing mailbox users to sign in to the WorkMail web app using IAM Identity Center credentials.
• AWS now simplifies security group management with new sharing features. You can associate a security group with multiple VPCs in the same account and share it across participant accounts in a shared VPC. This improves consistency and eases configuration for administrators, allowing uniform traffic control across VPCs and accounts. Previously, security groups were limited to the VPC they were created in, but now you can enforce consistent traffic rules for resources across VPCs and accounts within your organization.