< ciso
brief />
Tag Banner

All news with #aws cloudtrail tag

39 articles

AWS Certificate Manager adds managed ACME endpoints

πŸ›‘οΈ AWS Certificate Manager (ACM) now offers a fully managed ACME server endpoint that issues public TLS certificates with 45-day validity from Amazon Trust Services, compatible with any ACMEv2 client such as Certbot, cert-manager, and acme.sh. PKI teams can create managed ACME endpoints with domain scopes, wildcard controls, and delegated issuance without sharing DNS credentials. Domain validation is performed once at the endpoint level, and issuance and renewal activities are auditable via the ACM console, AWS CloudTrail, and Amazon CloudWatch. ACME support is available in all commercial AWS Regions; see ACM pricing and documentation for details.
read more β†’

CloudWatch Adds Alarms Directly From Log Queries

πŸ”” Amazon CloudWatch now lets you create alarms directly from log queries, enabling anomaly alerts without leaving the log analysis workflow. You can set thresholds on query results without first creating metric filters or custom metrics, simplifying monitoring and alerting. Alarms support standard CloudWatch actions such as Amazon SNS notifications and Amazon EventBridge integrations, and are available in all commercial AWS Regions except UAE and Bahrain. Configure these alarms via the CloudWatch console, AWS CLI, CloudFormation, or AWS SDKs.
read more β†’

Amazon ECS adds real-time deployment observability

πŸš€ Amazon Elastic Container Service (Amazon ECS) now offers real-time deployment observability within the Amazon ECS Console. This update enables customers to track deployment progress, monitor health, and diagnose failures directly in the console with a live deployment timeline, circuit breaker and alarm status, and container and load-balancer health checks. Failed tasks surface with diagnostic context and deep links to related services like AWS CloudTrail. These features are available at no additional charge in all AWS commercial Regions and AWS GovCloud (US) for services using the rolling update deployment type.
read more β†’

CloudWatch OTel Container Insights for Amazon EKS

πŸš€ Amazon CloudWatch now offers OTel Container Insights for Amazon EKS, collecting infrastructure metrics at 30-second granularity using open-source receivers like cAdvisor, Kube State Metrics, and NVIDIA DCGM. Each metric includes OpenTelemetry semantic conventions and Kubernetes labels to simplify correlation across nodes, pods, and workloads with a single PromQL query. Pre-built dashboards provide immediate visibility into cluster health, node performance, and pod-level resource usage, and the CloudWatch PromQL endpoint enables direct connection of existing Prometheus and Grafana dashboards. Enable the feature from the EKS console, the CloudWatch Observability add-on (v6.2.0+), Helm, or CloudFormation; it is available in all commercial AWS Regions except UAE, Bahrain, and Israel (Tel Aviv).
read more β†’

Accelerating AWS security investigations with Kiro CLI

πŸ” This post shows how Kiro CLI, an AI-powered command line assistant, speeds AWS security investigations by proposing, explaining, and optionally executing AWS CLI commands while documenting each step. It demonstrates a GuardDuty-driven investigation following the AWS Security Incident Response Guide: triage, EC2 and IAM assessment, CloudTrail analysis, containment, and remediation. The walkthrough highlights benefits like faster triage, automated CloudTrail queries, and guided remediation, while advising human validation and forensic preservation.
read more β†’

Detecting and Preventing Subdomain Takeover Risks

πŸ”Ž This post explains how subdomain takeover occurs when dangling DNS CNAME records point to deleted AWS resources and how attackers can reclaim those names to serve malicious content. It describes which AWS services use globally claimable namespaces (notably S3, CloudFront, and Elastic Beanstalk), outlines potential impacts such as reputation damage and phishing, and recommends detection using AWS Config inventory checks rather than DNS resolution. The article also summarizes a reference implementation that deploys a Lambda-based Config rule, Security Hub findings, optional SNS alerts, and mitigation best practices including deleting DNS records before resources and adopting account regional S3 namespaces where applicable.
read more β†’

Attack Techniques Targeting Cloud Logging Services

πŸ” Cloud logging services like AWS CloudTrail and Google Cloud Logging offer essential visibility into cloud activity but are also high-value targets for attackers. This article examines two primary attack goalsβ€”defense evasion and establishing continuous visibilityβ€”and demonstrates methods attackers use to disrupt or exfiltrate logs. It outlines practical attack techniques such as stopping logging, deleting storage or routers, abusing encryption keys, and log poisoning, and highlights detection and mitigation approaches.
read more β†’

Gain visibility into DDoS attacks with flow logs

πŸ›‘οΈ This post explains how AWS Shield Advanced attack flow logs capture metadata during DDoS events and publish records to Amazon S3, CloudWatch Logs, or Data Firehose. It outlines the fields included in each flow log entry, describes delivery configuration and required IAM permissions, and shows how to create the CloudWatch Logs delivery objects that connect a Shield protection to a destination. The article also covers output formats, file size and timing, cost considerations, and cross-account/Region aggregation options.
read more β†’

Amazon EKS Capabilities add CloudWatch Vended Logs

🟣 Amazon EKS Capabilities can now be configured as log delivery sources using Amazon CloudWatch Vended Logs to capture logs from managed controllers such as Argo CD, AWS Controllers for Kubernetes (ACK), and kro. Customers can enable delivery via CloudWatch APIs or the AWS Console and send logs to CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose. The feature is available in all Regions that support EKS Capabilities and incurs standard CloudWatch Vended Logs pricing with no additional EKS charge.
read more β†’

AWS IoT Core adds Ping and AuthNError logs

πŸ” AWS IoT Core now emits two new Amazon CloudWatch Log event types to help troubleshoot device connectivity and authentication across IoT fleets. The Ping log captures MQTT Keep‑alive messages to identify connections or devices that fail to maintain connectivity. The Connection.AuthNError log records rejected connection attempts with detailed error codes to speed resolution of credential and certificate issues. Enable event-level logging and choose a CloudWatch log group, then opt into these event types; they are available in all AWS Regions where AWS IoT Core operates.
read more β†’

AWS Organizations emits CloudTrail events for account changes

πŸ”” AWS Organizations now emits CloudTrail events to the management account when member accounts join or leave an organization, introducing two new events: AccountJoinedOrganization and AccountDepartedOrganization. The join event records method (Created or Invited) and timestamp, while the depart event records mode (Left, Removed, or Cleaned) and timestamp. Administrators can use these events with CloudWatch alarms or EventBridge rules to enable real‑time notifications and faster incident response.
read more β†’

Introducing the AWS Customer Incident Response Team

πŸ”’ The AWS Customer Incident Response Team (CIRT) is a 24/7 global team that helps customers during active security events affecting the customer side of the Shared Responsibility Model. The team analyzes AWS service logs and the control plane using sources like AWS CloudTrail, VPC Flow Logs, and GuardDuty, provides triage and containment guidance, and recommends follow-up actions. AWS also publishes tools, workshops, and the Threat Technique Catalog for AWS (TTC) to help customers prepare and detect recurring tactics and techniques.
read more β†’

Preventing Unauthorized AWS Organizations Account Removal

πŸ”’ The AWS Customer Incident Response Team describes a tactic where attackers use credentials with the organizations:LeaveOrganization permission to remove a member account from an AWS Organization, bypassing inherited safeguards such as Service Control Policies and centralized management. After removal, the account is disentangled from consolidated billing, organization-wide CloudTrail trails, and delegated GuardDuty findings, reducing visibility. The post urges deploying the DenyLeaveOrganizationSCP, enforcing least privilege, securing root users with MFA and centralized root management, and updating detection and response workflows to monitor related CloudTrail events.
read more β†’

CloudWatch Logs Insights Adds Tag-Based Log Group Queries

🏷 CloudWatch Logs Insights now supports querying log groups by tags, allowing searches across all log groups that share key-value tags without listing them explicitly. Tags such as Environment:Production, Application:PaymentService, or Owner:TeamName let teams scope queries by environment, application, or ownership. As log group tags are added or removed, queries automatically reflect the matching log groups, reducing operational overhead as environments scale. This capability is available today in all commercial AWS Regions.
read more β†’

Amazon EventBridge Data Plane Now Logged in AWS CloudTrail

πŸ”’ Amazon EventBridge now supports logging data plane APIs to AWS CloudTrail, giving customers greater visibility into event bus activity. The update adds capture of the PutEvents API and records requester identity, IP address, timestamps, and request details. You can opt in per event bus via the CloudTrail console or APIs; the capability is available in commercial, GovCloud (US), and AWS China regions.
read more β†’

SageMaker Training Plans: CloudWatch Metrics for Capacity

πŸ“Š Amazon SageMaker Training Plans now publishes Amazon CloudWatch metrics to track utilization of capacity reservations tied to purchased Flexible Training Plans. Administrators gain both historical and real‑time views of instance usage at the individual plan level and across an account, enabling informed decisions about capacity allocation and cost optimization. This observability helps teams align compute consumption with AI budgets and timelines while reducing wasted reserved capacity.
read more β†’

Amazon Connect audit logging for supervisor status changes

πŸ”’ Amazon Connect now records agent activity status changes made through analytics dashboards in CloudTrail, capturing the supervisor identity, timestamp, and the specific status transition. This enhancement provides contact centers with clearer audit trails and operational visibility for actions such as switching an agent from "Available" to "Break." The capability is available in all AWS commercial and AWS GovCloud (US-West) regions where Amazon Connect is offered; ensure CloudTrail logging is enabled to see the events automatically.
read more β†’

Amazon CloudWatch: Cross-Region Telemetry Enablement Rules

πŸ“‘ Amazon CloudWatch now lets customers audit and enable telemetry from AWS services such as Amazon EC2, Amazon VPC, and AWS CloudTrail across multiple Regions from a single region. Administrators can create organization-wide enablement rules scoped to specific regions or all supported regions, and rules targeting all regions automatically expand to include newly launched regions. The feature is available in all AWS commercial regions and standard CloudWatch ingestion pricing applies.
read more β†’

Amazon CloudWatch Adds Native OpenTelemetry Metrics

πŸ“ˆ Amazon CloudWatch now supports native OpenTelemetry metrics in public preview, allowing customers to send metrics directly via OTLP without custom conversion logic or additional tooling. You can combine custom OTel metrics with AWS-vended metrics from over 70 services and query them using PromQL across EKS and on-premises environments with no additional agents or code changes. CloudWatch anomaly detection and a new Query Studio console enable unified dashboards and alarms that span application and infrastructure telemetry.
read more β†’

AWS Private CA Now Publishes CloudWatch Utilization Metrics

πŸ”” AWS announced that AWS Private Certificate Authority (AWS Private CA) now publishes CA utilization metrics to Amazon CloudWatch, providing visibility into certificate issuance counts and the number of CAs per Region. The metrics track certificates issued by each CA and total CAs in a Region, enabling CloudWatch alarms and automation to replace or transition CAs approaching quota limits. This capability helps prevent quota-related service disruptions for services such as Amazon EKS, Amazon ECS Service Connect, and Amazon WorkSpaces.
read more β†’