Cloud ops rejoice, AWS has ended the preview phase of AWS Control Tower, making the service for automating the creation of multi-account AWS environments generally available in US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland) regions.
Control Tower offers a web UI to help users set up environments featuring useful components such as identity management, federated account access, centralised logging and cross-account security. Under the hood it uses home-grown services such as AWS Organizations, Identity and Access Management, CloudTrail, and Single Sign-On.
During set-up it draws on the whitepapers, documentation and other material AWS has at its fingertips, to make sure the resulting multi-account environment, dubbed a Landing Zone, follows best practices.
AWS plans to extend the availability to other regions in the next couple of months. The team is also working to let customers set up their own policy controls (Guardrails) and more importantly to set up landing zones in parallel to existing AWS accounts, which isn’t really an option yet.
Compliance issues? Security Hub hits GA
Another service that matured into general availability this week is the AWS Security Hub. It is meant to automate compliance checks and give a centralised view of security alerts. The alerts are also prioritised by the service so that customers have a better idea of what to tackle first. In addition, custom actions can be set up to automatically trigger events that send notifications to a medium of your choice (chat, dashboard, pager, etc.) in certain circumstances.
Compliance-wise, the hub only comes with checks to see if the unit (e.g. application, workload) in question complies with the rules extracted from the Center for Internet Security’s AWS Foundations Benchmark. More compliance standards are meant to be added later this year.
While Control Tower is free of additional charge (you have to pay for the services it enables, though), Security Hub is priced by the number of compliance checks and finding ingestion events. There is a free 30 day trial period to get a rough idea of the cost. After that it’s $0.0010 per check for the first 100,000 compliance checks/account/region/month, dropping to $0.0008 per check for the next 400,000 checks, and again to $0.0005 per check for over 500,000 checks/account/region/month. Finding ingestion events are free for the first 10,000; after that it’s $0.00003 per event.
Network Load Balancer gets IoT-ready
Aside from that, AWS has added UDP load balancing to the Network Load Balancer, which has been around for a while. UDP (User Datagram Protocol) is an alternative to the more commonly used TCP (Transmission Control Protocol) for loss-tolerant, low-latency scenarios.
According to the company the feature has been requested for a while and is available in all commercial regions now. It is meant to help with deploying connectionless services in areas such as IoT and data streaming, and with handling authentication and authorization in that context.
In the announcement, AWS chief evangelist Jeff Barr wrote that “You no longer need to maintain a fleet of proxy servers to ingest UDP traffic, and you can now use the same load balancer for both TCP and UDP traffic.” Load balancers with UDP support can be set up for Instance type targets only – so no IP target types or PrivateLinks – in the usual ways via CloudFormation template, CLI, or console.
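A CloudFormation template for that set-up, added here as an illustration (it is not from AWS or the announcement): an NLB, a UDP target group restricted to instance targets, and a UDP listener. The VPC, subnets, instance and the ports 5000/5001 are assumed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Network Load Balancer with a UDP listener and instance targets (example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  DeviceInstanceId:
    Type: AWS::EC2::Instance::Id
    Description: Instance that receives the datagrams (instance targets only, no IP targets)

Resources:
  UdpNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internet-facing
      Subnets: !Ref SubnetIds

  UdpTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance        # UDP listeners require instance targets
      Protocol: UDP
      Port: 5000                  # assumed application port
      # UDP has no handshake, so health checks must use TCP (or HTTP/HTTPS)
      # against a port the instance actually listens on.
      HealthCheckProtocol: TCP
      HealthCheckPort: "5001"     # assumed health-check port
      Targets:
        - Id: !Ref DeviceInstanceId
          Port: 5000

  UdpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref UdpNlb
      Protocol: UDP
      Port: 5000
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref UdpTargets
```

The NLB passes the client's source address through to instance targets, so the instance's security group has to allow UDP 5000 from the intended client range (and TCP 5001 from the VPC for health checks), not just traffic from the load balancer's subnets.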