Security announcements at AWS Re: Invent 2023

AWS re:Invent is AWS’s end-of-the-year event where the latest developments of AWS Cloud microservices are announced. Our team had the pleasure of attending talks with the most important announcements for what’s next in Cloud Security and the following is their shortlist.

Access analyzer

1) Custom policy checks powered by automated reasoning.

Custom policy checks to validate that IAM policies adhere to your security standards ahead of deployments.
It uses the power of automated reasoning—security assurance backed by mathematic proof-.
To detect nonconformant updates to policies
Easy to integrate into CI/CD pipelines

2) Simplified inspecting unused access to guide you toward the least privilege.

IAM Access Analyzer continuously analyzes your accounts to identify unused access and creates a centralized dashboard with findings.
The findings highlight unused roles, unused access keys for IAM users, and unused passwords for IAM users.
The findings provide visibility into unused services and actions for active IAM roles and users.

Security Hub

1) Customized security controls.

Security teams can now refine the best practices monitored by Security Hub controls to meet more specific security expectations, with your specific password policies, retention frequencies, or other attributes.

2) Major dashboard enhancements.

New data visualizations, filtering, and customization enhancements.
You can now filter and customize your dashboard views, as well as view a new set of widgets that were carefully chosen to reflect the modern cloud security threat landscape and relate to potential threats and vulnerabilities in your AWS cloud environment.
The new filtering functionality allows you to filter the Security Hub dashboard by account name and ID, resource tag, and product name, such as Amazon GuardDuty or Amazon Inspector, Region, severity, and application. You can also choose which widgets will appear in the dashboard, and customize their position and size.

3) Findings enrichment.

Metadata enrichment for findings aggregated in AWS Security Hub allows you to contextualize better, prioritize, and take action on your security findings.
This enrichment adds resource tags, a new AWS application tag, and account name information to every finding ingested into Security Hub, including findings from AWS security services such as Amazon GuardDuty, Amazon Inspector, and AWS IAM Access Analyzer, as well as a large and growing list of AWS Partner Network (APN) solutions.
Eliminates the need to build data enrichment pipelines or manually enrich metadata of security findings. It also makes it easier to fine-tune findings for automation rules, search or filter findings and insights, and assess security posture status by application in Security Hub widgets, and in related AWS applications.

4) New central configuration capabilities.

Centrally enable and configure Security Hub standards and controls across accounts and Regions in just a few steps.
Use the Security Hub central configuration to address gaps in your security coverage by creating security policies with your desired standards and controls and applying them in selected Regions across accounts and Organizational Units (OUs).
Set the Security Hub delegated administrator (DA) for all Regions at once, and then view and configure the cloud security posture management capabilities, such as standards and controls, for all or some accounts globally, without needing to update them account-by-account and Region-by-Region.

Secret Manager

1) Supports batch retrieval of secrets.

A single API call to identify and retrieve a group of secrets for your application.
With the BatchGetSecretValue, you can input a list of secret names, ARNs, or filter criteria, such as tags. The API returns a response for all secrets meeting the criteria in the same format as the existing GetSecretValue API. This allows you to optimize your workloads while reducing the number of API calls.

Amazon Detective

1) Supports security investigations for Amazon GuardDuty ECS.

2) Runtime Monitoring.

Enhanced visualizations and additional context for detections on ECS.
Use the new runtime threat detections from GuardDuty and the investigative capabilities from Detective to improve your detection and response for potential threats to your container workloads.

3) Log retrieval from Amazon Security Lake.

Integrates with Amazon Security Lake, enabling security analysts to query and retrieve logs stored in Security Lake.
To get additional information from AWS CloudTrail logs and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs stored in Security Lake while conducting security investigations in Detective.

4) Investigations for IAM.

Automatically investigates AWS Identity and Access Management (IAM) entities for indicators of compromise (IoC).
It helps security analysts determine whether IAM entities have potentially been compromised or involved in any known tactics, techniques, and procedures (TTP) from the MITRE ATT&CK framework.
There is no additional charge for this new capability, and it’s available for all existing and new Detective customers.

Amazon GuardDuty

1) Runtime monitoring for Amazon EC2.

It gives you visibility into on-host, and operating system–level activities and provides container-level context into detected threats.
Compatible with AWS Organizations

2) ECS Runtime Monitoring, including AWS Fargate.

Expansion of Amazon GuardDuty that introduces runtime threat detection for Amazon Elastic Container Service (Amazon ECS) workloads—including serverless container workloads running on AWS Fargate.
It gives you visibility into on-host and operating system-level activities. It provides container-level context into detected threats, such as containers repurposed for cryptocurrency mining or unusual activity indicating unauthorized code execution on your container.

AWS Analytics

1) Simplified users’ data access across services with the IAM Identity Center.

Use trusted identity propagation with AWS IAM Identity Center to manage and audit access to data and resources based on user identity.
Available to customers accessing AWS data sources through Amazon Quicksight, EMR Studio, and Redshift Query Editor; supported third-party tools and applications; and S3 Access Grants.
In big data environments managed by Amazon EMR, trusted identity propagation is available for EMR on EC2.
It interacts with authorization engines, including Amazon Redshift, Lake Formation, and S3 Access Grants, and propagates the user’s identity to the data source, Amazon Redshift or S3.

Amazon Inspector

1) Agentless vulnerability assessments for Amazon EC2 in preview.

Continuous monitoring of your Amazon EC2 instances for software vulnerabilities without installing an agent or additional software.
You can expand your vulnerability assessment coverage across your EC2 infrastructure with Amazon Inspector agentless scanning for EC2 instances that do not have SSM Agents installed or configured.
Amazon Inspector takes snapshots of EBS volumes to collect software application inventory from the instances to perform vulnerability assessments.

2) Request a Cyber Insurance Quote from an AWS Cyber Insurance Competency Partner.

Customers can receive cyber insurance pricing estimates, purchase plans, and be confident they have the coverage for security and recovery services when needed most.
Customers leverage an AWS Security Hub assessment scanning against the AWS Foundational Best Practices Framework and deliver the assessment results to insurance providers.
Customers with a security posture that follows AWS best practices achieve rewards similar to “safe-driver” discounts.

3) AWS Built-in Competency Partner software automates Installation for customers.

AWS Built-in software uses a well-architected Modular Code Repository (MCR) designed to add value to partner software solutions.
Building blocks called Cloud Foundational Services across multiple domains such as identity, security, and operations.

Final thoughts

AWS re:Invent 2023 has not only redefined the benchmarks for cloud security but has also set a new standard for collaboration between cloud providers, security solutions, and insurance services. These advancements collectively contribute to fostering a more secure, efficient, and responsive cloud computing landscape.