What did AWS re:Invent bring us in terms of security?
Updated: Jul 10
re:Invent is the most anticipated event in the AWS community, not only because of the networking and relationships built there, but also because it is the moment to learn first-hand which new tools and features AWS will offer us for the coming cycle.
In the case of security, the announcements covered several tools; let's see what each of them is about.
Amazon Security Lake
It allows you to automatically centralize security events from cloud, on-premises, and custom security sources across Regions, giving you a single place to optimize and manage security data for more efficient storage and query performance.
The AWS services that currently feed log activity into it are:
Amazon VPC
Amazon S3
AWS Lambda
Amazon Route 53
AWS CloudTrail
AWS Security Hub
Also, through Security Hub, any service that integrates with it can send its findings to the data lake.
The principal benefit of this data lake is that it lets you analyze the data with your preferred analytics tools while retaining control and ownership of your security data. You can use Amazon Athena, Detective, OpenSearch or SageMaker on the AWS side, or any third-party tool. This is possible because the data is normalized to an open industry standard, the Open Cybersecurity Schema Framework (OCSF), which avoids vendor lock-in.
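To make that normalization concrete, here is an added example (not code from this post, nor Security Lake's own transformation logic) that maps constructed CloudTrail records into OCSF-style API Activity events and then runs the kind of query an analytics consumer would run over the normalized data. The field mapping is a simplified illustration of the OCSF API Activity class; the records, user names and IP addresses are constructed.

```python
"""Normalize constructed CloudTrail records into OCSF-style API Activity events and
query them the way a Security Lake consumer (Athena, OpenSearch, ...) would."""
from datetime import datetime, timezone

# OCSF API Activity class: class_uid 6003, category_uid 6 (Application Activity).
API_ACTIVITY_CLASS_UID = 6003
# OCSF activity_id for the API verb: 1 Create, 2 Read, 3 Update, 4 Delete, 99 Other.
VERB_TO_ACTIVITY = {"Create": 1, "Put": 1, "Run": 1, "Get": 2, "List": 2, "Describe": 2,
                    "Update": 3, "Modify": 3, "Delete": 4, "Terminate": 4}

# Constructed CloudTrail records for the demo; not real account data.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2022-12-01T10:00:00Z", "eventName": "DeleteBucket",
     "eventSource": "s3.amazonaws.com", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2022-12-01T10:05:00Z", "eventName": "DeleteTrail", "errorCode": "AccessDenied",
     "eventSource": "cloudtrail.amazonaws.com", "awsRegion": "eu-west-3", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2022-12-01T10:07:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole"}},
]

def activity_id_for(operation: str) -> int:
    return next((aid for prefix, aid in VERB_TO_ACTIVITY.items() if operation.startswith(prefix)), 99)

def cloudtrail_to_ocsf(rec: dict) -> dict:
    """Simplified mapping to OCSF API Activity (an illustration, not the service's transform)."""
    aid = activity_id_for(rec["eventName"])
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "class_uid": API_ACTIVITY_CLASS_UID, "category_uid": 6, "activity_id": aid,
        "type_uid": API_ACTIVITY_CLASS_UID * 100 + aid,   # OCSF convention: class_uid*100 + activity_id
        "time": int(ts.timestamp() * 1000),                # epoch milliseconds
        "severity_id": 1,
        "status": "Failure" if "errorCode" in rec else "Success",
        "api": {"operation": rec["eventName"], "service": {"name": rec["eventSource"]}},
        "actor": {"user": {"name": rec["userIdentity"].get("userName"),
                           "type": rec["userIdentity"]["type"]}},
        "src_endpoint": {"ip": rec["sourceIPAddress"]},
        "cloud": {"provider": "AWS", "region": rec["awsRegion"]},
        "metadata": {"product": {"name": "CloudTrail", "vendor_name": "AWS"}, "version": "1.0.0"},
    }

def normalize_all(records: list) -> list:
    return [cloudtrail_to_ocsf(r) for r in records]

def destructive_calls_outside(events: list, allowed_regions: set) -> list:
    """Analytics-side query on the normalized data: Delete-class API calls, successful
    or denied, in Regions the organization does not use (a typical Athena-style filter)."""
    return [(e["actor"]["user"]["name"], e["api"]["operation"], e["cloud"]["region"], e["status"])
            for e in events if e["activity_id"] == 4 and e["cloud"]["region"] not in allowed_regions]
```

Because every source lands in the same shape, the same filter works unchanged whether the events came from CloudTrail, a Security Hub integration, or a custom source.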
Amazon GuardDuty RDS Protection
It is threat detection for Amazon Aurora databases: it identifies potential threats to the data stored in them by continuously monitoring existing and new Aurora databases in your organization with machine learning.
So now you can easily identify whether your DB users show anomalous behavior, such as connecting from outside the organization when they always connect from inside, or whether your database is facing password spraying or brute-force attacks trying to discover your users' passwords.
It has a free trial, and enabling it requires no database modifications and should not impact database performance.
Amazon Inspector for Lambda Functions
With this, Amazon Inspector is able to map vulnerabilities (CVEs) detected in the software dependencies used by AWS Lambda functions and in the underlying Lambda layers. It supports automatic exclusion of functions that haven't been invoked for 90 days and manual exclusion based on tags. It costs US$0.30 per function per month (re-scans are not charged extra).
Amazon Macie Automated Data Discovery
The interactive S3 data map lets you easily check the strength of your data security posture: how many buckets are encrypted, how many allow public access, and so on.
Another benefit of this map is that, because Macie now automatically scans bucket objects for sensitive data, you can see in the interactive map the sensitive-data report and a sensitivity score for each bucket, giving you cost-efficient visibility into the sensitive data stored in Amazon S3.
It has a 30-day free trial; after that it is billed daily according to the total number of objects in S3 for your account.
Amazon Verified Permissions
It validates user identity through integration with several trust providers, letting you sync user profiles, attributes, and group memberships, and pairs that identity with fine-grained permissions and authorization rules. In this way it creates a security perimeter around the application, with policy and schema management.
It simplifies compliance audits at scale, identifies over-provisioned permissions, and connects to monitoring workflows that analyze millions of permissions across applications using automated reasoning.
It lets you build applications faster and support Zero Trust architectures with dynamic, real-time authorization decisions, governing fine-grained permissions within applications and data with policy lifecycle management.
AWS KMS external key store (XKS)
This feature is aimed at users who want to protect their data with an encryption key that is not stored in the cloud (because of country regulations or compliance requirements): it extends the existing AWS KMS custom key store feature beyond AWS CloudHSM (a customer-controlled, single-tenant HSM inside AWS data centers) to keys held in an on-premises HSM, while keeping the same integration that KMS has with all AWS services.
AWS Config Proactive Compliance
Proactively check compliance with AWS Config rules before resources are provisioned. By running these rules ahead of provisioning, for example in an infrastructure-as-code CI/CD pipeline, you detect non-compliant resources earlier, which saves you the time you would otherwise spend remediating them later, once the whole system is operational!
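A pipeline gate built on this feature, as an added example (not code from this post): it submits the intended CloudFormation properties of a not-yet-created resource to AWS Config's StartResourceEvaluation API in PROACTIVE mode, polls GetResourceEvaluationSummary, and fails closed unless the result is COMPLIANT. Running it for real assumes boto3 and AWS credentials; the bucket name and properties in the `__main__` block are constructed placeholders.

```python
"""Gate an IaC pipeline step on an AWS Config proactive evaluation (added example)."""
import json
import time

def build_evaluation_request(logical_id: str, resource_type: str, properties: dict,
                             timeout_s: int = 60) -> dict:
    """Arguments for config.start_resource_evaluation. The resource does not exist yet,
    so its intended CloudFormation properties are sent as the configuration to evaluate."""
    return {
        "ResourceDetails": {
            "ResourceId": logical_id,
            "ResourceType": resource_type,                       # e.g. AWS::S3::Bucket
            "ResourceConfiguration": json.dumps(properties),     # CloudFormation property JSON
            "ResourceConfigurationSchema": "CFN_RESOURCE_SCHEMA",
        },
        "EvaluationMode": "PROACTIVE",
        "EvaluationTimeout": timeout_s,
    }

def gate_on_compliance(summary: dict) -> bool:
    """True only when the evaluation finished and the resource is COMPLIANT. An unfinished,
    failed or timed-out evaluation blocks the deployment (fail closed)."""
    status = summary.get("EvaluationStatus", {}).get("Status")
    return status == "SUCCEEDED" and summary.get("Compliance") == "COMPLIANT"

def evaluate_resource(config_client, request: dict, poll_s: float = 2.0) -> dict:
    """Start the evaluation and poll its summary until it leaves IN_PROGRESS.
    Response field names follow the GetResourceEvaluationSummary API."""
    eval_id = config_client.start_resource_evaluation(**request)["ResourceEvaluationId"]
    deadline = time.monotonic() + request["EvaluationTimeout"] + 10
    while time.monotonic() < deadline:
        summary = config_client.get_resource_evaluation_summary(ResourceEvaluationId=eval_id)
        if summary["EvaluationStatus"]["Status"] != "IN_PROGRESS":
            return summary
        time.sleep(poll_s)
    return {"EvaluationStatus": {"Status": "TIMEOUT"}}   # treated as non-compliant by the gate

if __name__ == "__main__":
    import sys
    import boto3  # assumed available only when run against a real account
    req = build_evaluation_request("LogBucket", "AWS::S3::Bucket", {   # constructed sample
        "BucketName": "example-org-logs-placeholder",
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "BlockPublicPolicy": True,
                                           "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
    })
    result = evaluate_resource(boto3.client("config"), req)
    print(result.get("EvaluationStatus"), result.get("Compliance"))
    sys.exit(0 if gate_on_compliance(result) else 1)   # non-zero exit stops the pipeline
```

The exit code is what the CI step keys on: a rule failure, an evaluation error and a timeout all stop the deployment rather than letting an unevaluated resource through.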
AWS Control Tower – Comprehensive Controls Management
By defining and managing the controls required to meet the most common control objectives and regulations, you can apply managed preventive, detective, and proactive controls to accounts and organizational units (OUs) by service, control objective, or compliance framework, reducing the time needed to vet AWS services from months or weeks to minutes.
AWS Control Tower Account Factory Customization (AFC)
Previously, only standard settings were available for VPCs and similar resources, and any customization required combining Customizations for Control Tower with other tooling. Now, Service Catalog products can be specified when creating an account or enrolling an existing account in Control Tower. The product is deployed automatically when the account is created, performing the account's initial setup.
Service Catalog products are defined in CloudFormation templates, allowing for flexible initial setup.
If you are interested in learning more about these new features, you can check the playlist of re:Invent sessions related to security, compliance, and identity.
Lourdes Dorado
Cloud Engineer
Teracloud
If you want to know more about cloud security, we suggest checking our posts on Best Security Practices and the Well-Architected Framework. To learn more about cloud computing, visit our blog for first-hand insights from our team. If you need an AWS-certified team to deploy, scale, or provision your IT resources in the cloud seamlessly, send us a message.