- If you have been following the Cloud Security News Podcast for some time, you will remember that a few episodes ago we brought you the cloud security updates from some of the major conferences of the year so far. Well, it’s time for the final BIG cloud conference of 2021 – AWS re:Invent! AWS re:Invent is being held this week in person in Las Vegas, and virtually for those who prefer to attend that way. You can register to view the event online, and a recap of the security announcements is on the Cloud Security Podcast YouTube channel. As always, all the important links will be in our podcast show notes. Here are the important security updates from AWS re:Invent.
- Firstly, AWS has launched improvements to a few of its existing services, and no new security service has been announced yet. With Google Cloud announcing its Cybersecurity Action Team earlier this year, we were hoping for a similar or better response from AWS, but nothing so far.
- AWS Shield, one of the AWS services enabling security, has been around since 2016 as a managed Distributed Denial of Service (DDoS) protection service for applications running on AWS. AWS announced Automatic Application Layer DDoS Mitigation for AWS Shield Advanced, the tier 2 customised version which comes at a cost. With this feature, AWS customers can automatically mitigate malicious web traffic that threatens application availability: it automatically creates, tests, and deploys AWS WAF rules to mitigate layer 7 DDoS events on the customer’s behalf. More on this here. Some of the reactions on the internet have been interesting, with many saying they had assumed this was already part of AWS Shield Advanced.
- Next up are the improvements made to Amazon CodeGuru. Amazon CodeGuru helps improve code quality and automate code reviews by scanning and profiling Java and Python applications, allowing you to detect potential defects and bugs in your code. Amazon announced the new Amazon CodeGuru Reviewer Secrets Detector, an automated tool that helps developers detect secrets in source code or configuration files, such as passwords, API keys, SSH keys, and access tokens. It uses machine learning to identify hardcoded secrets as part of your code review process. You can read more about this here.
- Another AWS service enabling security in AWS is Amazon Inspector. Launched in 2015, it is used to automate security assessment and management at scale on Amazon Machine Images (AMIs) in AWS. Customers use Amazon Inspector to meet security and compliance requirements for workloads deployed to AWS, as it scans for unintended network exposure, software vulnerabilities, and deviations from application security best practice. This year at re:Invent Amazon launched the new and, of course, improved Amazon Inspector. So what are these improvements?
  - Continual, automated assessment scans replace periodic manual scanning, which will surely be welcomed by many.
  - Once enabled, the new Amazon Inspector automatically discovers all running Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon Elastic Container Registry repositories.
  - Workloads are now assessed on both EC2 and container-based infrastructure.
  - Highly contextualised, improved risk scoring.
  - Integration with AWS Organizations, AWS Security Hub and Amazon EventBridge, which means Amazon Inspector can be used across all accounts in an organisation, with better integration into workflows and auto-remediation, and easier detection of vulnerabilities.
  More on the new Amazon Inspector here.
- For those storing CloudTrail logs or other important logs in S3 buckets to help with incident response, you can now use EventBridge to build applications that react quickly and efficiently to changes in your S3 objects. This delivers responses to potential events or incidents of interest in a faster, more reliable, and more developer-friendly way than before. More on this here.
- If you use AWS Control Tower and care about data residency, you can now apply preventive and detective controls that stop resources being provisioned in unwanted AWS Regions by restricting access to AWS APIs through service control policies (SCPs) built and managed by AWS Control Tower. This means that content cannot be created or transferred outside of your selected Regions at the infrastructure level. More on this here.
- As Amazon rightly puts it, “Managing, monitoring, and auditing IP address allocation for at-scale networks, as the growth in cloud workloads and connected devices continues at a rapid pace, is a complex, time-consuming, and potentially error-prone task.” To assist with this, they have announced Amazon VPC IP Address Manager (IPAM), a new feature that provides network administrators with an automated IP management workflow, making it easier to organize, assign, monitor, and audit IP addresses in at-scale networks. More on this here.
- Amazon believes “If you are a member of your organization’s networking, cloud operations, or security teams, you are going to love this new feature.” The feature is Amazon VPC Network Access Analyzer. In contrast to manual checking of network configurations, which is error-prone and hard to scale, this tool lets you analyze AWS networks of any size and complexity. You can get started with a set of Amazon-created scopes, and then either copy and customize them, or create your own from scratch. Tell us if you do actually love this new feature. More on this here.
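The region-restricting SCP described above, as an added example that is not the post's own code nor AWS Control Tower's managed policy: a constructed deny-outside-allowed-Regions SCP together with a small evaluator that shows which API calls it would block. The allowed Regions and the list of exempted global services are assumptions made for this example.

```python
import fnmatch

# Constructed data-residency SCP (assumption, not Control Tower's managed policy):
# deny every API call whose requested Region is outside ALLOWED_REGIONS, except
# calls to global services that have no Region of their own.
ALLOWED_REGIONS = ["eu-central-1", "eu-west-1"]

REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllOutsideAllowedRegions",
            "Effect": "Deny",
            # global services exempted so the Deny does not break IAM/STS/Organizations
            "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
        }
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def scp_denies(policy, action, requested_region):
    """True if a Deny statement explicitly denies `action` in `requested_region`.

    Models only the subset of IAM evaluation needed here: Effect=Deny, Action/NotAction
    with wildcards, and a StringNotEquals condition on aws:RequestedRegion. An SCP Deny
    is explicit and cannot be overridden by any identity policy in the member account.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            applies = not _action_matches(stmt["NotAction"], action)  # all actions NOT listed
        else:
            applies = _action_matches(stmt.get("Action", []), action)
        if not applies:
            continue
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if allowed is None or requested_region not in _as_list(allowed):
            return True
    return False
```

Running `scp_denies(REGION_DENY_SCP, "ec2:RunInstances", "us-east-1")` returns True while the same call in `eu-west-1`, or `iam:CreateUser` in any Region, returns False.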
- Last but certainly not least, Amazon also announced a couple of features to simplify access management for data stored in Amazon Simple Storage Service (Amazon S3): a new Amazon S3 Object Ownership setting that lets you disable access control lists (ACLs), and the Amazon S3 console policy editor, which now reports security warnings, errors, and suggestions powered by IAM Access Analyzer. More on these here.