What did AWS Re: Invent bring us in terms of Security?

Re: Invent is the most anticipated event by the AWS community, not only because of the networking and relationships that are based there but also because it is time to learn first-hand what new tools or features AWS will offer us for this new cycle.

In the case of security, the announcements have contemplated various tools, let's see what they are about.

Amazon Security Lake

Allows you to centralize security events automatically from cloud, on-premises, and custom security sources across Regions, giving you the chance to optimize and manage security data for more efficient storage and query performance.

The current AWS services that provide info to compile logs activity are:

• Amazon VPC

• Amazon S3

• AWS Lambda

• Amazon Route 53

• AWS CloudTrail

• AWS Security Hub

Also, by intermediating Security Hub, any service that has integration with it can send info to the data lake.

The principal benefit of this data lake is that it allows you to analyze the data using your preferred analytics tools while retaining control and ownership of your security data. You can use Amazon Athena, Detective, OpenSearch or SageMaker from the AWS side, or any other 3rd party tool. This is possible because the data is normalized to an industry standard like Open Cybersecurity Schema Framework, avoiding vendor lock-in.

Amazon GuardDuty RDS Protection

It’s a threat detection for Amazon Aurora databases that allows you to identify potential threats to data stored in your Amazon Aurora databases. It uses machine learning by continuously monitoring existing and new Amazon Aurora databases in your organization.

So now, you will easily identify if your DB users are having anomalous behavior, like trying to connect from outside the organization when always connecting from inside, or if your database is facing password spraying, or suffering brute force attacks trying to discover your user's passwords.

It has a free trial and you shouldn’t have a database performance impact or require modifications to enable it.

Amazon Inspector for Lambda Functions

With this, Amazon Inspector is able to map vulnerabilities detected in software dependencies (CVE) used in AWS Lambda functions and in the underlying Lambda layers. It supports automatic exclusion for functions that haven’t been invoked during 90 days and manual exclusion based on tags. -it costs 0.30 U$S per function, per month (don’t need to pay extra per re-scan)

Amazon Macie Automated Data Discovery

The interactive S3 data map allows you to easily check the strength of your data security posture; how many buckets are encrypted, allow public access, etc.

Another benefit of this map is that due that Macie now automatically scans bucket objects searching for sensitive data, you can check in the interactive map the report of sensitive data and sensitivity score for each bucket, providing you cost-efficient visibility into sensitive data stored in Amazon S3.

It has a 30-day free trial and then It’s billed according to the total amount of objects in s3 for your account, on a daily basis.

Amazon Verified Permissions

It validates user identity through the integration with several trust providers allowing you to sync user profiles, attributes, and group memberships; and the accompaniment of fine-grained Permissions and authorization rules. This way it generates a security perimeter around the application, with policy and schema management

It simplifies compliance audits at scale, identifies overprovisioned permissions, and connects to monitoring workflows that analyze millions of permissions across applications with the power of automated reasoning

It allows you to build applications faster and support Zero Trust, architectures with dynamic, real-time authorization decisions based on the govern fine-grained permissions within applications and data with policy lifecycle management

AWS KMS external key store (XKS)

This feature has as its objective to provide users who want to protect their data with a ciphered key that isn’t stored in the cloud (due to country regulations or compliance requirements): it extends existing AWS KMS custom key store feature beyond AWS CloudHSM (customer-controlled, single-tenant HSM inside AWS datacenters) to keys in on-premises HSM, providing the same integration that KMS has with all the AWS services.

AWS Config Proactive Compliance

Proactively check for compliance with AWS Config rules prior to resource provisioning. Running these rules before provisioning, for example in an infrastructure-as-code CI/CD pipeline, you can earlier detect non-compliant resources, and this saves you time remediating non-compliant resources in the future when all the system is operative!

AWS Control Tower – Comprehensive Controls Management

By defining a map, and managing the controls required to meet the most common control objectives and regulations you can apply managed preventative, detective, and proactive controls to accounts and organizational units (OUs) by service, control objective, or compliance framework, reducing the time to vet AWS services from months or weeks to minutes

AWS Control Tower Account Factory Customization (AFC)

Previously, only standard settings were available for VPCs, etc., and customization required a combination of Customization for Control Tower, etc. Now, Service Catalog products can be specified when creating an account or adding an Account to Control Tower. The product is automatically deployed when an account is created, and the initial setup of the account is performed.

Service Catalog products are defined in CloudFormation templates, allowing for flexible initial setup.

If you are interested in learning more about these new features, you can check the playlist with the re: Invent sessions related to Security, compliance, and Identity.

To learn about the top announcements click here.

Lourdes Dorado

Cloud Engineer

Teracloud

If you want to know more about Cloud Security, we suggest checking Best Security Practices, Well-Architected Framework To learn more about cloud computing, visit our blog for first-hand insights from our team. If you need an AWS-certified team to deploy, scale, or provision your IT resources to the cloud seamlessly, send us a message here.