The set of announcements at AWS’s annual re:Invent is always impressive, albeit a bit of a firehose for which AWS’s own Amazon Kinesis data streaming service would come in handy. At last week’s AWS re:Invent, a seminal annual IT event that only AWS can get away with scheduling the week after Thanksgiving, the company announced a number of important security capabilities, some small, some big, all customer-driven. Thematically, beyond a clear focus on identity and access management features that help customers rein in their AWS identities and lock down S3 buckets, AWS is also enabling enterprise-class security use cases.
- Bringing cloud security to the SOC
Amazon Detective brings cloud security to the SOC with a new service built on technology the company acquired with threat hunting pioneer Sqrrl. The underlying scalable graph technology supports both reactive investigation and proactive hunting by correlating series of events (drawn from sources such as VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty findings) into actionable findings. The service is a prime example of the cloud-scale security analytics offerings my colleague Jon Oltsik has been writing about, based on the premise that cloud platforms are well suited to ingesting and making sense of massive volumes of event telemetry.
- Enabling secure data processing
AWS Nitro Enclaves provides an air-gap-like environment for processing an organization’s most sensitive data by leveraging the Nitro trusted computing platform to carve an isolated compute environment out of a parent EC2 instance, one with no persistent storage, no interactive access, and no external networking, only a local socket back to the parent. Cryptographic attestation ties that isolation to key management: the enclave presents a signed attestation document carrying measurements of its image to AWS KMS, and a KMS key policy can require those measurements to match before KMS will decrypt, so data is decrypted, processed, and re-encrypted inside the enclave and is never exposed in the clear, not even to the parent instance’s own operating system.
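The least-privilege point in the key policy is easy to miss, so here is an added example (mine, not AWS code or anything from this announcement) that models the KMS decision for a weak key policy beside a hardened one. The policy shape and the condition key `kms:RecipientAttestation:PCR0` are the real ones; the hypervisor signing key, the parent role ARN, and the HMAC-signed attestation document are constructed stand-ins for the COSE-signed attestation document a Nitro Enclave actually produces.

```python
"""Attestation-gated key release for a Nitro Enclave: a model of the KMS
policy decision.  Added example, not AWS code.  The key-policy shape and the
condition key kms:RecipientAttestation:PCR0 are real; the attestation
document and its HMAC signature are a constructed stand-in for the
COSE-signed document the Nitro hypervisor actually produces."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed: the hypervisor's signing key, the approved enclave image hash,
# and the role of the parent EC2 instance that proxies the KMS call.
HYPERVISOR_KEY = b"nitro-hypervisor-signing-key-stand-in"
APPROVED_PCR0 = hashlib.sha384(b"approved-enclave-image.eif").hexdigest()
PARENT_ROLE = "arn:aws:iam::111122223333:role/EnclaveParentInstanceRole"


def weak_key_policy() -> dict:
    """Any caller holding the parent instance role may decrypt, enclave or not."""
    return {"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": PARENT_ROLE},
        "Action": "kms:Decrypt", "Resource": "*"}]}


def hardened_key_policy() -> dict:
    """Same role, but only for an enclave whose image hash (PCR0) is the approved one."""
    return {"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": PARENT_ROLE},
        "Action": "kms:Decrypt", "Resource": "*",
        "Condition": {"StringEqualsIgnoreCase": {
            "kms:RecipientAttestation:PCR0": APPROVED_PCR0}}}]}


def _sign(body: dict) -> str:
    # Stand-in for the hypervisor's signature over the attestation document.
    return hmac.new(HYPERVISOR_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()


def issue_attestation(image: bytes) -> dict:
    """Stand-in for the hypervisor measuring and signing an enclave image."""
    body = {"pcr0": hashlib.sha384(image).hexdigest()}
    return {"body": body, "sig": _sign(body)}


def decrypt_allowed(policy: dict, caller: str, attestation: Optional[dict]) -> bool:
    """Model of KMS: an Allow statement for the caller whose every condition holds."""
    pcr0 = None
    if attestation is not None and hmac.compare_digest(_sign(attestation["body"]), attestation["sig"]):
        pcr0 = attestation["body"]["pcr0"]          # only trust measurements that verify
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"]["AWS"] != caller:
            continue
        if stmt["Action"] != "kms:Decrypt":
            continue
        want = stmt.get("Condition", {}).get("StringEqualsIgnoreCase", {}).get(
            "kms:RecipientAttestation:PCR0")
        if want is None:
            return True                               # no attestation required: anyone with the role
        if pcr0 is not None and pcr0.lower() == want.lower():
            return True                               # measured, approved enclave image
    return False


if __name__ == "__main__":
    good = issue_attestation(b"approved-enclave-image.eif")
    other = issue_attestation(b"some-other-enclave-image.eif")
    print("weak policy, no enclave at all:", decrypt_allowed(weak_key_policy(), PARENT_ROLE, None))
    print("hardened, approved enclave:", decrypt_allowed(hardened_key_policy(), PARENT_ROLE, good))
    print("hardened, other enclave:", decrypt_allowed(hardened_key_policy(), PARENT_ROLE, other))
```

The point of the comparison: with the weak policy, anyone who obtains the parent role's credentials (an SSRF against the instance metadata service, say) can decrypt; with the attestation condition, the same credentials are useless outside an enclave running the approved image. Real KMS additionally returns the plaintext key encrypted to a public key carried in the attestation document, so even the parent instance relaying the response cannot read it; that step is omitted here.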
- Tightening up cloud identities via least privileged policies
- Amazon S3 Access Points simplifies the important task of granting access to shared S3 buckets by giving each workload its own named access point with its own access policy (optionally restricted to a single VPC), which makes those policies easier to author, tune, and update while shrinking the blast radius of any one policy via a least privileged approach.
- IAM Access Analyzer is a new feature of AWS IAM that analyzes resource-based policies (S3 buckets, IAM roles, KMS keys, Lambda functions, and SQS queues at launch) and reports every resource that a principal outside your account can reach, letting administrators compare the intended versus actual levels of external sharing. And for staying on top of IAM roles, shortly before AWS re:Invent AWS launched the “role last used” timestamp, a feature of IAM Access Advisor, to quickly identify and delete stale roles.
- AWS CloudTrail Insights provides needle-in-the-haystack visibility into a typically massive corpus of AWS CloudTrail events by learning the normal rate of write API calls in an account and flagging periods in which that rate deviates sharply, activity that could indicate a compromise such as, but not limited to, a burst of changes to IAM policies.
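To make the two identity hygiene checks above concrete, here is an added example (mine, not AWS code and not how Access Analyzer is implemented) that does the same kind of work over constructed inputs: it reports statements in a resource-based policy that grant access to principals outside a zone of trust, and it lists roles whose last-used date is older than a threshold. The account IDs, bucket policy, and role records are constructed; the role record shape mirrors what `aws iam get-role` returns in `RoleLastUsed`.

```python
"""Two IAM hygiene checks in the spirit of IAM Access Analyzer and the role
last-used timestamp.  Added example, not AWS code: the policy documents and
role records below are constructed, and the record shape mirrors what
`aws iam get-role` returns (RoleLastUsed.LastUsedDate)."""
from datetime import datetime, timedelta, timezone
from typing import Iterable

ZONE_OF_TRUST = {"111122223333"}   # constructed: accounts considered internal


def principal_accounts(principal) -> set:
    """Account ids named by a Principal element; '*' means anyone.
    Service principals are ignored: they are not external accounts."""
    if principal == "*":
        return {"*"}
    vals = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(vals, str):
        vals = [vals]
    out = set()
    for v in vals:
        if v == "*" or v.isdigit():
            out.add(v)
        else:
            out.add(v.split(":")[4])   # arn:aws:iam::ACCOUNT:role/...  -> ACCOUNT
    return out


def external_access_findings(resource: str, policy: dict) -> list:
    """Allow statements granting access to principals outside the zone of trust."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        external = {a for a in principal_accounts(stmt.get("Principal", {}))
                    if a == "*" or a not in ZONE_OF_TRUST}
        if not external:
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "resource": resource,
            "principals": sorted(external),
            "actions": [actions] if isinstance(actions, str) else list(actions),
            # A condition (e.g. aws:SourceVpc) narrows the grant; it does not make it internal.
            "conditioned": "Condition" in stmt,
        })
    return findings


def stale_roles(roles: Iterable[dict], now: datetime, max_idle_days: int = 90) -> list:
    """Roles not used (or, if never used, not created) within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return [r["RoleName"] for r in roles
            if (r.get("RoleLastUsed", {}).get("LastUsedDate") or r["CreateDate"]) < cutoff]


# Constructed sample inputs.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::payroll/*"},
    {"Effect": "Allow", "Principal": {"AWS": "999988887777"},          # another account
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::payroll/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",  # anyone, VPC-scoped
     "Resource": "arn:aws:s3:::payroll",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0a1b2c3d"}}},
]}
NOW = datetime(2019, 12, 9, tzinfo=timezone.utc)
ROLES = [
    {"RoleName": "ActiveRole", "CreateDate": NOW - timedelta(days=400),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=3), "Region": "us-east-1"}},
    {"RoleName": "ForgottenRole", "CreateDate": NOW - timedelta(days=400),
     "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=200), "Region": "us-east-1"}},
    {"RoleName": "NeverUsedOldRole", "CreateDate": NOW - timedelta(days=120), "RoleLastUsed": {}},
    {"RoleName": "NewRole", "CreateDate": NOW - timedelta(days=5), "RoleLastUsed": {}},
]

if __name__ == "__main__":
    for finding in external_access_findings("arn:aws:s3:::payroll", BUCKET_POLICY):
        print(finding)
    print("stale:", stale_roles(ROLES, NOW))
```

Two caveats a practitioner would want: a `Principal: "*"` statement scoped by a condition is still reported, because the condition narrows the grant rather than making it internal, and it deserves a human decision; and a role with no last-used date may simply predate IAM's tracking window, so treat "never used" as a prompt to investigate, not as proof.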
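The CloudTrail Insights idea, a write-API call rate compared against its own baseline, is simple enough to show end to end. The following is an added example of my own, not the Insights algorithm and not AWS code: it buckets constructed CloudTrail-shaped records (using the real record fields `eventTime`, `eventSource`, `eventName`, and `readOnly`) per hour and flags hours in which a write API's volume exceeds a multiple of its average in the other hours. The thresholds and the sample activity are assumptions.

```python
"""A CloudTrail Insights-style check: flag hours in which the volume of a
write API call departs sharply from its baseline in the rest of the window.
Added example, not AWS code; the events are constructed but use the real
CloudTrail record fields eventTime, eventSource, eventName and readOnly."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # CloudTrail eventTime format


def record(t: datetime, source: str, name: str, read_only: bool) -> dict:
    """A minimal CloudTrail record (constructed)."""
    return {"eventTime": t.strftime(TIME_FMT), "eventSource": source,
            "eventName": name, "readOnly": read_only}


def make_events() -> list:
    """Constructed: 24 hours of activity with a burst of PutRolePolicy in the last hour."""
    base = datetime(2019, 12, 9, tzinfo=timezone.utc)
    events = []
    for h in range(24):
        hour = base + timedelta(hours=h)
        n_put = 30 if h == 23 else (2 if h % 2 == 0 else 1)   # normal: 1-2 policy writes per hour
        for i in range(n_put):
            events.append(record(hour + timedelta(minutes=i), "iam.amazonaws.com", "PutRolePolicy", False))
        n_get = 500 if h == 23 else 20                          # a read spike too, out of scope
        for i in range(n_get):
            events.append(record(hour + timedelta(seconds=i), "s3.amazonaws.com", "GetObject", True))
    return events


def write_api_insights(events: list, ratio: float = 5.0, min_calls: int = 10) -> list:
    """Hours where a write API's call count exceeds max(min_calls, ratio * baseline),
    the baseline being that API's mean hourly count over the other hours in the window."""
    counts = defaultdict(lambda: defaultdict(int))   # (source, name) -> hour -> count
    hours = set()
    for ev in events:
        t = datetime.strptime(ev["eventTime"], TIME_FMT).replace(tzinfo=timezone.utc)
        hour = t.replace(minute=0, second=0, microsecond=0)
        hours.add(hour)
        if ev.get("readOnly", False):
            continue                                   # only write (management) calls are in scope
        counts[(ev["eventSource"], ev["eventName"])][hour] += 1
    findings = []
    for api, per_hour in counts.items():
        for hour in sorted(hours):
            n = per_hour.get(hour, 0)
            others = [per_hour.get(h, 0) for h in hours if h != hour]
            baseline = sum(others) / len(others) if others else 0.0
            if n > max(min_calls, ratio * baseline):
                findings.append({"api": api, "hour": hour.isoformat(),
                                 "count": n, "baseline": round(baseline, 2)})
    return findings


if __name__ == "__main__":
    for f in write_api_insights(make_events()):
        print(f)
```

Note what the read spike demonstrates: a 25x jump in `GetObject` calls is invisible to this check, as it was to CloudTrail Insights at launch, which covered write management events. Data exfiltration via reads needs a different detector.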
- Bring-your-own network security (BYONetSec)
VPC Ingress Routing enables BYONetSec (sorry, someone had to go there!) use cases by letting you associate a route table with an internet gateway or virtual private gateway, so that inbound VPC traffic is steered through the elastic network interface of a third-party, VPC-resident, VM-based network security appliance before it reaches the workload subnet, where the appliance can apply filtering, DNS security, threat detection, and data loss prevention (DLP). Return traffic must be routed back through the same appliance from the workload subnet’s route table so the appliance sees both directions of each flow. An initial set of partner integrations was announced, with more likely on the horizon.
- A precursor to dev-time AppSec?
Amazon CodeGuru is a new ML-powered code analysis service with two parts: CodeGuru Profiler identifies what AWS framed as “expensive code,” the lines that drive over-provisioning of resources, while CodeGuru Reviewer flags defects such as resource leaks, concurrency issues, and deviations from AWS best practices in pull requests. So, not a security service as announced, but could the Reviewer side be evolved into static analysis for security testing? Stay tuned, but in general, dev-time AppSec controls are finally getting the attention this discipline deserves.
- Tag policies, because naming matters
In a metadata-driven, security-as-code context, namespace consistency is critical, which is why I think this seemingly modest feature is actually a big deal. Tag policies, a feature of AWS Organizations, define the allowed tag keys (down to capitalization) and allowed values for tags applied to AWS resources across an organization. Used in report-only mode, resources whose tags do not comply are surfaced in a compliance report, a precursor to flipping on enforcement, which rejects non-compliant tagging operations on the resource types you list. One caveat: a tag policy validates the tags a resource carries; it does not require that a tag be present, so an untagged resource is not reported as non-compliant and still needs a separate check. As such, tag policies pave the way for consistently assigning security policies by tag while helping ferret out resources that have drifted outside the sanctioned scheme.
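Here is an added example of my own (not AWS code, and not how the Organizations service evaluates policies) that walks through both modes described above on constructed resources. The policy document follows the real tag policy schema (`tag_key`, `tag_value`, and `enforced_for` with `@@assign`); the resource ARNs and tags are made up, and one untagged resource is included to show the caveat that a tag policy does not require a tag to exist.

```python
"""Tag-policy checks in report-only and enforcement mode.  Added example, not
AWS code; the policy uses the real tag-policy schema (tag_key, tag_value,
enforced_for with @@assign) and the resources are constructed."""

TAG_POLICY = {"tags": {
    "costcenter": {
        "tag_key": {"@@assign": "CostCenter"},                       # required capitalization
        "tag_value": {"@@assign": ["100", "200"]},                    # allowed values
        "enforced_for": {"@@assign": ["ec2:instance", "s3:bucket"]},  # where enforcement applies
    }
}}


def tag_violations(policy: dict, tags: dict) -> list:
    """Reasons a resource's tags violate the policy (empty list = compliant).
    A resource that lacks the tag entirely is NOT a violation under a tag policy."""
    reasons = []
    for rule in policy["tags"].values():
        key = rule["tag_key"]["@@assign"]
        allowed = rule.get("tag_value", {}).get("@@assign")
        for k, v in tags.items():
            if k.lower() != key.lower():
                continue
            if k != key:
                reasons.append(f"key {k!r} should be spelled {key!r}")
            if allowed is not None and v not in allowed:
                reasons.append(f"value {v!r} for {key!r} not in {allowed}")
    return reasons


def compliance_report(policy: dict, resources: list) -> list:
    """Report-only mode: every resource whose existing tags violate the policy."""
    return [(r["arn"], tag_violations(policy, r["tags"]))
            for r in resources if tag_violations(policy, r["tags"])]


def tag_operation_allowed(policy: dict, resource_type: str, tags: dict) -> bool:
    """Enforcement mode: reject a non-compliant tagging call, but only for the
    resource types a rule lists under enforced_for."""
    for rule in policy["tags"].values():
        enforced = rule.get("enforced_for", {}).get("@@assign", [])
        if resource_type in enforced and tag_violations({"tags": {"rule": rule}}, tags):
            return False
    return True


RESOURCES = [  # constructed
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc", "type": "ec2:instance",
     "tags": {"costcenter": "100"}},                                  # wrong capitalization
    {"arn": "arn:aws:s3:::payroll", "type": "s3:bucket",
     "tags": {"CostCenter": "300"}},                                  # value not allowed
    {"arn": "arn:aws:lambda:us-east-1:111122223333:function:ingest", "type": "lambda:function",
     "tags": {"CostCenter": "100"}},                                  # compliant
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:main", "type": "rds:db",
     "tags": {}},                                                     # untagged: not a violation
]

if __name__ == "__main__":
    for arn, reasons in compliance_report(TAG_POLICY, RESOURCES):
        print(arn, reasons)
    print("enforced ec2 call allowed:", tag_operation_allowed(TAG_POLICY, "ec2:instance", {"costcenter": "100"}))
    print("unenforced lambda call allowed:", tag_operation_allowed(TAG_POLICY, "lambda:function", {"costcenter": "100"}))
```

The run shows why report-only mode comes first: it lists the two drifted resources without breaking anything, and it also shows the gap, since the untagged RDS instance never appears. Finding resources that carry no `CostCenter` tag at all is a job for a separate inventory query, not for the tag policy.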
- Enabling integrated fraud detection use cases
Amazon Fraud Detector, AWS’s ML-based fraud detection service (announced in preview), exposes an API that enables integration for a variety of use cases, including detecting fraudulent credit card transactions, a welcome capability given the ongoing spate of online business fraud.
In the context of the higher order bit that underpins one’s cloud security program, the shared responsibility model, customers need visibility and control to meet their part of the obligation. Front and center in doing so is the intersection of managing identities to secure cloud-resident sensitive data. This is why packaging matters and why I applaud the fact that many (not all) of these capabilities from AWS are available at no charge. AWS’s security business units also get credit in my book for mostly descriptive naming—there is enough to process without needing a decoder ring to map names to functionality.