As the largest cloud provider, Amazon Web Services (AWS) really has only one choice when it comes to security—and that is to approach things “holistically,” the company’s top cybersecurity executive said this week during AWS re:Invent 2021.
“You don’t want to secure just one thing or one edge—or use one technique or one approach,” said Stephen Schmidt, chief information security officer at AWS, during a session at the conference in Las Vegas Thursday.UnmuteDuration 0:56/Current Time 0:43Advanced SettingsFullscreenPauseUp Next
“By using separate—often overlapping—tools and techniques, and different procedures, we build far more robust protections that’s resilient to individual faults,” Schmidt said. “One of the things that we look for in the internal design of our services is, we never want one security control to be the definitive barrier between adversaries and our services. There must be multiples here. And I encourage you to think the same way.”
Top announcements
In that spirit, AWS unveiled new security products and features at re:Invent 2021 to help secure everything from infrastructure to applications to the app development process itself. Key themes included bringing more automation to many security processes, new capabilities to enable secure access to data, enhanced network and IoT security, and improved security for containers.
Security is pivotal in any company’s data journey, AWS CEO Adam Selipsky said during his keynote at re:Invent on Tuesday.
“You need to have complete control over where your data sits, who has access to it, and what can be done with it at every step,” Selipsky said. “AWS knows how important this is to every customer.”
Ultimately, years of advancements in security from both AWS itself and cloud partners now mean that security can actually be more of an asset than a liability in cloud environments, executives from a number of cloud security firms told VentureBeat this week.
“We are finally moving past the days where security is perceived as a hindrance to cloud adoption,” said Glen Pendley, deputy chief technology officer at cybersecurity vendor Tenable, in an email. “It was a big obstacle years ago when people were trying to force technology that was designed to function on-prem into a cloud environment. Now you are seeing a real shift for security tools to be designed and built as cloud-native.”
George Gerchow, chief security officer at Sumo Logic, a cloud log management and monitoring vendor, said he is “seeing security as a huge driver for cloud now—for the first time ever.”
In the past, the motives for moving to the cloud have “always been opex cost, end-user experience, being able to deliver a solution to the market faster,” Gerchow told VentureBeat. “But now, I do believe that security is a driver for cloud. Because people want to reduce that footprint of what it is they’re securing—and focus on the data, focus on the application.”
What follows are details on the top 12 security announcements from Amazon Web Services at re:Invent 2021.
Enhanced cloud vulnerability management
AWS used re:Invent to announce several new features for improving and automating the management of vulnerabilities on its platform, in response to evolving security requirements in the cloud.
Newly added capabilities for the Amazon Inspector service will meet the “critical need to detect and remediate at speed” in order to secure cloud workloads, AWS said in a blog post.
In the post about the Amazon Inspector updates, AWS acknowledged that “vulnerability management for cloud customers has changed considerably” since the service first launched in 2015. Among the new requirements are “enabling frictionless deployment at scale, support for an expanded set of resource types needing assessment, and a critical need to detect and remediate at speed,” AWS said in the post.
Key updates for Amazon Inspector include assessment scans that are continual and automated — taking the place of manual scans that occur only periodically — along with automated resource discovery.
Using the updated Amazon Inspector will enable auto-discovery and begin a continual assessment of a customer’s Elastic Compute Cloud (EC2) and Amazon Elastic Container Registry-based container workloads — ultimately evaluating the customer’s security posture “even as the underlying resources change,” AWS wrote.
The company also announced a number of other new features for Amazon Inspector, including additional support for container-based workloads, with the ability to assess workloads on both EC2 and container infrastructure; integration with AWS Organizations, enabling customers to use Amazon Inspector across all of their organization’s accounts; elimination of the standalone Amazon Inspector scanning agent, with assessment scanning now performed by the AWS Systems Manager agent (so that a separate agent doesn’t need to be installed); and enhanced risk scoring and easier identification of the most critical vulnerabilities.
A “highly contextualized” risk score can now be generated through correlation of Common Vulnerability and Exposures (CVE) metadata with factors such as network accessibility, AWS said.
Securing containers from public registries
To help development teams that are using containers from publicly accessible registries to secure the containers, AWS announced pull-through cache repository support in Amazon Elastic Container Registry.
The support will “offer developers the improved performance, security, and availability of Amazon Elastic Container Registry for container images that they source from public registries,” AWS said in a blog.
“Images in pull-through cache repositories are automatically kept in sync with the upstream public registries, thereby eliminating the manual work of pulling images and periodically updating,” the blog said. “Pull through cache repositories provide the benefits of the built-in security capabilities in Amazon Elastic Container Registry, such as AWS PrivateLink enabling you to keep all of the network traffic private, image scanning to detect vulnerabilities, encryption with AWS Key Management Service (KMS) keys, cross-region replication, and lifecycle policies.”
Threat detection for container workloads
AWS said it’s responding to the rising need for container security with plans to launch new threat detection capabilities for container workloads during the first quarter of 2022.
Schmidt said the company does not typically pre-announce features that are still under development. But given the growing importance of container security, the cloud giant is making an exception in revealing its new container threat detection features, he said.
The first new container threat detection features, launching in Q1 of 2022, will involve extending the Amazon GuardDuty threat detection service to Amazon Elastic Kubernetes Service (EKS) audit logs, he said.
“This will provide customers intelligent threat detection for their container workloads — scanning for unusual resource deployments [and] things like malicious configuration changes, or escalation of privilege attempts,” Schmidt said.
Automated secrets detector
At re:Invent 2021, AWS unveiled a new automated secrets detector feature for its Amazon CodeGuru Reviewer tool.
The feature addresses the issue of developers inadvertently committing secrets to source code or configuration files, including passwords, API keys, SSH keys, and access tokens.
The new capability leverages machine learning to detect hardcoded secrets during a code review process, “ultimately helping you to ensure that all new code doesn’t contain hardcoded secrets before being merged and deployed,” wrote AWS in a blog post.
Secure access to sensitive data
AWS announced new features for providing secure access to sensitive data in the AWS Lake Formation data lake service, with the introduction of row- and cell-level security capabilities.
AWS Lake Formation enables the collection and cataloging of data from databases and object storage, but it’s up to users to determine the best way to secure access to different slices of data.
To make that easier, row- and cell-level security capabilities for Lake Formation are now generally available, Selipsky said during a keynote at re:Invent.
To get customized access to slices of data, users have previously had to create and manage multiple copies of the data, keep all the copies in sync, and manage “complex” data pipelines, Selipsky said.
With the new updates, “now you can enforce access controls for individual rows and cells,” Selipsky said.
For securing sales data, for instance, rather than creating multiple tables for each sales team and country, “you just define a set of policies that provide access to specific rows for specific users—without having to duplicate data or build data pipelines,” he said. “It puts the right data in the hands of the right people—and only the right people.”
Amazon WorkSpaces Web
In terms of enabling secure end-user computing, AWS announced general availability for Amazon WorkSpaces Web, described as a “low cost, fully managed WorkSpace built specifically to facilitate secure, web-based workloads.”
“WorkSpaces Web makes it easy for customers to safely provide their employees with access to internal websites and SaaS web applications without the administrative burden of appliances or specialized client software,” AWS said in a blog post. “With Amazon WorkSpaces Web, corporate data never resides on remote devices. Web sites are rendered in an isolated container in AWS, and pixel streamed to the user. The isolated browsing session provides an effective barrier against attacks packaged in web content and prevents potentially compromised end-user devices from ever connecting with internal servers.”
Additionally, “every session launches a fresh, always up to date, nonpersistent web browser. WorkSpaces Web supports enterprise controls that allow administrators to set browser policies (e.g., set default home page, bookmarks, enable/disable extensions, allow/deny list specific URLs, or any of Chrome’s 300+ policies) and user settings (e.g. clipboard, file transfer, or local printer controls),” the blog says. “When the session is complete, the browser instance is terminated, ensuring sensitive corporate web content is never outside enterprise control.”
S3 access management
AWS announced an update for its Simple Storage Service (S3) that aims to simplify access management for S3 data.
A new Amazon S3 Object Ownership setting lets users disable access control lists (ACLs), while the Amazon S3 console policy editor now “reports security warnings, errors, and suggestions powered by IAM Access Analyzer as you author your S3 policies,” AWS said in a blog.
The new Amazon S3 Object Ownership setting, called Bucket owner enforced, “lets you disable all of the ACLs associated with a bucket and the objects in it,” the blog says. “When you apply this bucket-level setting, all of the objects in the bucket become owned by the AWS account that created the bucket, and ACLs are no longer used to grant access. Once applied, ownership changes automatically, and applications that write data to the bucket no longer need to specify any ACL. As a result, access to your data is based on policies. This simplifies access management for data stored in Amazon S3.”
Automated application-layer DDoS mitigation
For helping customers with the mitigation of distributed denial-of-service (DDoS) attacks, AWS announced an update to AWS Shield, the company’s managed DDoS protection service for apps that run on AWS.
The new update brings automatic application-layer DDoS mitigation to AWS Shield Advanced, AWS said.
“This is a new set of capabilities included for all Shield Advanced customers that automatically mitigate malicious web traffic that threatens to impact application availability,” the company said in a blog post. “This feature automatically creates, tests, and deploys AWS WAF rules to mitigate layer 7 DDoS events on behalf of customers.”
Network address management and auditing
AWS announced network address management and auditing “at scale” with the Amazon Virtual Private Cloud (VPC) IP Address Manager (IPAM).
The new feature “provides network administrators with an automated IP management workflow. IPAM makes it easier for network administrators to organize, assign, monitor, and audit IP addresses in at-scale networks, lowering the management and monitoring burden and eliminating the manual processes that can lead to delays and unintended errors,” AWS said in a blog post.
VPC Network Access Analyzer
AWS announced the launch of a new offering, the Amazon VPC Network Access Analyzer, that enables users to identify configurations that might result in unintended access to the network.
“It will point out ways that you can improve your security posture while still letting you and your organization be agile and flexible,” AWS said in a blog post. “In contrast to manual checking of network configurations, which is error-prone and hard to scale, this tool lets you analyze your AWS networks of any size and complexity.”
IoT ExpressLink
In the realm of IoT, AWS announced the new IoT ExpressLink offering—”a simple, powerful solution that allows you to easily quickly develop secure IoT devices,” said Michael MacKenzie, general manager for AWS Industrial IoT and Edge, during a session at re:Invent.
“Modules that use AWS IoT ExpressLink make it faster and easier for developers of all skill levels to securely connect almost any device to the cloud and seamlessly integrate with over 200 AWS IoT services, including AWS IoT Core,” AWS said in a blog post.
Modules with AWS IoT ExpressLink help overcome the typical challenges faced by developers around the building of IoT devices—including security challenges, AWS said.
“A typical IoT application adds 50,000 (or more) lines of new embedded C code to a project … The challenge is that this increase in code is difficult to manage and maintain while security vulnerabilities are concealed across hundreds of folders and files,” AWS said. “AWS IoT ExpressLink helps developers with the complex and security-critical code by packaging it into a single hardware component.”
IoT Greengrass secure management
IoT Greengrass is an AWS cloud service for the development, deployment, and management of IoT device software and applications. At re:Invent, AWS announced a new capability for secure management of IoT Greengrass devices via AWS Systems Manager (SSM).
“Managing vast fleets of varying systems and applications remotely can be a challenge for administrators of edge devices,” AWS said in a blog post.
In response, the company has integrated IoT Greengrass and SSM “to simplify the management and maintenance of system software for edge devices,” the post says. “When coupled with the AWS IoT Greengrass Client Software, edge device administrators now can remotely access and securely manage with the multitude of devices that they own – from OS patching to application deployments. Additionally, regularly scheduled operations that maintain edge compute systems can be automated, all without the need for creating additional custom processes.”
Ultimately, for IT administrators, “this release gives a complete overview of all of their devices through a centralized interface, and a consistent set of tools and policies with the AWS Systems Manager,” AWS said.