Aaron ReaDec 9, 2021 12:00:00 AM3 min read

AWS re:Invent Security re:Cap 2021

It’s that time of year again. Temperatures are dropping, turkeys have been fried, and some of us just got back from a cloudy week in Las Vegas at AWS re:Invent! Here is a recap of what we think will be the most impactful security and compliance related updates from this year’s announcements.

S3 Access Management and Hardening

Amazon S3 is a foundational piece of the AWS puzzle and was the second service released, way back in 2006. Since the advent of IAM and bucket policies in 2011, there have been multiple ways to secure buckets from unauthorized access but no explicit way to disable a method that was not in use. The new Amazon S3 Object Ownership setting allows a user to disable Access Control Lists in favor of using IAM/bucket policies to lock down buckets and objects. This standardization results in a significant reduction of the attack surface for the often critical use cases of cloud object storage. Additionally, further insight can be gathered from the S3 console’s policy editor with the application of IAM Access Analyzer against bucket and object policies. Read more about these new features here.
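As an added example (not from the post or from AWS), here is a Terraform configuration that applies the Object Ownership setting described above, disabling ACLs so that access is expressed only through policy; the bucket name, account ID and role ARN are placeholders.

```hcl
# Added example: an S3 bucket hardened as the Object Ownership announcement
# describes. Bucket name, account ID and role name are placeholders.
resource "aws_s3_bucket" "hardened" {
  bucket = "example-hardened-bucket-placeholder"
}

# BucketOwnerEnforced disables ACLs entirely: the bucket owner owns every
# object, and only IAM or bucket policies can grant access.
resource "aws_s3_bucket_ownership_controls" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Block public ACLs and public bucket policies as well.
resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket                  = aws_s3_bucket.hardened.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# With ACLs gone, the bucket policy is the single place access is defined:
# one application role (placeholder ARN) may read and write, and any
# request that is not sent over TLS is denied.
data "aws_iam_policy_document" "hardened" {
  statement {
    sid       = "AllowAppRoleOnly"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${aws_s3_bucket.hardened.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:role/app-role-placeholder"]
    }
  }
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.hardened.arn, "${aws_s3_bucket.hardened.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  policy = data.aws_iam_policy_document.hardened.json
}
```

Because the bucket no longer accepts ACLs, a PutObject call that still sends an ACL header is rejected, which is the point: every grant now shows up in a policy that IAM Access Analyzer can review.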

AWS Control Tower – Account Factory for Terraform & Region Deny and Guardrails

AWS Control Tower has two new features that will help ensure sprawling cloud environments meet compliance and manageability goals with ease. ‘Account Factory for Terraform’ extends Control Tower’s existing landing zone deployments to Terraform modules, providing a familiar and pluggable pipeline for managing AWS environments at scale. This is a welcome addition and will be complemented by another new feature of Control Tower: data residency guardrails. Of particular interest are settings that allow a blanket lockout of access at a regional level, effectively turning off AWS in that region for managed accounts. These features strengthen the argument for an automation-first approach to large environments by simplifying fine-grained and regionalized control over assets deployed using Control Tower. Account Factory for Terraform and Guardrails announcements.
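To show what a regional lockout looks like in policy terms, here is an added example (not the Control Tower guardrail itself, nor code from the post) of a service control policy, expressed in Terraform, that denies every API call outside an approved region list; the region list and the OU id are placeholders.

```hcl
# Added example: an SCP in the spirit of the region deny guardrail.
# Every action is denied unless the request targets an approved region.
# Global services that are served only from us-east-1 are exempted so
# that identity, billing and DNS keep working for the locked-down accounts.
resource "aws_organizations_policy" "region_deny" {
  name        = "region-deny-example"
  description = "Deny all API calls outside approved regions"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "DenyOutsideApprovedRegions"
      Effect = "Deny"
      # NotAction: these control-plane services must remain reachable.
      NotAction = [
        "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
        "support:*", "budgets:*", "health:*"
      ]
      Resource = "*"
      Condition = {
        StringNotEquals = {
          # Placeholder list of approved regions.
          "aws:RequestedRegion" = ["us-east-1", "us-west-2"]
        }
      }
    }]
  })
}

# Attach the policy to an OU (placeholder id); every member account
# beneath it inherits the deny, regardless of its own IAM policies.
resource "aws_organizations_policy_attachment" "region_deny" {
  policy_id = aws_organizations_policy.region_deny.id
  target_id = "ou-placeholder-id"
}
```

Because an SCP is a ceiling on permissions rather than a grant, it applies even to account administrators, which is what makes a regional lockout enforceable rather than advisory.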

AWS Data Exchange for APIs

With this announcement, AWS expands the Data Exchange’s current static dataset access and governance functionality to include third-party GraphQL and RESTful APIs registered in AWS. This is a major step forward for both consumers and providers of APIs in AWS, who can now interact behind the same IAM controls used across their existing environments without the overhead of managing those authentication and governance layers independently. Much like the AMI marketplace for EC2, this will enable new use cases for AWS that may have been prohibitively complex to implement and secure in the past. Find more details here.

Amazon Inspector Update

In what may be considered a functional re-release of the Amazon Inspector service, AWS announced a slew of new features and updates focused on automating resource discovery and scanning, integrating with AWS Organizations and AWS Security Hub, and supporting modern workflows around containers, eventing, and reporting. Of particular note is the integration of Inspector assessment scanning into the AWS Systems Manager agent. This is a great step forward for users, as it will simplify the establishment of a foundational security posture and remove toil. Check the announcement here.

CodeGuru Reviewer

CodeGuru Reviewer added “Secrets Detector” to help developers locate unsecured secrets and quickly adapt code to use AWS Secrets Manager with predefined snippets for AWS SDK supported languages. This is a welcome addition to the machine learning based review tool and will certainly help to further eradicate the scourge of hardcoded keys and passwords that have plagued codebases in recent years. Find more info here.

VPC IP Address Manager & VPC Network Access Analyzer

Two major updates to VPC network management were announced with Amazon VPC IP Address Manager and VPC Network Access Analyzer. As the name implies, the former is automated IPAM for VPCs. The latter takes the essence of AWS’s IAM Access Analyzer and brings it to VPC networking, allowing intelligent analysis of various ‘scopes’ of network access in an environment. Both features will be welcome additions to environments with strict compliance and audit regimens. Find out more about VPC IP Address Manager and VPC Network Access Analyzer.

Conclusion

This year’s security related re:Invent announcements followed a theme of helping cloud consumers and producers meet in the middle by simplifying and standardizing good security posture. Follow our blog and social media (LinkedIn, Twitter) for further exploration of these and other re:Invent 2021 announcements.

Aaron Rea

Aaron is a Cloud Security Consultant who has been securing universities, startups, and large enterprises for over 15 years. He transitioned from a well-known cloud consultancy and has been a strong contributor to our largest clients. His areas of focus include cloud architecture and application modernization, data and infrastructure pipelining, proactive/reactive security automation and 'day 2' operations.

The information presented in this article is accurate as of 7/19/23. Follow the ScaleSec blog for new articles and updates.