AWS re:Invent Security re:Cap 2021
It’s that time of year again. Temperatures are dropping, turkeys have been fried, and some of us just got back from a cloudy week in Las Vegas at AWS re:Invent! Here is a recap of what we think will be the most impactful security and compliance related updates from this year’s announcements.
S3 Access Management and Hardening
Amazon S3 is a foundational piece of the AWS puzzle and was the second service released, way back in 2006. Since the advent of IAM and bucket policies in 2011, there have been multiple ways to secure buckets from unauthorized access, but no explicit way to disable a method that was not in use. The new Amazon S3 Object Ownership setting allows a user to disable Access Control Lists in favor of using IAM/bucket policies to lock down buckets and objects. This standardization results in a significant reduction of the attack surface for the often critical use cases of cloud object storage. Additionally, further insight can be gathered from the S3 console’s policy editor with the application of IAM Access Analyzer against bucket and object policies. Read more about these new features here.
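As an added illustration (not code from the original post or from AWS), here is a Terraform configuration that applies the new Object Ownership setting so ACLs are disabled and access is governed only by the bucket policy; the bucket name and the writer role ARN are placeholder assumptions.

```hcl
# Added example: disable S3 ACLs with Object Ownership and rely on a bucket policy.
variable "app_role_arn" {
  description = "ARN of the IAM role allowed to write objects (placeholder value)"
  type        = string
  default     = "arn:aws:iam::111122223333:role/example-app-writer"
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-org-app-logs" # placeholder bucket name
}

# BucketOwnerEnforced disables ACLs entirely: the bucket owner owns every object,
# and PUT requests that carry an ACL other than bucket-owner-full-control are rejected.
resource "aws_s3_bucket_ownership_controls" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# With ACLs gone, the remaining public exposure paths are bucket policies; block them too.
resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# The bucket policy is now the single place access is granted or denied.
data "aws_iam_policy_document" "logs" {
  statement {
    sid       = "AllowAppRoleWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.logs.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = [var.app_role_arn]
    }
  }
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.logs.arn, "${aws_s3_bucket.logs.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.logs.json
}
```

Before applying, the rendered policy document can be checked with IAM Access Analyzer (`aws accessanalyzer validate-policy --policy-type RESOURCE_POLICY`), the same checks the S3 console policy editor now surfaces.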
AWS Control Tower – Account Factory for Terraform & Region Deny and Guardrails
AWS Control Tower has two new features that will help ensure sprawling cloud environments meet compliance and manageability goals with ease. ‘Account Factory for Terraform’ extends Control Tower’s existing landing zone deployments to Terraform modules, providing a familiar and pluggable pipeline for managing AWS environments at scale. This is a welcome addition and will be complemented by another new feature of Control Tower: data residency guardrails. Of particular interest are settings that allow a blanket lockout of access at a regional level, effectively turning off AWS in that region for managed accounts. These features strengthen the argument for an automation-first approach to large environments by simplifying fine-grained and regionalized control over assets deployed using Control Tower. See the Account Factory for Terraform and Guardrails announcements.
AWS Data Exchange for APIs
With this announcement, AWS expands the Data Exchange’s current static dataset access and governance functionality to include third-party GraphQL and RESTful APIs registered in AWS. This is a major step forward for both consumers and providers of APIs in AWS, who can now interact behind the same IAM controls used across their existing environments without the overhead of managing those authentication and governance layers independently. Much like the AMI marketplace for EC2, this will enable new use cases for AWS that may have been prohibitively complex to implement and secure in the past. Find more details here.
Amazon Inspector Update
In what may be considered a functional re-release of the Amazon Inspector service, AWS announced a slew of new features and updates focused on automating resource discovery and scanning, integrating with AWS Organizations and AWS Security Hub, and supporting modern workflows around containers, eventing, and reporting. Of particular note is the integration of Inspector assessment scanning into the AWS Systems Manager agent. This is a great step forward for users, as it will simplify the establishment of a foundational security posture and remove toil. Check the announcement here.
CodeGuru Reviewer added “Secrets Detector” to help developers locate unsecured secrets and quickly adapt code to use AWS Secrets Manager with predefined snippets for AWS SDK supported languages. This is a welcome addition to the machine learning based review tool and will certainly help to further eradicate the scourge of hardcoded keys and passwords that have plagued codebases in recent years. Find more info here.
VPC IP Address Manager & VPC Network Access Analyzer
Two major updates to VPC network management were announced with Amazon VPC IP Address Manager and VPC Network Access Analyzer. As the name implies, the former is automated IPAM for VPCs. The latter takes the essence of AWS’s IAM Access Analyzer and brings it to VPC networking, allowing intelligent analysis of various ‘scopes’ of network access in an environment. Both features will be welcome additions to environments with strict compliance and audit regimens. Find out more about VPC IP Address Manager and VPC Network Access Analyzer.
This year’s security related re:Invent announcements followed a theme of helping cloud consumers and producers meet in the middle by simplifying and standardizing good security posture. Follow our blog and social media (LinkedIn, Twitter) for further exploration of these and other re:Invent 2021 announcements.
The information presented in this article is accurate as of December 9, 2021. Follow the ScaleSec blog for new articles and updates.
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.