Our Favorite AWS re:Invent Security Announcements
In this blog you will find a brief rundown of our favorite security announcements from the 2019 AWS re:Invent
AWS re:Invent was held this past week in Las Vegas and ScaleSec was able to attend for a seventh straight year. This is always an exciting conference as AWS rolls out new features and services that are available right away or as a sneak peek into the future of AWS. Our team members are focused on cloud security, and we wanted to highlight some of our favorite security announcements from re:Invent.
S3 Access Points (Generally Available)
S3 Access Points are unique hostnames that offer an alternative to scaling a single, increasingly complex S3 bucket policy: each access point carries its own dedicated policy for an individual application or team. With S3 bucket policies, when a new team or application needs access to data there is a single policy document for the entire S3 bucket that has to be updated. With S3 Access Points, a new dedicated access point can be created for the new team or application, which has many benefits, including:
Reduced Blast Radius: With dedicated S3 Access Points you no longer have to edit or update a policy that other live teams are utilizing which in turn reduces the blast radius in the event of human error during the update process.
Individual IAM Policies: Each S3 Access Point has its own unique IAM policy which dictates the access allowed or specifies conditions that must be met in order to read or write data inside the S3 bucket. You can also lock down the S3 Access Point to only allow requests from a specific VPC.
Unique DNS / Hostname: Because individual S3 Access Points have their own hostnames, applications or teams can use their dedicated DNS name/URL instead of the standard S3 bucket URL to interact with the S3 bucket’s data. Example: https://[access_point_name]-[accountID].s3-accesspoint.[region].amazonaws.com
Scalability: Each account can create 1,000 access points per region, which allows for greater scalability and flexibility compared to S3 bucket policies. S3 Access Points fit nicely into CI/CD pipelines and Infrastructure as Code because each team or user can create their own Access Point instead of sharing an S3 bucket policy between hundreds or even thousands of users.
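As an added illustration (not code from the post or from AWS), the following Python models the two-layer authorization described above: a bucket policy that delegates to the account's own access points through the s3:DataAccessPointAccount condition, and a per-team access point policy scoped to one role and one key prefix. The account id, region, bucket, access point and role names are constructed sample values, and the evaluator is a deliberate simplification of IAM (Allow statements and StringEquals conditions only).

```python
import fnmatch

ACCOUNT, REGION = "123456789012", "us-east-1"   # constructed sample values

def access_point_hostname(name, account=ACCOUNT, region=REGION):
    """Dedicated hostname every access point gets (format quoted in the post)."""
    return f"https://{name}-{account}.s3-accesspoint.{region}.amazonaws.com"

def delegating_bucket_policy(bucket, account=ACCOUNT):
    """Bucket policy that defers authorization to this account's access points,
    so the bucket document is not edited again when a new team is onboarded."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": account}}}]}

def access_point_policy(name, role, prefix, account=ACCOUNT, region=REGION):
    """Per-team policy: one role may only read objects under one key prefix."""
    ap = f"arn:aws:s3:{region}:{account}:accesspoint/{name}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject"],
        "Principal": {"AWS": f"arn:aws:iam::{account}:role/{role}"},
        "Resource": [f"{ap}/object/{prefix}*"]}]}

def allowed(policy, principal, action, resource, ctx=None):
    """Simplified evaluator (assumption): Allow statements only, IAM-style
    wildcards on action/resource, StringEquals conditions checked against ctx."""
    for s in policy["Statement"]:
        who = s["Principal"]["AWS"]
        who = [who] if isinstance(who, str) else who
        acts = [s["Action"]] if isinstance(s["Action"], str) else s["Action"]
        conds = s.get("Condition", {}).get("StringEquals", {}).items()
        if (s["Effect"] == "Allow" and ("*" in who or principal in who)
                and any(fnmatch.fnmatchcase(action, a) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in s["Resource"])
                and all((ctx or {}).get(k) == v for k, v in conds)):
            return True
    return False

def request_allowed(bucket, ap_name, ap_policy, principal, action, key):
    """A request through an access point must pass BOTH layers: the bucket
    policy (delegation condition) and the access point's own policy."""
    bucket_ok = allowed(delegating_bucket_policy(bucket), principal, action,
                        f"arn:aws:s3:::{bucket}/{key}",
                        {"s3:DataAccessPointAccount": ACCOUNT})
    ap_res = f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{ap_name}/object/{key}"
    return bucket_ok and allowed(ap_policy, principal, action, ap_res)
```

A request that goes straight to the bucket hostname carries no access point context, so the delegating bucket policy alone denies it; only the dedicated hostname plus the team's access point policy lets the reader role at its prefix.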
Amazon Detective (Preview)
Amazon Detective is a brand new offering that leverages machine learning, statistical analysis, and graph theory to assist users in security investigations. Amazon Detective reads and analyzes AWS CloudTrail, VPC flow logs, and Amazon GuardDuty findings to create a view of resource behaviors and interactions between the data points. Users can set up a “Master Account” for Amazon Detective and invite member accounts to send their log data to the central master account. This setup creates a single pane of glass view into all of your AWS Organization’s Amazon Detective visualizations and findings, which can assist in root cause analysis for security issues.
Amazon CodeGuru (Preview)
Amazon CodeGuru is a brand new offering that utilizes machine learning to automate code reviews (CodeGuru Reviewer) and application performance recommendations (CodeGuru Profiler). Although CodeGuru only supports Java applications today, more language support will follow as the service matures. CodeGuru Profiler and CodeGuru Reviewer make intelligent recommendations for fixing the issues they report based on known best practices, and Reviewer can also reference the AWS API and SDK documentation to verify that the submitted code is up to date with the latest features.
CodeGuru Reviewer can run automatically on pull requests and make recommendations inline directly inside the PR. Some of the issues CodeGuru can spot are:
Thread safety issues
Bad handling of sensitive data (credentials)
CodeGuru Profiler is a continuously running offering that looks to reduce CPU utilization where possible in your applications to cut compute costs and improve application performance.
CodeGuru offers a 90-day free trial in all regions but afterwards has the following charges related to how the service is utilized:
CodeGuru Reviewer: $0.75 per 100 lines of code scanned per month
CodeGuru Profiler: $0.005 per sampling hour for the first 36,000 sampling hours per application profile per month. No additional charge beyond 36,000 sample hours per application profile.
Amazon Fraud Detector (Preview)
This new service uses machine learning to identify potentially fraudulent online activities such as online payments and fake account creations. Fraud Detector is fully managed and a machine learning model can be created in only a few minutes. Fraud Detector works to detect:
Legitimate vs illegitimate account creations
Guest checkout verification
‘Try Before You Buy’ service abuse
Online payment review (not yet supported)
Access Analyzer for S3 (Generally Available)
Access Analyzer for S3 is a new feature of S3 that monitors and reviews S3 access policies and provides a visual dashboard of the results. Users can interact with the dashboard to view findings per bucket, remove public access (with a single click), or download a .csv report of the current findings. Access Analyzer breaks down your S3 buckets into two separate categories: buckets with public access and buckets with access from other AWS accounts.
Access Analyzer also displays how the bucket is shared, whether through an Access Control List (ACL) or a bucket policy, and allows the user to drill into the configuration directly from the dashboard. Access Analyzer for S3 is turned on once AWS IAM Access Analyzer is enabled.
IAM Access Analyzer (Generally Available)
This new feature of AWS IAM uses automated reasoning to determine who or what has access to your resources by analyzing and monitoring the access policies attached to the individual resources. The current services and resources covered are:
AWS Lambda functions
Access Analyzer identifies which external principals can access the resources in your account, their access level (list, read, write, permissions management, etc.), and what IAM permissions they specifically have on your resources.
IAM Access Analyzer can also directly integrate with Security Hub to send its findings into a single pane of glass view alongside your other security tools.
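To make concrete what Access Analyzer for S3 and IAM Access Analyzer report, here is an added Python example (not part of the original post or of the AWS service) that walks a bucket policy and sorts each external principal into the dashboard's two categories, public and cross-account, with a coarse access level per finding. The sample policy, the account ids and the treatment of org-restricted "*" principals are constructed assumptions that simplify the real service, and ACL-based sharing is not covered.

```python
import re

OWN_ACCOUNT = "123456789012"   # constructed sample account id
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")
PERM_MGMT = {"s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutObjectAcl",
             "s3:DeleteBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:*", "*"}
# A "*" principal pinned to your org/VPC by one of these keys is reported as cross-account, not public (simplification).
RESTRICTING = {"aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:SourceVpc", "aws:SourceVpce"}

# Constructed sample bucket policy mixing public, cross-account and org-only grants.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-data/public/*"},
    {"Sid": "PartnerUpload", "Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject"],
     "Principal": {"AWS": "arn:aws:iam::999999999999:role/PartnerIngest"},
     "Resource": ["arn:aws:s3:::customer-data", "arn:aws:s3:::customer-data/inbound/*"]},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-data/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

def access_level(action):
    """Coarse level: policy/ACL writes (and wildcards reaching them) are permissions management, List* list, Get* read, rest write."""
    if action in PERM_MGMT:
        return "permissions-management"
    return "list" if action.startswith("s3:List") else (
        "read" if action.startswith("s3:Get") else "write")

def _principals(stmt):
    p = stmt.get("Principal", {})
    aws = ["*"] if p == "*" else p.get("AWS", [])   # service principals ignored
    return [aws] if isinstance(aws, str) else list(aws)

def analyze(bucket, policy, own_account=OWN_ACCOUNT):
    """One finding per external principal, as the Access Analyzer for S3 dashboard shows."""
    findings = []
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        acts = [s["Action"]] if isinstance(s["Action"], str) else s["Action"]
        cond_keys = {k for op in s.get("Condition", {}).values() for k in op}
        for p in _principals(s):
            if p == "*":
                cat = "cross-account" if cond_keys & RESTRICTING else "public"
            elif (m := ACCOUNT_RE.match(p)) and m.group(1) != own_account:
                cat = "cross-account"
            else:
                continue   # same-account principal: not a finding
            findings.append({"bucket": bucket, "category": cat, "principal": p,
                             "access": sorted({access_level(a) for a in acts})})
    return findings
```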
EC2 Image Builder (Generally Available)
While at first glance this announcement might not appear to be security related, creating a repeatable build process for EC2 resources is one of the most important practices for organizations that leverage Amazon EC2. EC2 Image Builder provides a GUI and requires no manual build steps to build a secure EC2 AMI.
EC2 Image Builder provides default (AWS-provided) secure build templates for AMIs or allows users to create their own. Secure templates include actions such as:
Ensure security patches are applied
Enforce strong passwords
Turn on full disk encryption
Close all non-essential ports
Enable software firewalls
Enable logging and audit controls
Leveraging EC2 Image Builder to create your organization’s custom AMIs provides a repeatable and scalable build process without the risk of human error, and with the advantage of a standard security build step that is always applied.
AWS Nitro Enclaves (Private Preview is Coming Soon)
AWS Nitro Enclaves are not yet available for preview, but conceptually they will create an isolated “environment” inside your EC2 instance that can be leveraged to handle sensitive data. A use case for Nitro Enclaves would be to offload decryption and tokenization of PII, SSNs, or other sensitive data to the isolated enclave so that users with access to the EC2 instance would not be able to view or handle the cleartext data. Even root users cannot access the enclave’s data, providing total isolation.
Some of the benefits of AWS Nitro Enclave are:
Isolation and Security: Enclaves are fully isolated environments with no operator or administrator access. There is no persistent storage for the enclave and only secure local connectivity is authorized.
Cryptographic Attestation: The Nitro Hypervisor provides cryptographic attestation for the code and the enclave’s identity. The hypervisor provides a signed attestation document to prove its identity to other parties or services.
Flexible resource allocation: The user is able to dedicate CPU cores and memory from the main EC2 instance to the enclave itself.
Windows gMSA Support in ECS (Generally Available)
Windows group Managed Service Account (gMSA) support is a new authentication capability of Amazon ECS for Windows containers. This new functionality overcomes the previous hurdle of Windows containers not being able to be domain-joined and now allows Windows applications to authenticate to an Active Directory domain controller via the host EC2 instance itself. When a Windows container is configured to run with gMSA, the host EC2 instance retrieves the gMSA credentials for the container and its applications.
Introducing the AWS Public Safety & Disaster Response Competency
A new APN competency was released during re:Invent and it is related to Public Safety and Disaster Response. The competency distinguishes partners who have “proven success in helping customers implement secure, reliable, cloud-enabled offerings to enhance public safety and disaster response capabilities in one or more of the specialized categories listed below.”
Emergency Management Operations
Data and Analytics
Infrastructure Resilience and Recovery
Amazon Builders’ Library (Generally Available)
The Amazon Builders’ Library just sounds cool: Detailed articles written by senior technical leaders in AWS that explain how and why AWS runs their systems like they do. The Library is currently broken into two categories, Architecture and Software Delivery & Operations, with plans to expand in the future. The Builders’ Library provides a unique insight that normally is only shared with a select few involved in a closed door process.
That wraps up our favorite 2019 AWS re:Invent security announcements. Keep an eye out on our blogs and websites for deeper dives into these exciting new services and features.
The information presented in this article is accurate as of 12/11/2019. Follow the ScaleSec blog for new articles and updates.
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.