Nov. 30 - Dec. 4 re:Invent Security re:Cap

AWS re:Invent is an annual cloud computing event held to showcase new features and services available on Amazon Web Services. This year, re:Invent is completely virtual, free, and spans three weeks.

At ScaleSec, our focus is always on security and compliance. In order to stay on the cutting edge of cloud computing, we monitor AWS re:Invent announcements and consider how each one can help our customers keep their AWS environments secure.

ScaleSec’s re:Invent Security re:Cap is a running list of our favorite security announcements from each week, along with a brief summary and direct link for more in-depth information.

AWS License Manager enhances automated discovery with tag-based search and detection of software uninstalls | 03 DEC 2020 | LINK

AWS License Manager can now auto detect when software has been uninstalled from tracked resources. When an uninstallation is detected, the centralized reporting dashboard is updated for a single pane-of-glass view to track the licenses and softwares installed on your AWS resources.

AWS Marketplace Now Offers Professional Services | 03 DEC 2020 | LINK

Customers of AWS Marketplace can now purchase professional service offerings in addition to the already existing software products. By offering professional services via the AWS marketplace, potential customers can reduce the procurement time from months to days. Examples of offerings range from assessments and implementations to support or training. This has the potential to put more security-focused professional service offerings front and center along with the security products currently available.

Amazon S3 Update – Strong Read-After-Write Consistency | 01 DEC 2020 | LINK

Amazon S3 now supports strong consistency for “all S3 GET, PUT, and LIST operations, as well as operations that change object tags, ACLs, or metadata”. This is a huge improvement because previously what returned from a list call might not be accurate due to a slight delay in consistency. As an added benefit, this update has no impact on performance and is available at no additional cost. Having accurate information about where your data lives, what state it is in, or the current permissions attached to the objects is a critical component of your data governance plan.

Amazon CodeGuru Reviewer announces Security Detectors | 01 DEC 2020 | LINK

Amazon CodeGuru is a developer tool that can automate code reviews and make application performance recommendations. A new feature, Security Detectors, “helps identify security risks from the top ten Open Web Application Security Project (OWASP) categories (OWASP is a standard awareness document for developers and web application security), security best practices for AWS APIs, and common Java crypto libraries.” There are currently four different categories of security issues supported:

1. AWS API Security Best Practices
2. Java Crypto Library Best Practices
3. Secure Web Applications for web app related security issues
4. AWS Security Best Practices

Amazon EKS simplifies installation and management for Kubernetes cluster add-ons | 01 DEC 2020 | LINK

A nice usability improvement, Amazon EKS now lets you “install, manage, and update common operational software for your cluster directly through the EKS console, CLI, and API.” With support for the Amazon VPC CNI networking plugin at launch, more add-ons will be available soon. By exposing this functionality via the CLI, API, and EKS console, managing the currently installed software becomes less risky with better visibility and control over what is installed and what can be installed moving forward.

Introducing EKS Anywhere | 01 DEC 2020 | LINK

AWS announced a new deployment option for Amazon EKS called EKS Anywhere. EKS Anywhere provides “an installable software package for creating and operating Kubernetes clusters on-premises and automation tooling for cluster lifecycle support.”. What this provides is a consistent and repeatable process for deploying identical EKS clusters on AWS, bare metal servers, or on-premise virtual machines (VSphere). EKS Anywhere takes advantage of the new release of Amazon EKS Distro.

Introducing Amazon EKS Distro | 01 DEC 2020 | LINK

Amazon has open sourced their Kubernetes Amazon EKS distribution for customers to deploy workloads outside of AWS that are identical to their Amazon EKS clusters. This workload alignment facilitates identical Kubernetes and dependency versions in addition to the same security patches for your AWS-based EKS clusters and your non-AWS Kubernetes clusters. Customers who deploy Kubernetes clusters (outside of EKS) with the Amazon EKS distro can subscribe to an Amazon SNS topic to track available updates and security patches. This topic will alert and keep customers informed so they can align their AWS and non-AWS EKS clusters from a security and patching standpoint.

Amazon EKS adds built-in logging support for AWS Fargate | 01 DEC 2020 | LINK

Amazon EKS with AWS Fargate no longer requires a sidecar to forward container logs to log storage and analytics services. Using a Kubernetes ConfigMap, users can route logs to their destination of choice. This new feature lowers the operational overhead of managing Fargate logging and offloads the heavy lifting to AWS.

Amazon Web Services Announces AWS Proton | 01 DEC 2020 | LINK

A brand new service, AWS Proton is a fully managed deployment service for container and serverless applications. Security and infrastructure teams can now use AWS Proton to fully bake-in security controls and guardrails into a self-service like portal for application teams to leverage. AWS Proton supports visibility into what has been deployed, versioning support for update tracking, CI/CD automated security checks and much more.

AWS Amplify announces new Admin UI | 01 DEC 2020 | LINK

The AWS Amplify Admin UI provides “an easy way to develop app backends and manage app content outside the AWS console.” The Admin UI can be used by users outside of AWS (and developers in AWS) via an email invite and provides the ability to model data, configure authentication and authorization, and manage users, groups, and app content. The Admin UI is automatically provisioned via CloudFormation and can be converted into the Amplify CLI for local development.

Amazon S3 Replication adds support for two-way replication | 01 DEC 2020 | LINK

Amazon S3 now supports bi-directional replication to sync object metadata like object ACLs, tags or object locks between two or more buckets. This replication can apply to all objects in a bucket or a subset of objects. This is an important feature if you want to build shared datasets across regions and must keep the objects and their metadata in sync.

Announcing Amazon S3 Bucket Keys | 01 DEC 2020 | LINK

A big cost savings for organizations with large amounts of data stored in S3, S3 Bucket Keys uses a single KMS key on the bucket-level versus one in KMS. The bucket-level KMS key is used to generate a data encryption key (DEK) for each object stored in S3 and wraps that DEK with the bucket-level key inside of S3. This new functionality reduces the number of calls to KMS which will greatly reduce the costs associated with server-side encryption.

Announcing Amazon ECR Public and Amazon ECR Public Gallery | 01 DEC 2020 | LINK

Amazon ECR Public is a fully managed registry to publicly share container images. Anyone with or without an AWS account can use the Amazon ECR Public Gallery website to browse and search for public images as well as pull those images locally. Uploaded images are geo-replicated for worldwide availability and workloads running in AWS have unlimited bandwidth from ECR Public. Before Amazon ECR Public, users would maintain local copies of public images which would quickly become out of sync and require operational overhead to maintain.

Amazon S3 Replication adds support for multiple destinations | 01 DEC 2020 | LINK

A new feature for Amazon S3 Replication, multiple destinations removes the previous requirement of building your own forwarding or replication configuration to support more than one destination. Now, you have the ability to replicate data from one source bucket to multiple destination buckets. This is a great feature to meet any requirements for multi-region data backups because you now only have to configure this on your source bucket.

AWS announces Amazon DevOps Guru in Preview | 01 DEC 2020 | LINK

The CIA triad is a security model consisting of confidentiality, integrity, and availability. Amazon DevOps Guru focuses on the availability of your applications by identifying behaviors that deviate from standard patterns that have the potential to cause downtime. When an anomaly is detected Amazon DevOps Guru will provide a summary, the likely root cause, and information on when and where the issue is located.

AWS Lambda now supports container images as a packaging format | 01 DEC 2020 | LINK

Serverless Lambda functions can now be packaged inside container images and uploaded to Amazon ECR and Docker Hub. This allows you to use your container tooling, workflows, and dependencies you are already familiar with for your containers but for your lambda functions.

Announcing Amazon EC2 Mac instances for macOS | 01 DEC 2020 | LINK

AWS now supports macOS EC2 instances using bare metal Apple Mac Minis. This allows Apple developers to leverage the flexibility, scalability, and cost benefits of AWS that were previously only available to linux or windows developers. In addition to Amazon EC2 Mac instances, Amazon Systems Manager can now support and manage macOS EC2 instances using it’s SSM agent.

Introducing ECS Anywhere | 01 DEC 2020 | LINK

ECS Anywhere allows customers to run ECS tasks on customer-manager infrastructure. The ECS control plane still runs in the cloud, fully managed by AWS, but the individual ECS tasks are what users deploy on-premise or on their own infrastructure. You can find a demo of ECS Anywhere here.