AWS re:Invent is an annual cloud computing event held to showcase new features and services available on Amazon Web Services. This year, re:Invent is completely virtual, free, and spans three weeks.
At ScaleSec, our focus is always on security and compliance. In order to stay on the cutting edge of cloud computing, we monitor AWS re:Invent announcements and consider how each one can help our customers keep their AWS environments secure.
ScaleSec’s re:Invent Security re:Cap is a running list of our favorite security announcements from each week, along with a brief summary and direct link for more in-depth information.
AWS Security Hub supports bidirectional integration with ServiceNow ITSM | 11 Dec 2020 | LINK
For ServiceNow ITSM users, keeping your tickets and issues in sync with the latest security findings in AWS Security Hub just got a lot easier. Available free of charge, the AWS Service Management Connector for ServiceNow now enables manual or automatic ticket creation from AWS SecurityHub findings. Choose what findings, unique to your security program, should be converted into tickets within ServiceNow ITMS. With this update, AWS Security Hub findings can now receive updates from ServiceNow ITSM about status, severity, and more.
Application Manager adds the ability to view logical groupings of application resources with a “single pane of glass” view. This new feature brings together service and event data to produce operational metrics about your application within AWS Systems Manager. Make informed decisions about managing your applications faster through data and act on it within Application Manager through the use of automated runbooks. Create runbooks just for your organization, or use what Amazon has provided for addressing common issues found in applications on the platform.
Change Manager is a new feature of AWS System Manager that provides native change management features at scale through integration with AWS Organizations. Change Manager is designed to bring stability, continuity, and speed to changes in AWS. Amazon provides predefined workflows to take the guesswork out of change control best practices. Combined with the Application Manager announcement, you can now quickly roll back changes automatically with CloudWatch alarms and leverage information within Application Manager to investigate what went wrong.
A busy time for AWS Systems Manager! Amazon announced Fleet Manager to manage fleets of your deployed systems (Windows, Linux, and MacOS) both in AWS and on-premise in your data centers. With this new offering, you can troubleshoot and perform common maintenance tasks across all of your systems. With Fleet Managers visualization tools, you can monitor and take action on your fleets all without needing to log into any one system within the fleet directly.
Introducing AWS Fault Injection Simulator | 15 Dec 2020 | LINK
Pre-announced this week at Re:Invent, and coming early next year, you will be able to embrace chaos engineering with AWS Fault Injection Simulator. You can now stress test your application and infrastructure in a controlled and repeatable way. Fault Injection Simulator can simulate real-world scenarios which will raise awareness of issues so that you can optimize your applications before business-impacting outages occur. Fault Injection Simulator offers templates to perform standard and repeatable disruptive behaviors. Use templates to baseline application performance against stressors and measure improvement with iterative chaos testing. Amazon will provide pre-built templates or create your own to uniquely test your application.
**AWS Single Sign-On now supports Microsoft Active Directory (AD) synchronization **| 15 Dec 2020 | LINK
If you manage AWS Single Sign-On with Microsoft AD, AD sync is now available to provide your organization’s identity and access information consistently across your infrastructure. You can now automatically synchronize changes to your AD users and groups to simplify management of authorization and access control to your AWS Account and resources. AWS SSO provides just-in-time (JIT) sync, which will reduce operational risk of attribute and access inconsistencies.
APIs now available for the AWS Well-Architected Tool | 16 Dec 2020 | LINK
Amazon now offers an API for the AWS Well-Architected Tool, allowing programmatic access for evaluating your workloads against Amazon’s best practices. Define your workloads and evaluate against best practices continuously through automation. This lays the groundwork for integration with third party tools for detection of risks and deviations from best practice.
Attribute-Based Access Control (ABAC) for the AWS Key Management Service | 17 Dec 2020 | LINK
AWS Key Management Service can now use tags and aliases in policy conditions. This means that when you specify access controls for your KMS keys, you can use tag conditions to only grant access to a specific function or purpose. In addition to the access control normally available for KMS key policies, this feature provides a more advanced and flexible set of access controls to truly embrace least privilege. Key management is an important part of a good data protection strategy, and ABAC will allow more effective and granular control.
Announcing Amazon Route53 support for DNSSEC | 17 Dec 2020 | LINK
Amazon announced DNSSEC support for Route53, which will bring important security controls to how your workloads resolve DNS. DNSSEC is an authentication method which allows for both data origin authentication, and data integrity protection. This ensures that you are resolving DNS queries from a trusted source, and that the information sent has not been modified in transit. This mitigates attacks on your DNS infrastructure, like cache poisoning, where an attacker intercepts and tampers with your DNS requests and returns false information. Such an attack can result in redirecting a user to a fraudulent website hosted at a different IP address. In AWS, DNSSEC for Route53 will provide these DNS security controls, which can help meet compliance objectives, like FedRAMP.