The top 12 security announcements at AWS re:Invent 2021


As the largest cloud provider, Amazon Web Services (AWS) really has only one choice when it comes to security—and that's to approach things "holistically," the company's top cybersecurity executive said this week during AWS re:Invent 2021.

"You don't want to secure just one thing or one edge—or use one technique or one approach," said Stephen Schmidt, chief information security officer at AWS, during a session at the conference in Las Vegas Thursday.

"By using separate—often overlapping—tools and techniques, and different procedures, we build much more robust protections that's resilient to individual faults," Schmidt said. "One of the things that we look for in the internal design of our services is, we never want one security control to be the definitive barrier between adversaries and our services. There must be multiples here. And I encourage you to think the same way."

Top announcements

In that spirit, AWS unveiled new security products and features at re:Invent 2021 to help secure everything from infrastructure to applications to the app development process itself. Key themes included bringing more automation to many security processes, new capabilities to enable secure access to data, enhanced network and IoT security, and improved security for containers.

Security is pivotal in any company's data journey, AWS CEO Adam Selipsky said during his keynote at re:Invent on Tuesday.

"You need to have full control over where your data sits, who has access to it, and what can be done with it at every step," Selipsky said. "AWS knows how critical this is to every customer."

Ultimately, years of advancements in security from both AWS itself and cloud partners now mean that security can actually be more of an asset than a liability in cloud environments, executives from several cloud security firms told VentureBeat this week.

"We're finally moving past the days where security is perceived as a hindrance to cloud adoption," said Glen Pendley, deputy chief technology officer at cybersecurity vendor Tenable, in an email. "It was a huge obstacle years ago when people were trying to force technology that was designed to function on-prem into a cloud environment. Now you are seeing a real shift for security tools to be designed and built as cloud-native."

George Gerchow, chief security officer at Sumo Logic, a cloud log management and monitoring vendor, said he's "seeing security as a huge driver for cloud now—for the first time ever."

In the past, the motives for moving to the cloud have "always been opex cost, end-user experience, being able to deliver a solution to the market faster," Gerchow told VentureBeat. "But now, I do believe that security is a driver for cloud. Because people want to reduce that footprint of what it is they're securing—and focus on the data, focus on the application."

What follows are details on the top 12 security announcements from Amazon Web Services at re:Invent 2021.

Enhanced cloud vulnerability management

AWS used re:Invent to announce several new features for improving and automating the management of vulnerabilities on its platform, in response to evolving security requirements in the cloud.

Newly added capabilities for the Amazon Inspector service will meet the "critical need to detect and remediate at speed" in order to secure cloud workloads, AWS said in a blog post.

In the post about the Amazon Inspector updates, AWS acknowledged that "vulnerability management for cloud customers has changed considerably" since the service first launched in 2015. Among the new requirements are "enabling frictionless deployment at scale, support for an expanded set of resource types needing assessment, and a critical need to detect and remediate at speed," AWS said in the post.

Key updates for Amazon Inspector include assessment scans that are continual and automated — taking the place of manual scans that occur only periodically — along with automated resource discovery.

Using the updated Amazon Inspector will enable auto-discovery and begin a continual assessment of a customer's Elastic Compute Cloud (EC2) and Amazon Elastic Container Registry-based container workloads — ultimately evaluating the customer's security posture "even as the underlying resources change," AWS wrote.

The company also announced a number of other new features for Amazon Inspector, including additional support for container-based workloads, with the ability to assess workloads on both EC2 and container infrastructure; integration with AWS Organizations, enabling customers to use Amazon Inspector across all of their organization's accounts; elimination of the standalone Amazon Inspector scanning agent, with assessment scanning now performed by the AWS Systems Manager agent (so that a separate agent doesn't need to be installed); and enhanced risk scoring and easier identification of the most critical vulnerabilities.

A "highly contextualized" risk score can now be generated through correlation of Common Vulnerabilities and Exposures (CVE) metadata with factors such as network accessibility, AWS said.

Securing containers from public registries

To help development teams that are using containers from publicly accessible registries to secure those containers, AWS announced pull-through cache repository support in Amazon Elastic Container Registry.

The support will "offer developers the improved performance, security, and availability of Amazon Elastic Container Registry for container images that they source from public registries," AWS said in a blog.

"Images in pull-through cache repositories are automatically kept in sync with the upstream public registries, thereby eliminating the manual work of pulling images and periodically updating," the blog said. "Pull through cache repositories provide the benefits of the built-in security capabilities in Amazon Elastic Container Registry, such as AWS PrivateLink enabling you to keep all of the network traffic private, image scanning to detect vulnerabilities, encryption with AWS Key Management Service (KMS) keys, cross-region replication, and lifecycle policies."

Threat detection for container workloads

AWS said it's responding to the growing need for container security with plans to launch new threat detection capabilities for container workloads during the first quarter of 2022.

Schmidt said the company doesn't usually pre-announce features that are still under development. But given the growing importance of container security, the cloud giant is making an exception in revealing its new container threat detection features, he said.

The first new container threat detection features, launching in Q1 of 2022, will involve extending the Amazon GuardDuty threat detection service to Amazon Elastic Kubernetes Service (EKS) audit logs, he said.

"This will provide customers intelligent threat detection for their container workloads — scanning for unusual resource deployments [and] things like malicious configuration changes, or escalation of privilege attempts," Schmidt said.
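To make concrete what "scanning audit logs for unusual deployments and privilege escalation attempts" looks like in practice, here is a small detection pass over Kubernetes audit events. It is an added example written for this piece, not AWS or GuardDuty code: the three rule names and the sample audit events are constructed, and GuardDuty's real finding types and logic are not described on this page.

```python
"""Toy detection pass over Kubernetes audit events of the kind GuardDuty is
described as ingesting from EKS. Added example, not AWS or GuardDuty code;
rule names and the sample events are constructed for illustration."""
import json

# Constructed sample audit events, trimmed to the audit.k8s.io/v1 fields the rules need.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "deploy-bot"},
     "objectRef": {"resource": "deployments", "namespace": "shop"},
     "requestObject": {"spec": {"template": {"spec": {"containers": [
         {"name": "web", "securityContext": {"runAsNonRoot": True}}]}}}},
     "responseStatus": {"code": 201}},
    {"verb": "create", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "clusterrolebindings", "name": "alice-admin"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "User", "name": "dev-alice"}]},
     "responseStatus": {"code": 201}},
    {"verb": "create", "user": {"username": "dev-bob"},
     "objectRef": {"resource": "pods", "namespace": "shop", "name": "dbg"},
     "requestObject": {"spec": {"hostPID": True, "containers": [
         {"name": "dbg", "securityContext": {"privileged": True}}]}},
     "responseStatus": {"code": 201}},
    {"verb": "get", "user": {"username": "system:anonymous"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "responseStatus": {"code": 200}},
    {"verb": "list", "user": {"username": "system:anonymous"},
     "objectRef": {"resource": "pods"},
     "responseStatus": {"code": 403}},
])

# Workload kinds whose request body carries a pod template at spec.template.spec.
WORKLOAD_KINDS = ("deployments", "daemonsets", "statefulsets", "jobs", "replicasets")


def pod_spec_of(event):
    """Return the pod spec carried by a pod or workload request, or {} if none."""
    obj = event.get("requestObject") or {}
    resource = event.get("objectRef", {}).get("resource")
    if resource == "pods":
        return obj.get("spec", {})
    if resource in WORKLOAD_KINDS:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return {}


def check_event(event):
    """Apply the three rules to one audit event; returns (rule, detail) tuples."""
    findings = []
    user = event.get("user", {}).get("username", "")
    verb = event.get("verb")
    ref = event.get("objectRef", {})
    succeeded = event.get("responseStatus", {}).get("code", 0) < 400
    # Rule 1: the anonymous principal was granted a request (a 403 is expected noise).
    if user == "system:anonymous" and succeeded:
        findings.append(("AnonymousAccessGranted", f"{verb} {ref.get('resource')}"))
    # Rule 2: a binding that hands out cluster-admin is a privilege-escalation signal.
    if verb in ("create", "update", "patch") and ref.get("resource") in ("clusterrolebindings", "rolebindings"):
        role = (event.get("requestObject") or {}).get("roleRef", {})
        if role.get("name") == "cluster-admin":
            findings.append(("ClusterAdminBinding", ref.get("name")))
    # Rule 3: unusual deployments: host namespaces or privileged containers.
    spec = pod_spec_of(event) if verb == "create" else {}
    if any(spec.get(k) for k in ("hostPID", "hostNetwork", "hostIPC")):
        findings.append(("HostNamespacePod", ref.get("name")))
    for c in spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(("PrivilegedContainer", c.get("name")))
    return findings


def scan_audit_log(text):
    """Run check_event over newline-delimited JSON audit events."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, detail in check_event(event):
            findings.append({"rule": rule, "user": event.get("user", {}).get("username"), "detail": detail})
    return findings


if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(finding)
```

Run against the constructed log, the pass reports the cluster-admin binding, the host-PID pod, its privileged container, and the successful anonymous read of a secret, while the routine deployment and the denied anonymous list pass silently. A production detector would add baselining (which principals normally create which resources) rather than fixed rules, which is the "intelligent" part Schmidt alludes to.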

Automated secrets detector

At re:Invent 2021, AWS unveiled a new automated secrets detector feature for its Amazon CodeGuru Reviewer tool.

The feature addresses the issue of developers inadvertently committing secrets to source code or configuration files, including passwords, API keys, SSH keys, and access tokens.

The new capability leverages machine learning to detect hardcoded secrets during a code review process, "ultimately helping you to ensure that all new code doesn't contain hardcoded secrets before being merged and deployed," wrote AWS in a blog post.
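The page does not describe how CodeGuru's detector works internally, but the pre-merge check it automates can be illustrated with a pattern-and-entropy scanner of the kind teams wire into a pull-request hook. The following is an added example, not AWS or CodeGuru code: the patterns, the placeholder list and the sample file are constructed (the access key ID in it is the sample value AWS uses in its own documentation, not a live credential).

```python
"""Toy hardcoded-secret scanner in the spirit of the CodeGuru Reviewer feature.
Added example, not AWS code; patterns, placeholder list and sample file are constructed."""
import math
import re

PATTERNS = {
    # AWS access key IDs have a fixed, documented shape: AKIA/ASIA plus 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM private key header (RSA, EC, OpenSSH, or unlabelled).
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic `name = "literal"` where the name suggests a credential and the literal is 8+ chars.
    "assigned_secret": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*["']([^"']{8,})["']"""),
}

# Values that are obviously not real credentials; only applied to the generic rule.
PLACEHOLDERS = ("changeme", "example", "your_", "xxxx", "<", "${")

# Constructed sample: a mixed config fragment with four true findings and two decoys.
SAMPLE_FILE = """\
# constructed sample config fragment
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "hunter2-but-l0nger!"
api_key = os.environ["API_KEY"]
placeholder_secret = "changeme"
ssh_key = "-----BEGIN OPENSSH PRIVATE KEY-----"
token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc123DEF456"
"""


def shannon_entropy(s):
    """Bits per character; random-looking credentials score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text):
    """Return one finding per (line, rule) hit: line number, rule name, entropy of the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "assigned_secret" and any(p in value.lower() for p in PLACEHOLDERS):
                continue  # a documented placeholder, not a leak
            findings.append({"line": lineno, "kind": kind, "entropy": round(shannon_entropy(value), 2)})
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(finding)
```

The environment lookup on line 4 and the "changeme" placeholder on line 5 are deliberately left alone, which is the false-positive trade-off any such check has to make; the entropy value is carried along so a reviewer can triage generic hits (a high-entropy literal assigned to `token` deserves more attention than a dictionary word).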

Secure access to sensitive data

AWS announced new features for providing secure access to sensitive data in the AWS Lake Formation data lake service, with the introduction of row- and cell-level security capabilities.

AWS Lake Formation enables the collection and cataloging of data from databases and object storage, but it's up to users to determine the best way to secure access to different slices of data.

To make that easier, row- and cell-level security capabilities for Lake Formation are now generally available, Selipsky said during a keynote at re:Invent.

To get customized access to slices of data, users have previously had to create and manage multiple copies of the data, keep all the copies in sync, and manage "complex" data pipelines, Selipsky said.

With the new updates, "now you can enforce access controls for individual rows and cells," Selipsky said.

For securing sales data, for instance, rather than creating multiple tables for each sales team and country, "you just define a set of policies that provide access to specific rows for specific users—without having to duplicate data or build data pipelines," he said. "It puts the right data in the hands of the right people—and only the right people."
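Selipsky's sales-data example, worked through locally: one table, several filters, no copies. This is an added example, not AWS or Lake Formation code. The filter dictionaries use the RowFilter, FilterExpression, AllRowsWildcard, ColumnNames and ColumnWildcard field names of Lake Formation's data cells filter as this author understands them, which is an assumption, and the tiny expression parser accepts only `column = 'value'` predicates joined by AND; the sales rows are constructed.

```python
"""Local model of a Lake Formation data cells filter: a row filter expression plus
a column list or exclusion list, applied to one table so that different principals
see different slices without copying data. Added example, not AWS code; field names
follow Lake Formation's data cells filter as assumed here, and the expression parser
accepts only `column = 'value'` predicates joined by AND."""
import re

# Constructed sample table: one sales table shared by several teams.
SALES = [
    {"order_id": 1, "country": "US", "team": "smb", "amount": 120, "customer_email": "a@example.test"},
    {"order_id": 2, "country": "US", "team": "enterprise", "amount": 900, "customer_email": "b@example.test"},
    {"order_id": 3, "country": "DE", "team": "enterprise", "amount": 450, "customer_email": "c@example.test"},
    {"order_id": 4, "country": "DE", "team": "smb", "amount": 80, "customer_email": "d@example.test"},
]

# Constructed filters standing in for the per-principal policies Selipsky describes.
US_SALES_FILTER = {
    "Name": "us-sales",
    "RowFilter": {"FilterExpression": "country = 'US'"},
    "ColumnWildcard": {"ExcludedColumnNames": ["customer_email"]},  # cell-level: hide the PII column
}
DE_ENTERPRISE_FILTER = {
    "Name": "de-enterprise",
    "RowFilter": {"FilterExpression": "country = 'DE' AND team = 'enterprise'"},
    "ColumnNames": ["order_id", "amount"],  # explicit allow-list of columns
}
AUDIT_FILTER = {"Name": "audit", "RowFilter": {"AllRowsWildcard": {}}, "ColumnWildcard": {}}

_PREDICATE = re.compile(r"^\s*(\w+)\s*=\s*'([^']*)'\s*$")


def parse_row_filter(row_filter):
    """Turn a RowFilter dict into a predicate over a row dict."""
    if "AllRowsWildcard" in row_filter:
        return lambda row: True
    predicates = []
    for part in row_filter["FilterExpression"].split(" AND "):
        m = _PREDICATE.match(part)
        if not m:
            raise ValueError(f"unsupported predicate: {part!r}")
        predicates.append(m.groups())
    # Every predicate must hold; values are compared as strings.
    return lambda row: all(str(row.get(col)) == val for col, val in predicates)


def apply_data_filter(rows, data_filter):
    """Return only the rows and columns the filter grants."""
    keep = parse_row_filter(data_filter["RowFilter"])
    allowed = data_filter.get("ColumnNames")
    excluded = set(data_filter.get("ColumnWildcard", {}).get("ExcludedColumnNames", []))
    visible = []
    for row in rows:
        if not keep(row):
            continue
        cols = allowed if allowed is not None else [c for c in row if c not in excluded]
        visible.append({c: row[c] for c in cols})
    return visible


if __name__ == "__main__":
    for f in (US_SALES_FILTER, DE_ENTERPRISE_FILTER, AUDIT_FILTER):
        print(f["Name"], apply_data_filter(SALES, f))
```

The parser rejects anything it does not understand rather than silently granting rows, which is the safe failure mode for an access filter; in the real service the expression language is richer, and enforcement happens in the query engines rather than in application code.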

Amazon WorkSpaces Web

In terms of enabling secure end-user computing, AWS announced general availability for Amazon WorkSpaces Web, described as a "low cost, fully managed WorkSpace built specifically to facilitate secure, web-based workloads."

"WorkSpaces Web makes it easy for customers to safely provide their employees with access to internal websites and SaaS web applications without the administrative burden of appliances or specialized client software," AWS said in a blog post. "With Amazon WorkSpaces Web, corporate data never resides on remote devices. Sites are rendered in an isolated container in AWS, and pixel streamed to the user. The isolated browsing session provides an effective barrier against attacks packaged in web content and prevents potentially compromised end-user devices from ever connecting with internal servers."

Additionally, "every session launches a fresh, always up to date, nonpersistent web browser. WorkSpaces Web supports enterprise controls that allow administrators to set browser policies (e.g., set default home page, bookmarks, enable/disable extensions, allow/deny list specific URLs, or any of Chrome's 300+ policies) and user settings (e.g. clipboard, file transfer, or local printer controls)," the blog says. "When the session is complete, the browser instance is terminated, ensuring sensitive corporate web content is never outside enterprise control."

S3 access management

AWS announced an update for its Simple Storage Service (S3) that aims to simplify access management for S3 data.

A new Amazon S3 Object Ownership setting lets users disable access control lists (ACLs), while the Amazon S3 console policy editor now "reports security warnings, errors, and suggestions powered by IAM Access Analyzer as you author your S3 policies," AWS said in a blog.

The new Amazon S3 Object Ownership setting, called Bucket owner enforced, "lets you disable all of the ACLs associated with a bucket and the objects in it," the blog says. "When you apply this bucket-level setting, all of the objects in the bucket become owned by the AWS account that created the bucket, and ACLs are no longer used to grant access. Once applied, ownership changes automatically, and applications that write data to the bucket no longer need to specify any ACL. As a result, access to your data is based on policies. This simplifies access management for data stored in Amazon S3."

Automatic application-layer DDoS mitigation

For helping customers with the mitigation of distributed denial-of-service (DDoS) attacks, AWS announced an update to AWS Shield, the company's managed DDoS protection service for apps that run on AWS.

The new update brings automatic application-layer DDoS mitigation to AWS Shield Advanced, AWS said.

"This is a new set of capabilities included for all Shield Advanced customers that automatically mitigate malicious web traffic that threatens to impact application availability," the company said in a blog post. "This feature automatically creates, tests, and deploys AWS WAF rules to mitigate layer 7 DDoS events on behalf of customers."

Network address management and auditing

AWS announced network address management and auditing "at scale" with the Amazon Virtual Private Cloud (VPC) IP Address Manager (IPAM).

The new feature "provides network administrators with an automated IP management workflow. IPAM makes it easier for network administrators to organize, assign, monitor, and audit IP addresses in at-scale networks, lowering the management and monitoring burden and eliminating the manual processes that can lead to delays and unintended errors," AWS said in a blog post.
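The "assign, then audit" workflow that an IP address manager replaces manual spreadsheets with can be sketched in a few dozen lines. This is an added example, not AWS or VPC IPAM code: the pool, the allocation names and the "observed" CIDRs are constructed, and the four audit verdicts are this author's labels rather than IPAM's own terminology.

```python
"""Small model of the allocate-and-audit workflow an IP address manager performs:
carve non-overlapping CIDRs from a pool, then compare what is actually deployed
against what was allocated. Added example, not AWS or VPC IPAM code; the pool,
names, observed CIDRs and verdict labels are constructed."""
import ipaddress


class IpPool:
    def __init__(self, cidr):
        self.network = ipaddress.ip_network(cidr)
        self.allocations = {}  # name -> allocated network

    def allocate(self, name, prefixlen):
        """Assign the first /prefixlen block that overlaps no existing allocation."""
        if prefixlen < self.network.prefixlen:
            raise ValueError("requested block is larger than the pool")
        for candidate in self.network.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(a) for a in self.allocations.values()):
                self.allocations[name] = candidate
                return str(candidate)
        raise RuntimeError("pool exhausted")

    def audit(self, observed):
        """Classify CIDRs actually configured (name -> cidr) against the allocations.
        allocated: matches its own record; overlap: collides with another block;
        untracked: inside the pool but never allocated (assigned by hand);
        unmanaged: outside the pool entirely."""
        report = {}
        for name, cidr in observed.items():
            net = ipaddress.ip_network(cidr)
            if not net.subnet_of(self.network):
                report[name] = "unmanaged"
            elif self.allocations.get(name) == net:
                report[name] = "allocated"
            elif any(net.overlaps(a) for a in self.allocations.values()):
                report[name] = "overlap"
            else:
                report[name] = "untracked"
        return report


def demo():
    """Allocate four blocks from a constructed /16, then audit a constructed snapshot."""
    pool = IpPool("10.0.0.0/16")
    assigned = {n: pool.allocate(n, p) for n, p in [("prod", 20), ("staging", 20), ("dev", 24), ("qa", 20)]}
    # Constructed "what is actually deployed" snapshot, including two mistakes and one legacy range.
    observed = {
        "prod": "10.0.0.0/20",
        "shadow": "10.0.16.0/24",     # carved out of staging's block by hand
        "rogue": "10.0.40.0/24",      # inside the pool, but IPAM never handed it out
        "legacy": "192.168.1.0/24",   # outside the managed pool
    }
    return assigned, pool.audit(observed)


if __name__ == "__main__":
    assigned, report = demo()
    print(assigned)
    print(report)
```

Note that `qa` lands on 10.0.48.0/20 rather than 10.0.32.0/20, because the /24 handed to `dev` already sits inside the latter; that is exactly the kind of collision a manual process tends to miss, and the audit surfaces the two hand-assigned ranges that bypassed the pool.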

VPC Network Access Analyzer

AWS announced the launch of a new offering, the Amazon VPC Network Access Analyzer, that enables users to identify configurations that might result in unintended access to the network.

"It will point out ways that you can improve your security posture while still letting you and your organization be agile and flexible," AWS said in a blog post. "In contrast to manual checking of network configurations, which is error-prone and hard to scale, this tool lets you analyze your AWS networks of any size and complexity."

IoT ExpressLink

In the realm of IoT, AWS announced the new IoT ExpressLink offering—"a simple, powerful solution that allows you to easily, quickly develop secure IoT devices," said Michael MacKenzie, general manager for AWS Industrial IoT and Edge, during a session at re:Invent.

"Modules that use AWS IoT ExpressLink make it faster and easier for developers of all skill levels to securely connect almost any device to the cloud and seamlessly integrate with over 200 AWS IoT services, including AWS IoT Core," AWS said in a blog post.

Modules with AWS IoT ExpressLink help overcome the typical challenges faced by developers around the building of IoT devices—including security challenges, AWS said.

"A typical IoT application adds 50,000 (or more) lines of new embedded C code to a project … The challenge is that this increase in code is difficult to manage and maintain while security vulnerabilities are concealed across hundreds of folders and files," AWS said. "AWS IoT ExpressLink helps developers with the complex and security-critical code by packaging it into a single hardware component."

IoT Greengrass secure management

IoT Greengrass is an AWS cloud service for the development, deployment, and management of IoT device software and applications. At re:Invent, AWS announced a new capability for secure management of IoT Greengrass devices via AWS Systems Manager (SSM).

"Managing vast fleets of varying systems and applications remotely can be a challenge for administrators of edge devices," AWS said in a blog post.

In response, the company has integrated IoT Greengrass and SSM "to simplify the management and maintenance of system software for edge devices," the post says. "When coupled with the AWS IoT Greengrass Client Software, edge device administrators now can remotely access and securely manage with the multitude of devices that they own – from OS patching to application deployments. Additionally, regularly scheduled operations that maintain edge compute systems can be automated, all without the need for creating additional custom processes."

Ultimately, for IT administrators, "this launch gives a complete overview of all of their devices through a centralized interface, and a consistent set of tools and policies with the AWS Systems Manager," AWS said.
