AWS Re:invent 2017 Recap— the security version
After a long and sleepless 14hrs flight from Melbourne to Los Angeles and a subsequent hour long flight from Los Angeles to Las Vegas. I finally made it to “Sin City”.
This is my first AWS re:invent and I was really excited to meet and hear from other professionals on how AWS has changed their companies for the better. I had a lot of interesting conversations with SaaS providers and other vendors about security in cloud, multi-cloud environments, chaos engineers, security at scale. I can’t wait to put together a talk from my learning and share results from my followup experiments from the learning.
Today however, I want to share a recap from AWS re:invent 2017. I will be focussing only on the security releases from the conference.
Release 1: AWS Private Link
1) AWS Private Link allows an AWS customer to extend a TCP connection (network connectivity) between selected AWS services in an AWS account and
- Other AWS account(s) they own
- AWS account owned by their customer
- AWS account owned by their trusted partner
2) These selected service can made available as a service either directly or in AWS Marketplace.
3) Low latency and fault tolerance communication as the traffic will use the AWS Private network
4) Each connection between the service consumer and service provider will be initiated at the service provider and will need to be accepted by the service consumer.
5) The private link can use the “AWS Direct Connect” to extend services to on-premise networks
6) The service provider can run the service on EC2 instances, ECS containers or even on-premise servers (configured as IP Target)
6) Network Load Balancers will need to be provisioned 1 ENI per availability zone to have high availability within a region.
Source for AWS Private Link & AWS Re:invent Talks
Release 2: AWS GuardDuty
1) A “one-click enable” AWS threat intelligence service.
2) The service uses machine learning to inform customers of any malicious activities in their “single or multi-account AWS structure”
3) The service will need to be enabled on the Master AWS account. All the sub-accounts can be invited at this point to be included in the scans.
4) The service uses VPC Flow logs, CloudTrail logs and DNS logs to detect and report malicious activities in the scanned AWS accounts.
5) The logs are analysed to learn trends, patterns and anomalies that are known malicious patterns.
6) Analysis is performed against industry known threat resources and source provided in partnership with Crowdstrike and ProofPoint.
7) The service covers IT infrastructure only within the AWS accounts which includes, credentials, resources, guest operating systems and application communicating on the AWS account.
8) VPC Flow Logs is not required to be enabled to use this service. AWS will generate VPC logs (if not available) to produce the scan results.
9) The results from GuardDuty can be pushed to AWS CloudWatch Events to trigger AWS Lambda functions to perform specific actions based on the type of the issue discovered by GuardDuty
10) The customer will not notice any drop in performance or reliability of resources, while the service is use.
11) The service is currently available free for the first 30 days.
Source for AWS GuardDuty & AWS Re:invent Talks
Release 3: AWS IoT Device Defender
This service will secure a fleet of IoT devices managed by AWS. The service was announced as part of the next phase of IoT for AWS. The service was announced along with IoT device management and IoT Analytics.
Unlike the other IoT serivces, AWS IoT Device Defender service will be getting released in 2018.
It will have the following features — audit device policies, monitor device behaviour, identify anomalies and out of compliance behaviour and generate alerts.
“Out of band” — security releases
There were a few security releases for some of the well known AWS services:
Release 4:AWS Cognito
AWS Cognito now support for MFA
Release 5:AWS API Gateway
AWS API Gateway now supports private integration to private AWS VPC networks.
Release 6: Amazon FreeRTOS
AWS released it’s own version of IoT microcontroller operating system “that simplifies development, security, deployment, and maintenance of microcontroller-based edge devices.”
Source: Amazon FreeRTOS
Release 7: AWS EC2 Bare instances
This is a new type of instance released, this will be especially interesting for anyone who does forensic analysis in cloud. The service is only in preview mode for the moment.
Release 8: AWS Time Sync Service
The Amazon Time Sync service has been released and it’s free for use. This means the AWS resources can use the local 169.254.169.123 IP address, instead of internet connections to get their server time synched to Amazon time sync service.
Hopefully, this security update from AWS re:invent 2017 was helpful. I will followup with a presentation with any learnings from using the above services.
Did you like the list of security release, do you think I missed something. Leave a comment to let me know your thoughts.