My Security Takeaways @ re:Invent 2019

Darpan Shah
Dec 10, 2019


I had the chance to attend AWS' annual learning conference, re:Invent, this year in Las Vegas, NV, where the cloud computing giant brought together more than 65,000 IT professionals from across the global cloud community. The five-day conference had more than 2,500 sessions, workshops and chalk talks discussing all things cloud, ranging from the basics of compute and storage to the latest advancements in quantum computing and security.

One of my favorite sessions from the conference was the Leadership: Cloud Security session delivered by Steve Schmidt, CISO of AWS. He laid out some of the essential tasks that Security Teams should focus on that I thought were really spot on.

Slide from Leadership: AWS Security

There were multiple new product announcements and feature updates around these areas throughout the conference. Here are some of the top security-related features that caught my attention over the week:

1. Amazon Detective — Makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities within your cloud environment. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables users to easily conduct faster and more efficient security investigations.

Amazon Detective can analyze trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of resources, users, and the interactions between them over time. With this unified view, users can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.
Source: aws.amazon.com

This seems to be a product that emerged from AWS' acquisition of SQRRL in early 2018. Currently, the service is in open preview, and you can sign up to access the preview here.

2. IAM Access Analyzer — IAM Access Analyzer generates comprehensive findings that identify resources that can be accessed from outside an AWS account, by evaluating resource policies using mathematical logic and inference to determine the possible access paths allowed by the policies. The service uses Automated Reasoning (an area of cognitive science that automates different aspects of reasoning related to mathematics and formal logic) to comprehensively summarize which resources grant public or cross-account access. The service is one step ahead of Zelkova, and shows who has access to what. This is now Generally Available and you can start using it at no extra cost.

Source: aws.amazon.com

Limitations: Access Analyzer is currently limited to the Amazon S3, AWS IAM, AWS KMS, Lambda and SQS services. Access Analyzer analyzes only policies applied to resources in the same AWS Region in which it is enabled. To monitor all resources in your AWS environment, you must create an analyzer in each Region where you use supported AWS resources.

3. AWS KMS Asymmetric Keys — Users can now create, manage, and use asymmetric (public/private) key pairs to protect their application data using Key Management Service (KMS), and use them for digital signing. This feature is Generally Available and you can start using it today.

AWS KMS Console

4. AWS Managed Rules for WAF — An update to the WAF service was announced a week before re:Invent and was demoed at the event. WAF v2 now includes managed rule groups maintained by the AWS Threat Research Team, including rules that block known malicious actors such as botnets. WAF v2 also introduces enhanced API operations and increases the limit on Web ACL rules to 1500.

5. AWS SSO with Azure AD — This is another service that was announced a few days before re:Invent and was demoed at the conference. It enables enterprises that use Azure AD to leverage their existing identity store with AWS Single Sign-On, including automatic synchronization of user identities and groups. Role-based access control used on premises can also be translated to Attribute-Based Access Control (ABAC) when using identity federation with Azure.

6. Amazon S3 Access Points — This is a new S3 resource type that simplifies access control for shared buckets accessed by multiple teams within an organization. A bucket can have multiple access points, and each access point has a unique hostname and a dedicated access policy that describes how data can be accessed through that endpoint. Each access point gets its own hostname, ARN and IAM resource policy.

source: aws.amazon.com

Hostname: myap-123456789012.s3-accesspoint.us-west-1.amazonaws.com
ARN: arn:aws:s3:us-west-1:12345689012:accesspoint/myap
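An added illustration (not AWS code) of the question Access Analyzer answers for S3, applied to the access point model above: which Allow statements in a resource policy are reachable from outside the account? The bucket policy, access point policy, account ID and role name are constructed samples; the checker only recognises `s3:DataAccessPointAccount` and `aws:PrincipalAccount` as account-scoping conditions and ignores Deny statements.

```python
ACCOUNT = "123456789012"  # constructed sample account id, not a real one

# Bucket policy that delegates access control to the bucket's access points.
# Principal "*" looks public, but the condition limits callers to access
# points owned by this account, so nothing is reachable from outside.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DelegateToAccessPoints", "Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}}}]}

# Access point policy: one role in the same account may read objects through
# the access point; objects are addressed under the access point ARN.
ACCESS_POINT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AnalyticsRead", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/analytics"},
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:us-west-1:{ACCOUNT}:accesspoint/myap/object/*"}]}

# Condition keys this check accepts as pinning a "*" principal to one account.
SCOPING_KEYS = ("s3:DataAccessPointAccount", "aws:PrincipalAccount")

def _principals(stmt):
    """Flatten the Principal element into a list of "*" or AWS principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def _scoped_to(stmt, account):
    """True if a StringEquals condition pins the statement to `account`."""
    eq = stmt.get("Condition", {}).get("StringEquals", {})
    return any(eq.get(k) == account for k in SCOPING_KEYS)

def external_access(policy, account):
    """Return (Sid, reason) for Allow statements reachable from outside `account`."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            if principal == "*":
                if not _scoped_to(stmt, account):
                    findings.append((stmt.get("Sid"), "public"))
            else:  # ARN principals carry the account in field 4; bare ids are the account
                owner = principal.split(":")[4] if principal.startswith("arn:") else principal
                if owner != account:
                    findings.append((stmt.get("Sid"), f"cross-account {owner}"))
    return findings

if __name__ == "__main__":
    for name, pol in (("bucket", BUCKET_POLICY), ("access point", ACCESS_POINT_POLICY)):
        print(name, external_access(pol, ACCOUNT) or "no external access")
```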

7. VPC Ingress Routing — Users can now associate route tables with an internet gateway or virtual private gateway, and redirect Amazon VPC traffic through third-party virtual appliances in their VPC.

Source: AWS Ingress Routing Blog Post

8. AWS Transit Gateway Inter-Region Peering — AWS Transit Gateway now supports the ability to establish peering connections between Transit Gateways in different AWS Regions. This enables customers to extend this connectivity and build global networks spanning multiple AWS Regions. Traffic using inter-region Transit Gateway peering always stays on the AWS global network and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks. Inter-region Transit Gateway peering encrypts inter-region traffic with no single point of failure.

Limitation: Inter-region Transit Gateway peering is available in US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), and EU (Frankfurt) AWS Regions.

9. AWS Transit Gateway Network Manager — AWS Transit Gateway Network Manager provides a single global view of an organization's private network, including Transit Gateways and on-premises network devices, using SD-WAN devices from supported partners. It provides a single view for centralized network monitoring, global network visibility and SD-WAN integration.

Source: aws.amazon.com

10. AWS Nitro Enclaves — Enclaves are virtual machines attached to EC2 instances that come with no persistent storage, no administrator or operator access, and only secure local connectivity to your EC2 instance. This allows users to create isolated compute environments to further protect and securely process highly sensitive data within Amazon EC2 instances, including cryptographic attestation for any proprietary software as well as integration with AWS KMS.

11. Graviton v2 Processor — This is the next generation of the Graviton processors currently powering the Amazon EC2 A1 instances. The newer version powers Amazon EC2 M6g, C6g and R6g instances to provide 7x performance, 4x the number of compute cores, 2x larger caches, and 5x faster memory compared to the first-generation Graviton processors. This comes in addition to always-on 256-bit DRAM encryption and 50% faster per-core encryption performance compared with the first-generation Graviton processors.

12. Amazon CodeGuru — CodeGuru Reviewer uses program analysis combined with machine learning models trained on millions of lines of Java code from the Amazon code base and other sources. It provides intelligent recommendations to improve application performance, efficiency and code quality in Java applications. It can integrate with code repositories such as GitHub and CodeCommit, evaluate code on every pull request, and check for critical defects such as data leaks, concurrency issues, and inefficient use of AWS resources. It suggests changes to specific lines of code to remediate the defects.

I will update this post as I use and implement these services in the near future.