All the Security and Compliance Features Announced at AWS Re:Invent 2018

By CloudSploit
4 min read, Dec 2, 2018

Yet another Re:Invent has concluded, leaving behind a trail of announcements, new features, and vendor swag (how many T-shirts can we possibly own?).

Security was a hot topic at this year’s conference; so much so that it was discussed in depth within the first 10 minutes of Andy Jassy’s keynote and numerous times afterwards, as well as during Werner Vogels’ keynote the following day.

A number of new security features, products, and changes were announced that piqued our interests. We’ve summarized our notes from the conference below.

AWS Firecracker

Re:Invent had barely started when AWS dropped one of the more interesting announcements of the week: the open sourcing of the virtualization technology behind AWS Lambda and Fargate that enables true, VM-level isolation of workloads. Unlike Docker, Firecracker runs distinct “micro-VMs” that create fully separate kernels, reducing the attack surface for compromised services.

AWS Blog Post

AWS Well-Architected Tool

Designing a secure, highly-available, compliant AWS application can be difficult. AWS seems to have recognized this and released a tool to help users evaluate their workloads in the areas of operations, security, reliability, performance, and cost efficiency. The Well-Architected Tool is more of a questionnaire with recommendations than the type of managed service that AWS is known for, but it is still a welcome and helpful addition to its product lineup.

AWS Blog Post

AWS Well-Architected Partner Program

To complement the Well-Architected Tool, AWS also announced a program for its APN partners that can be used when evaluating their clients who run workloads on AWS. By training its partners in best practices, AWS exponentially increases the reach of the Well-Architected program.

AWS Blog Post

AWS Control Tower

Many companies use different AWS accounts for different projects, environments, and teams (which is a recommended best practice). A challenge of having so many AWS accounts is that it can be difficult to provision them all with the same settings and configurations. Many organizations have relied on custom-built scripts or even manual setup of new accounts, which is both error-prone and time-consuming. Control Tower allows these organizations to rapidly provision new accounts, pre-configured with operational and security best practices, and then monitor them for configuration drift in the future.

AWS Product Page

AWS Transfer for SFTP

While not directly a security service, AWS Transfer does provide a managed solution for something many users were doing quite insecurely on their own. With Transfer for SFTP, users can now SFTP files directly to and from S3 without having to manage any servers or additional self-deployed infrastructure.

AWS Blog Post

AWS Security Hub

There are many different aspects to security on AWS — the configuration of the AWS environment itself (something CloudSploit focuses on), firewalls, application security, network security, etc. AWS also has numerous security or configuration products, including CloudTrail, ConfigService, VPC Flow Logs, and Macie. In addition, there are thousands of third-party vendors, each of which produce their own security findings. Security Hub aims to be an aggregator of all of these products, allowing users to import and analyze the findings from many sources to quickly find security risks within their environments.

AWS Blog Post

KMS Custom Key Store

Users who have strong compliance requirements around key storage can now use KMS Custom Key Store to manage their own keys while still utilizing KMS features and integrations. Using CloudHSM and a custom key storage location, users can guarantee that only they have access to the key material used to encrypt their data.

AWS Blog Post

S3 Object Lock

One critical aspect of compliance is data retention. Previously, when objects were stored in AWS S3, any user with access could delete them. S3 Object Lock allows you to specify a bucket-wide retention policy that prevents objects from being deleted or overwritten during the retention period.

AWS Product Page
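As an added illustration (not code from the original post or from CloudSploit’s product), here is the kind of configuration check an auditing service could run against a bucket’s Object Lock settings. The dict shape follows the S3 GetObjectLockConfiguration API response; the bucket names, sample configurations and the 30-day minimum retention are constructed assumptions.

```python
"""Audit S3 Object Lock default retention (hypothetical CloudSploit-style check)."""
from typing import Optional, Tuple

# Input shape: the 'ObjectLockConfiguration' dict returned by
# boto3's s3.get_object_lock_configuration(Bucket=...), or None when the
# call raises ObjectLockConfigurationNotFoundError (lock never enabled).


def evaluate_object_lock(config: Optional[dict], min_days: int = 30) -> Tuple[str, str]:
    """Return (status, message) for one bucket; status is PASS, WARN or FAIL."""
    if not config or config.get("ObjectLockEnabled") != "Enabled":
        return "FAIL", "Object Lock not enabled; objects can be deleted or overwritten"
    retention = config.get("Rule", {}).get("DefaultRetention")
    if not retention:
        return "FAIL", "Object Lock enabled but no bucket-wide default retention"
    # Retention is given as Days or Years (never both); a year is 365 days here.
    days = retention.get("Days", 0) or retention.get("Years", 0) * 365
    if days < min_days:
        return "FAIL", f"default retention of {days} days is below the required {min_days}"
    if retention.get("Mode") == "GOVERNANCE":
        # GOVERNANCE can be bypassed by principals holding s3:BypassGovernanceRetention.
        return "WARN", f"{days}-day GOVERNANCE retention is bypassable by privileged users"
    return "PASS", f"{days}-day COMPLIANCE retention; no deletion until it expires"


# Constructed sample responses (assumed bucket names, not from a real account).
SAMPLE_CONFIGS = {
    "logs-archive": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}},
    "staging-data": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 1}}},
    "scratch": {"ObjectLockEnabled": "Enabled"},
    "legacy": None,
}


def audit(configs: dict) -> dict:
    """Evaluate every bucket and return {bucket: (status, message)}."""
    return {bucket: evaluate_object_lock(cfg) for bucket, cfg in configs.items()}


if __name__ == "__main__":
    for bucket, (status, message) in audit(SAMPLE_CONFIGS).items():
        print(f"{status:4} {bucket}: {message}")
```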

The CloudSploit team had an amazing time at Re:Invent. Besides the above security and compliance-focused solutions, AWS announced scores of other products and features that we’ll be evaluating for inclusion in our security auditing service. We’re looking forward to next year’s conference!
