
Application architectures have become more complex over time as applications have spread across different platforms, regions and cloud providers, and sometimes across hybrid architectures spanning your on-premises environment and the cloud. With that, if your applications are not secure, attackers will find ways around your security measures and exploit vulnerabilities to get through your tiered defenses. In today’s world, securing your application perimeter against malicious actors is absolute table stakes for your business, your brand and the trust you build with your clients.

Today, I want to share the top announcements that came out of re:Invent which will further help you secure your applications:
Automatic application layer DDoS mitigation using AWS Shield Advanced
To help customers mitigate DDoS attacks, AWS Shield Advanced now brings automatic application-layer DDoS mitigation for malicious web traffic that threatens to impact application availability. The feature automatically creates, tests, and deploys AWS WAF rules to mitigate layer 7 DDoS events on behalf of customers.
Improved automated cloud vulnerability management, with *new* AWS Inspector
AWS Inspector now provides an automated vulnerability management service that continually scans workloads for software vulnerabilities and unintended network exposure, as opposed to the periodic, manual scans of before. It also automatically discovers all running EC2 instances and ECR repositories. There is much tighter integration with AWS Organizations, improved risk scoring, you no longer need to install the Inspector agent on your EC2 instances, and much more.
Automated Secrets Detector
One of the most well-known security practices is the centralization and governance of secrets, such as passwords, API keys, and credentials. AWS launched a new machine learning-powered ‘secrets detection’ feature that automatically finds confidential system credentials that might be hidden in source code. The new Amazon CodeGuru Reviewer Secrets Detector is an automated tool that helps developers detect secrets in source code or configuration files, such as passwords, API keys, SSH keys, and access tokens.
Securing containers in Amazon ECS from public registries
Until last week, customers had to manually pull container images from public registries into their private Amazon Elastic Container Registry and do the heavy lifting of keeping them in sync, which led to additional operational complexity and increased maintenance costs. AWS has now announced pull through cache repository support in Amazon Elastic Container Registry for publicly accessible registries that do not require authentication. Pull through cache repositories offer developers the improved performance, security, and availability of Amazon Elastic Container Registry for container images that they source from public registries. Images in pull through cache repositories are automatically kept in sync with the upstream public registries, eliminating the manual work of pulling images and periodically updating them.
Simplify access control management for data stored in Amazon S3
This was announced in the storage leadership keynote. A new Amazon S3 Object Ownership setting lets you disable access control lists (ACLs) to simplify access management for data stored in Amazon S3. The Amazon S3 console policy editor now also reports security warnings, errors, and suggestions powered by IAM Access Analyzer as you author your S3 policies.
The new Amazon S3 Object Ownership setting, Bucket owner enforced, lets you disable all of the ACLs associated with a bucket and the objects in it. When you apply this bucket-level setting, all of the objects in the bucket become owned by the AWS account that created the bucket, and ACLs are no longer used to grant access. Once applied, ownership changes automatically, and applications that write data to the bucket no longer need to specify any ACL. As a result, access to your data is based on policies. This simplifies access management for data stored in Amazon S3.
Threat detection for container workloads
AWS doesn’t usually pre-announce its service roadmap on a public stage, but given the ever-increasing need for container security, AWS announced that it plans to launch new threat detection capabilities for container workloads in Q1 2022. Scanning for unusual resource deployments, detecting unintended or malicious configuration changes, and possibly extending the GuardDuty service to EKS logs are some of the things which might currently be in development.
Identify network configurations that lead to unintended network access using Amazon VPC Network Access Analyzer
AWS announced the launch of a new offering, the Amazon VPC Network Access Analyzer, that enables users to identify network configurations that might result in unintended network access. It helps you improve your security posture while still letting you and your organization stay agile and flexible, as opposed to manually checking your network configurations, which is error prone and does not scale. It uses the same automated reasoning technology that already powers some other AWS services.
Region Deny and Guardrails to Help You Meet Data Residency Requirements, using AWS Control Tower
AWS Control Tower can now be used to deploy data residency preventive and detective controls that prevent provisioning in AWS Regions your business does not permit. Using Service Control Policies (SCPs) that are built and managed by AWS Control Tower, content cannot be created or transferred outside of your selected Regions at the infrastructure level.
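To show how such a region-deny SCP behaves before you roll it out, here is an added example (not Control Tower's own policy or code): a constructed, simplified SCP following the deny-everything-outside-approved-Regions pattern, with a small evaluator that models only the IAM grammar this pattern uses. The approved Regions, the exempted global-service actions and the evaluator itself are assumptions for illustration.

```python
import json

# Constructed, simplified region-deny SCP (an assumption, not the exact policy
# Control Tower generates): deny every action unless the request targets an
# approved Region, exempting global services that are not Region-scoped.
REGION_DENY_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideApprovedRegions",
    "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                  "route53:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {
        "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}
  }]
}
""")


def _action_matches(pattern, action):
    # IAM action wildcards: "s3:*" matches "s3:PutObject"; "*" matches all.
    if pattern == "*":
        return True
    svc_p, _, act_p = pattern.partition(":")
    svc, _, act = action.partition(":")
    return svc_p.lower() == svc.lower() and (act_p == "*" or act_p.lower() == act.lower())


def scp_denies(policy, action, requested_region):
    """Return True when a Deny statement in the SCP blocks this request.

    Only the subset of IAM grammar used by the region-deny pattern is modelled:
    Action/NotAction matching and a StringNotEquals on aws:RequestedRegion.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            # NotAction covers every action that is NOT in the list.
            covered = not any(_action_matches(p, action) for p in stmt["NotAction"])
        else:
            acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            covered = any(_action_matches(p, action) for p in acts)
        if not covered:
            continue
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if isinstance(allowed, str):
            allowed = [allowed]
        # No Region condition means the Deny always applies; otherwise it
        # applies only when the request targets a Region outside the list.
        if allowed is None or requested_region not in allowed:
            return True
    return False
```

Running `scp_denies(REGION_DENY_SCP, "ec2:RunInstances", "us-west-2")` reports the request as denied, while the same call for a global IAM action is exempted regardless of Region.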
Secure access to sensitive data
AWS announced new features for providing secure access to sensitive data in the AWS Lake Formation data lake service, with the introduction of row- and cell-level security capabilities. AWS Lake Formation enables the collection and cataloging of data from databases and object storage, but it’s up to users to determine the best way to secure access to different slices of that data. To give customized access to slices of data, users previously had to create and manage multiple copies of the data, keep all the copies in sync, and manage “complex” data pipelines. With the new update, you can enforce access controls on individual rows and cells, making it easier and more secure to give access to your data.