Some thoughts on security announcements to date at AWS re:Invent
Watching Werner Vogels’ Keynote
In this post I’m just compiling some of the security announcements at AWS re:Invent. I’ll have to go back and take a look at them more in detail later as, unfortunately and fortunately, someone hired me to teach a class during re:Invent.
Not sure when I will get out to speak at a large conference again but I try to keep tabs on what people are talking about based on the information I find online. These days I tend to prioritize what drives business and makes money to be honest, as I’m traveling less. But I miss seeing friends at re:Invent very much!
Here’s my initial reaction to the announcements but again, without all the details and it is a woman’s prerogative to change her mind. 🙂
VPN-less Secure Network Access to Corporate Applications
Many solutions are taking different approaches to remote access. There are a lot of solutions trying to connect people at the application layer, rather than the network layer in the OSI model. Some are interesting, others not so much. Without diving into the solution here is what you want to ask:
If someone obtains your credentials or an active session, can they use it from an alternate network location to get to the host where you ultimately are logged into and working? If so, it is an identity solution, not a network solution.
Does the encryption used to connect to the remote host encrypt all network traffic to the remote host or only traffic on a particular protocol? As I’ve written about before, some VPNs are better than others in that regard (SSL vs. IPSEC).
Does the solution allow you to inspect all network traffic — accepted, rejected, or failed — on all ports between the remote host and the target endpoint?
Can you see full packets? Some attacks below the application layer in the OSI Model may not be visible if you can’t see all those network packet details, as I have explained in other posts.
When someone connects to the remote endpoint, is that remote endpoint accessible via the Internet to others? When you connect to a VPN, the VPN endpoint is exposed, but no hosts within the network are if you are not connected to the VPN. I once performed a penetration test where one of the objectives was to see if the bastion host was vulnerable. I essentially reverse engineered the fact that the bastion host was behind a VPN, so the only way it would be vulnerable is if I could first break through the VPN. That’s what a VPN does for you. When hosts are exposed directly to the Internet with no layer between, they are open to direct attack from the Internet.
Can you manage all the access from one point or do you have to manage each and every host exposed to the Internet for remote access individually? If you cannot manage them centrally then you’ve exponentially increased management and risk. Errors and misconfigurations represented 13% of security incidents in the 2022 Verizon Data Breach Report, so you want to reduce the chance of misconfiguration by reducing what you have to manage.
A VPN does that (and so does the automation I wrote about here for per-user instances that use a single script for deployment to a certain extent — there are pros and cons to that approach vs. VPN but better than exposing every host to the Internet). I presume this new service is a centralized solution but I haven’t looked into it.
If this new solution meets all of the above criteria then it may be a VPN replacement. Most of the time when companies advertise a solution as a VPN replacement they aren’t really, but maybe Amazon has cracked that nut with this new service.
In terms of the new application-based security approaches one interesting thing about them is that when someone connects to an application, they can’t “scan the network” in the traditional sense with a tool like nmap. I haven’t inspected this yet to see if it is that type of solution or something else.
VPC Lattice
This looks very interesting if it can help to set up a zero-trust network for service to service communication. I’ve been writing about serverless networking in my latest blog series on automating cybersecurity metrics and this service may help. I’ll have to check it out. For people who are just getting started building applications, serverless is easier than all the configuration you need to do to set up Kubernetes or even EC2. The related networking, not so much. Maybe this will help.
Again, you’ll want to verify that it meets the same network requirements as the VPN above to determine if it is truly a network solution, or an identity solution.
AWS KMS External Key Store
This service looks great for organizations that need to host keys on premises but want to integrate with KMS. Sometimes customers want to control their own key or they need the key to be accessible in a private network and on AWS (though I wouldn’t be too excited about latency potentially in that case). This may help some larger organizations with compliance restrictions or high-security needs.
Announcing AWS KMS External Key Store (XKS) | Amazon Web Services
AWS Inspector — Lambda Vulnerability Scanning
Awesome. You’ll need to take a look at the particular programming languages and vulnerabilities it finds but this is great news! I’ll definitely be trying it out.
Amazon Inspector Now Scans AWS Lambda Functions for Vulnerabilities | Amazon Web Services
Automated Data Discovery for Macie
Macie’s automated data discovery aims to help you find sensitive data in S3 buckets where you might not be aware it exists. As with data exfiltration tools, I presume it will need to be monitored and tuned for false positives. Data exfiltration and identifying sensitive data are always challenging. I often have Burp identifying random strings as credit cards, for example, on penetration tests that are not really credit cards. Be prepared to invest the resources to manage this tool but it should be able to help you find your sensitive data and lock it down.
Automated Data Discovery for Amazon Macie | Amazon Web Services
Amazon Verified Permissions
Amazon calls this new feature:
a scalable, fine-grained permissions management and authorization service for custom applications
If it’s what I think it is I once wrote something like this. We had a central automation service that read in configuration files and allowed or disallowed actions based on configuration files written by developers. The developers didn’t have to write the code to authorize actions but rather define the allowed actions for a particular user type.
It also sounds similar to Open Policy Agent (OPA) which came out later and is a concept I really like. I’ll have to try it out to see if it is what it sounds like.
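To make the idea concrete (developers declare allowed actions per user type in a configuration file; one shared authorizer enforces it), here is an added example that is not code from the original post, from Amazon Verified Permissions, or from OPA. The policy format, role names and the "owner" condition are my own hypothetical constructions; the evaluation order (explicit deny first, then allow, otherwise deny) is the property worth copying.

```python
import json

# Constructed policy in a hypothetical JSON format (not Verified Permissions'
# or OPA's own syntax). Developers write this; the shared authorizer below
# reads it, so no application has to code its own permission checks.
POLICY_JSON = """
{"roles": {
  "viewer":  {"allow": [{"action": "read", "resource": "report"}]},
  "analyst": {"inherits": ["viewer"],
              "allow": [{"action": "create", "resource": "report"},
                        {"action": "update", "resource": "report", "condition": "owner"}]},
  "admin":   {"inherits": ["analyst"],
              "allow": [{"action": "*", "resource": "*"}],
              "deny":  [{"action": "delete", "resource": "audit-log"}]}
}}
"""


def load_policy(text):
    return json.loads(text)["roles"]


def _rules(roles, role, kind, seen=None):
    """Collect a role's allow or deny rules, following 'inherits' links."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return []
    seen.add(role)
    out = list(roles[role].get(kind, []))
    for parent in roles[role].get("inherits", []):
        out += _rules(roles, parent, kind, seen)
    return out


def _matches(rule, action, user, resource):
    if rule["action"] not in ("*", action):
        return False
    if rule["resource"] not in ("*", resource["type"]):
        return False
    if rule.get("condition") == "owner":      # only the resource owner qualifies
        return resource.get("owner") == user["id"]
    return True


def is_allowed(roles, user, action, resource):
    """Deny by default; an explicit deny beats any allow, inherited or not."""
    for kind, result in (("deny", False), ("allow", True)):
        for rule in _rules(roles, user["role"], kind):
            if _matches(rule, action, user, resource):
                return result
    return False
```

Because the policy is data, changing who may do what is a config review rather than a code change in every application, which is the property the post describes.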
AWS announces Amazon Verified Permissions (Preview)
Automated in-AWS Failback for AWS Elastic Disaster Recovery
This new feature looks interesting. Will have to see if it helps with ransomware.
Automated in-AWS Failback for AWS Elastic Disaster Recovery | Amazon Web Services
Backup for CloudFormation Stacks
This also looks pretty interesting. Looking forward to trying it out.
New for AWS Backup – Protect and Restore Your CloudFormation Stacks | Amazon Web Services
Redshift Backup
Helpful for those using Redshift to restore when needed.
New – Amazon Redshift Support in AWS Backup | Amazon Web Services
New — Failover Controls for Amazon S3 Multi-Region Access Points
Another service to check out and test for those creating automated failover in case of an AWS outage or security incident. When S3 has issues, many applications have issues. Failover with S3 can be challenging. Hopefully this makes it easier.
New – Failover Controls for Amazon S3 Multi-Region Access Points | Amazon Web Services
Amazon Security Lake
Security Lake stores security data using the OCSF (Open Cybersecurity Schema Framework) standard. This is definitely something for security folks to check out who have to deal with all the security logs in an organization. If you get in on the preview, you may be able to provide valuable feedback to help drive changes in the right direction to meet your needs.
Config Rules — Proactive Compliance
Proactive is better than reactive. This is definitely worth checking out. In an environment where I worked, a network compliance tool would revert a non-compliant change within three minutes. And that was all the time someone — on the security team — needed to open up access to his instance and make a configuration change he needed. When I confronted him about it he said it was a “dumb tool.” It wasn’t, but it shows the need to prevent the change if possible, rather than react after it’s too late.
New – AWS Config Rules Now Support Proactive Compliance | Amazon Web Services
Control Tower — Comprehensive Controls Management
Control Tower is such a needed service but as I’ve written before some things are a bit challenging when you try to use and maintain it. But the concept is on point and I’m excited to check this out.
New for AWS Control Tower – Comprehensive Controls Management (Preview) | Amazon Web Services
Amazon EventBridge Pipes
This is not exactly a security feature, but if it helps improve consistency and reduce complexity through abstraction it may help the overall security at an organization when connecting services in an asynchronous manner.
Wickr — End to End encryption for communication services
There it is! I was just looking for more information on end-to-end encryption in my last blog post on Amazon Chime. Based on the documentation, it is not clear that Chime’s communication is actually encrypted end to end. I’m not sure whether Amazon Chime uses this service or is end-to-end encrypted based on what I found, but if you need end-to-end encryption this service may help, because it clearly is.
New — Amazon ECS Service Connect Enabling Easy Communication Between Microservices
This service sounds similar to Lattice (above) but for ECS.
CloudWatch Logs Data Protection
Appears to detect sensitive data in logs. Definitely worth a look.
Protect Sensitive Data with Amazon CloudWatch Logs | Amazon Web Services
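Both this feature and Macie’s automated discovery (above) run into the false-positive problem noted under Macie: random digit strings that merely look like card numbers. This added example, which is not AWS’s code or the post’s own, shows two cheap checks a detector can apply before raising a finding, a Luhn checksum and an issuer-prefix/length check, and masks what survives; the sample log lines, regex and brand table are my own constructions.

```python
import re

# Constructed sample log lines (not from the original post). Lines 0 and 2
# hold well-known Luhn-valid test card numbers; lines 1 and 3 hold 16-digit
# identifiers that a naive "16 digits" pattern would flag as cards.
SAMPLE_LOGS = [
    "2022-12-01T10:00:00Z INFO checkout card=4111111111111111 amount=12.50",
    "2022-12-01T10:00:01Z INFO request_id=1234567890123456 path=/orders",
    "2022-12-01T10:00:02Z DEBUG trace 5500 0000 0000 0004 via gateway",
    "2022-12-01T10:00:03Z INFO session=9876543210987654 user=alice",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Issuer prefixes and valid lengths (Visa, Mastercard, American Express).
BRANDS = [
    (re.compile(r"^4"), {13, 16, 19}),
    (re.compile(r"^(5[1-5]|222[1-9]|22[3-9]\d|2[3-6]\d\d|27[01]\d|2720)"), {16}),
    (re.compile(r"^3[47]"), {15}),
]


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(candidate: str) -> str:
    """Return 'card', 'luhn-fail' or 'brand-fail' for one digit run."""
    digits = re.sub(r"[ -]", "", candidate)
    if not luhn_valid(digits):
        return "luhn-fail"
    if not any(p.match(digits) and len(digits) in lens for p, lens in BRANDS):
        return "brand-fail"
    return "card"


def scan_logs(lines):
    """Return (line_index, masked_number) for each likely card number."""
    findings = []
    for idx, line in enumerate(lines):
        for m in CANDIDATE.finditer(line):
            if classify(m.group(0)) == "card":
                digits = re.sub(r"[ -]", "", m.group(0))
                findings.append((idx, "*" * (len(digits) - 4) + digits[-4:]))
    return findings
```

The two checks are not a substitute for tuning a managed detector, but they show why a raw digit-count match alone produces the kind of noise described above.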
CloudWatch Cross-Account Observability
I wrote about some issues with cross-account logging for KMS. I think this is going to be a very, very useful feature and hope to try it out and possibly blog about it later in my latest blog series where I’m building out a cloud security architecture for batch jobs (and really anything else).
New – Amazon CloudWatch Cross-Account Observability | Amazon Web Services
Container Runtime Threat Detection in GuardDuty
This was announced in the AWS keynote by Adam Selipsky. Not seeing it yet in the AWS news announcements but I found this post from November.
I wrote about that and some other security related features here after watching the AWS keynote.
A Few Highlights from Amazon re:Invent 2022
I might have missed something and there’s a bit more to go at AWS re:Invent. I’ll update this post if I see anything new.
Teri Radichel
© 2nd Sight Lab 2022
Security Announcements at AWS re:Invent 2022 was originally published in Cloud Security on Medium, where people are continuing the conversation by highlighting and responding to this story.