AWS Re:Invent 2022 Security Recap and Top 5 Releases
AWS Re:Invent wrapped up last week. This time of the year tends to be an "early Christmas" for cloud enthusiasts given the sheer number of new AWS releases that get dropped. As awesome as it is, it can be pretty difficult to keep up with everything, especially what's going to be relevant for you. In this blog, we highlight what we think are the top 5 most interesting security announcements, and include a listing of the other security-related announcements below. Enjoy!
Top 5 Most Interesting Announcements
AWS GuardDuty RDS Protection (Preview) and Container Runtime Threat Detection (Coming soon)
Source: GuardDuty RDS Protection Now In Preview and AWS Security Tweet about GuardDuty Runtime Protection
New enhancements to AWS GuardDuty are always exciting, and this Re:Invent brought us two interesting announcements.
GuardDuty for RDS adds two additional finding types related to anomalous login activity, covering both successful and failed logins. Currently only certain versions of RDS Aurora are supported, so take a look here before you get started.
GuardDuty Container Runtime Threat Detection was announced as "Coming Soon" during Adam Selipsky's keynote (see here). With EKS GuardDuty released earlier this year covering malicious activity at the K8s control plane level, detecting malicious activity inside the containers themselves was a natural next step. It will be interesting to see what level of customization this will allow for the detections. Engineers often employ tools like Falco to serve this use case with a full-fledged rules engine, but that requires operational effort. Stay tuned for more!
Amazon Verified Permissions
Source: AWS Announces Amazon Verified Permissions
One of the more surprising releases, Amazon Verified Permissions, is a service to help developers implement authorization mechanisms in custom applications. It saves a development team from having to build a policy/authorization engine when they need to implement access control in their applications. It also appears to be an interesting alternative to something like Open Policy Agent for application authorization use cases, one that doesn't require hosting infrastructure. In short - think of it as your own implementation of AWS IAM, but for your application!
Amazon Verified Permissions policies utilize the Cedar Policy Language. AWS also put out a blog on using the new service: https://aws.amazon.com/blogs/security/get-the-best-out-of-amazon-verified-permissions-by-using-fine-grained-authorization-methods/
Currently, you have to request access to the preview to use it.
VPC Lattice
Source: Introducing VPC Lattice
VPC Lattice (in preview), as described by AWS, seeks to "simplify service-to-service connectivity, security, and monitoring". Taking a deeper look, this seems to almost be an Amazon-managed service mesh style product that is tightly integrated with VPC and IAM. Moving past buzzwords, it provides a few different capabilities. The most interesting of these is the ability to treat various flavors of AWS compute (Lambda, containers, EC2) as "Services", which can then make use of many of Lattice's features, such as routing/traffic policies, and even the ability to apply resource policies to enforce access control on them via AWS IAM. For example - you could enforce that a VPC Lattice service is only accessible by AWS identities in a particular OU of your AWS organization. It also appears to target those wanting to reduce network complexity; from the release blog: "VPC Lattice automatically handles network connectivity between VPCs and accounts and network address translation between IPv4, IPv6, and overlapping IP addresses." This appears to be only scratching the surface of the possibilities with this service - it will be interesting to see how real world implementations play out.
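As an added example (not from the original post or from AWS documentation), here is the shape of a VPC Lattice auth policy that implements the OU restriction described above: it allows the Invoke action only to callers whose organization path falls under one OU, and because aws:PrincipalOrgPaths is a multi-valued key it is matched with ForAnyValue. The organization ID, root ID and OU ID in the path are placeholders you would replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInvokeOnlyFromPlaceholderOU",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "vpc-lattice-svcs:Invoke",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": "o-EXAMPLEORG/r-EXAMPLEROOT/ou-EXAMPLE-PLACEHOLDER/*"
        }
      }
    }
  ]
}
```

Requests to the service must be SigV4-signed for the principal condition to be evaluated; an unsigned request carries no principal, fails the condition, and is denied.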
Security Lake
Source: Introducing Amazon Security Lake (Preview)
Amazon Security Lake is a managed security data lake service that aims to let you centrally aggregate various security-related datasets (both AWS-specific and custom/external sources), control access to them, and automatically transform them into a query-friendly, standard format. Diving a little deeper:
Makes use of the Open Cybersecurity Schema Framework (OCSF), which is a standard schema for common security events. Also worth noting that data is stored in the Parquet file format.
Supports AWS integrations with Security Hub, and a staggering number of third-party integrations, with CrowdStrike, Okta, and Falco to name a few.
Can also collect directly from CloudTrail, Route 53 query logs, and VPC Flow Logs.
Supports rolling up multi-region Security Lakes into a single region.
If you are considering Security Data Lake, it is probably worth paying a visit to the pricing page. The preview period waives costs for the service, and could be a solid way to get an idea of what you would pay running it. It is important to note that while Security Data Lake is free during the preview period (and the eventual 15-day free trial), the underlying AWS services may incur charges (S3, SQS, EventBridge).
Catch Adam Selipsky talking about it during the keynote here for more info!
Inspector support for AWS Lambda
Source: Amazon Inspector Now Scans Lambda Functions For Vulnerabilities
Amazon Inspector now supports scanning Lambda functions for vulnerabilities! This is a very welcome enhancement for scanning deployed Lambda functions for known dependency vulnerabilities. Scans appear to have a few different triggers:
Upon initially enabling Inspector and it discovering new Lambda functions
New deployments and updates of Lambda functions
Inspector adding new CVEs to its database
The documentation also states that Inspector will continuously scan existing Lambda functions even if none of the above are met.
This covers a valuable blind spot for Lambda functions that may go a while without a deploy, or for new CVEs released between deploys. It is also a quick way to get some coverage if you aren't currently doing pipeline scanning.
Releases by category
See below for a more comprehensive list of AWS releases that may be of interest to cloud security pros! We're also including some recent releases from before re:Invent (aka "pre:Invent").
Identity
Payload-based message filtering for SNS
AWS Backup Organizations Delegated Administration
AWS Organizations Delegated Administration
ABAC support for Lambda in GovCloud
Identity Center Session Duration Management for CLI/SDK
CloudFormation support for AWS Organizations OUs, Accounts, Policies
Support for Multiple MFA Devices
Tag Policies Available in GovCloud
Networking
New Service - AWS Verified Access
Cross Account Support for Amazon VPC Reachability Analyzer
CloudFront Supports JA3 Fingerprint Headers
Data Protection
Automated Sensitive Data Discovery
Redaction for Sensitive Data in CloudWatch Logs
EKS/K8s Support for Nitro Enclaves
Redshift support for Lake Formation
Cross Account Support for S3 Access Points
AWS Backup Support for Amazon Redshift
Request Level Information For S3 Access Control Lists in CloudTrail
Security Automation
AWS Config Proactive Compliance
Cross Account Support For Step Functions
CloudTrail Lake Support for AWS Config Configuration Items
Account Customization For Control Tower
Comprehensive Controls Management for Control Tower
Compliance
AWS Backup support for Centralized Reporting Of Your Organization
Vendor Risk Assessments For AWS Marketplace
Happy Building!
The information presented in this article is accurate as of December 05, 2022.
