AWS re:Invent 2019: Security Announcements Recap — including updates that were not called security updates but you should know about

A recap of all the cloud security updates announced by the service provider at AWS re:Invent 2019 in Las Vegas (#reinvent), including region availability and current limitations.

AWS is the oldest public cloud service provider and, compared to Microsoft Azure and Google Cloud, probably the one with the largest application workload. Its yearly conference, AWS re:Invent, is definitely the event of the year for all consumers of its services. Last year, 70 new products were announced at AWS re:Invent 2018. The expectation was that the number would be higher this year, since there are now about 165 services and products being served on the AWS platform.

NOTE: This blog only covers the security product announcements from the event; there are plenty of other sources where you can find broader coverage of all the announcements. All the updates from AWS re:Invent can be found here.

This blog is divided into 3 categories to cover the types of releases from the event, and includes region availability, service GA status and, where relevant, a use case for the release.

  • AWS Security Product Release — new security products from AWS
  • AWS Security Products Updates — new features to existing security products
  • AWS Security features to existing products — security features to existing products

Let’s go:

NOTE: Services in preview mode, i.e. not available to all AWS customers, are marked as (Preview). There is limited information on these services because they are gated. If you would like to try any of them, contact your AWS Account Manager to get access for testing while the service is in preview mode.

AWS Security Product Release

  • IAM Access Analyzer:
    This is a region-based service which continuously monitors and analyzes permissions granted using policies associated with your Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions. It uses algorithms created by the “automated reasoning” team in AWS, which allow it to detect permissions that grant public or cross-account access. Full video here.
    Region Availability: Available in all AWS commercial regions including AWS GovCloud (US).
    Use Case:
    Saves time scavenging for possibly over-privileged permissions.
  • AWS Detective (Preview)
    Amazon Detective will help you analyze and visualize trillions of events from multiple data sources to quickly identify the root causes of potential security issues or suspicious activities. It automatically collects log data from your AWS resources, like CloudTrail logs, VPC Flow Logs and Amazon GuardDuty findings, and uses machine learning, statistical analysis, and graph theory to build a linked set of data that will accelerate your security investigation. The only limitation so far: it is yet another service for triaging and collecting AWS logs, in addition to AWS Security Hub.
    Region Availability: US-East (N. Virginia), US-East (Ohio), US-West (Oregon), EU (Ireland), and Asia Pacific (Tokyo)
    Use Case: Triage Security Findings, Incident Investigation, Threat Hunting
  • AWS Nitro Enclaves (Preview)
    This service is an EC2 instance capability that lets you create isolated compute environments to protect and securely process highly sensitive data such as PII, health and financial data within your Amazon EC2 instances. Nitro Enclaves uses Nitro Hypervisor technology to provide CPU and memory isolation for EC2 instances. No limitations stood out for the preview mode. Comment below if you know of any.
    Region Availability: Information available early next year
    Use Case: Additional Isolation and security for highly sensitive data, cryptographic attestation of the origin, Flexibility with resource allocation of CPU cores and memory.
  • Amazon CodeGuru (Preview)
    It’s a “machine learning” service for automated code review and application performance profiling. The service only supports Java for the moment, and fixes code issues like resource leaks, potential concurrency race conditions, and wasted CPU cycles at low on-demand pricing. It has the potential to do secure code reviews similar to what GitHub and some other SVN services are doing.
    Region Availability: US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), and Asia Pacific (Sydney)
    Use Case: Reduce code performance issues; the model is built on years of Amazon code, so “It’s like having a distinguished engineer on call, 24x7”; low-cost investment to catch an expensive line of code.
  • Amazon Fraud Detector (Preview):
    Amazon Fraud Detector is a fully managed service that makes it easy to identify potentially fraudulent online activities such as online payment fraud and the creation of fake accounts. No limitations stood out for the preview mode. Comment below, if you know of any.
    Region Availability: US East (N. Virginia)
    Use Case:
    This service does the machine learning heavy lifting to create a fraud detection model based on your existing historical fraud data, using pre-built fraud detection model templates.
  • AWS Local Zones (Preview)
    AWS Local Zones are a new type of AWS infrastructure deployment that places AWS compute, storage, database, and other select services closer to large population, industry, and IT centers where no AWS Region exists today. AWS Local Zones provide a high-bandwidth, secure connection between local workloads and those running in the AWS Region.
    Region Availability: This service is available by invitation only, and currently only in Los Angeles.
    Use Case: Low-latency applications; flexibility and scalability of AWS infrastructure with AWS APIs for local locations with no AWS region

AWS Security Products Updates

  • AWS WAF vs WAF Classic
    With the release of managed AWS WAF rules last month, the AWS WAF as we all knew it until now has become AWS WAF Classic, similar to what happened with AWS ELBs in the past. The new and shiny AWS WAF allows for AWS Managed WAF rule groups while continuing to support the previous WAF model. Bonus point: no additional cost for using an AWS Managed rule group, unlike an “AWS partner” managed rule group.
    Region Availability:
    All regions.
    Use Case:
    Same use cases as before for AWS WAF Classic.

AWS Security features to existing products

  • Amazon VPC Ingress Routing
    AWS now allows you to associate route tables with the internet gateway and virtual private gateway, and redirect incoming and outgoing Amazon Virtual Private Cloud (Amazon VPC) traffic through virtual appliances in your VPC. As with VPC, there are no additional charges for this service.
    Region Availability: All regions.
    Use Case:
    Inspecting VPC traffic with a virtual appliance; fine-grained network and security policies for each workload
  • Access Analyzer for AWS S3:
    This service monitors and evaluates bucket access policies and alerts on a bucket that is configured to allow access to anyone on the internet or that is shared with other AWS accounts. It shares insights, or ‘findings’, into the source and level of public or shared access so that you can discover and swiftly remediate buckets with potentially unintended access.
    Region Availability:
    All regions, except the AWS China (Beijing) Region and the AWS China (Ningxia) Region.
    Use Case:
    Swift remediation of potential malicious changes to S3 bucket policies
  • AWS S3 Access Points:
    With S3 Access Points, you can easily create hundreds of access points per bucket to simplify managing data access at scale for shared data sets on Amazon S3.
    Region Availability: All regions
    Use Case: Limit access of large data sets to specific Account IDs, Limit access of large data sets to specific VPCs.
  • Next-Generation ARM based AWS Graviton2 processor with memory encryption (Preview)
    This new processor, powering the C6g, M6g and R6g instance types, comes with always-on, fully encrypted DDR4 memory to further enhance security, and 50% faster per-core encryption performance.
    Region Availability:
    No information on this when I checked last.
    Use Case:
    Building Arm-based applications in the cloud which require a lot more compute/memory juice.
  • Amazon EventBridge Schema Registry (Preview):
    This service provides a central location for schema definitions for an event-driven architecture built on EventBridge (the serverless event bus service from AWS).
    Region Availability:
    US East (Ohio), US West (Oregon), US East (Northern Virginia), Asia Pacific (Tokyo), and Europe (Ireland) Regions
    Use Case:
    Schema definition for security events being monitored or analyzed.
  • AWS Transit Gateway — Network Manager :
    Network Manager is a free service that reduces the operational complexity of managing a global network across AWS and on-premises. With Network Manager, you set up a global view of your private network simply by registering your Transit Gateways and on-premises resources. Your global network can then be visualized and monitored via a centralized operational dashboard. Additional cost to consider — the network resources you use, like Transit Gateways, VPNs, and so on.
    Region Availability: US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon), Europe (Ireland), Europe (Frankfurt), Europe (London), Europe (Paris), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Sydney), Asia Pacific (Mumbai), Canada (Central), South America (São Paulo).
    Use Case: Operations teams managing a global AWS network and on-premises environment.
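
The kind of finding described above for IAM Access Analyzer and Access Analyzer for S3 (public or cross-account access granted by a resource policy), reduced to a simple heuristic over a policy document. This is an added example, not AWS's automated-reasoning implementation and not code from the original post; the `analyze` function, the list of scoping condition keys, the account IDs, bucket name and VPC ID are assumptions made for illustration.

```python
import re

# Condition keys treated as narrowing a wildcard principal (assumption: values are not checked).
SCOPING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:principalorgid", "aws:sourceaccount"}
ACCOUNT_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(stmt):
    """Return the wildcard and AWS principals of a statement as strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):               # "Principal": "*"
        return [principal]
    return _as_list(principal.get("AWS", []))    # Service/Federated are skipped

def _is_scoped(stmt):
    """True only for a plain StringEquals on a scoping key (not negated, not IfExists)."""
    for operator, block in stmt.get("Condition", {}).items():
        if operator == "StringEquals" and any(k.lower() in SCOPING_KEYS for k in block):
            return True
    return False

def analyze(policy, owner_account):
    """Return (sid, kind, principal) for Allow statements reaching outside owner_account."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt):
            account = ACCOUNT_RE.search(principal)
            if principal == "*" and not _is_scoped(stmt):
                findings.append((stmt.get("Sid"), "public", principal))
            elif account and account.group() != owner_account:
                findings.append((stmt.get("Sid"), "cross-account", principal))
    return findings

# Constructed sample bucket policy: account IDs, bucket and VPC ID are made up.
BASE = {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
VPC = {"aws:SourceVpc": "vpc-0example"}
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {**BASE, "Sid": "PublicRead", "Principal": "*"},
    {**BASE, "Sid": "VpcOnly", "Principal": "*", "Condition": {"StringEquals": VPC}},
    {**BASE, "Sid": "OptionalVpc", "Principal": {"AWS": "*"}, "Condition": {"StringEqualsIfExists": VPC}},
    {**BASE, "Sid": "Partner", "Principal": {"AWS": "arn:aws:iam::444455556666:root"}},
    {**BASE, "Sid": "SameAccount", "Principal": {"AWS": ["arn:aws:iam::111122223333:role/app"]}},
]}

if __name__ == "__main__":
    print(analyze(SAMPLE, "111122223333"))
```

The `OptionalVpc` statement is reported as public because a `StringEqualsIfExists` condition still matches requests that do not carry the `aws:SourceVpc` key at all.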

Honorary mentions for services that were released in November 2019 but were close enough to be considered AWS re:Invent updates. :)

Originally published on my blog at kaizenteq.com

Security expert with a goal to make security an enabler instead of a blocker in the exciting world of cloud and machine learning. www.ashishrajan.com
