AWS re:invent 2020 Security announcements Recap of Week 1 — including updates that were not called security updates but you should know

Ashish Rajan
6 min readDec 6, 2020

--

Recap from AWS Virtual re:invent 2020 so far. It’s a 3 week online extravagance this time because COVID but they have done an amazing job so far. This article will cover announcements from Week 1.

For those who have read my AWS Re:invent 2019 Security Recap, or heard it on Cloud Security Podcast, you know I like to keep it honest so there might be some harsh truths here.

AWS RE:INVENT 2020: What’s different this time compared to last few years.

Amazon Web Services (AWS) held their annual event starting with Week 1 finishing this weekend. Unlike previous years where it’s a 1 Week of announcements and later we get to see all (well most) of the videos on YouTube.

This time it’s a 3 week online extravagenca with LIVE Performances, Hands-On Labs and a lot more. This means this is a series so here goes Week 1. There have been 65 announcements in total from AWS so far.

AWS Virtual Re:invent 2020

NOTE: This blog only has the security product annoucements from the event, there are plenty of other sources where you can find a broader coverage of all the annoucements. All the updates from AWS re:invent can be found here.

Announcements from Week 1 of AWS RE:Invent 2020:

Out of the 65 announcements made so far and I would like to cover them in the following order:

This blog is divided into 3 categories to cover the type of releases from the event and includes region availability, service GA status and where relevant use case for the release.

  • AWS Security Product Release — new security products from AWS
  • AWS Security Products Updates — new features to existing security products
  • AWS Security features to existing products — security features to existing products

In the end, I would include links to some of the talks that I enjoyed.

Let’s go:

AWS Security Product Release:

NO NEW SECURITY PRODUCTS FOR IT YET! Yes, nothing in Week 1. Possibly because they are waiting for Steve Schmidt’s “AWS security: Where we’ve been, where we’re going” on December 8,2020. There were however, Operational Technology security products announced for the Industrial sector

I am not an expert in this space so I can’t comment on this. However, if you are reading this and you know more about this space, I would love to talk to you about what this means on my Cloud Security Podcast.

Interestingly enough Week 1 Featured Announcements page didn’t think it was important to mention any of these services (screenshot below).

Featured Announcements of Week 1 at AWS Re:invent 2020. Source: AWS Reinvent Website

AWS Security Products Updates

  • AWS Security Hub — Kube-bench & Cloud Custodian:
    Kube-bench from AquaSec is an open source resources which is popular in the open source community to configure Kubernetes cluster in accordance with the recommendations from the Center for Internet Security (CIS), supporting both the CIS Kubernetes Benchmark and the CIS Amazon Elastic Kubernetes Service (Amazon EKS) Benchmark. You can watch the demo for kube-bench here.
    Cloud Custodian is also open source tool from CapitalOne which you can receive information from in your AWS Security Hub. However, this is only in AWS China (Beijing) Region operated by Sinnet and in the AWS China (Ningxia) Region operated by NWCD.
  • AWS CloudTrail allows for granular control on event logging:
    In AWS CloudTrail you can now choose (well first few characters where applicable) to log only certain kinds of events to get entry only of critical security events that you care about while keeping the cost low. This is available in all regions except the China regions.
  • AMI support tags on creation for better access control:
    Now, instead of waiting for AMIs to be created before you can tag them, it is possible to add tags at the time of creation to have better fine grain control on AMIs.
  • AWS Local Zones Added in Boston, Houston & Miami :
    More AWS Local Zones added to the above location and 12 more to be annouced soon. AWS Local Zones are a type of AWS infrastructure deployment that places AWS compute, storage, database, and other select services closer to large population, industry, and IT centers where no AWS Region exists today using the same AWS APIs.

AWS Security features to existing products

  • ECS Deployments Circuit Breakers to Amazon ECS (Preview mode):
    Now, to maintain higher availability of service, AWS customers can enable ECS deployment circuit breaker at the time of creating or updating the service as part of the deployment configuration of the ECS service. This services automatically rolls back unhealthy service deployments without the need for manual intervention. This empowers customers to quickly discover failed deployments, without worrying about resources being consumed for failing tasks, or indefinite deployment delays.
  • Manage Entitlements in AWS MarketPlace with AWS License Manager:
    Customer can managed Third Party Risk or in some cases Supply Chain Risks using Managed entitlements in AWS License Manager. Managed entitlements enable buyers to govern, track, and distribute entitlements from a software license. Customers can now track and manage their AWS Marketplace-procured products in their AWS organization within AWS License Manager. This goes the other way too, Independent Software Vendors (ISVs) can use AWS License Manager to create, configure, and track licenses for their products used on AWS and on-premises.
  • Private Marketplace APIs for Customers:
    Customer can now programmatically manage a Private Marketplace through a set of publicly available APIs. With Private Marketplace, customers can curate a catalog of approved third-party software available in AWS Marketplace. This enables their organization to easily purchase software from AWS Marketplace knowing that it complies with their internal policies.
  • AWS CloudWatch Lambda Insights for Lambda Functions
    Amazon CloudWatch Lambda Insights enables you to monitor, troubleshoot, and optimize the performance of AWS Lambda functions. You have access to automated dashboards summarizing the performance and health of your Lambda functions that provide visibility into issues such as memory leaks or performance changes caused by new function versions.
  • Security Detector for Amazon CodeGuru:
    CodeGuru Reviewer Security Detectors helps identify security risks from the top ten Open Web Application Security Project (OWASP) categories (OWASP is a standard awareness document for developers and web application security), security best practices for AWS APIs, and common Java crypto libraries. CodeGuru Reviewer Security Detectors can help you identify four categories of the code security issues: (1) AWS API Security Best Practices helps you identify security best practices when using APIs of various AWS services, such as AWS EC2 and KMS (2) Java Crypto Library Best Practices help you check common Java cryptography libraries, such as Javax.Crypto.Cipher, to identify that they are initialized and called correctly (3) Secure Web Applications help you check web app related security issues, such as cross-site scripting, LDAP injection, and path traversal injection (4) AWS Security Best Practices bring internal security expertise, such as AWS Crypto recommendations, to your use cases

Talks that I have liked so far from #AWSReInvent2020 :

Leadership Session

Compute Session:

Security Compliance & Identity Session:

This is the end of annoucements so far for Week 1. I will be back in a week’s time for security insights from Week 2 of AWS Re:invent.

--

--

Ashish Rajan

Security expert with a goal to make security an enabler instead of a blocker in the exciting world of cloud and machine learning. www.ashishrajan.com