Cybersecurity is such a broad, multi-faceted subject that its implications for architecting cloud environments and cloud-native applications can't be covered adequately in a single blog post. Just keeping the focus on the cloud security services and best practices available from Amazon Web Services (AWS) could easily fill a full library.
What we can do, however, is discuss some of the new security products and features announced at AWS’s re:Invent 2021. There were a lot of them, and for good reason. We need them.
Ransomware and other types of cyberattacks continue to put organizations at significant risk of costly data breaches. Regulatory compliance requirements for data privacy and access are increasing and becoming more complex. And the exponential growth of data, users, and devices is generating more attack surface and more vulnerabilities.
No single solution or set of solutions can combat every cybersecurity threat, particularly when those threats are constantly changing. Security requires a multi-layered, continually evolving approach. The new cloud security services and features announced at re:Invent 2021 help fulfill that need. They also join the many other AWS security resources ClearScale already uses in developing secure, client-focused solutions for optimal cloud environments and application design.
With the continued growth of IoT devices and applications, it’s not surprising that AWS announced IoT ExpressLink to facilitate the quick and easy development of secure IoT devices. It powers a range of hardware modules developed and offered by AWS Partners.
The connectivity modules include AWS-validated software, making it faster and easier to connect almost any device securely to the cloud and integrate it with AWS IoT Core and other AWS services. AWS IoT ExpressLink takes the complex, security-critical connection code (the TLS session to AWS IoT Core and the device credentials behind it) off the host application by packaging it into a single hardware component, so the host microcontroller only talks to the module over a simple serial interface.
AWS also announced a new capability for securely managing AWS IoT Greengrass devices through AWS Systems Manager. The integration simplifies the management and maintenance of system software on edge devices: with the Systems Manager agent deployed alongside the IoT Greengrass client software, administrators can remotely access and securely manage fleets of edge devices and automate the regularly scheduled operations that keep edge compute systems maintained, without building additional custom processes. IoT Greengrass was the primary AWS service used in ClearScale's solution for Spoke Safety.
One of the AWS cloud security services seeing the most updates was Amazon Inspector, a service that automates vulnerability assessments. (Amazon Inspector played a key role in the modernization and migration solution ClearScale created for J.J. Keller & Associates.) With the new automated vulnerability management capability, it now discovers resources continuously and automatically instead of requiring you to explicitly select the resources it should assess.
Once enabled, Amazon Inspector automatically discovers and continually assesses Amazon Elastic Compute Cloud (EC2) instances and container images stored in Amazon Elastic Container Registry (ECR). That keeps the evaluation of your security posture current even as the underlying resources change.
In addition, Amazon Inspector now integrates with AWS Organizations, so security and compliance teams can enable and manage it across all accounts in an organization from a single delegated administrator account. Findings are also published to Amazon EventBridge, which makes it straightforward to route them into workflow and event management systems such as Jira and Splunk.
The stand-alone Amazon Inspector scanning agent is gone; assessment scanning now uses the widely deployed AWS Systems Manager Agent (SSM Agent), so no separate agent installation is needed. In addition, each finding now carries a contextualized risk score (the Inspector score) that correlates Common Vulnerabilities and Exposures (CVE) metadata with environmental factors for the resource, such as network accessibility. That makes it easier to identify the most critical vulnerabilities to address first.
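To make the EventBridge path concrete, here is an added example (not code from the original post, from ClearScale, or from AWS) of the kind of routing function you would put behind an EventBridge rule. It evaluates the rule's event pattern and turns a matching finding into a ticket payload. The sample event is constructed to resemble an Inspector2 finding event; the field names are assumptions to check against the events your own account emits, and CVE-0000-0000 is a fake identifier.

```python
"""Route Amazon Inspector findings that arrive via Amazon EventBridge.

Added example; not code from the original post, from ClearScale, or from
AWS. SAMPLE_EVENT is a constructed event shaped like an Inspector2 finding
(source "aws.inspector2", detail-type "Inspector2 Finding"); its field
names are assumptions, and CVE-0000-0000 is a fake identifier.
"""
from copy import deepcopy
from typing import Any, Dict, Optional

# EventBridge event pattern with exact-match semantics: every value is a
# list of acceptable values. A rule with this pattern fires only for HIGH
# and CRITICAL findings, which is what you would wire to Jira or Splunk.
FINDING_RULE_PATTERN: Dict[str, Any] = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["HIGH", "CRITICAL"]},
}

SAMPLE_EVENT: Dict[str, Any] = {  # constructed sample, not a real finding
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/0123456789abcdef",
        "type": "PACKAGE_VULNERABILITY",
        "severity": "CRITICAL",
        "inspectorScore": 9.8,
        "title": "CVE-0000-0000 - example-package",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0000"},
    },
}


def matches_pattern(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """Minimal EventBridge exact-match evaluation: every key in the pattern
    must be present in the event, nested dicts recurse, and a leaf value
    must be one of the listed alternatives. (Numeric, prefix and
    anything-but matchers are not implemented here.)"""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def triage(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Turn a matching finding into a ticket payload; None if the rule would
    not have fired, so nothing reaches the ticketing system."""
    if not matches_pattern(event, FINDING_RULE_PATTERN):
        return None
    d = event["detail"]
    resource = d["resources"][0]
    # The Inspector score already folds environmental context (for example
    # network reachability) into the CVE's base score, so rank by it
    # rather than by the CVE alone.
    score = float(d.get("inspectorScore", 0.0))
    priority = "P1" if d["severity"] == "CRITICAL" or score >= 9.0 else "P2"
    return {
        "priority": priority,
        "finding_arn": d["findingArn"],
        "vulnerability": d.get("packageVulnerabilityDetails", {}).get("vulnerabilityId", d["type"]),
        "resource": f"{resource['type']}:{resource['id']}",
        "account": event["account"],
        "region": event["region"],
        "inspector_score": score,
    }


def low_severity_variant(event: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of an event downgraded to LOW, to show the rule filtering it out."""
    variant = deepcopy(event)
    variant["detail"]["severity"] = "LOW"
    variant["detail"]["inspectorScore"] = 3.1
    return variant


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
    print(triage(low_severity_variant(SAMPLE_EVENT)))
```

The pattern is exactly what you would give the EventBridge rule; the handler re-evaluates it so that a rule someone later loosens to forward LOW findings is filtered a second time, and the ticket is ranked by the Inspector score rather than by the CVE's base severity.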
Amazon CodeGuru Reviewer
Amazon CodeGuru Reviewer now has an automated secrets detection capability that uses machine learning to detect hard-coded secrets (passwords, access tokens, API keys, and more) during the code review process. It can also scan configuration and documentation files.
CodeGuru Reviewer suggests remediation steps to secure secrets with AWS Secrets Manager. The new feature supports the most common API providers, including Atlassian, GitHub, HubSpot, Mailchimp, Salesforce, Tableau, and others.
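As an added example (not CodeGuru Reviewer's own logic, which is ML-based, and not code from the original post or from ClearScale), the regex-based scanner below shows the check and the remediation side by side: it flags a constructed "before" snippet that embeds credentials and passes the "after" snippet that fetches the same password from AWS Secrets Manager at runtime. The access key ID and token values are fake; `get_secret_value` is the real boto3 Secrets Manager call, present only inside the scanned text.

```python
"""Hard-coded secret detection over source and config text, with the
Secrets Manager remediation CodeGuru Reviewer points to.

Added example; not code from the original post, from ClearScale, or from
CodeGuru Reviewer (this is a regex approximation with a placeholder
filter, not its ML detector). Both snippets are constructed and every
secret value in them is fake.
"""
import re
from typing import Dict, List

# Detection rules: (name, regex with the secret in group "value"). The
# key-ID and token formats follow the providers' publicly documented shapes.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b")),
    ("github-token", re.compile(r"\b(?P<value>ghp_[A-Za-z0-9]{36})\b")),
    ("generic-credential", re.compile(
        r"(?i)\b\w*(?:password|passwd|pwd|api[_-]?key|token|secret[_-]?key)\w*"
        r"\s*[:=]\s*[\"'](?P<value>[^\"'\s]{8,})[\"']")),
]

PLACEHOLDER_HINTS = ("example", "changeme", "placeholder", "your", "xxxx")


def looks_like_placeholder(value: str) -> bool:
    """Template markers and obvious dummy values are not findings."""
    lowered = value.lower()
    return any(ch in value for ch in "<>{}$") or any(h in lowered for h in PLACEHOLDER_HINTS)


def scan_text(text: str) -> List[Dict[str, object]]:
    """One finding per (line, value): rule name, 1-based line number and a
    redacted preview. The full secret is never returned, because findings
    end up in review comments and logs."""
    findings: Dict[tuple, Dict[str, object]] = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.group("value")
                if looks_like_placeholder(value) or (line_no, value) in findings:
                    continue
                findings[(line_no, value)] = {
                    "rule": name,
                    "line": line_no,
                    "preview": value[:4] + "..." + value[-2:],
                }
    return list(findings.values())


# Constructed "before" snippet: three real-looking (but fake) secrets and
# one template placeholder that must not be reported.
BEFORE_SOURCE = '''\
import requests
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
DB_PASSWORD = "hunter2hunter2"
TEMPLATE_PASSWORD = "<replace-me>"
'''

# Constructed "after" snippet: the remediation CodeGuru suggests. The value
# lives in Secrets Manager and is fetched at runtime, so nothing is in git.
AFTER_SOURCE = '''\
import boto3

_secrets = boto3.client("secretsmanager")
# Fetched at runtime from AWS Secrets Manager; rotation needs no code change.
DB_PASSWORD = _secrets.get_secret_value(SecretId="prod/db/password")["SecretString"]
'''


if __name__ == "__main__":
    for finding in scan_text(BEFORE_SOURCE):
        print(finding)
    print("after:", scan_text(AFTER_SOURCE))
```

The dedupe key is (line, value) rather than (line, rule) because a token assigned to a variable called `GITHUB_TOKEN` matches both the provider-specific and the generic rule; reporting it once, under the more specific rule, is what a reviewer wants to see.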
Amazon Elastic Container Registry
AWS also announced pull-through cache repository support in Amazon Elastic Container Registry (ECR). Developers who build on images from public registries (initially Amazon ECR Public) can now cache those images in their own private registry. Images in pull-through cache repositories are synced automatically from the upstream public registry, so there's no need to pull them manually and periodically re-pull them to stay current.
Cached images get ECR's built-in capabilities, such as access over AWS PrivateLink, which keeps pull traffic off the public internet, and cross-region replication. When replication is enabled, updated images are automatically distributed to additional Regions; a workload in another Region only needs its pull URL updated so that it downloads the image from the registry in that Region.
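An added example, not code from the original post, from ClearScale, or from AWS, of that pull-URL change: it rewrites public image references onto a pull-through cache in your private registry and, because the Region is a parameter, produces the URL for a replicated Region too. The account ID, Regions and the rule prefix `ecr-public` are placeholders; `public.ecr.aws` is the upstream URL for Amazon ECR Public, and `create_pull_through_cache_rule` is the boto3 call for the one-time rule setup, wrapped but never invoked here so the code runs offline.

```python
"""Point image references at an Amazon ECR pull-through cache instead of
the upstream public registry.

Added example; not code from the original post, from ClearScale, or from
AWS tooling. Account ID, Regions and the prefix "ecr-public" are
placeholders. public.ecr.aws is the upstream registry URL for Amazon ECR
Public; create_pull_through_cache_rule is the real boto3 ECR call, wrapped
here but not invoked.
"""
import re
from typing import Dict

# One pull-through cache rule per upstream registry. The prefix becomes the
# first path segment of the cached repository in your private registry.
CACHE_RULES: Dict[str, str] = {"ecr-public": "public.ecr.aws"}

# registry/namespace/repo[:tag|@digest]; the registry part contains no "/".
IMAGE_REF = re.compile(r"^(?P<registry>[^/]+)/(?P<path>[^:@]+)(?P<ref>[:@].+)?$")


def private_registry(account_id: str, region: str) -> str:
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com"


def cached_image_uri(upstream_image: str, account_id: str, region: str,
                     rules: Dict[str, str] = CACHE_RULES) -> str:
    """Rewrite public.ecr.aws/ns/repo:tag to <private registry>/<prefix>/ns/repo:tag.
    Calling this with a different Region yields the URI to pull from a
    replica registry once cross-Region replication is enabled."""
    m = IMAGE_REF.match(upstream_image)
    if not m:
        raise ValueError(f"expected registry/namespace/repo[:tag|@digest], got {upstream_image!r}")
    for prefix, upstream in rules.items():
        if m["registry"] == upstream:
            ref = m["ref"] or ":latest"
            return f"{private_registry(account_id, region)}/{prefix}/{m['path']}{ref}"
    raise ValueError(f"no pull-through cache rule for registry {m['registry']!r}")


def rewrite_dockerfile(dockerfile: str, account_id: str, region: str) -> str:
    """Rewrite the image on every FROM line; flags such as --platform and
    the AS alias are preserved."""
    out = []
    for line in dockerfile.splitlines():
        tokens = line.split()
        if tokens and tokens[0].upper() == "FROM":
            for i, tok in enumerate(tokens[1:], start=1):
                if not tok.startswith("--"):
                    tokens[i] = cached_image_uri(tok, account_id, region)
                    break
            line = " ".join(tokens)
        out.append(line)
    return "\n".join(out)


def create_cache_rule(ecr_client, prefix: str, upstream: str) -> None:
    """One-time setup per upstream registry (real boto3 ECR API; needs
    credentials, so it is not called in this example)."""
    ecr_client.create_pull_through_cache_rule(
        ecrRepositoryPrefix=prefix, upstreamRegistryUrl=upstream)


if __name__ == "__main__":
    print(cached_image_uri("public.ecr.aws/docker/library/nginx:1.21", "123456789012", "us-east-1"))
    print(cached_image_uri("public.ecr.aws/docker/library/nginx:1.21", "123456789012", "eu-west-1"))
```

References without a registry with a cache rule raise instead of being passed through silently, so a Dockerfile that still pulls from a registry you have not cached fails the build step rather than quietly going to the public internet.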
Amazon WorkSpaces Web
To help meet the need for more secure remote work operations, AWS now offers Amazon WorkSpaces Web. The low-cost fully managed workspace facilitates secure access to internal websites and software-as-a-service (SaaS) applications from existing web browsers, without the need for special appliances or client software.
Websites render in an isolated container in AWS and are pixel-streamed to the user's browser. The isolated browsing session protects against attacks packaged in web content, and it prevents a potentially compromised end-user device from connecting directly to internal servers. No corporate data ever resides on the remote device.
Amazon Simple Storage Service (S3)
An update to Amazon Simple Storage Service (S3) simplifies access management for S3 data. The new bucket owner enforced setting for S3 Object Ownership lets you disable access control lists (ACLs) for a bucket. Separately, the Amazon S3 console policy editor now reports security warnings, errors, and suggestions powered by IAM Access Analyzer as you write bucket policies.
When the setting is applied, every object in the bucket, including objects uploaded earlier by other accounts, becomes owned by the bucket owner's AWS account. ACLs are no longer used to grant access, applications that write to the bucket no longer need to specify an ACL, and all data access is governed by policies (bucket policies, IAM policies, and access point policies).
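An added example, not code from the original post, from ClearScale, or from AWS, of switching a bucket to the bucket owner enforced setting and auditing which buckets still depend on ACLs. The boto3 calls (`put_bucket_ownership_controls`, `get_bucket_ownership_controls`, `put_object`) are real; `FakeS3` is a constructed in-memory stand-in that mimics their documented responses so the code runs without credentials, and the bucket names are placeholders.

```python
"""Disable ACLs with the S3 Object Ownership bucket owner enforced setting
and audit which buckets still rely on ACLs.

Added example; not code from the original post, from ClearScale, or from
AWS. The boto3 S3 calls are real. FakeS3 is a constructed stand-in that
mirrors the documented responses (error code OwnershipControlsNotFoundError
when nothing is configured, AccessControlListNotSupported when an ACL is
sent to an ACL-disabled bucket) so the module runs without AWS credentials.
"""
from typing import Dict, List, Optional

try:
    from botocore.exceptions import ClientError
except ImportError:  # keep the example runnable where botocore is absent
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)
            self.response = error_response
            self.operation_name = operation_name

ENFORCED = "BucketOwnerEnforced"


def effective_object_ownership(s3, bucket: str) -> str:
    """ObjectWriter is the legacy ACL behaviour a bucket has when no
    ownership controls were ever set."""
    try:
        resp = s3.get_bucket_ownership_controls(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] == "OwnershipControlsNotFoundError":
            return "ObjectWriter"
        raise
    return resp["OwnershipControls"]["Rules"][0]["ObjectOwnership"]


def buckets_still_using_acls(s3, buckets: List[str]) -> List[str]:
    return [b for b in buckets if effective_object_ownership(s3, b) != ENFORCED]


def disable_acls(s3, bucket: str) -> None:
    """After this, every object is owned by the bucket owner and access is
    granted only by bucket, IAM and access point policies."""
    s3.put_bucket_ownership_controls(
        Bucket=bucket,
        OwnershipControls={"Rules": [{"ObjectOwnership": ENFORCED}]},
    )


def acl_write_rejected(s3, bucket: str) -> bool:
    """True if the bucket refuses an object ACL, i.e. ACLs really are off.
    ACL=private is harmless on an ACL-enabled bucket (it is the default),
    so the probe cannot accidentally expose anything."""
    try:
        s3.put_object(Bucket=bucket, Key="ownership-probe.txt", Body=b"", ACL="private")
    except ClientError as err:
        return err.response["Error"]["Code"] == "AccessControlListNotSupported"
    return False


class FakeS3:
    """Constructed stand-in for boto3.client('s3'); not boto3."""

    def __init__(self):
        self._ownership: Dict[str, str] = {}
        self.objects: Dict[tuple, bytes] = {}

    def put_bucket_ownership_controls(self, Bucket, OwnershipControls):
        self._ownership[Bucket] = OwnershipControls["Rules"][0]["ObjectOwnership"]

    def get_bucket_ownership_controls(self, Bucket):
        if Bucket not in self._ownership:
            raise ClientError({"Error": {"Code": "OwnershipControlsNotFoundError",
                                         "Message": "The bucket ownership controls were not found"}},
                              "GetBucketOwnershipControls")
        return {"OwnershipControls": {"Rules": [{"ObjectOwnership": self._ownership[Bucket]}]}}

    def put_object(self, Bucket, Key, Body, ACL: Optional[str] = None):
        # With ACLs disabled, only bucket-owner-full-control is still accepted
        # (for writers that have not been updated); any other ACL is rejected.
        if self._ownership.get(Bucket) == ENFORCED and ACL not in (None, "bucket-owner-full-control"):
            raise ClientError({"Error": {"Code": "AccessControlListNotSupported",
                                         "Message": "The bucket does not allow ACLs"}}, "PutObject")
        self.objects[(Bucket, Key)] = Body
        return {"ETag": '"0"'}


if __name__ == "__main__":
    s3 = FakeS3()
    disable_acls(s3, "new-bucket")
    print(buckets_still_using_acls(s3, ["legacy-bucket", "new-bucket"]))
    print(acl_write_rejected(s3, "new-bucket"), acl_write_rejected(s3, "legacy-bucket"))
```

To run the audit for real, replace `FakeS3()` with `boto3.client("s3")` and feed `buckets_still_using_acls` the names from `list_buckets`; writers that still send `ACL="bucket-owner-full-control"` keep working after the switch, so you can flip the setting first and clean up the writers afterwards.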
More Cloud Security Services From AWS
There were many more security-centric services and features announced that we want to highlight:
- New automatic application-layer DDoS mitigation in AWS Shield Advanced creates, tests, and deploys AWS WAF rules on your behalf to mitigate layer 7 DDoS events.
- AWS Lake Formation now includes row- and cell-level security capabilities for providing secure access to sensitive data in the data lake service.
- Amazon Virtual Private Cloud (VPC) IP Address Manager (IPAM) makes it easier for network administrators to organize, assign, monitor, and audit IP addresses across large networks. That lowers the management and monitoring burden and eliminates the manual processes that lead to delays and unintended errors.
- Amazon VPC Network Access Analyzer is a new offering that helps identify network configurations that might allow unintended access: you specify the access your network should allow, and the analyzer finds the paths that don't meet that intent.
- New threat detection capabilities for container workloads should launch in the first quarter of 2022.
You’ll find more information on all the new services and features, including those specific to security, on the AWS blog.
The ClearScale Approach to Cloud Security Services
Many companies find keeping up with security best practices and the constant emergence of new cyber threats to be time-consuming – and often overwhelming. Implementing those practices and dealing with ever-changing threats and vulnerabilities can be even more so. Fortunately, ClearScale is available to help.
We’re not just experts in working with AWS services. We have in-depth experience in employing a wide array of security best practices and AWS resources to create secure cloud environments and applications. We also understand regulatory compliance issues. Our experts help customers comply with the data governance and protection standards of PCI-DSS, HIPAA, ISO 27000, SOC reports, FedRAMP, and more.