In the first of our AWS re:Invent 2021 announcements round up, we look at new services and updates from the first 2 days. These are our top 5 favourites for our customers, selected from a bunch of very exciting new services and announcements that could really help your business! We’ve left one out intentionally as we belief it deserves it’s own blog – stay tuned for that one!
Let’s get started on our picks.
Amazon CodeGuru Secrets Detector
What is it?
Amazon CodeGuru was released last year. It’s a machine learning service that can scan your code for best practice and adherence to security standards such as the OWASP top 10. Today, AWS announced an additional capability for CodeGuru. This new capability, called Secrets Detector, adds scanning of code for secrets such as passwords and API keys.
Why should I care?
Exposing secrets in code is an all too familiar way for threat actors to compromise your environment or application. Secrets should always be stored in secure vaults, such as AWS Secrets Manager, and retrieved by your code at run time.
How can I use it?
Secrets Detector hooks into your code repository of choice. Supported repos include CodeCommit, GitHub and BitBucket. Once run it will report on any discovered secrets. Don’t just run it once, however! Also look to hook it into you pipeline process to scan your repos at commit time and schedule a regular scan of your repos. It’s a simple feature that might save you an immense amount of pain!
Amazon CloudWatch Realtime User Monitoring
What is it?
Amazon CloudWatch has been around for an age! It’s been expanding over the years and has been adding heaps of new capability around metrics, observability and performance of the underlying resources that make up a service. What about the end user experience? Until now, tools such as New Relic have been the choice for understanding the real world user experience. With Amazon CloudWatch RUM, you can now do that natively using AWS services.
Why should I care?
Understanding your resource performance, and particularly deviation from normal, is important for service delivery. However, you really need to understand your users true experience. How does you web application perform in the real world with a patchy 4G connection? Are there metrics you can monitor to understand issues or identify opportunities to improve the experience? RUM will provide you that insight.
How can I use it?
When you setup your RUM environment, you simply need to add some Javascript to your code. Soon you will be able to see metrics and performance data in the AWS Console. Now you can see what your users see!
AWS Backup for Amazon S3
What is it?
AWS Backup was introduced several years ago and has been slowly adding services. It can be used to create a unified backup plan for resource such as EC2, RDS, EFS and DynamoDB. Until today, backing up your S3 buckets was up to you. Typically, people would use either bucket replication in combination with versioning or the S3 API to make copies of objects to a backup bucket. AWS Backup has now added the ability to backup S3. This means that you can use the same backup retention and vault as your other assets. You can even lock the copies in the vault so that they can’t be deleted and replicate the copies to a second account.
Why should I care?
For more and more organisations, Amazon S3 is becoming the default storage platform due to its low cost, high durability and massive scale. Wouldn’t you want to be able to manage and lifecycle the backups of your S3 buckets like your other storage, compute and database assets? Do you really want to build and manage a solution yourself? Are you concerned about unintended or malicious changes to the objects in your buckets? AWS Backup’s new support for S3 has just made all this a whole heap easier!
How can I use it?
AWS Backup for Amazon S3 is in public preview now. Once you are enabled for the preview, it’s a simple case of turning on S3 backups in AWS Backup and then allocating the buckets to backup. We recommend setting up your backup plans to use tags. That way, you just need to tag your buckets and the backups will be enabled. Note that for S3, you can either schedule backups (say daily) or set it up to provide point in time restore (so every object change will be backed up when it happens). Don’t forget that you will need to enable bucket versioning for the targeted buckets for AWS Backup to manage them.
New Amazon Inspector
What is it?
Amazon Inspector is a service that automates security assessment of EC2 instances. Amazon Inspector scans for unintended network exposure, software vulnerabilities, and deviations from application security best practice. It has been in the AWS portfolio since 2015.
Today AWS has launched a brand new Inspector which adds a heap of new features including support for containers. It also includes enhanced reporting with integration into Security Hub and AWS Organizations! One thing we particularly like is the removal of the requirement for an Inspector agent. Inspector now uses the standard SSM agent. All AWS standard images already have this agent installed.
Why should I care?
Vulnerability management and understanding the patch status of your EC2 instances is critical to maintaining the security of your environment. The new Amazon Inspector collects events from over 50 vulnerability intelligence sources, including CVE, the National Vulnerability Database (NVD) and MITRE. When a new CVE notification is released, Inspector will automatically rescan affected instances or containers. Effectively, it provides a one-stop shop for near realtime visibility of any vulnerabilities in your EC2 and ECS fleet. You can even then integrate that into an auto-remediation stream where a critical vulnerability discovery can kick of a patch cycle for that instance!
How can I use it?
To start discovery, scanning and reporting on vulnerabilities, simply enable the new Inspector. Support for Linux based instances in included in this initial launch. However, Windows support is not too far away!
AWS Control Tower Region Deny
What is it?
AWS Control Tower is a service that provides an easy way to set up and govern a secure, multi-account AWS environment. It creates a landing zone using AWS Organisations, bringing ongoing account management and governance. It implements standard guardrails for all accounts. This means all new accounts adhere to a set of best practice standards, including centralised logging and enforced implementation of security services such as GuardDuty.
In addition to wanting standard security guardrails, many organisations are operating in highly regulated industries where guaranteed data residency is critical. Today, AWS has added region restrictions as new guardrails in Control Tower. You can easily control which regions you can spin up services. It also provides you the ability to control cross-region networking. As a result, no more managing policy!
Why should I care?
Ensuring their data remains in Australia is an obligation for many of our customers . This means today that they need to ensure all services they operate are in the Sydney (ap-southeast-2) region. While you can enable this through SCPs and IAM and resource policies, it’s always been complex to manage. These new guardrails in ControlTower remove that complexity.
How can I use it?
If you are already using AWS Control Tower, you can find the new Guardrails in the Control Tower console. Filter by the Data Residency category and enable the ones that matter to you. As a start, you will most likely want to enable the guardrail Deny access to AWS based on the requested AWS region. There’s nothing more to do!
Wrapping up
What do you think of our favourite AWS re:Invent 2021 announcements from the first two days? Do you have other favourites? Share you thoughts with us on Twitter.
If you want to know more about these and other announcements from re:Invent, contact us at RedBear!
