Hear that? That’s the sound of my head spinning after 2 days of re:Invent (halfway!). Let’s cover the key AWS re:Invent 2022 security announcements, looking at new services and features from the first two days. We’ve still got 2 more days to go, but here are the ones that caught our attention.
Amazon CloudWatch Logs data protection
What is it?
Gone to all the trouble to make sure that secrets and sensitive data are properly protected? What happens when someone enables debug logging? Does some of that (all of that!) suddenly end up in your logs? Would you even know? Amazon CloudWatch Logs data protection is a new feature that will scan your CloudWatch logs for sensitive data to make sure you aren’t logging what you shouldn’t be!
Why should I care?
Exposing sensitive data in logs is not uncommon and often breaks your compliance statement unwittingly. It might also have you tripping up over privacy laws for your applications!
How can I use it?
It’s a new tab in CloudWatch Logs. You enable it at a log group level, specifying the types of data to look for. The feature will then mask the data for you, and you can get notifications through CloudWatch alarms (and some other notification options).
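The same thing can be done as code. The example below is added here and is not from the original post or from AWS: it builds a data protection policy document (one statement to audit findings into a separate log group, one to mask the values) and attaches it with boto3, then shows locally what masking does to a typical debug line. The policy format, the managed data identifier ARNs, the log group names and the two regexes are assumptions made for this example; the AWS managed identifiers are far more thorough than the regexes here. boto3 is only imported inside apply_policy(), so the rest runs offline.

```python
"""Added example (not from the original post or from AWS): build and apply a
CloudWatch Logs data protection policy, and illustrate masking locally.

Assumptions: the policy document shape and the managed data identifier ARNs
below are taken from the AWS documentation as this example's author
understands it; log group names and region are placeholders.
"""
import json
import re

# Managed data identifiers (assumed ARN form) for the data classes we care about.
DATA_IDENTIFIERS = [
    "arn:aws:dataprotection::aws:data-identifier/EmailAddress",
    "arn:aws:dataprotection::aws:data-identifier/AwsSecretKey",
]


def build_data_protection_policy(audit_log_group, identifiers=DATA_IDENTIFIERS):
    """Return a policy with an audit statement and a de-identify (mask) statement.

    Audit findings go to a separate, restricted log group: they record where
    sensitive data appeared, not the data itself. The mask statement replaces
    the matched value with asterisks before it is stored.
    """
    return {
        "Name": "data-protection-policy",
        "Description": "Audit and mask sensitive data in this log group",
        "Version": "2021-06-01",
        "Statement": [
            {
                "Sid": "audit-policy",
                "DataIdentifier": list(identifiers),
                "Operation": {
                    "Audit": {
                        "FindingsDestination": {
                            "CloudWatchLogs": {"LogGroup": audit_log_group}
                        }
                    }
                },
            },
            {
                "Sid": "redact-policy",
                "DataIdentifier": list(identifiers),
                "Operation": {"Deidentify": {"MaskConfig": {}}},
            },
        ],
    }


def apply_policy(log_group_name, policy, region="eu-west-1"):
    """Attach the policy to a log group. Needs AWS credentials; not run offline."""
    import boto3  # lazy import so the pure helpers above run without boto3

    logs = boto3.client("logs", region_name=region)
    return logs.put_data_protection_policy(
        logGroupIdentifier=log_group_name,
        policyDocument=json.dumps(policy),
    )


# Local illustration of what masking does to a debug log line. These two
# patterns are constructed for the example: an e-mail address and a 40-character
# base64-like token shaped like an AWS secret access key.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
AWS_SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def mask_line(line):
    """Replace each detected value with asterisks of the same length, as the
    CloudWatch mask operation does, and return (masked_line, values_masked)."""
    count = 0

    def _mask(match):
        nonlocal count
        count += 1
        return "*" * len(match.group(0))

    masked = EMAIL_RE.sub(_mask, line)
    masked = AWS_SECRET_RE.sub(_mask, masked)
    return masked, count


if __name__ == "__main__":
    print(json.dumps(build_data_protection_policy("/security/dp-audit"), indent=2))
    # Constructed debug line using AWS's published example secret key value.
    print(mask_line("DEBUG user=alice@example.com secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"))
```

Apply it with apply_policy("/aws/lambda/my-function", build_data_protection_policy("/security/dp-audit")) once credentials are in place. Keep the audit log group locked down and alert on it: a finding there means something upstream is emitting data it should not.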
AWS Backup for CloudFormation resources
What is it?
When it comes to data protection, backups (or more importantly, restores) are one of your friends. In the event of a ransomware event, you can restore all your data from backups (and you’ve tested it, right?). What about your configuration, think IAM roles and security groups, required by your applications? If you defined it all as code (yes, you did?) using CloudFormation, you now can. AWS Backup for CloudFormation will now include all the required resources in the stack!
Fear not, AWS people, this is not Cloudformer…
Why should I care?
You backed up all your stateful resources like databases and S3 buckets, but you don’t capture your stateless resources (like IAM roles). You now have all your data back but the application doesn’t work. Oops. Maybe you can redeploy it from your pipelines, maybe not. With this new feature, you know that if you defined the entire application as a CloudFormation stack, you will now be able to recover all the dependent resources.
How can I use it?
It’s a few simple steps to get started. First enable the feature in AWS Backup. Then select all stacks or an individual stack (what no tag support?). That’s it. Run an on-demand backup to try it out. Simple!
Proactive compliance for AWS Config rules
What is it?
AWS Config has been around for a while. It’s a detective service that can be used to tell you about non-compliant resources and configuration in your AWS environment. We use it as an important source for our managed service to detect and remediate risky configurations. But what if you could also use AWS Config to examine a resource configuration before it was deployed into your AWS accounts? As of today you can, by enabling the new proactive mode for Config rules!
Why should I care?
The most secure configuration for an asset is the one where the misconfigured asset never exists in the first place! Much like we recommend for code (including containers), if you can validate the security of a configuration before it lands in an account, you should. This new feature of AWS Config allows you to test the configuration as part of the infrastructure as code pipeline before deploying any resource.
How can I use it?
It’s a simple case of using the AWS Config API to check the compliance of a resource before creating it. If you are deploying using AWS CloudFormation, you can use a CloudFormation hook to proactively check the configuration before the deployment happens.
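Here is what that pipeline step looks like as code. This example is added here and is not from the original post or from AWS: it builds the StartResourceEvaluation request for a resource that does not exist yet, using the CloudFormation resource schema (the same shape as a template’s Properties block), polls GetResourceEvaluationSummary, and turns the result into a deploy/block decision. The API parameter and response field names are assumptions based on this example’s author’s reading of the AWS Config API; the bucket configuration, resource id, region and timeouts are constructed placeholders. boto3 is imported lazily so the pure helpers run offline.

```python
"""Added example (not from the original post or from AWS): gate a deployment
on a proactive AWS Config evaluation of a resource's intended configuration.

Assumptions: StartResourceEvaluation / GetResourceEvaluationSummary parameter
and response names as this example's author understands them; the sample
bucket configuration, resource id and region are constructed placeholders.
"""
import json
import time


def build_evaluation_request(resource_id, resource_type, configuration, timeout_s=60):
    """Build StartResourceEvaluation parameters for a not-yet-created resource.

    The configuration is the CloudFormation resource schema form, so the
    check can run from the IaC pipeline against exactly what will be deployed.
    """
    return {
        "ResourceDetails": {
            "ResourceId": resource_id,
            "ResourceType": resource_type,
            "ResourceConfiguration": json.dumps(configuration),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        },
        "EvaluationMode": {"Mode": "PROACTIVE"},
        "EvaluationTimeout": timeout_s,
    }


def summarize(summary):
    """Reduce a GetResourceEvaluationSummary response to (compliance, deployable).

    Only COMPLIANT is deployable. NON_COMPLIANT blocks the deploy, and any
    other state (still IN_PROGRESS, no applicable rule, insufficient data) is
    treated as not proven safe rather than silently allowed.
    """
    compliance = summary.get("Compliance", "UNKNOWN")
    return compliance, compliance == "COMPLIANT"


def evaluate_before_deploy(resource_id, resource_type, configuration,
                           region="eu-west-1", poll_s=5, max_wait_s=120):
    """Run the proactive evaluation and wait for a verdict. Needs AWS credentials."""
    import boto3  # lazy import so the pure helpers above run without boto3

    config = boto3.client("config", region_name=region)
    request = build_evaluation_request(resource_id, resource_type, configuration)
    eval_id = config.start_resource_evaluation(**request)["ResourceEvaluationId"]
    deadline = time.time() + max_wait_s
    while True:
        summary = config.get_resource_evaluation_summary(ResourceEvaluationId=eval_id)
        status = summary.get("EvaluationStatus", {}).get("Status")
        if status != "IN_PROGRESS" or time.time() > deadline:
            return summarize(summary)
        time.sleep(poll_s)


# Constructed sample: an S3 bucket with public access fully blocked, written the
# way a template's Properties block would express it.
SAMPLE_BUCKET = {
    "BucketName": "my-app-data-bucket",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "BlockPublicPolicy": True,
        "IgnorePublicAcls": True,
        "RestrictPublicBuckets": True,
    },
}


if __name__ == "__main__":
    print(json.dumps(build_evaluation_request("MyBucket", "AWS::S3::Bucket", SAMPLE_BUCKET), indent=2))
    # Fail the pipeline unless the evaluation says COMPLIANT:
    # compliance, ok = evaluate_before_deploy("MyBucket", "AWS::S3::Bucket", SAMPLE_BUCKET)
    # raise SystemExit(0 if ok else 1)
```

In a pipeline, call evaluate_before_deploy() for each resource the template will create and fail the job when it returns False. Treating anything other than COMPLIANT as a block is deliberate: a timeout or a rule with no verdict should not quietly let a misconfiguration through.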
Amazon Inspector for AWS Lambda
What is it?
Amazon Inspector is a service that automates security assessment of EC2 instances. The service scans for unintended network exposure, software vulnerabilities, and deviations from application security best practice. It has been in the AWS portfolio since 2015 and was relaunched last year with a far more capable version. This v2 release included support for both EC2 and container images in ECR. As of today, Inspector has been extended to provide vulnerability scanning of Lambda functions (including any layers), now covering all the compute options – EC2, containers and serverless!
Why should I care?
Compute ain’t compute. Not in 2022. With a general shift away from a traditional server-based approach (in AWS speak that’s EC2) to serverless, you need to understand any risks from vulnerabilities no matter what the compute type. Just because you aren’t worrying about the OS patching doesn’t mean you don’t care about included packages (generally for containers) or libraries and layers (for AWS Lambda). The model changes. Some things get easier. Some things stay the same. Code is still code, to be managed and understood for its potential vulnerabilities.
How can I use it?
If you are already using the new Inspector, it’s enabled today! Nothing required. You can exclude functions using tags, but by default all functions are included and any findings are reported by Amazon Inspector.
Amazon Macie is now 99% cheaper!
What is it?
Knowing what you have is fundamental to securing your workloads and your data. Amazon Macie has been around for a while. It can be used to scan your S3 buckets for PII and other sensitive data. It helps you build a data classification of what you have, where it is and who can and has accessed it. The problem with Macie is that it is kind of heavyweight and expensive for many organisations. Step forward Automated Data Discovery for Macie. It provides continual discovery of sensitive data and potential data security risks across your entire set of buckets, aggregated at the AWS Organizations level. It does so at a fraction of the cost of full bucket scanning – in this case 1% of the cost!
Why should I care?
Knowing what data you have and where is crucial to protecting your customers. Just as important is to know when data you don’t expect is suddenly stored in unexpected places. This new capability for Amazon Macie will massively help to close that gap.
How can I use it?
It’s one action to enable it. It will include all buckets by default, but you can opt to exclude specific buckets (S3 buckets for security data such as VPC Flow Log data would be good candidates to exclude). You can also configure the types of data to look for in the buckets. Pricing is based on the number of objects scanned, at $1 for 10 million objects per month!
Amazon Security Lake
What is it?
Have we saved the best of the AWS re:Invent 2022 security announcements to last? Yes we have!
Logging and visibility are fundamental to the security of your cloud-hosted resources. However, you need to enable logging for AWS services, any third-party services you use and for your applications. You then need to do something with all that data. This might include ingesting it into a SIEM, such as Sumo Logic, or building CloudWatch alerts and dashboards using CloudWatch Insights or Amazon Athena. It’s a lot of work. Each data source has its own format.
Recently AWS announced it was a founding member of the Open Cybersecurity Schema Framework (OCSF) project. It is a collaboration between many organisations with the aim of normalising security data across a wide range of products and services.
Today, AWS released Amazon Security Lake. This service centralizes your organization’s security data from cloud, third-party and custom sources into a purpose-built data lake stored in your AWS account. Amazon Security Lake automates the central management of security data, normalizing the data and managing the lifecycle of data with customizable retention using automated storage tiering.
Why should I care?
Security teams should be spending their time building security use cases, automating responses, threat hunting and dealing with events. Getting data into the right tool in the right format should not be their day-to-day job. Yet we still expect these teams to do exactly that. With the new Amazon Security Lake, that task is managed by AWS on your behalf!
Now you can spend time on the real security value tasks for your organisation!
How can I use it?
Amazon Security Lake is in preview today. It has launched with a number of partners. This includes source partners such as CrowdStrike as well as analytics partners such as Rapid7 and Sumo Logic.
RedBear are excited to be part of this preview along with our partners.
Wrapping up
What do you think of these AWS re:Invent 2022 security announcements? Do you have some other favourites? Share your thoughts with us on LinkedIn.
If you want to know more about these and other announcements from re:Invent, contact us at RedBear!