AWS re:Inforce 2022 is a wrap. It was a whirlwind 2 days in Boston, only the second time (since the first edition in 2019) that it has been held in person! Between sessions and New England IPA, it was an exhausting and exhilarating time.
Now that the dust has settled (and we are back in winter!), it’s time to reflect on the key takeaways.
The scale of AWS
From a security event perspective, AWS has probably seen it all. The scale of their operation, billions of events per second, means that they see those “edge cases that will never happen” that other folks (like ourselves) maybe model or discuss. Their approach to the security of the Cloud isn’t an accident! With the scale of activity, they have had to develop automation, deep visibility and observability and an efficiency and speed of security operations that we all get to benefit from!
We see the evidence of that in tools such as GuardDuty.
Building security into the foundations
Security should not be an afterthought. You need to plan for it and bake it into your design, implementation, testing and operations.
This means starting with your design. Have you considered the potential threats to your application and environments (an exercise known as threat modelling)? How are you mitigating those? Don’t just think about the environment protection controls. In 2022, the supply chain is a huge threat vector. How do you secure your coding pipeline? Are you scanning your code and container images? Are your third-party dependencies validated? Do you security test before deploying to any environment?
You should consider these at every step. Don’t back-load your security design to running a penetration test two weeks before go-live! Tools such as Amazon Inspector and Snyk can help with these tasks.
More secure together
AWS has a massive security team, but they can’t cover every customer requirement out there. That’s where the partner community comes into play.
In the security space, AWS created the MSSP Level 1 competency to help their customers. AWS’s customers needed guidance in finding partners who understood AWS well enough to securely operate their Cloud based applications. RedBear IT were one of the launch partners for this competency in 2021. This year, AWS added a number of specialisation categories on top of the MSSP Level 1 competency. Again, we were a launch partner for these specialisations, in our case for Modern Compute Security.
AWS are savvy enough to know that many organisations are using solutions outside of the AWS toolset to deliver a managed security service. Partners are able to help with that. In fact, we use a number of additional products to support our customers. This way, we are able to build on what AWS already provides by bringing our curated toolset, our skills and our experience to our mutual customers.
It starts with visibility
In business, we say if you can’t see it, you can’t measure it. It’s no different with security.
Having visibility of what is going on in your environments and applications is fundamental to being able to manage them. Fortunately, AWS services produce a heap of logging data and instrumentation that you can use to understand your environment. In our case we ingest this data into our Sumologic platform. Once you are collecting data, you can analyse it and use it for dashboards, triggering alerts or kicking off an automated response.
If you are running a modern, highly distributed container or serverless based solution, you probably need to go further. Observability provides that greater end-to-end visibility. You can use AWS native tools such as Amazon OpenSearch, or third party tools such as Sumologic, as previously mentioned.
We always love a few announcements
It wouldn’t be re:Inforce 2022 without an announcement or two! So here are three that drew our attention.
The first one that caught our eye was the addition of malware protection to GuardDuty. Should an instance or a container be involved in a GuardDuty alert, the underlying storage will be automatically scanned for malware as part of the investigation process. GuardDuty will take a snapshot of the volume and scan the contents. No agent is required on the EC2 instance. For sensitive storage, where you don’t want the scans to happen automatically, you can simply tag the instance or volume to exclude it. It’s so simple to enable and you only pay for storage that is scanned.
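As an added example (not RedBear IT’s or AWS’s own code), the script below turns on GuardDuty malware protection for a detector and then audits EBS volumes so that anything tagged as sensitive carries the exclusion tag before a scan could snapshot it. The `GuardDutyExcluded=true` tag is the exclusion tag AWS documents; the `DataClassification=restricted` tag, the detector id and the volume list are constructed for the example, and the `update_detector` `DataSources` payload is the launch-era API shape (newer SDKs also expose this as a feature toggle), so treat both as assumptions to check against your SDK version. Clients are passed in, so the logic runs against boto3 clients in a real account or against stubs offline.

```python
"""Enable GuardDuty EBS malware scanning and enforce the exclusion tag on
sensitive volumes. Example code, not the blog's or AWS's own."""

# Exclusion tag documented by AWS for GuardDuty malware protection.
EXCLUSION_TAG = {"Key": "GuardDutyExcluded", "Value": "true"}
# Constructed convention for this example: how *we* mark sensitive volumes.
SENSITIVE_TAG = {"Key": "DataClassification", "Value": "restricted"}


def malware_protection_payload(detector_id: str) -> dict:
    """Request body that enables scanning of EBS volumes attached to EC2
    instances that appear in GuardDuty findings (assumed launch-era shape)."""
    return {
        "DetectorId": detector_id,
        "DataSources": {
            "MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": True}}
        },
    }


def tags_as_dict(tags) -> dict:
    """Flatten the EC2 [{'Key':..,'Value':..}] tag list into a dict."""
    return {t["Key"]: t["Value"] for t in tags or []}


def volumes_missing_exclusion(volumes) -> list:
    """Return ids of volumes tagged sensitive that GuardDuty would still scan."""
    missing = []
    for vol in volumes:
        tags = tags_as_dict(vol.get("Tags"))
        is_sensitive = tags.get(SENSITIVE_TAG["Key"]) == SENSITIVE_TAG["Value"]
        is_excluded = tags.get(EXCLUSION_TAG["Key"], "").lower() == "true"
        if is_sensitive and not is_excluded:
            missing.append(vol["VolumeId"])
    return missing


def enforce(guardduty, ec2, detector_id: str) -> list:
    """Apply both changes through boto3-style clients (real or stubbed).
    Returns the volume ids that received the exclusion tag.
    Note: describe_volumes is paginated in large accounts; a real run would
    use a paginator, which is omitted here to keep the example short."""
    guardduty.update_detector(**malware_protection_payload(detector_id))
    volumes = ec2.describe_volumes()["Volumes"]
    to_tag = volumes_missing_exclusion(volumes)
    if to_tag:
        ec2.create_tags(Resources=to_tag, Tags=[EXCLUSION_TAG])
    return to_tag


if __name__ == "__main__":
    # Real run: needs boto3 and AWS credentials. Detector id is a placeholder.
    import boto3

    gd = boto3.client("guardduty")
    detector_id = gd.list_detectors()["DetectorIds"][0]
    tagged = enforce(gd, boto3.client("ec2"), detector_id)
    print("volumes newly excluded from scanning:", tagged)
```

The useful part for a defender is the ordering: the exclusion tags are in place before the scanning feature is relied on, so a sensitive volume is never snapshotted just because an instance attached to it tripped a finding.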
Amazon Detective has been extended to add EKS support for Kubernetes based workloads. Amazon Detective is a security investigation tool. It now ingests audit logs from EKS to capture control plane changes. This means that you can now correlate actions in EKS against CloudTrail and VPC Flow logs to investigate any potential incidents.
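The correlation Detective now does for you can be reasoned about with a small join of your own. The added example below (not Detective’s logic and not code from the original post) takes EKS control plane audit events in the Kubernetes audit format that EKS ships to CloudWatch, plus CloudTrail records, and groups them by the calling IAM principal: aws-iam-authenticator records the caller’s ARN in `user.extra.arn`, which matches `userIdentity.arn` in CloudTrail, so the two sources can be lined up on a single timeline. All log lines, ARNs, IPs and the account id are constructed samples, and the 15-minute window is an arbitrary choice for the example.

```python
"""Join EKS audit events with CloudTrail events by IAM principal.
Example code, not the blog's or AWS's own. All sample data is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ALICE = "arn:aws:sts::111122223333:assumed-role/DevOpsRole/alice"  # placeholder

# Constructed EKS audit entries (Kubernetes audit event shape).
EKS_AUDIT_LINES = [json.dumps(d) for d in [
    {"requestReceivedTimestamp": "2022-07-27T03:12:45.100000Z", "verb": "list",
     "user": {"username": "devops:alice", "extra": {"arn": [ALICE]}},
     "sourceIPs": ["203.0.113.10"], "objectRef": {"resource": "secrets"}},
    {"requestReceivedTimestamp": "2022-07-27T03:13:02.000000Z", "verb": "create",
     "user": {"username": "devops:alice", "extra": {"arn": [ALICE]}},
     "sourceIPs": ["198.51.100.7"],
     "objectRef": {"resource": "clusterrolebindings", "name": "admin-binding"}},
    {"requestReceivedTimestamp": "2022-07-27T03:13:10.000000Z", "verb": "update",
     "user": {"username": "system:kube-controller-manager"},
     "sourceIPs": ["10.0.1.5"], "objectRef": {"resource": "endpoints", "name": "kube-dns"}},
]]

# Constructed CloudTrail records.
CLOUDTRAIL_LINES = [json.dumps(d) for d in [
    {"eventTime": "2022-07-27T03:10:00Z", "eventSource": "eks.amazonaws.com",
     "eventName": "DescribeCluster", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": ALICE}},
    {"eventTime": "2022-07-27T03:11:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]]


def _ts(s: str) -> datetime:
    # Python < 3.11 fromisoformat does not accept a trailing 'Z'.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalise_eks(ev: dict) -> dict:
    user = ev.get("user", {})
    arns = user.get("extra", {}).get("arn") or []
    ref = ev.get("objectRef", {})
    action = f'{ev["verb"]} {ref.get("resource", "")}'
    if ref.get("name"):
        action += "/" + ref["name"]
    return {"source": "eks", "time": _ts(ev["requestReceivedTimestamp"]),
            "principal": arns[0] if arns else user.get("username"),
            "ip": (ev.get("sourceIPs") or [None])[0], "action": action}


def normalise_cloudtrail(ev: dict) -> dict:
    return {"source": "cloudtrail", "time": _ts(ev["eventTime"]),
            "principal": ev.get("userIdentity", {}).get("arn"),
            "ip": ev.get("sourceIPAddress"),
            "action": f'{ev["eventSource"]}:{ev["eventName"]}'}


def correlate(eks_lines, ct_lines, window=timedelta(minutes=15)) -> dict:
    """Return {principal: summary} for principals seen in BOTH sources within
    `window`. Each summary carries the ordered actions, the set of source IPs
    and whether the IP changed between sources (worth a second look)."""
    events = [normalise_eks(json.loads(l)) for l in eks_lines]
    events += [normalise_cloudtrail(json.loads(l)) for l in ct_lines]
    events.sort(key=lambda e: e["time"])
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)
    hits = {}
    for principal, evs in by_principal.items():
        if {e["source"] for e in evs} != {"eks", "cloudtrail"}:
            continue
        if evs[-1]["time"] - evs[0]["time"] > window:
            continue
        ips = {e["ip"] for e in evs if e["ip"]}
        hits[principal] = {"actions": [e["action"] for e in evs],
                           "ips": ips, "ip_changed": len(ips) > 1}
    return hits


if __name__ == "__main__":
    for principal, summary in correlate(EKS_AUDIT_LINES, CLOUDTRAIL_LINES).items():
        print(principal, summary)
```

In the sample, only the assumed-role session shows up in both sources, and the timeline reads DescribeCluster in CloudTrail followed by a secrets listing and a cluster role binding in the EKS audit log, with the source IP changing midway; that is the kind of sequence an analyst would want surfaced rather than have to stitch together by hand.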
Finally, AWS Config has added a compliance score to its conformance packs. Conformance packs are a curated set of AWS Config rules that you can apply to your AWS implementation. Examples include packs for APRA CPG 234. Once enabled, Config can notify you of non-compliant resources. With compliance scores, you can see as a metric where your configuration stands against the conformance pack.