AWS re:Inforce 2023 is done! It was a packed couple of days in Anaheim! Between all the sessions and meeting familiar faces, it was a blur of a couple of days.
Now that the event has settled in my mind (and no more Californian sun!), it’s time to reflect on the key takeaways.
Security of the Cloud
The AWS shared responsibility model is a crucial tool in understanding how to securely build and operate your AWS hosted workloads. It is formed of two pieces: Security of the Cloud and Security in the Cloud. AWS takes care of the Security of the AWS Cloud. Think networks, hardware, data centres etc. You are responsible for the Security in the Cloud. This means what services you use, how you configure them and how you encrypt data, for example. We often think about the myriad of AWS security focused services but little about the underlying architecture of the platform that provides the Security of the Cloud.
CJ highlighted some of the innovations that AWS has brought to this problem. From custom isolation software and hypervisors through to Amazon developed hardware and chips. Day to day, we don’t think about this stuff because, quite rightly, we don’t have to (or want to). In addition, AWS’s scale means that they see pretty much all the security events. This insight into potential threats allows them to build solutions that benefit all of us. Take, for example, Cedar. It is a policy language and authorization engine. AWS created and open-sourced Cedar for the broader community. GuardDuty is another example. It offers managed threat intelligence reporting for your AWS environments. New threat detections are added constantly.
More and more customers are adopting AWS managed services, such as RDS. After all, who wants to manage the underlying OS and software if you don’t need to? Similarly, serverless and containers continue to evolve. They have become core tenets for thousands of AWS hosted workloads. Customers are adopting these services knowing that AWS has their security covered.
Security in the Cloud
As above, Security of the Cloud is only half the story. What about the part that you are responsible for?
AWS offers a rich set of security tools that you can use. From your application development through to your Cloud Security operations and everything in between, there’s probably a service for that. Some are simple and obvious, others require a little more craft to maximise. AWS recognises that every customer is different and not all workloads are the same. The strength of the AWS security capability is how broad and flexible it is. The weakness of the AWS security capabilities is how broad and flexible it is!
How do you know if you are doing it right? Tools such as the Well-Architected Framework and AWS Security Hub can help you benchmark your risk posture against recommended practice. What happens if you also need to integrate a third party tool? With so much choice, you have to ask yourself if your organisation wants to, or even can, be the security experts, building the relevant teams, experience and skills. Maybe you would be better off phoning a friend. That is why AWS created the AWS Level 1 MSSP to help customers find the right AWS security partners to secure and manage their AWS workloads.
There’s always time for some new stuff!
Of course, it wouldn’t be re:Inforce 2023 without some announcements! Here are our brief highlights.
Amazon CodeGuru for Security
Amazon Verified Permissions
Zero trust. So hot right now (and rightly so). Amazon Verified Permissions was announced at re:Invent 2022. It is now generally available. It’s a fine-grained permissions management and authorization engine for your applications. Provide granular access without having to build and run your own policy engine. Alternatively, couple it with Amazon Verified Access to provide secure VPN-less access to your business applications. The old VPN way relies on a hard boundary and often a soft centre once inside the network. With AVA and AVP, you can allow access based on policy – think end device, location, time of day – without compromising access to any other service.
Inspector Code Scan for Lambda
No servers, no worries? What about your code? Amazon Inspector Lambda scanning was introduced last year. It scans dependencies in your functions for vulnerabilities. Amazon Inspector Lambda code scanning extends that by adding scans of your custom developed code against security best practice. It’s very much complementary to the new CodeGuru for Security feature above. It’s a great way to double down on the security of your Lambda function code. Scan it at deploy time in your pipeline and scan it at runtime in case of modifications (which you can also prevent should you need to!).
The software bill of materials (SBOM) is an excellent tool as part of your supply chain security. Much as someone with a nut intolerance wants to know what’s in a particular food item, you should know all the ingredients that make up your applications. But an SBOM is only useful if it is up to date. Modern applications are complex. They often have hundreds of services and thousands of components. Amazon Inspector now provides the ability to export an SBOM for your resources. You can then use this to make sure that you are using supported, patched and non-vulnerable components. Should a zero-day vulnerability be released, you can immediately determine if you are at risk using the SBOM.
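To show what that "am I at risk?" check looks like in practice, here is an added example (not from the original post or from AWS) that parses a small, constructed CycloneDX document in the shape Inspector's SBOM export produces and lists the components still on a version below a hypothetical advisory's fix version. The package name and fix version are placeholders, not a real advisory.

```python
import json
import re

# Constructed CycloneDX 1.4 document mimicking an Inspector SBOM export.
# Package names, versions and purls are made up for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "widget-lib", "version": "1.4.0",
     "purl": "pkg:maven/com.example/widget-lib@1.4.0?type=jar"},
    {"type": "library", "name": "widget-lib", "version": "1.5.1",
     "purl": "pkg:maven/com.example/widget-lib@1.5.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"}
  ]
}
"""


def split_purl(purl):
    """Split a package URL into (package, version), dropping qualifiers
    (after '?') and subpath (after '#'). Handles versionless purls and
    scoped npm names such as pkg:npm/@scope/name."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    package, sep, version = base.rpartition("@")
    if not sep or "/" in version:
        return base, ""
    return package, version


def version_key(ver):
    """Turn '1.4.0' into a comparable tuple; non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", ver))


def affected(sbom_text, package, fixed_in):
    """Return purls of components that are `package` at a version older
    than `fixed_in`, i.e. the ones still exposed to the advisory."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp in sbom.get("components", []):
        pkg, ver = split_purl(comp.get("purl", ""))
        if pkg == package and ver and version_key(ver) < version_key(fixed_in):
            hits.append(comp["purl"])
    return hits


if __name__ == "__main__":
    # Hypothetical advisory: widget-lib fixed in 1.4.2
    print(affected(SBOM_JSON, "pkg:maven/com.example/widget-lib", "1.4.2"))
```

Run against a real export, the same function tells you which resources need patching before the advisory becomes an incident.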
AWS Payment Cryptography
Cryptography is hard. Writing your own is generally a bad idea. Of course, in the payments space, cryptography is everywhere. The new AWS Payment Cryptography service aims to simplify the implementation of cryptography operations and key management for card payment processing applications. The service introduces new CLI commands and APIs to manage keys. The same APIs can be used to verify and generate PIN and card data. No more custom code and key management required!
AWS Cyber Assurance Program
This is an interesting one. AWS is stepping into the Cyber Insurance space by offering an assurance program to simplify the process of obtaining a policy. It has partnered with a number of insurance companies to offer insurance for AWS customers. By simplifying and speeding up the approach, AWS is looking to increase access to cyber insurance, particularly for small and medium businesses. The insurance companies have been trained to take a security posture report from AWS (powered by Security Hub). The customer and insurer can then work together with an AWS security partner to implement recommendations and reduce insurance premiums.
It will be fascinating to see this one play out. We think it could be a game changer for the cyber insurance industry.
If you’d like to know more about any of these topics from re:Inforce 2023 or understand how you can securely manage your AWS based applications, please get in contact with us here at RedBear.