AWS Re:Invent wrapped up last week. This time of year tends to be an “early Christmas” for cloud enthusiasts, given the sheer number of new AWS releases that get dropped. As awesome as it is, it can be difficult to keep up with everything, especially what’s going to be relevant for you. In this blog, we highlight what we think are the top 5 most interesting security announcements, and include a listing of the other security-related announcements below. Enjoy!
New enhancements to AWS GuardDuty are always exciting, and this Re:Invent brought us two interesting announcements.
GuardDuty RDS Protection adds two additional finding types for anomalous login activity, covering both successful and failed logins. Currently only certain versions of Amazon Aurora are supported, so check the supported-engine list here before you get started.
GuardDuty Container Runtime Threat Detection was announced as “Coming Soon” during Adam Selipsky’s keynote (see here). With EKS Protection released earlier this year covering malicious activity at the Kubernetes control-plane level (audit logs), detecting malicious activity inside the containers themselves was a natural next step. It will be interesting to see what level of customization the detections will allow. Engineers often deploy tools like Falco for this use case, which brings a full-fledged rules engine but also requires ongoing operations effort to maintain rules and agents. Stay tuned for more!
One of the more surprising releases, Amazon Verified Permissions, is a service to help developers implement authorization in custom applications. It saves a development team from having to build and operate its own policy/authorization engine when access control needs to be added to an application. It also looks like an interesting alternative to something like Open Policy Agent for application authorization use cases, with the advantage that you don’t have to host any infrastructure yourself. In short: think of it as your own implementation of AWS IAM, but for your application, with policies evaluated by a managed API instead of embedded in application code.
Amazon Verified Permissions policies are written in the Cedar policy language. AWS also put out a blog on using the new service: https://aws.amazon.com/blogs/security/get-the-best-out-of-amazon-verified-permissions-by-using-fine-grained-authorization-methods/
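To give a feel for what Cedar policies look like, here is an added example (not code from the original post, AWS documentation, or the service itself) for a hypothetical photo-sharing application. The entity types (User, Group, Album, Photo), the attribute names (`owner`, `legalHold`) and the action IDs are all assumptions made up for the illustration; the `permit`/`forbid` effects, `in` hierarchy membership, `has` attribute checks and `when` conditions are real features of the language.

```cedar
// Added example: Cedar policies for a hypothetical photo-sharing app.
// Entity types (User, Group, Album, Photo), attributes (owner, legalHold)
// and action ids are assumptions, not anything from the original post.

// 1. Members of the "family" group may view any photo in the vacation album.
//    "in" follows the entity hierarchy, so a Photo whose parent is
//    Album::"vacation" matches the resource constraint.
permit (
    principal in Group::"family",
    action == Action::"viewPhoto",
    resource in Album::"vacation"
);

// 2. Users may edit or delete photos they own. The scope is left open on
//    principal and resource; the relationship is checked in the "when" clause.
permit (
    principal,
    action in [Action::"editPhoto", Action::"deletePhoto"],
    resource
)
when { resource.owner == principal };

// 3. A forbid always wins over any permit. Photos under legal hold can never
//    be deleted, even by their owner. The "has" guard avoids an evaluation
//    error (and a skipped policy) when the attribute is absent on the entity.
forbid (
    principal,
    action == Action::"deletePhoto",
    resource
)
when { resource has legalHold && resource.legalHold == true };
```

Two things worth knowing before relying on this in an application: a `forbid` overrides every `permit`, so policy 3 applies regardless of how many permits match, and a condition that references an attribute the entity does not carry causes that policy to be ignored for the request rather than silently match, which is why the `has` check in policy 3 matters for the deny to be reliable.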
Currently you have to request access to the preview to use it.
Source: Introducing VPC Lattice
VPC Lattice (in preview), as described by AWS, seeks to “simplify service-to-service connectivity, security, and monitoring”. Taking a deeper look, it is close to an Amazon-managed, service-mesh-style product that is tightly integrated with VPC and IAM. Moving past the buzzwords, it provides a few distinct capabilities. The most interesting is the ability to register various flavors of AWS compute (Lambda, containers, EC2) as “services”, which can then use Lattice’s features such as routing and traffic policies, and even have IAM resource policies applied to them to enforce access control through AWS IAM rather than through network rules alone. For example, you could enforce that a VPC Lattice service is only reachable by AWS identities in a particular OU of your AWS Organization. It also targets those wanting to reduce network complexity; from the release blog: “VPC Lattice automatically handles network connectivity between VPCs and accounts and network address translation between IPv4, IPv6, and overlapping IP addresses.” This appears to be only scratching the surface of what the service can do - it will be interesting to see how real-world implementations play out.
Amazon Security Lake is a managed security data lake service that aims to let you centrally aggregate various security-related datasets (both AWS-native and custom/external sources), control access to them, and automatically transform them into a query-friendly, standard format. Diving a little deeper:
If you are considering Security Lake, it is probably worth a visit to the pricing page. The preview period waives the service’s own cost, which could be a solid way to get an idea of what you would pay running it. It is important to note that while Security Lake is free during the preview period (and the eventual 15-day free trial), the underlying AWS services it relies on (S3, SQS, EventBridge) may still incur charges.
Catch Adam Selipsky talking about it during the keynote here for more info!
Amazon Inspector now supports scanning Lambda functions for vulnerabilities! This is a very welcome enhancement that scans deployed Lambda functions for known vulnerabilities in their dependencies. This appears to have a few different triggers:
This covers a valuable blind spot: Lambda functions that may go a while without a deploy, and new CVEs published between deploys, which a scan that only runs at build time would never catch. It also has value as a quick way to get started if you aren’t currently doing any pipeline scanning.
See below for a more comprehensive list of AWS releases that may be of interest to cloud security pros! We’re also including some recent releases from before Re:Invent (aka “preInvent”).
The information presented in this article is accurate as of December 05, 2022.