Security Services in a Nutshell at re:Invent 2022

Public cloud is by far the most talked-about topic in the infrastructure space today.

According to Gartner, public cloud adoption has grown at an unprecedented rate in recent years, 20.4% in 2022 alone. During COVID, businesses that had been offline went online to stay relevant, and public cloud was the infrastructure of choice for that rapid transformation.

AWS is the public cloud of choice for many enterprises and currently holds about 32% of the public cloud market.

Every year, AWS holds a five-day, public-cloud-centric conference in the United States: re:Invent. The event brings the public cloud community together to get hands-on with the latest in cloud technology, discuss challenges, explore products and collaborate. Apart from being a community initiative, re:Invent is also where AWS, as a ritual, launches a host of services across Data, Network, Security, AI / ML, Analytics and Compute.

This year is no different. The complete list of services launched during re:Invent is published by AWS; in this post we look only at the services that were launched around the security space or that security teams can put to use.

Let’s break these down!

Security Lake 

With the explosion of digital infrastructure there is a matching increase in events generated by network devices, security systems, applications, public cloud and infrastructure in general. For security teams it is a daunting task to ingest, process and store events once they run into TBs or even PBs. Worse, analysing those events can turn into a project rather than a task: slow queries, every source in its own data structure, and so on.

Amazon Security Lake aims at exactly this challenge by decoupling compute (processing and query) from storage, and by putting the storage in S3, which scales without any cluster to manage. Traditional security event platforms (SIEMs) keep large volumes of events on the compute instances that also run the queries, which limits scale and slows retrieval.

AWS users can connect existing AWS event sources such as CloudTrail, VPC Flow Logs, Route 53 resolver query logs and Security Hub findings (which is how GuardDuty findings arrive), as well as supported third-party sources, to ingest events.

Once ingested, events are normalised into the Open Cybersecurity Schema Framework (OCSF), an open, vendor-neutral schema for security events, and written as Parquet files. The practical consequence is that a CloudTrail API call, a VPC flow record and a Security Hub finding each land in a well-defined OCSF class with common fields (time, actor, cloud account, status), so a single query can span sources.

Finally, the normalised events are stored in the security data lake on S3, where users (and subscribed tools) can query or run analytics with services such as Athena or Redshift. Access to the lake is governed through subscribers and Lake Formation permissions, so the same least-privilege thinking applied to the sources should be applied to who can read the lake.
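To make the normalisation concrete, here is an added example (not Security Lake's own code, which performs this conversion for you) that maps a constructed CloudTrail management event onto an OCSF API Activity event. The class and activity identifiers follow the OCSF 1.0 schema as I read it (class_uid 6003, type_uid = class_uid * 100 + activity_id); the verb-to-activity table, the account, user and bucket names are all invented for illustration and should be checked against the schema version your lake uses.

```python
"""Normalise a CloudTrail record into an OCSF API Activity event.

Added example, not AWS or Security Lake code. The sample record and the
verb-to-activity mapping are constructed; OCSF field names follow the
1.0 API Activity class (class_uid 6003) as I read the schema.
"""
import json
from datetime import datetime, timezone

# Constructed CloudTrail management event (fake account, user and bucket).
SAMPLE_CLOUDTRAIL = {
    "eventVersion": "1.08",
    "eventTime": "2022-12-01T10:15:30Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketPolicy",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "198.51.100.23",
    "userAgent": "aws-cli/2.9.0",
    "userIdentity": {
        "type": "IAMUser",
        "userName": "deploy-bot",
        "accountId": "123456789012",
        "arn": "arn:aws:iam::123456789012:user/deploy-bot",
    },
    "requestParameters": {"bucketName": "example-logs"},
    "errorCode": "AccessDenied",
    "recipientAccountId": "123456789012",
}

# OCSF API Activity activity_id values: 1 Create, 2 Read, 3 Update,
# 4 Delete, 99 Other. The verb prefixes are an assumption, not a standard.
_VERB_TO_ACTIVITY = {
    "Create": 1, "Put": 1, "Add": 1, "Attach": 1, "Run": 1,
    "Get": 2, "List": 2, "Describe": 2, "Head": 2,
    "Update": 3, "Modify": 3, "Set": 3,
    "Delete": 4, "Remove": 4, "Detach": 4, "Terminate": 4,
}
_ACTIVITY_NAMES = {1: "Create", 2: "Read", 3: "Update", 4: "Delete", 99: "Other"}


def classify_activity(event_name):
    """Derive the OCSF activity_id from the CloudTrail API name."""
    for verb, activity_id in _VERB_TO_ACTIVITY.items():
        if event_name.startswith(verb):
            return activity_id
    return 99


def to_ocsf_api_activity(ct):
    """Return an OCSF API Activity (class_uid 6003) dict for one record."""
    ts_ms = int(datetime.strptime(ct["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                .replace(tzinfo=timezone.utc).timestamp() * 1000)
    activity_id = classify_activity(ct["eventName"])
    failed = "errorCode" in ct            # CloudTrail marks failures this way
    identity = ct.get("userIdentity", {})
    return {
        "category_uid": 6,                # Application Activity
        "class_uid": 6003,                # API Activity
        "activity_id": activity_id,
        "activity_name": _ACTIVITY_NAMES[activity_id],
        "type_uid": 6003 * 100 + activity_id,
        "severity_id": 1,                 # Informational
        "status_id": 2 if failed else 1,  # 1 Success, 2 Failure
        "time": ts_ms,
        "api": {
            "operation": ct["eventName"],
            "service": {"name": ct["eventSource"]},
            "request": {"data": ct.get("requestParameters", {})},
            "response": {"error": ct["errorCode"]} if failed else {},
        },
        "actor": {"user": {
            "type": identity.get("type"),
            "name": identity.get("userName"),
            "uid": identity.get("arn"),
            "account": {"uid": identity.get("accountId")},
        }},
        "src_endpoint": {"ip": ct.get("sourceIPAddress")},
        "http_request": {"user_agent": ct.get("userAgent")},
        "cloud": {"provider": "AWS", "region": ct["awsRegion"],
                  "account": {"uid": ct.get("recipientAccountId")}},
        "metadata": {"version": "1.0.0",
                     "product": {"name": "CloudTrail", "vendor_name": "AWS"}},
        # Anything without a home in the class goes to `unmapped`, not dropped.
        "unmapped": {"eventVersion": ct["eventVersion"]},
    }


if __name__ == "__main__":
    print(json.dumps(to_ocsf_api_activity(SAMPLE_CLOUDTRAIL), indent=2))
```

The point to take from the mapping is that the failed `PutBucketPolicy` becomes a generic "Create, status Failure, by actor X from IP Y" record that can be queried next to a denied flow or a Security Hub finding without knowing CloudTrail's field names; fields the class has no slot for are kept under `unmapped` rather than silently lost.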

OpenSearch Serverless

OpenSearch, AWS's fork of Elasticsearch 7.10 and one of the most widely used event analytics systems around, reached version 1.0 in July 2021, and Amazon Elasticsearch Service was renamed Amazon OpenSearch Service later that year. OpenSearch is very approachable, with OpenSearch Dashboards (forked from Kibana) as its interface, and it scales to ingest a wide variety of event classes.

OpenSearch has been the platform of choice for infrastructure, devops and security folks alike to address various use cases.

From a security standpoint specifically, event analytics, alerting and forensic search are only a few of the many use cases security teams solve with it.

With OpenSearch Serverless, security teams can do all of this without managing clusters or spending effort tuning them. Note that "serverless" removes the cluster, not the data decisions: index mappings, retention and who can query which collection still have to be designed and access-controlled.

Additional Data Centres

In recent times availability has been a cause for concern, especially after the incidents in which Cloudflare and WhatsApp went down.

AWS has announced additional availability zones and regions across multiple locations. See the full list here. More zones only help if workloads are actually deployed across them, so treat the announcement as an input to your own multi-AZ design rather than as resilience you get for free.

SageMaker Studio

If you are an ML enthusiast working on security data, you have most likely used or heard of Amazon SageMaker. SageMaker lets you run algorithms and train and test on data without managing compute or clusters, and it lets you do that from a Jupyter-style notebook. With re:Invent 2022, AWS has revamped SageMaker Studio to make it easier for data scientists and ML practitioners to create, test and deploy models through a web-based interface.

Config Proactive Compliance

For regulated verticals, compliance is an ongoing security activity. With public cloud deployments, compliance audits can turn into a nightmare if baseline configurations are not kept in check. AWS Config has been around for a while and helps organisations detect configuration drift and remediate at scale; Config proactive compliance is a useful addition that lets AWS users evaluate a resource configuration against Config rules before it is deployed to production, for example from a CI pipeline or a CloudFormation hook. This helps security and infrastructure teams shift compliance left, into design and development, on an ongoing basis. Two caveats: only rules and resource types that support proactive evaluation can be checked this way, and a proactive pass does not replace detective evaluation after deployment, since resources drift.
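The shift-left flow, as an added example that is not AWS code: a candidate S3 bucket definition is checked locally before deployment, and the same configuration is packaged for the AWS Config StartResourceEvaluation API in proactive mode. The local rule logic is a simplified stand-in for the managed rules it is named after, the bucket name is invented, and the boto3 call is imported lazily so the local checks run without an AWS account; the request parameter names are my reading of the API and should be verified against the SDK you use.

```python
"""Check a resource configuration before it is deployed.

Added example, not AWS code. `local_precheck` is a simplified stand-in
for three managed Config rules; `build_evaluation_request` produces the
proactive-mode request for StartResourceEvaluation as I understand it.
"""
import json

# Constructed candidate S3 bucket, in CloudFormation resource-schema shape,
# as it would appear in a template under review.
CANDIDATE_BUCKET = {
    "BucketName": "payments-archive-example",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "BlockPublicPolicy": False,      # the defect we want caught pre-deploy
        "IgnorePublicAcls": True,
        "RestrictPublicBuckets": True,
    },
    "BucketEncryption": {
        "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
        ]
    },
    "VersioningConfiguration": {"Status": "Suspended"},
}

_PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")


def local_precheck(cfg):
    """Return [(rule_name, 'COMPLIANT' | 'NON_COMPLIANT')] for a bucket config."""
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    public_blocked = all(pab.get(k) is True for k in _PAB_KEYS)

    sse_rules = cfg.get("BucketEncryption", {}).get(
        "ServerSideEncryptionConfiguration", [])
    algos = {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in sse_rules}
    encrypted = bool(algos & {"AES256", "aws:kms"})

    versioned = cfg.get("VersioningConfiguration", {}).get("Status") == "Enabled"

    def verdict(ok):
        return "COMPLIANT" if ok else "NON_COMPLIANT"

    return [
        ("s3-bucket-level-public-access-prohibited", verdict(public_blocked)),
        ("s3-bucket-server-side-encryption-enabled", verdict(encrypted)),
        ("s3-bucket-versioning-enabled", verdict(versioned)),
    ]


def build_evaluation_request(resource_id, resource_type, cfg):
    """Request body for AWS Config StartResourceEvaluation (proactive mode)."""
    return {
        "ResourceDetails": {
            "ResourceId": resource_id,
            "ResourceType": resource_type,
            "ResourceConfiguration": json.dumps(cfg),
            "ResourceConfigurationSchemaType": "CFN_RESOURCE_SCHEMA",
        },
        "EvaluationMode": {"Mode": "PROACTIVE"},
    }


def start_proactive_evaluation(resource_id, resource_type, cfg, region="us-east-1"):
    """Submit the config to AWS Config and return (evaluation id, compliance)."""
    import boto3  # lazy import: the local checks above run without boto3
    client = boto3.client("config", region_name=region)
    req = build_evaluation_request(resource_id, resource_type, cfg)
    eval_id = client.start_resource_evaluation(**req)["ResourceEvaluationId"]
    summary = client.get_resource_evaluation_summary(ResourceEvaluationId=eval_id)
    return eval_id, summary.get("Compliance")


if __name__ == "__main__":
    for rule, result in local_precheck(CANDIDATE_BUCKET):
        print(f"{result:14} {rule}")
```

Run locally, the candidate fails two of the three checks (public policy not blocked, versioning suspended) while encryption passes, which is exactly the feedback you want in the pull request rather than in an audit three months later.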

CloudWatch Logs – Detect Sensitive Data

Logs are great; in fact we love logs! But when they start capturing sensitive data, they turn into a compliance and privacy problem. CloudWatch Logs is the logging destination of choice for AWS customers, and AWS recently launched a feature that lets users attach a data protection policy to a log group. The policy names managed data identifiers (email addresses, credit card numbers and so on); matching values are masked at ingestion with asterisks, audit findings can be sent to a log group, Firehose or S3, and the unmasked data is visible only to principals that hold the logs:Unmask permission. Treat logs:Unmask like any other privileged permission: grant it to few roles and log its use.
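An added example, not AWS code: `build_policy` produces the data protection policy document shape CloudWatch Logs accepts (an audit statement and a de-identify statement over the managed EmailAddress identifier), and `apply_policy` is a local stand-in that previews what the masked lines will look like. The regex is a rough approximation of the managed identifier, not the service's matcher; the log lines, policy name and findings log group are constructed, and the boto3 call is imported lazily so the preview runs offline.

```python
"""CloudWatch Logs data protection policy plus a local masking preview.

Added example, not AWS code. The policy document shape is as I read the
CloudWatch Logs documentation; `apply_policy` only imitates the masking
so the effect can be seen offline. Log lines are constructed.
"""
import json
import re

EMAIL_IDENTIFIER = "arn:aws:dataprotection::aws:data-identifier/EmailAddress"


def build_policy(name, identifiers, findings_log_group=None):
    """Return a data protection policy: audit first, then mask (Deidentify)."""
    audit_dest = {}
    if findings_log_group:
        audit_dest["CloudWatchLogs"] = {"LogGroup": findings_log_group}
    return {
        "Name": name,
        "Description": "Mask sensitive values; reading them needs logs:Unmask",
        "Version": "2021-06-01",
        "Statement": [
            {"Sid": "audit", "DataIdentifier": list(identifiers),
             "Operation": {"Audit": {"FindingsDestination": audit_dest}}},
            {"Sid": "redact", "DataIdentifier": list(identifiers),
             "Operation": {"Deidentify": {"MaskConfig": {}}}},
        ],
    }


# Local approximation only: the managed identifiers are tuned matchers,
# this regex is not. Output imitates the service's '*' masking.
_PATTERNS = {
    EMAIL_IDENTIFIER: re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def apply_policy(policy, lines):
    """Mask every identifier named in a Deidentify statement; return (lines, hits)."""
    masked, hits = [], 0
    for line in lines:
        for stmt in policy["Statement"]:
            if "Deidentify" not in stmt["Operation"]:
                continue
            for ident in stmt["DataIdentifier"]:
                line, n = _PATTERNS[ident].subn(lambda m: "*" * len(m.group(0)), line)
                hits += n
        masked.append(line)
    return masked, hits


def put_policy(log_group, policy, region="us-east-1"):
    """Attach the policy to a log group (assumed boto3 call; needs AWS creds)."""
    import boto3  # lazy import so the offline preview works without boto3
    logs = boto3.client("logs", region_name=region)
    return logs.put_data_protection_policy(
        logGroupIdentifier=log_group, policyDocument=json.dumps(policy))


SAMPLE_LINES = [  # constructed application log lines
    "2022-12-01T10:15:30Z INFO password reset requested for alice@example.com",
    "2022-12-01T10:15:31Z INFO request_id=7f3c user_id=4821 status=200",
]

if __name__ == "__main__":
    policy = build_policy("pii-mask", [EMAIL_IDENTIFIER], "/aws/dp-findings")
    for line in apply_policy(policy, SAMPLE_LINES)[0]:
        print(line)
```

The audit statement is deliberately separate from the masking one: it is what tells you which applications are leaking which identifiers, and that is the signal to go fix the logging at source rather than rely on masking forever.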

AWS Verified Access

Built on Zero Trust principles, AWS Verified Access grants access to individual applications based on user identity and device posture rather than on network location. Traditionally, access to internal enterprise applications is granted via VPN, which opens up a broad range of services once a user is on the network. Often the VPN-layer policies are also managed by a different team from the application owners, which makes overly permissive access likely.

With AWS Verified Access, cloud operations teams can grant access to enterprise applications through fine-grained policies, written in the Cedar policy language, that are evaluated per request against identity (from the configured identity provider) and device trust signals rather than IP address ranges. A denied request never reaches the application, and each decision is logged, which gives security teams a per-application access trail that a VPN cannot provide.

If you would like to read further about AWS VPC or networking best practices, do check out our post here.

VPC Lattice

As with end-user access to enterprise networks, application-to-application connectivity gets complex with the adoption of microservice architectures, service meshes and cloud-native service integrations. To simplify this, AWS recently launched VPC Lattice (in preview at re:Invent 2022), which abstracts the network path between services and adds auth policies in the familiar IAM policy format, so who may call a service is decided by principal, action and conditions rather than by routing tables and security groups alone. This brings consistency to how access is granted, whether to a network service or to a cloud resource.

External KMS Key Store

Encryption is a key requirement for regulated and unregulated sectors alike that deal with sensitive information. Enterprises that adopt encryption are typically required to operate a key management system that holds the encryption keys, which are, quite literally, the key to the sensitive data.

Though most public cloud providers support key management with native services, regulated sectors often require that key material be held outside the provider, for example in HSMs in the customer's own data centre. The AWS KMS External Key Store (XKS) gives customers that flexibility: KMS forwards each encrypt and decrypt request through an XKS proxy to the external key manager, and the key material never leaves the customer's control. The trade-off is operational: the external key manager and proxy are now in the critical path of every KMS operation on those keys, so their availability and latency, and the network path to them, need the same engineering attention as the keys themselves.

Scanning Lambda Functions for Vulnerabilities

Security vulnerabilities can surface in any kind of system, whether an application running on a server, an IoT device, a container or a serverless function. Vulnerability scanning of Lambda functions by Amazon Inspector is a welcome addition to the AWS security service family: customers can now scan the package dependencies of their functions and layers for known vulnerabilities, just as they already do for EC2 instances and container images.

Automated Data Discovery

With the adoption of public cloud and the digitisation of business over the COVID era, there has been an explosion of data, and organisations now store and process significant amounts of PII and other sensitive information. One of the key issues security teams face is visibility into that data itself. Amazon Macie has been around for some time, but it had limitations such as manual job configuration and point-in-time discovery. With re:Invent 2022, AWS launched automated data discovery for Macie, which lets security teams discover sensitive information across their S3 estate automatically and on an ongoing basis.

Verified Permissions

IAM policies and permissions are the foundational building blocks of public cloud security. As opposed to traditional data centres, where access was largely governed by network controls, public cloud uses IAM as the gatekeeper for resource access. These policies get complex to manage at scale as engineering teams build applications from cloud-native services such as S3, Lambda and API Gateway, which often results in back-and-forth between engineering and cloud operations teams to arrive at granular IAM policies that actually work.

Amazon Verified Permissions, launched in preview at re:Invent 2022, addresses the application side of this problem. Rather than hard-coding an application's own authorization rules in code, or stretching IAM to cover end-user permissions it was never designed for, teams define fine-grained permit and forbid policies in the Cedar policy language (the same language Verified Access uses) and ask the service for an allow or deny decision at request time. Keeping authorization as policy rather than scattered code means the rules can be reviewed and tested before release, which reduces the chance that what was provisioned diverges from what the application needs.
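To show why the policy model used by Verified Access and Verified Permissions is worth adopting, here is an added example that is neither AWS nor Cedar code: a deliberately minimal evaluator that mirrors two properties of that model, default deny and a matching forbid overriding any permit. It does not parse Cedar syntax; the policies, group membership convention, device and MFA context fields and entity names are all invented for illustration.

```python
"""Minimal permit/forbid authorization evaluator.

Added example, not AWS or Cedar code. Mirrors the default-deny and
forbid-overrides-permit semantics of Cedar-style policies; the entities,
actions and context fields are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Entity:
    type: str
    id: str
    attrs: dict = field(default_factory=dict)


@dataclass
class Policy:
    effect: str                       # "permit" or "forbid"
    principal: Optional[str] = None   # "User::alice", "Group::eng", "App::*" or None (any)
    action: Optional[str] = None      # None matches any action
    resource: Optional[str] = None
    # Condition over (principal, resource, context); defaults to always true.
    when: Callable[[Entity, Entity, dict], bool] = lambda p, r, ctx: True


def _matches(scope, entity):
    """Does a policy scope string apply to this entity?"""
    if scope is None:
        return True
    typ, _, ident = scope.partition("::")
    if typ == "Group":  # membership, the analogue of `principal in Group::"x"`
        return ident in entity.attrs.get("groups", ())
    return entity.type == typ and ident in ("*", entity.id)


def is_authorized(policies, principal, action, resource, context=None):
    """Return ("ALLOW" | "DENY", indexes of the policies that decided it)."""
    context = context or {}
    permits, forbids = [], []
    for i, pol in enumerate(policies):
        if not (_matches(pol.principal, principal)
                and pol.action in (None, action)
                and _matches(pol.resource, resource)):
            continue
        if not pol.when(principal, resource, context):
            continue
        (forbids if pol.effect == "forbid" else permits).append(i)
    if forbids:                 # any matching forbid wins, regardless of permits
        return "DENY", forbids
    if permits:
        return "ALLOW", permits
    return "DENY", []           # default deny: nothing permitted it


# Constructed policy set: an internal wiki fronted by Verified Access and a
# document-viewing action an application would delegate to Verified Permissions.
POLICIES = [
    # Engineers may reach the wiki, but only from a compliant device.
    Policy("permit", principal="Group::engineering", action="access",
           resource="App::wiki",
           when=lambda p, r, ctx: ctx.get("device", {}).get("compliant") is True),
    # No access of any kind without MFA; this forbid beats every permit.
    Policy("forbid", action="access",
           when=lambda p, r, ctx: not ctx.get("user", {}).get("mfa", False)),
    # Application-level rule: a user may view a document they own.
    Policy("permit", action="viewDoc",
           when=lambda p, r, ctx: r.attrs.get("owner") == p.id),
]

if __name__ == "__main__":
    alice = Entity("User", "alice", {"groups": {"engineering"}})
    wiki = Entity("App", "wiki")
    ctx = {"device": {"compliant": True}, "user": {"mfa": False}}
    print(is_authorized(POLICIES, alice, "access", wiki, ctx))
```

The second policy is the one to notice: because forbid always wins, a blanket "no MFA, no access" rule cannot be accidentally overridden by a later, more specific permit, which is the property that makes a policy set reviewable in a way a pile of nested conditionals is not.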

Check out our post on IAM Best Practices in AWS for further details around using AWS Permissions and their best practices.

Conclusion

Security is never 100%, but services such as the ones launched at AWS re:Invent 2022 are certainly a step in the right direction.

We hope this post on security services during AWS re:Invent 2022 was insightful.