New AWS security tools, updates help IT protect cloud apps
AWS released a slew of updates to improve security as IT pros develop and deploy more enterprise applications via public cloud services.
Last week in Anaheim, Calif., around 6,000 attendees gathered for AWS re:Inforce to share security best practices and learn about the latest security features and updates from AWS. Organizations across industries use AWS to build and deliver software applications. Because they are responsible for securing what they put in the cloud, those organizations need effective security strategies to protect their cloud applications.
Research from TechTarget's Enterprise Strategy Group has shown that while moving applications to public cloud services increases productivity and speeds time to market, security is the top challenge -- followed by compliance. Organizations not only need to address security, but they need to ensure they can adapt to support the increased productivity and scale that cloud-native development brings.
AWS released a slew of security updates to meet this need. Here's my recap of the top themes and technologies launched during the conference.
The role of AWS in security
CJ Moses, chief information security officer and vice president of security engineering at AWS, kicked off the conference with a refresher on the shared responsibility model: AWS is responsible for security of its cloud, whereas customers are responsible for security in the cloud. He pointed out that "if you have access, you have responsibility," adding that AWS wants to make security affordable, effective and straightforward.
Moses shared updates for Nitro System and Firecracker regarding the platform improvements for AWS's cloud security responsibilities. He pointed out that the company's large global presence makes it a target but described how scale breeds intelligence that helps with defense.
The top priority: preventing security issues from causing business disruption. This means collecting threat intelligence, using AWS's globally distributed network of sensors to monitor environments, gaining an understanding of threat actor tactics and procedures, and using that intelligence to build new security mechanisms. This includes its reported 300 GB of virtual private cloud flow logs per second, 350 billion requests on Amazon Managed Rules for AWS WAF and 700 DDoS attacks mitigated per year.
This is where the lines of the shared responsibility model blur. As I've pointed out before, although customers are responsible for securing what they put in the cloud, cloud service providers are motivated to help them with tools, features and capabilities integrated with the security features architected into each platform and its service offerings.
New AWS tools
To that end, AWS has rolled out updates and new features to help with security.
- Amazon Verified Permissions. Enables developers to add fine-grained authorization to their applications without writing complex authorization code. It uses Cedar, a new open source language for access control, to make it easy to write policies that specify who (a principal) is allowed to perform which actions on which resource. Open Policy Agent, which uses the Rego language, is a widely used open source tool for policy and authorization, but Cedar can be a simpler alternative.
- EC2 Instance Connect Endpoint. EIC Endpoint provides SSH and remote desktop protocol (RDP) connectivity to EC2 instances without using public IP addresses. This eliminates the need to assign public IPs for EC2 instances for remote connectivity and saves the time, complexity and cost of having to set up and maintain bastion hosts to tunnel SSH and RDP connections to instances with private IP addresses. EIC Endpoint uses AWS Identity and Access Management-based access controls and network-based controls such as Security Group rules for authorization and authentication before reaching the host. It also provides an audit of any connections via AWS CloudTrail.
- Amazon Inspector code scanning for Lambda. Provides code scanning for Lambda functions and associated layers to identify software vulnerabilities -- including injection flaws, data leaks, weak cryptography or missing encryption -- based on AWS security best practices. The findings are aggregated in the Amazon Inspector console along with details such as the security detector name, impacted code snippets and remediation suggestions. The findings are also routed to AWS Security Hub and pushed to Amazon EventBridge to automate workflows.
- Software bill of materials (SBOM) export capability in Amazon Inspector. Gives customers a free tool that works from the Amazon Inspector console to generate SBOMs to manage software supply chain security with an inventory of software packages and any associated vulnerabilities. Amazon Inspector exports the SBOMs to an Amazon S3 bucket, with options to download the SBOM artifacts and use Amazon Athena or Amazon QuickSight to analyze and visualize software supply chain trends.
- Amazon CodeGuru Security. Helps developers identify and remediate code vulnerabilities. Amid much discussion about ways to use AI, this is a practical application: it combines machine learning with static application security testing to detect vulnerabilities with a low false positive rate, flagging issues such as log injection, hardcoded credentials and resource leaks, and provides the code patch information needed for remediation. This feature is in preview.
- Amazon Detective findings groups from Amazon Inspector. Collects findings from Amazon Inspector, GuardDuty and AWS security services such as AWS Security Hub for situational analysis of security events. It looks at patterns and movement, maps findings to the MITRE ATT&CK framework, and supports faster detection and response.
- Amazon GuardDuty findings summary view. This new feature in the console helps users identify and act on what to remediate to reduce security risk, augmenting cloud security posture management. It provides a central view of findings by severity and type, gathering data across sources including Amazon EC2 instances, Amazon S3 buckets, Amazon RDS databases, AWS Lambda functions and Amazon EKS clusters.
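To make the Verified Permissions item above concrete, here is an added example of a small Cedar policy set (written for this recap, not taken from AWS documentation); the entity types Group, Action, Folder and Document, and the owner and archived attributes, are assumed to be defined in the application's schema.

```cedar
// Members of the finance group may view or edit anything in the finance folder.
permit(
  principal in Group::"finance",
  action in [Action::"view", Action::"edit"],
  resource in Folder::"finance"
);

// Any principal may view a document it owns (owner attribute assumed in the schema).
permit(
  principal,
  action == Action::"view",
  resource
) when { resource.owner == principal };

// In Cedar a forbid always overrides a permit, so archived documents can never be
// edited, even by finance group members matched by the first policy.
forbid(
  principal,
  action == Action::"edit",
  resource
) when { resource.archived == true };
```

Cedar's default is deny: a request is allowed only if at least one permit matches and no forbid does, which is why the archive rule can be expressed once instead of as a condition on every permit.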
Using generative AI and automated reasoning
AI, particularly generative AI, is a hot topic this year with the emergence and buzz around tools such as ChatGPT and Copilot that can simplify application development by generating code. Moses, of AWS, described how the company uses generative AI to build more secure code and enhance productivity. AWS applies it to solve problems, including alert fatigue, and to speed up detection and response.
AWS also described its approach with what it calls provable security, which uses automated reasoning over curated facts to compute verifiable outcomes. The company contrasted its high assurance and accuracy with generative AI, whose large language models can introduce errors through hallucination. It applies automated reasoning to key security areas, including storage, networking, identity and cryptography, as well as to security capabilities in Amazon CodeGuru, AWS Identity and Access Management and Amazon Verified Permissions.
AWS also works with security vendors to better use the platform and services to serve joint customers with added benefits. Vendors including Palo Alto Networks, Trend Micro, Wiz, Orca, Lacework, Snyk, Sysdig and Uptycs use AWS security integrations and features to help their customers manage security for their applications across cloud and on-premises environments and are helping ensure security teams scale with faster development cycles.
Senior Analyst Melinda Marks covers application and cloud security for Enterprise Strategy Group, a division of TechTarget. Enterprise Strategy Group analysts have business relationships with technology vendors.