04 December 2022

AWS Re:Invent 2022 Security Recap and Top 5 Releases

We collected the security-relevant AWS releases and announcements from this year's re:Invent!

Dakota Riley, Principal Security Engineer

AWS re:Invent wrapped up last week. This time of year tends to be an "early Christmas" for cloud enthusiasts given the sheer number of new AWS releases that get dropped. As awesome as it is, it can be difficult to keep up with everything, especially what's going to be relevant for you. In this blog, we highlight what we think are the top 5 most interesting security announcements, and include a listing of the other security-related announcements below. Enjoy!


Top 5 Most Interesting Announcements

Amazon GuardDuty RDS Protection (Preview) and Container Runtime Threat Detection (Coming Soon)

Source: GuardDuty RDS Protection Now In Preview and AWS Security Tweet about GuardDuty Runtime Protection

New enhancements to Amazon GuardDuty are always exciting, and this re:Invent brought us two interesting announcements.

GuardDuty RDS Protection adds two finding types for anomalous login activity, covering both successful and failed logins. Currently only certain versions of Amazon Aurora are supported, so check the supported-engine list in the announcement before you get started.

GuardDuty Container Runtime Threat Detection was announced as "Coming Soon" during Adam Selipsky's keynote. With GuardDuty EKS Protection released earlier this year, covering malicious activity at the Kubernetes control plane (audit log) level, detecting malicious activity inside the containers themselves is the natural next step. It will be interesting to see how much customization the detections allow. Engineers often deploy tools like Falco for this use case, which brings a full-fledged rules engine but also ongoing operational effort. Stay tuned for more!

Amazon Verified Permissions

Source: AWS Announces Amazon Verified Permissions

One of the more surprising releases, Amazon Verified Permissions, is a service that helps developers implement authorization in custom applications. It saves a development team from building its own policy/authorization engine when an application needs access control. It also looks like an interesting alternative to something like Open Policy Agent for application-authorization use cases, with no infrastructure to host. In short, think of it as your own implementation of AWS IAM, but for your application!

Amazon Verified Permissions policies are written in the Cedar policy language: each policy is a permit or forbid statement over a principal, action, and resource, optionally narrowed by when/unless conditions on attributes and request context. AWS also put out a blog on using the new service: https://aws.amazon.com/blogs/security/get-the-best-out-of-amazon-verified-permissions-by-using-fine-grained-authorization-methods/

Currently you have to request access to the preview to use it.
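To make the "your own IAM for your application" framing concrete, here is an added example (not Cedar and not Amazon Verified Permissions code) that models how Cedar-style policies decide a request: default deny, any matching forbid wins, otherwise allow if any permit matches. The policies are Python objects standing in for the Cedar statements shown in the comments, and the sample app (two users, an admin group, a photo) is constructed for the example.

```python
"""Added example (not Cedar, nor Amazon Verified Permissions code): a toy model
of how Cedar-style policies evaluate. Policies are Python objects standing in
for Cedar permit/forbid statements; the decision rules follow Cedar's:
default deny, any matching forbid wins, otherwise allow if any permit matches.
The app (users, a group, photos) is constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Entity:
    """A Cedar-like entity: identified by type and id, with optional parents
    (group membership) and attributes. Equality/hash use type and id only."""
    type: str
    id: str
    parents: frozenset = field(default=frozenset(), compare=False)
    attrs: dict = field(default_factory=dict, compare=False)

    def is_in(self, other: "Entity") -> bool:
        # Cedar's `principal in X`: X is the entity itself or one of its ancestors.
        return self == other or other in self.parents


@dataclass
class Policy:
    id: str
    effect: str                              # "permit" or "forbid"
    principal: Optional[Entity] = None       # None = unconstrained (`principal,`)
    action: tuple = ()                       # () = any action
    resource: Optional[Entity] = None
    when: Optional[Callable] = None          # Cedar `when { ... }` clause
    unless: Optional[Callable] = None        # Cedar `unless { ... }` clause


def matches(p: Policy, principal, action, resource, context) -> bool:
    """A policy applies only if its scope and every condition clause hold."""
    if p.principal is not None and not principal.is_in(p.principal):
        return False
    if p.action and action not in p.action:
        return False
    if p.resource is not None and not resource.is_in(p.resource):
        return False
    if p.when is not None and not p.when(principal, resource, context):
        return False
    if p.unless is not None and p.unless(principal, resource, context):
        return False
    return True


def is_authorized(policies, principal, action, resource, context=None):
    """Return ("ALLOW" | "DENY", [ids of the policies that decided it])."""
    context = context or {}
    applied = [p for p in policies if matches(p, principal, action, resource, context)]
    forbids = [p.id for p in applied if p.effect == "forbid"]
    permits = [p.id for p in applied if p.effect == "permit"]
    if forbids:            # Cedar: a single forbid overrides every permit
        return "DENY", forbids
    if permits:
        return "ALLOW", permits
    return "DENY", []      # default deny: nothing permitted the request


# --- constructed sample app: a photo-sharing service ---
ADMINS = Entity("UserGroup", "admins")
ALICE = Entity("User", "alice", parents=frozenset({ADMINS}))
BOB = Entity("User", "bob")
PHOTO = Entity("Photo", "vacation.jpg", attrs={"owner": BOB})

POLICIES = [
    # permit(principal in UserGroup::"admins", action, resource);
    Policy("admins-all", "permit", principal=ADMINS),
    # permit(principal, action == Action::"view", resource)
    #   when { resource.owner == principal };
    Policy("owner-view", "permit", action=("view",),
           when=lambda p, r, c: r.attrs.get("owner") == p),
    # forbid(principal, action == Action::"delete", resource)
    #   unless { context.mfa == true };
    Policy("delete-needs-mfa", "forbid", action=("delete",),
           unless=lambda p, r, c: c.get("mfa") is True),
]

if __name__ == "__main__":
    print(is_authorized(POLICIES, ALICE, "delete", PHOTO, {"mfa": False}))  # ('DENY', ['delete-needs-mfa'])
    print(is_authorized(POLICIES, BOB, "view", PHOTO))                      # ('ALLOW', ['owner-view'])
```

The point to take from the forbid policy: even an admin who matches a broad permit is denied a delete without MFA, because forbid always wins. Real Cedar adds a typed schema, validation of policies against it, and a richer entity hierarchy; this model only shows the decision rules.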

VPC Lattice

Source: Introducing VPC Lattice

VPC Lattice (in preview), as described by AWS, seeks to "simplify service-to-service connectivity, security, and monitoring". Taking a deeper look, this is close to an Amazon-managed service-mesh style product that is tightly integrated with VPC and IAM.

Moving past the buzzwords, it provides a few distinct capabilities. The most interesting is the ability to treat various flavors of AWS compute (Lambda, containers, EC2) as "services", which can then use many of Lattice's features, such as routing/traffic policies, and even have IAM-style resource (auth) policies attached to enforce access control on them. For example, you could enforce that a VPC Lattice service is only reachable by AWS identities in a particular OU of your AWS organization.

It also targets those wanting to reduce network complexity; from the release blog: "VPC Lattice automatically handles network connectivity between VPCs and accounts and network address translation between IPv4, IPv6, and overlapping IP addresses." This only scratches the surface of what the service can do; it will be interesting to see how real-world implementations play out.
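The OU restriction mentioned above is done with the aws:PrincipalOrgPaths condition key, and the detail that bites people is what that key actually matches. The following is an added example, not taken from the Lattice documentation: it builds the auth policy and models the StringLike matching so you can see which principals get through. The organization, root, OU and service identifiers are constructed, and the action name vpc-lattice-svcs:Invoke is assumed from the Lattice auth policy docs, so confirm it before use.

```python
"""Added example (not from the VPC Lattice documentation): an auth policy that
limits a Lattice service to callers in one OU of the organization, plus a check
of what the aws:PrincipalOrgPaths condition actually matches. All identifiers
(org, root, OU, service ARN) are constructed for the example."""
import json
import re

ORG_ID = "o-a1b2c3d4e5"          # constructed
ROOT_ID = "r-ab12"               # constructed
PROD_OU = "ou-ab12-11111111"     # constructed
SERVICE_ARN = "arn:aws:vpc-lattice:us-east-1:111122223333:service/svc-0123456789abcdef0"

# "The prod OU and every OU nested under it". The trailing "/*" is what admits
# child OUs; without it, only accounts placed directly in PROD_OU match.
PROD_OU_PATH = f"{ORG_ID}/{ROOT_ID}/{PROD_OU}/*"


def lattice_auth_policy(org_path: str) -> dict:
    """Auth policy to attach to the Lattice service. The action name
    vpc-lattice-svcs:Invoke is assumed from the Lattice auth policy docs;
    confirm it against current documentation before use."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "vpc-lattice-svcs:Invoke",
            "Resource": "*",
            # aws:PrincipalOrgPaths is multivalued, hence the ForAnyValue set operator.
            "Condition": {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": [org_path]}},
        }],
    }


def iam_string_like(pattern: str, value: str) -> bool:
    """Model of IAM's StringLike: case-sensitive; '*' matches any run of
    characters (including '/'), '?' exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def principal_org_path(org_id: str, root_id: str, ou_chain: list) -> str:
    """The value IAM supplies for aws:PrincipalOrgPaths for a principal whose
    account sits under the given chain of OUs (empty chain = directly under root)."""
    return "/".join([org_id, root_id, *ou_chain]) + "/"


def invoke_allowed(policy: dict, principal_paths: list) -> bool:
    """Evaluate only the org-path condition of the policy above. An unauthenticated
    (unsigned) request carries no principal, so principal_paths is empty and the
    condition fails: this policy never admits anonymous callers."""
    patterns = policy["Statement"][0]["Condition"]["ForAnyValue:StringLike"]["aws:PrincipalOrgPaths"]
    return any(iam_string_like(pat, path) for pat in patterns for path in principal_paths)


if __name__ == "__main__":
    print(json.dumps(lattice_auth_policy(PROD_OU_PATH), indent=2))
    for chain in ([PROD_OU], [PROD_OU, "ou-ab12-33333333"], ["ou-ab12-22222222"], []):
        path = principal_org_path(ORG_ID, ROOT_ID, chain)
        print(path, "->", invoke_allowed(lattice_auth_policy(PROD_OU_PATH), [path]))
```

Two caveats worth remembering: the auth policy only takes effect when the service's auth type is set to AWS_IAM (with auth type NONE the policy is ignored), and callers must sign requests with SigV4, otherwise there is no principal for the condition to evaluate and the request is denied.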

Security Lake

Source: Introducing Amazon Security Lake (Preview)

Amazon Security Lake is a managed security data lake service that lets you centrally aggregate security-related datasets (both AWS-native and custom/external sources), control access to them, and automatically transform them into a standard, query-friendly format. Diving a little deeper:

  • Uses the Open Cybersecurity Schema Framework (OCSF), a standard schema for common security events. Also worth noting that data is stored in Apache Parquet format
  • Integrates with AWS Security Hub and a staggering number of third-party sources and subscribers, with CrowdStrike, Okta, and Falco to name a few
  • Can also collect directly from CloudTrail, Route 53 Resolver query logs, and VPC Flow Logs
  • Supports rolling up multi-region Security Lakes into a single region
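The native sources arrive already in OCSF; the work falls on the custom sources, which you normalize yourself. As an added example (not Security Lake or OCSF project code), the block below maps a constructed SSO product's login records into OCSF Authentication events and checks the required fields before delivery. The OCSF field names and class identifiers (category_uid 3, class_uid 3002, activity 1 = Logon, type_uid = class_uid * 100 + activity_id) are from OCSF 1.0 as I recall them; check them against the schema version your lake expects.

```python
"""Added example (not Security Lake or OCSF project code): normalizing a custom
source's logs into OCSF-shaped events before delivering them to Security Lake.
The source format and product are constructed; the OCSF field names and the
Authentication class identifiers are from OCSF 1.0 as I recall them and must be
checked against the schema version your lake expects."""
import json
from datetime import datetime, timezone

# Constructed sample: two records from a hypothetical SSO product's export.
SAMPLE_RECORDS = [
    {"ts": "2022-12-01T14:03:09Z", "user": "alice@example.com", "ip": "203.0.113.7",
     "event": "user.session.start", "result": "SUCCESS", "mfa": True},
    {"ts": "2022-12-01T14:05:41Z", "user": "bob@example.com", "ip": "198.51.100.23",
     "event": "user.session.start", "result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
]
PRODUCT = {"name": "ExampleSSO", "vendor_name": "Example Corp", "version": "1.0"}  # constructed

CATEGORY_IAM, CLASS_AUTHENTICATION, ACTIVITY_LOGON = 3, 3002, 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFORMATIONAL, SEVERITY_LOW = 1, 2
# Fields every OCSF event needs before it is worth putting in the lake.
REQUIRED = ("category_uid", "class_uid", "activity_id", "type_uid", "time", "severity_id", "metadata")


def to_epoch_ms(ts: str) -> int:
    """OCSF `time` is milliseconds since the epoch, UTC."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def normalize(record: dict) -> dict:
    """Map one source record to an OCSF Authentication event."""
    ok = record["result"] == "SUCCESS"
    return {
        "category_uid": CATEGORY_IAM,
        "class_uid": CLASS_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": CLASS_AUTHENTICATION * 100 + ACTIVITY_LOGON,
        "time": to_epoch_ms(record["ts"]),
        # Failed logons are worth a look; successes are informational.
        "severity_id": SEVERITY_INFORMATIONAL if ok else SEVERITY_LOW,
        "status_id": STATUS_SUCCESS if ok else STATUS_FAILURE,
        "status_detail": record.get("reason"),
        "is_mfa": bool(record.get("mfa", False)),
        "user": {"name": record["user"]},
        "src_endpoint": {"ip": record["ip"]},
        "metadata": {"version": "1.0.0", "product": PRODUCT},
        # Anything with no schema home goes to `unmapped` rather than being dropped.
        "unmapped": {"event": record["event"]},
    }


def validate(event: dict) -> dict:
    """Reject events that would be unqueryable (or silently partitioned wrong)."""
    missing = [k for k in REQUIRED if event.get(k) is None]
    if missing:
        raise ValueError(f"OCSF event missing required fields: {missing}")
    return event


def normalize_all(records) -> list:
    return [validate(normalize(r)) for r in records]


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_RECORDS):
        print(json.dumps(ev))
```

Security Lake expects custom-source data as Parquet objects under the prefix it assigns when you register the source; the JSON output here is only for readability, and the Parquet conversion (for example with pyarrow) is left out of the example.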

If you are considering Security Lake, it is worth visiting the pricing page. The preview period waives the service's own charges, which makes it a solid way to get an idea of what you would pay to run it. Note that while Security Lake is free during the preview (and the eventual 15-day free trial), the underlying AWS services it uses may still incur charges (S3, SQS, EventBridge).

Catch Adam Selipsky talking about it during the keynote for more info!

Inspector support for AWS Lambda

Source: Amazon Inspector Now Scans Lambda Functions For Vulnerabilities

Amazon Inspector now supports scanning Lambda functions for vulnerabilities! This is a very welcome enhancement: deployed Lambda functions are scanned for known vulnerabilities in their dependencies. Scans appear to have a few different triggers:

  • Initially enabling Inspector, which then discovers existing Lambda functions
  • New deployments and updates of Lambda functions
  • Inspector adding new CVEs to its database

The documentation also states that Inspector continuously rescans existing Lambda functions even when none of the above occur.

This covers a valuable blind spot: Lambda functions that go a while without a deployment, and new CVEs published between deployments. It is also a quick way to get coverage if you aren't doing pipeline scanning yet.
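Because these scans run between deployments, the findings show up asynchronously, so the practical question is how to route them. The following is an added example (not Amazon Inspector code) that triages Lambda findings as they arrive through EventBridge: page on fixable findings at or above a severity threshold, backlog the rest, and ignore closed findings and non-Lambda resources. The event envelope and detail fields (detail-type "Inspector2 Finding", status, severity, fixAvailable, resources[].type == "AWS_LAMBDA_FUNCTION", packageVulnerabilityDetails) follow the Inspector finding shape as I recall it and should be verified against the current format; the events, function names, package and CVE identifiers are constructed placeholders.

```python
"""Added example (not Amazon Inspector code): triaging Inspector findings for
Lambda functions as they arrive through EventBridge. Field names follow the
Inspector finding shape as I recall it; the events, function names, package
and CVE identifiers below are constructed placeholders."""

SEVERITY_RANK = {"INFORMATIONAL": 0, "UNTRIAGED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _event(resource_arn, cve, severity, fix, status="ACTIVE", resource_type="AWS_LAMBDA_FUNCTION"):
    """Build a constructed EventBridge event in the Inspector finding shape."""
    return {
        "source": "aws.inspector2",
        "detail-type": "Inspector2 Finding",
        "detail": {
            "status": status,
            "type": "PACKAGE_VULNERABILITY",
            "severity": severity,
            "fixAvailable": fix,
            "title": f"{cve} - examplelib",
            "packageVulnerabilityDetails": {
                "vulnerabilityId": cve,
                "vulnerablePackages": [{"name": "examplelib", "version": "1.0.0",
                                        "fixedInVersion": "1.0.1" if fix == "YES" else None,
                                        "packageManager": "PIP"}],
            },
            "resources": [{"type": resource_type, "id": resource_arn}],
        },
    }


ARN = "arn:aws:lambda:us-east-1:111122223333:function:"
SAMPLE_EVENTS = [
    _event(ARN + "order-api", "CVE-0000-0001", "CRITICAL", "YES"),
    _event(ARN + "report-gen", "CVE-0000-0002", "MEDIUM", "YES"),
    _event(ARN + "order-api", "CVE-0000-0003", "HIGH", "NO"),
    _event(ARN + "order-api", "CVE-0000-0004", "HIGH", "YES", status="CLOSED"),  # fixed by a redeploy
    _event("arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0",
           "CVE-0000-0005", "CRITICAL", "YES", resource_type="AWS_EC2_INSTANCE"),
]


def lambda_findings(event):
    """Return (function name, detail) for each Lambda resource in an ACTIVE finding."""
    if event.get("source") != "aws.inspector2" or event.get("detail-type") != "Inspector2 Finding":
        return []
    d = event["detail"]
    if d.get("status") != "ACTIVE":   # CLOSED/SUPPRESSED findings arrive too; don't re-alert on them
        return []
    out = []
    for r in d.get("resources", []):
        if r.get("type") == "AWS_LAMBDA_FUNCTION":
            # ARN tail is "function:<name>" or "function:<name>:<version>"
            out.append((r["id"].split(":function:")[-1].split(":")[0], d))
    return out


def should_page(detail, min_severity):
    """Page only on findings at/above the threshold that actually have a fix;
    the rest go to a backlog so the pager is not filled with unfixable items."""
    severe = SEVERITY_RANK.get(detail.get("severity"), 0) >= SEVERITY_RANK[min_severity]
    return severe and detail.get("fixAvailable") == "YES"


def triage(events, min_severity="HIGH"):
    """Split incoming events into (page, backlog) lists of compact work items."""
    page, backlog = [], []
    for ev in events:
        for fn, d in lambda_findings(ev):
            pkgs = d["packageVulnerabilityDetails"]["vulnerablePackages"]
            item = {
                "function": fn,
                "cve": d["packageVulnerabilityDetails"]["vulnerabilityId"],
                "severity": d["severity"],
                "package": pkgs[0]["name"] if pkgs else None,
                "fixed_in": pkgs[0].get("fixedInVersion") if pkgs else None,
            }
            (page if should_page(d, min_severity) else backlog).append(item)
    return page, backlog


if __name__ == "__main__":
    for bucket, items in zip(("PAGE", "BACKLOG"), triage(SAMPLE_EVENTS)):
        for it in items:
            print(bucket, it)
```

The status check matters in practice: Inspector emits an event when a finding closes after the next deployment picks up the patched dependency, and a naive handler that keys only on severity would page twice for one vulnerability.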


Releases by category

See below for a more comprehensive list of AWS releases that may be of interest to cloud security pros! We're also including some recent releases from just before re:Invent (aka "preInvent").

Identity

Payload-Based Message Filtering for SNS

AWS Backup Organizations Delegated Administration

AWS Organizations Delegated Administration

ABAC support for Lambda in GovCloud

Identity Center Session Duration Management for CLI/SDK

CloudFormation support for AWS Organizations OUs, Accounts, Policies

Support for Multiple MFA Devices

Tag Policies Available in GovCloud

Networking

New Service - AWS Verified Access

Cross Account Support for Amazon VPC Reachability Analyzer

CloudFront Supports JA3 Fingerprint Headers

Data Protection

External Key Store for KMS

Automated Sensitive Data Discovery

Redaction for Sensitive Data in CloudWatch Logs

EKS/K8s Support for Nitro Enclaves

Redshift support for Lake Formation

Cross Account Support for S3 Access Points

AWS Backup Support for Amazon Redshift

Request Level Information For S3 Access Control Lists in CloudTrail

Security Automation

AWS Config Proactive Compliance

Cross Account Support For Step Functions

CloudTrail Lake Support for AWS Config Configuration Items

Account Customization For Control Tower

Comprehensive Controls Management for Control Tower

Compliance

AWS Backup support for Centralized Reporting Of Your Organization

AWS Backup Legal Hold Support

Vendor Risk Assessments For AWS Marketplace

Happy Building!

The information presented in this article is accurate as of December 05, 2022.

If you have any questions, or would like to discuss this topic in more detail, feel free to contact us and we would be happy to schedule some time to chat about how Aquia can help you and your organization.

Categories

Security AWS