AWS ReInvent and PreInvent security recap

Keeping up with the sheer number of releases that come out of both Re:Invent and Pre:Invent is almost an impossible task, as well as trying to find the ones relevant to you. I compiled all security-relevant AWS announcements and tried to highlight the ones I found the most interesting. Happy reading!

Categories

• Categories
• Generative AI
• Logging and Threat Detection
• Identity and Access
• Network Security
• Governance, Risk, and Compliance
• Otherwise Interesting
• Conclusion

Generative AI

Natural Language Querying for Everyone!

Several existing security-relevant AWS services received support for querying via Natural Language Processing. I think this is an awesome use case for security, as it makes querying of logs accessible for more individuals. I see this being compelling for personas like Security Operations Center (SOC) analysts or even governance, risk, and compliance (GRC) professionals who know what they are looking for but may not want to fight with SQL or Cloudwatch Logs queries.

Release of Amazon Q

While not entirely security related, Amazon released Amazon Q, a generative AI-powered assistant that is trained specifically on your company’s data. I have yet to take it for a spin. The interesting part from a security perspective is that the service claims to “understand and respect your existing governance identities, roles, and permissions and use this information to personalize its interactions.” My mind jumps to what we have seen with OpenAI Custom GPTs, and individuals being able to convince them to dump their knowledge file or do other unintended things. A pretty impressive feat if Amazon has managed to tackle this problem safely.

AI Guardrails!

Amazon Bedrock, a service for building generative AI applications, hit general availability back in September. Now we get a service to protect these workloads in Guardrails for Amazon Bedrock. It supports denied topics and content filters out of the box, with PII redaction planned in the future.

Links:

• Amazon Q generative SQL is now available in Amazon Redshift Query Editor (preview)
• AWS announces Amazon Q (Preview)
• Amazon Q in QuickSight simplifies data exploration with Generative BI capabilities (Preview)
• Safeguard generative AI applications with Guardrails for Amazon Bedrock (Preview)
• AWS Config launches generative AI-powered natural language querying (Preview)
• Amazon CloudWatch announces AI-powered natural language query generation (in preview)
• Amazon Detective introduces finding group summaries using generative AI

Logging and Threat Detection

GuardDuty Runtime Expands to ECS, ECS Fargate, and EC2

Earlier this year, AWS released GuardDuty Runtime support for Elastic Kubernetes Service (EKS) workloads. GuardDuty runtime provides 30+ detections for potentially malicious activity in your containers — think stuff like popping a reverse shell, cryptomining, or process injection as examples. AWS expanding this to EC2, ECS, and ECS Fargate workloads is a welcome addition and gives AWS an EDR-like play for EC2 workloads. The new runtime capability requires an agent that is either deployed to the EC2 Instance, ECS Cluster, or as a sidecar container for Fargate workloads.

Amazon Inspector Now Supports Agentless Scanning

AWS has finally followed in the steps of some of the larger cloud-native application protection platform (CNAPP) players by adding an agentless vulnerability scanning capability to AWS Inspector. This capability relies on snapshotting the EBS Volume of the EC2 Instance in question. In a perfect world, everyone would use the golden AMI (or not use EC2 at all) with their vulnerability management agent of choice baked in, but that doesn’t always match reality. Having the ability to ensure we have coverage regardless of having the inspector agent installed is a nice touch.

General Logging Improvements Across Services

Several smaller improvements made it across the finish line for logging capability. S3 Server Access logs now support automatic date-based partitioning, which will make the lives of those attempting to do useful things with them in services like Athena easier.

Prior to this Re:Invent, read-only events (e.g. secretsmanger:ListSecrets) could not be accessed from Cloudtail to Eventbridge. This is no longer the case, and opens more use cases for time-sensitive security detections. I also appreciate AWS eliminating edge cases and one-offs across their services to make it easier to build on without discovering things like CloudTrail not exposing read-only events to EventBridge.

Finally, SQS gets support for data plane logging, joining S3 and Lambda. Any managed service that processes data should offer this option, and doing so allows customers to better secure their side of the shared responsibility model. SQS data event logging is managed via CloudTrail.

Links:

• Amazon GuardDuty now supports runtime monitoring for Amazon EC2 (Preview)
• Introducing Amazon GuardDuty ECS Runtime Monitoring, including AWS Fargate
• Amazon Detective supports security investigations for Amazon GuardDuty ECS Runtime Monitoring
• Amazon Detective now supports log retrieval from Amazon Security Lake
• AWS announces CloudWatch Logs Anomaly Detection and Pattern analysis
• AWS CloudTrail Lake data now available for zero-ETL analysis in Amazon Athena
• Amazon S3 server access logging now supports automatic date-based partitioning
• Amazon EventBridge EventBus announces support for read-only API events from CloudTrail
• Amazon SQS announces support for logging data events in AWS CloudTrail
• Amazon GuardDuty introduces new machine learning capability to enhance threat detection for Amazon EKS detections

Identity and Access

IAM Policy and Preventative Controls Enhancements

There were a few notable IAM policy releases. The two most relevant being new condition key support for enforcing particular security and access policies upon creation of new Elastic Load Balancers, as well as support for enforcing that only AWS services (such as AWS Cloudtrail) from your organization can take actions on your behalf via the aws:SourceOrgID condition keys. Pre-Invent also brought us the ability to outright block public AMIs, much like the existing control for S3.

Data Service Access control Improvements

Several of the AWS data services saw improvements to access controls within the services themselves, separate from AWS IAM.

S3 Access Grants aim to provide an option for granular access control to large-scale S3 datasets, whereas Bucket Policies or S3 Access Points wouldn’t provide a scalable approach.

Redshift saw several access control improvements, including metadata security, row-level security, and fine-grained access control to nested objects. LakeFormation also added a capability for granular access control on nested objects. I am very much sensing a theme with all of these large data access releases!

EKS Pod Identity

EKS currently has IAM Roles for Service Accounts (IRSA), which provides a capability to associate IAM roles with Kubernetes workloads. This relied on a properly configured trust policy (using sts:AssumeRoleForWebIdentity) and applying annotations to the Kubernetes Service Account to associate it with the Role. EKS Pod Identity aims to simplify this process by allowing you to manage the identities and associations via the AWS Control plane, as well as eliminating the need for an OpenID Connect (OIDC) provider and trust.

IAM Access Analyzer and Action Last Accessed Info Continue to Expand Service Support

Both IAM Access Analyzer’s policy generation feature and Service/Action last accessed info are not new features. They have often been held back by a lack of service/action support. The policy generation capability from CloudTrail added support for 200 additional services. I see this as a nice feature for dev teams who may not be as comfortable with the IAM Policy language.

I think the compelling feature for security teams here is the continued expansion of more action-level “last accessed” information. Previously, the Last Accessed panel provided only if an Identity has used a particular service, as opposed to a particular API within that service (think knowing that a role uses the DynamoDB Service vs. knowing that a role only uses the dynamodb:UpdateTable API. Initial action-level support was very small, which is why I am excited to see this expanded to more services.

Custom policy checks are also interesting. Access Analyzer provides a new CheckAccessNotGranted API that allows you to utilize Access Analyzer to evaluate a policy for permitted actions. I would love to see support added to the API for resource and condition key evaluation in the future.

Links:

• Amazon Redshift now supports metadata security to simplify multi-tenant applications
• Amazon Redshift announces general availability of row-level security enhancements
• Amazon Redshift announces new fine-grained access control capabilities to nested objects (preview)
• IAM Access Analyzer now simplifies inspecting unused access to guide you toward least privilege
• IAM Access Analyzer introduces custom policy checks powered by automated reasoning
• Amazon EKS introduces EKS Pod Identity
• Amazon S3 Access Grants integrate with identity providers to simplify data lake permissions
• Amazon Verified Permissions now provides an enhanced visual mode for schema editing
• AWS Lake Formation data filters now support permissions on nested data
• Amazon Verified Permissions now supports batch authorization
• AWS IAM Identity Center now provides new APIs to automate access to applications
• AWS IAM Identity Center provides new account instance for faster evaluation and adoption of AWS managed applications
• Announcing AWS IAM Identity Center APIs for visibility into workforce access to AWS
• New organization-wide IAM condition keys to restrict AWS service-to-service requests
• Announcing Policy Assistant for AWS Verified Access
• IAM Access Analyzer policy generation now extends coverage to over 200 AWS services
• AWS Glue announces entity-level actions to manage sensitive data
• AWS Lambda now supports IAM access control for multi-VPC enabled Amazon MSK clusters
• Amazon QuickSight now supports programmatic user access management by assigning groups to roles
• Enforce fine-grained access control via AWS Lake Formation with Open Table Formats on Amazon EMR
• Amazon MSK extends AWS IAM support to all programming languages for new clusters
• AWS Elastic Load Balancing introduces IAM condition keys for encryption and access controls
• Amazon MSK extends AWS IAM support to all programming languages for new clusters
• AWS IAM action last accessed information for more than 60 additional services
• Amazon EKS adds support for customer managed IAM policies
• AMI Block Public Access now enabled for all new accounts and existing accounts with no public AMIs

Network Security

ALB mTLS Support

AWS Application Load Balancers (ALBs) now support authentication via Mutual TLS (mTLS). You can either configure the ALB to pass through the certificate chain to the backend and validate in your application, or have the ALB itself handle validation. It also supports certificate revocation checks. I think this is especially interesting for anyone working on any zero trust initiative in their organization.

Network Firewall Egress TLS Inspection Support Region Rollout

For those of us who are required to implement strict network security controls like TLS inspection, having an AWS-managed option is always nice. Egress TLS inspection was released for AWS Network Firewall in the Tel Aviv and Europe regions. Hopefully, we will see a quick rollout to other AWS regions.

Links:

• Application Load Balancer can authenticate X.509 certificate based identities with Mutual TLS support
• Application and Network Load Balancer now supports FIPS 140-3 for TLS Termination
• EC2 Security group connection tracking adds support for configurable idle timeouts
• AWS Network Firewall announces support for egress TLS inspection in 2 regions
• Amazon CloudFront announces unified security dashboard

Governance, Risk, and Compliance

Audit Manager Generative AI Framework

This appears to be an out of box framework to evaluate the security posture of Amazon Bedrock usage. It is a custom framework that claims to have 34 fully automated controls and 18 partially automated controls pertaining to the usage of Amazon Bedrock. I haven’t been able to actually take this for a spin, but happy to see compliance automation for even bleeding-edge services like this.

New Checks and Resource Types Across Config, SecurityHub, Resource Explorer, and Trusted Advisor

There were also several smaller announcements pertaining to additional resource support for Config, Config Advanced Query, and Resource Explorer. If you use any of these services, they are definitely worth a glance to see what was missing. AWS Trusted Advisor added a large amount of new checks, which you can now retrieve via their new API.

Links:

• Announcing new finding enrichment in AWS Security Hub
• Announcing major dashboard enhancements in AWS Security Hub
• AWS Control Tower announces 65 new controls to help meet digital sovereignty requirements
• Amazon Inspector agentless vulnerability assessments for Amazon EC2 now in preview
• AWS Trusted Advisor announces new APIs
• AWS Audit Manager launches its first GRC integration with MetricStream
• AWS Resource Explorer supports 86 new resource types
• AWS Trusted Advisor adds 37 Amazon RDS checks
• AWS Control Tower now supports tagging for controls enabled in AWS Control Tower
• AWS Audit Manager introduces framework for generative AI on Amazon Bedrock
• AWS Config launches inventory and compliance dashboards
• AWS Config advanced queries support 41 new resource types
• AWS Trusted Advisor adds 64 new checks powered by AWS Config
• AWS Config now supports 19 new resource types

Otherwise Interesting

Cool Features for Security Builders: Batch Secrets Retrieval, Step Functions HTTPS Endpoints and Testing Improvements, and More!

If you find yourself building security automation on AWS, you might have utilized AWS Step Functions in the past. My co-worker Dustin Whited wrote an awesome blog about this! Step Functions now supports HTTPS endpoint integrations, meaning you can integrate with any third-party service that exposes a webhook without using a Lambda step! They also announced the TestState API, which allows you to test individual states. My biggest hesitation with utilizing this for complex logic/workflows was difficulty in testing. I’m very happy to see improvements to this.

If you have Lambdas utilizing more than one secret in Secrets Manager, you can now retrieve those with a single API call using the BatchGetSecretValue API. Seems nice for limiting additional latency. Those who monitor usage of sensitive APIs in their organization may want to add this one to their list, however.

For those in the DevSecOps world, Amazon Inspector now natively supports integrating with CI/CD pipelines to preform vulnerability scans. You can either utilize a premade plugin (Jenkins and TeamCity to start), or integrate any other CI provider by utilizing the Amazon Inspector SBOMGen tool to generate an SBOM to be fed to the new Amazon Inspector Scan API. This poses a good opportunity for teams already using Inspector to eliminate duplicative tooling just for CI scans.

Finally, AWS Control Tower released APIs for creating and managing landing zones. I have mixed feelings about this, as I perceived the strength of Control Tower to be for an easy-to-use, click-ops-based approach to standing up a Landing Zone. I personally prefer to manage my organizations using tools like Terraform or OrgFormation using an Infrastructure-as-Code first approach, but I understand that approach is not for everyone. I took a look at the CreateLandingZone API, and that API requires a manifest specifying the configurations of the landing zone.

Links:

• Amazon Inspector enhances container image security by integrating with developer tools
• Amazon OpenSearch Service zero-ETL integration with Amazon S3 preview now available
• AWS Step Functions launches support for HTTPS endpoints and a new TestState API
• New from AWS: You can now customize security controls in AWS Security Hub
• AWS Cloud Map now supports AWS CloudTrail data events
• AWS CloudTrail Lake now supports CloudTrail Insights
• Amazon EKS now allows modification of cluster subnets and security groups \
• AWS Secrets Manager now supports batch retrieval of secrets
• Automate AWS Control Tower landing zone operations using APIs

Conclusion

I am very thankful to have the opportunity to attend Re:Invent in person. Even being there, in the process of putting together these recaps, I always find something interesting I somehow missed out on. Hoping this recap does the same for you! And if you’re looking for help navigating security or compliance in the cloud, give us a shout! Happy building!

If you have any questions, or would like to discuss this topic in more detail, feel free to contact us and we would be happy to schedule some time to chat about how Aquia can help you and your organization.