AWS re:Invent is a learning conference hosted by AWS for the global cloud computing community in Las Vegas every year. The in-person event is, in my opinion, AWS’s showpiece event, featuring keynote announcements from the likes of Adam Selipsky, Werner Vogels, Peter DeSantis and Swami Sivasubramanian. In addition, there are opportunities for training and certification, access to many technical sessions, plenty of networking opportunities and the infamous re:Play Party.
Unfortunately, I was unable to make the event this year for several reasons, both work and personal. However, I endeavour to keep up to date with the announcements made during the course of the week, as well as watching the keynotes of both Adam Selipsky (AWS CEO) and Werner Vogels (Amazon CTO), as they are typically my highlights.
In this post, I’m going to go through some of the service announcements and updates that I think will make both my own job and the jobs of the customers I engage with easier. This isn’t to say that many of the other announcements aren’t of benefit, but the ones below I think will complement the environments that I see or work with on a regular basis.
AWS Control Tower
At re:Invent 2021, AWS announced its equivalent in Account Factory for Terraform, but that has a fundamental shortcoming: it still relies on CloudFormation behind the scenes, so it is not truly Terraform-native. This, in my opinion, is a long overdue addition to Control Tower. It allows consumers to customise their AWS account baselines to meet their specific needs. For example, provision a VPC in an account but obtain the IP CIDR from VPC IP Address Management. Prior to this there were a variety of ways of carrying out account customisations, but this has made it more accessible and simpler to implement. A word of caution: the AWS documentation for this is currently in need of improvement, as it contains errors. I’ll create a future blog post that walks through the end-to-end process.
One typical activity after deploying Control Tower is enabling controls (formerly known as guardrails) on Organizational Units to provide a security baseline for the environment from both a detective and a preventative perspective. This was partially achievable through the limited number of controls that Control Tower provided (using either AWS Config rules or Service Control Policies), but it was often supplemented by AWS Security Hub. This addition brings the ability to apply controls relating to NIST in addition to both CIS 1.4 and PCI-DSS 3.2.1, the latter two having previously only been available via Security Hub. The following blog post by Danilo Poccia provides an overview and brief walkthrough of the service addition. One improvement I’d like to see is better support for filtering of controls. For example, if I were to filter on Establish Logging & Monitoring, it would be good to then be able to select a particular framework or service to understand specifically what I need to implement, rather than needing to scroll through pages of controls, more so because the ability to enable multiple controls at once in Control Tower is limited.
Amazon GuardDuty
GuardDuty has extended its threat detection coverage to help protect Amazon RDS databases. The preview release only supports Amazon Aurora. RDS Protection analyses and profiles RDS login activity for potential access threats to Aurora databases (both the MySQL and PostgreSQL compatible editions), allowing you to identify potentially suspicious login behaviour.
Amazon Macie
Macie now provides the capability to carry out sensitive data discovery out of the box. Previously, discovery jobs had to be configured on a per S3 bucket basis, and at quite a cost. Macie’s capabilities are great, but they come at a cost, and although this new functionality arrives with a price reduction for the service, I have yet to get my hands dirty with it for fear of ending up with a hefty bill. The following blog post by Sébastien Stormacq provides an overview and brief walkthrough of the service addition.
Amazon Inspector
At re:Invent 2021, AWS said that it had pretty much rebuilt Inspector from the ground up, as prior to that the service only really covered EC2 instances. Since then the service has gone from strength to strength, first integrating with Amazon ECR for image scanning on push, and now, by adding support for AWS Lambda functions as well, providing comprehensive vulnerability scanning across AWS’s compute offerings. The following blog post by Marcia Villalba provides an overview and brief walkthrough of the service addition.
Amazon CloudWatch
CloudWatch now provides the ability to establish a centralised monitoring account and connect other AWS accounts as sources. You can then search, audit and analyse logs across your applications to drill down into operational issues in a matter of seconds. You can discover and visualise metrics from many accounts in a single place and create alarms that evaluate metrics belonging to other accounts, which helps reduce the time and effort required to troubleshoot issues. The following blog post by Danilo Poccia provides an overview and brief walkthrough of the service addition.
In addition, CloudWatch Logs has introduced data protection, which masks sensitive data emitted into log events according to the data protection policy you establish. The following blog post by Marcia Villalba provides an overview and brief walkthrough of the service addition.
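As an added example (not code from the original post or from AWS’s own samples), the following Python builds a CloudWatch Logs data protection policy of the shape the feature expects: an Audit statement that reports findings to a separate log group, followed by a Deidentify statement that masks the same identifiers in the stored events, with a validator that catches the common mistakes before the policy is pushed. The managed data identifier names, the log group names and the `apply_policy` step via boto3 are assumptions; the builder and validator run offline.

```python
import json

# Managed data identifiers are referenced by ARN with this fixed prefix.
IDENTIFIER_PREFIX = "arn:aws:dataprotection::aws:data-identifier/"
POLICY_VERSION = "2021-06-01"


def build_policy(name, identifiers, findings_log_group):
    """Return a data protection policy dict for the given managed identifiers.

    Two statements over the same identifiers: Audit (listed first) writes a
    finding per match to findings_log_group; Deidentify masks the matched
    characters in the stored log events.
    """
    arns = [IDENTIFIER_PREFIX + ident for ident in identifiers]
    return {
        "Name": name,
        "Description": "Audit and mask sensitive values in application logs",
        "Version": POLICY_VERSION,
        "Statement": [
            {"Sid": "audit", "DataIdentifier": arns,
             "Operation": {"Audit": {"FindingsDestination": {
                 "CloudWatchLogs": {"LogGroup": findings_log_group}}}}},
            {"Sid": "mask", "DataIdentifier": arns,
             "Operation": {"Deidentify": {"MaskConfig": {}}}},
        ],
    }


def validate_policy(policy, attached_log_group):
    """Return a list of problems; an empty list means the document looks sound."""
    problems = []
    stmts = policy.get("Statement", [])
    ops = [next(iter(s.get("Operation", {})), None) for s in stmts]
    if ops != ["Audit", "Deidentify"]:
        problems.append("need an Audit statement followed by a Deidentify statement")
    if len(stmts) == 2 and stmts[0].get("DataIdentifier") != stmts[1].get("DataIdentifier"):
        problems.append("both statements must list the same data identifiers")
    for arn in {a for s in stmts for a in s.get("DataIdentifier", [])}:
        if not arn.startswith(IDENTIFIER_PREFIX):
            problems.append("not a managed data identifier ARN: " + arn)
    # Keep the audit trail out of the log group it audits (this example's own rule).
    dest = stmts[0]["Operation"]["Audit"].get("FindingsDestination", {}) if ops[:1] == ["Audit"] else {}
    if dest.get("CloudWatchLogs", {}).get("LogGroup") == attached_log_group:
        problems.append("findings destination must differ from the protected log group")
    return problems


def apply_policy(log_group_name, policy):
    """Attach the policy to a log group (needs AWS credentials; not run offline)."""
    import boto3  # imported lazily so build/validate work without boto3 installed
    problems = validate_policy(policy, log_group_name)
    if problems:
        raise ValueError("; ".join(problems))
    return boto3.client("logs").put_data_protection_policy(
        logGroupIdentifier=log_group_name, policyDocument=json.dumps(policy))
```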
Amazon Security Lake
Security Lake is a fully managed security data lake service. You use Security Lake to automatically centralise security data from cloud, on-premises and custom sources into a data lake that is stored within your AWS account. It helps you analyse security data so that you can get a better understanding of the security posture across your organisation and improve the protection of your workloads, applications and data. The following blog post by Channy Yun provides an overview and brief walkthrough of the service addition.