
New AWS security tools, updates help IT protect cloud apps – TechTarget


Last week in Anaheim, Calif., around 6,000 attendees gathered for AWS re:Inforce to share security best practices and learn about the latest security features and updates from AWS. Organizations across industries use AWS to build and deliver software applications. Because they are responsible for securing what they put in the cloud, they need effective security strategies to protect their cloud applications.

Research from TechTarget’s Enterprise Strategy Group shows that while moving applications to public cloud services increases productivity and speeds time to market, the top challenge is security, followed by compliance. Organizations need not only to address security but also to ensure their security programs can scale with the faster development pace that cloud-native development brings.

AWS released a slew of security updates to meet this need. Here’s my recap of the top themes and technologies launched during the conference.

AWS’s role in security

CJ Moses, chief information security officer and VP of security engineering at AWS, kicked off the conference with a refresher on the Shared Responsibility Model: AWS is responsible for security of the cloud, whereas customers are responsible for security in the cloud. He pointed out that “if you have access, you have responsibility,” adding that AWS wants to make security affordable, effective, and straightforward.

He shared updates to Nitro and Firecracker to cover the platform improvements on AWS’s side of the model, security of the cloud. He pointed out that the company’s large global presence makes it a target, but described how that scale breeds intelligence that helps with defense.

AWS’s top priority is preventing security issues from disrupting customers’ businesses. This means collecting threat intelligence, using AWS’s globally distributed network of sensors to monitor environments, building an understanding of threat actor tactics and procedures, and using that intelligence to build new security mechanisms. The figures AWS reported include 300 GB of VPC flow logs ingested per second, 350 billion requests evaluated by AWS Managed Rules for AWS WAF, and 700 DDoS attacks mitigated per year.

This is where the lines of the shared responsibility model blur. As I’ve pointed out before, although customers are responsible for securing what they put in the cloud, cloud service providers are motivated to help them with tools, features, and capabilities that are architected into the platform and its service offerings.

New AWS tools

To that end, AWS has rolled out updates and new features to help with security.

Amazon Verified Permissions enables developers to add fine-grained authorization to their applications without writing complex authorization code themselves. It uses Cedar, a new open-source language for access control, to make it easy to create policies that define who is allowed to access a resource by stating the who (a principal), the allowed actions, and the resource. Open Policy Agent (OPA), which uses the Rego language, is a widely used open-source tool for policy and authorization, but Cedar may be a simpler alternative.
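The following is an added example (not code from the article or from AWS) showing what the principal/action/resource structure looks like in practice: two Cedar policies for a hypothetical photo-sharing app, the boto3-shaped IsAuthorized request the app sends, and a fail-closed decision wrapper. It assumes a policy store whose schema declares the namespace PhotoApp with entity types User, Group and Photo (Photo carrying owner and visibility attributes) and actions viewPhoto and editPhoto; the policy store ID, entity names and the FakeVerifiedPermissions stub are placeholders so the module runs offline.

```python
"""Amazon Verified Permissions + Cedar for a hypothetical photo app (added example)."""
import logging

log = logging.getLogger(__name__)
POLICY_STORE_ID = "PSEXAMPLEPLACEHOLDER"  # placeholder, not a real policy store

# Each Cedar policy names the who (principal), the allowed actions and the
# resource, optionally narrowed by a `when` condition on entity attributes.
CEDAR_POLICIES = {
    "editors-own-photos": """
permit(
    principal in PhotoApp::Group::"editors",
    action in [PhotoApp::Action::"viewPhoto", PhotoApp::Action::"editPhoto"],
    resource
)
when { resource.owner == principal };
""",
    "anyone-views-public": """
permit(
    principal,
    action == PhotoApp::Action::"viewPhoto",
    resource
)
when { resource.visibility == "public" };
""",
}


def entity(entity_type, entity_id):
    """Entity reference in the shape the Verified Permissions API expects."""
    return {"entityType": f"PhotoApp::{entity_type}", "entityId": entity_id}


def install_policies(client, policy_store_id=POLICY_STORE_ID):
    """Create one static policy per Cedar statement; returns the new policy IDs."""
    ids = []
    for name, statement in CEDAR_POLICIES.items():
        resp = client.create_policy(
            policyStoreId=policy_store_id,
            definition={"static": {"description": name, "statement": statement.strip()}},
        )
        ids.append(resp["policyId"])
    return ids


def build_request(user_id, groups, action_id, photo, policy_store_id=POLICY_STORE_ID):
    """Shape an IsAuthorized call. The app supplies the entity data the policies
    need (group membership as parents, photo attributes) so the `when`
    conditions can be evaluated by the service, not by application code."""
    user = entity("User", user_id)
    photo_ref = entity("Photo", photo["id"])
    return {
        "policyStoreId": policy_store_id,
        "principal": user,
        "action": {"actionType": "PhotoApp::Action", "actionId": action_id},
        "resource": photo_ref,
        "entities": {"entityList": [
            {"identifier": user, "parents": [entity("Group", g) for g in groups]},
            {"identifier": photo_ref, "attributes": {
                "owner": {"entityIdentifier": entity("User", photo["owner"])},
                "visibility": {"string": photo["visibility"]},
            }},
        ]},
    }


def is_allowed(client, user_id, groups, action_id, photo):
    """Fail closed: only an explicit ALLOW with no evaluation errors permits."""
    request = build_request(user_id, groups, action_id, photo)
    try:
        resp = client.is_authorized(**request)
    except Exception as exc:  # throttling, network, bad schema: deny, never guess
        log.warning("authorization check failed, denying: %s", exc)
        return False
    if resp.get("errors"):  # e.g. a policy referenced an attribute we did not send
        log.warning("policy evaluation errors, denying: %s", resp["errors"])
        return False
    return resp.get("decision") == "ALLOW"


class FakeVerifiedPermissions:
    """Offline stand-in that records requests and returns a canned decision.
    In production use boto3.client("verifiedpermissions") instead."""

    def __init__(self, decision="DENY", errors=None, raise_exc=None):
        self.decision, self.errors, self.raise_exc = decision, errors or [], raise_exc
        self.requests = []

    def create_policy(self, **kwargs):
        self.requests.append(("create_policy", kwargs))
        return {"policyId": f"policy-{len(self.requests)}"}

    def is_authorized(self, **kwargs):
        self.requests.append(("is_authorized", kwargs))
        if self.raise_exc:
            raise self.raise_exc
        return {"decision": self.decision, "errors": self.errors}
```

The point of the `entities` list is that the ownership and visibility checks live in the Cedar policy, so changing who may edit a photo is a policy change rather than a code change; the fail-closed wrapper ensures a service error never turns into an accidental allow.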

EC2 Instance Connect Endpoint (EIC Endpoint) provides SSH and RDP connectivity to EC2 instances without using public IP addresses. This eliminates the need to assign public IPs to EC2 instances for remote access and saves the time, complexity and cost of setting up and maintaining bastion hosts to tunnel SSH and RDP connections to instances with private IP addresses. EIC Endpoint uses AWS Identity and Access Management (IAM)-based access controls and network-based controls such as security group rules for authentication and authorization before a connection reaches the host, and it records every connection in AWS CloudTrail for auditing.
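The following is an added example (not code from the article or from AWS) that walks the three controls just described for a hypothetical deployment: creating the endpoint, an IAM policy that uses the EIC Endpoint condition keys to limit which private addresses, ports and tunnel durations an operator may use, and a CloudTrail lookup of OpenTunnel events. The boto3 clients are injected so the module runs offline; in production pass boto3.client("ec2") and boto3.client("cloudtrail"). All IDs, ARNs and addresses are placeholders, and the sample CloudTrail record is constructed by hand, so the exact requestParameters field names are an assumption to verify against a real record.

```python
"""EC2 Instance Connect Endpoint: create, scope with IAM, audit via CloudTrail (added example)."""
import json


def create_endpoint(ec2, subnet_id, security_group_ids, preserve_client_ip=True):
    """One endpoint in a private subnet replaces a bastion host. The endpoint's
    security group must allow outbound 22/3389 to the instances, and the
    instances' security groups must allow inbound from the endpoint."""
    resp = ec2.create_instance_connect_endpoint(
        SubnetId=subnet_id,
        SecurityGroupIds=security_group_ids,
        PreserveClientIp=preserve_client_ip,  # keep the caller's IP visible to the instance
    )
    return resp["InstanceConnectEndpoint"]["InstanceConnectEndpointId"]


def tunnel_policy(endpoint_arn, private_cidr, remote_port=22, max_seconds=3600, os_user="ec2-user"):
    """Least-privilege IAM policy for operators. Without the Condition block an
    OpenTunnel grant on the endpoint reaches any private IP and port in the
    VPC; the condition keys pin it to one CIDR, one port and a bounded lifetime."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TunnelOnlyToAppSubnetSsh",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:OpenTunnel",
                "Resource": endpoint_arn,
                "Condition": {
                    "IpAddress": {"ec2-instance-connect:privateIpAddress": private_cidr},
                    "NumericEquals": {"ec2-instance-connect:remotePort": str(remote_port)},
                    "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": str(max_seconds)},
                },
            },
            {   # the CLI pushes a one-time SSH key for this OS user before connecting
                "Sid": "PushOneTimeSshKey",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {"StringEquals": {"ec2:osuser": os_user}},
            },
            {
                "Sid": "DescribeForCli",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints"],
                "Resource": "*",
            },
        ],
    }


def summarize_tunnel_event(cloudtrail_event_json):
    """Flatten one CloudTrail OpenTunnel record into the fields an auditor wants."""
    rec = json.loads(cloudtrail_event_json)
    params = rec.get("requestParameters") or {}
    return {
        "time": rec.get("eventTime"),
        "who": (rec.get("userIdentity") or {}).get("arn"),
        "from_ip": rec.get("sourceIPAddress"),
        "endpoint": params.get("instanceConnectEndpointId"),
        "target": f'{params.get("privateIpAddress")}:{params.get("remotePort")}',
        "denied": bool(rec.get("errorCode")),  # IAM denials are logged too
    }


def recent_tunnels(cloudtrail, max_results=50):
    """Pull the latest OpenTunnel calls from CloudTrail's 90-day event history."""
    resp = cloudtrail.lookup_events(
        LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": "OpenTunnel"}],
        MaxResults=max_results,
    )
    return [summarize_tunnel_event(e["CloudTrailEvent"]) for e in resp.get("Events", [])]


# Constructed sample record, not captured from a real account; the shape follows
# CloudTrail's management-event format, and the requestParameters names are an
# assumption about what OpenTunnel logs.
SAMPLE_OPEN_TUNNEL = json.dumps({
    "eventTime": "2023-06-20T18:02:11Z",
    "eventSource": "ec2-instance-connect.amazonaws.com",
    "eventName": "OpenTunnel",
    "sourceIPAddress": "203.0.113.7",
    "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Operators/alice"},
    "requestParameters": {
        "instanceConnectEndpointId": "eice-0123456789abcdef0",
        "privateIpAddress": "10.0.1.25",
        "remotePort": 22,
        "maxTunnelDuration": 3600,
    },
})
```

With the endpoint created and the policy attached, an operator connects from the AWS CLI v2 with `aws ec2-instance-connect ssh --instance-id <id> --connection-type eice`; any attempt outside the permitted CIDR or port fails at the IAM check and still leaves an OpenTunnel record with an errorCode, which is what the `denied` field surfaces.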

Amazon Inspector code scanning for Lambda functions scans the code of Lambda functions and their associated layers to identify software vulnerabilities, including injection flaws, data leaks, weak cryptography, and missing encryption, based on AWS security best practices. The findings are aggregated in the Amazon Inspector console along with details such as the security detector name, the impacted code snippet, and remediation suggestions. The findings are also routed to AWS Security Hub and pushed to Amazon EventBridge so that workflows can be automated.
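The following is an added example (not code from the article or from AWS) of the automation hook mentioned above: an EventBridge rule pattern that selects active, high-impact code findings, and a target Lambda that turns one finding into a triage record. The event pattern and the sample event are constructed to follow the Inspector finding schema as I understand it (source aws.inspector2, detail-type "Inspector2 Finding", finding type CODE_VULNERABILITY, location under codeVulnerabilityDetails.filePath); treat the exact field names and the CWE list as assumptions to confirm against a real finding. The ticketing and deployment-gate steps are represented by the returned dict.

```python
"""Triage Amazon Inspector Lambda code-scanning findings from EventBridge (added example)."""

# EventBridge rule pattern: only active CRITICAL/HIGH code findings.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "type": ["CODE_VULNERABILITY"],
        "status": ["ACTIVE"],
        "severity": ["CRITICAL", "HIGH"],
    },
}

# Weakness classes that should block a deployment outright rather than just
# open a ticket (an assumed policy: hardcoded credentials, SQL injection,
# OS command injection).
BLOCKING_CWES = {"CWE-798", "CWE-89", "CWE-78"}


def triage(event):
    """Reduce one finding to what a ticket or deployment gate needs."""
    d = event["detail"]
    cv = d.get("codeVulnerabilityDetails") or {}
    loc = cv.get("filePath") or {}
    rec = (d.get("remediation") or {}).get("recommendation") or {}
    cwes = set(cv.get("cwes") or [])
    functions = [r["id"] for r in d.get("resources", []) if r.get("type") == "AWS_LAMBDA_FUNCTION"]
    return {
        "finding_arn": d["findingArn"],
        "functions": functions,
        "severity": d["severity"],
        "detector": cv.get("detectorName"),
        "cwes": sorted(cwes),
        "location": f"{loc.get('filePath')}:{loc.get('startLine')}-{loc.get('endLine')}",
        # A finding sourced from a layer must be fixed in the layer, and every
        # function that uses that layer version is affected, not only this one.
        "fix_in_layer": cv.get("sourceLambdaLayerArn"),
        "remediation": rec.get("text"),
        "action": "block_deploy" if cwes & BLOCKING_CWES else "open_ticket",
    }


def lambda_handler(event, context):
    """Entry point when this module is the EventBridge rule's target."""
    if event.get("source") != "aws.inspector2":
        raise ValueError("unexpected event source: %r" % event.get("source"))
    return triage(event)


# Constructed sample event, not a real finding; ARNs and account are placeholders.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/0123456789abcdef0123456789abcdef",
        "type": "CODE_VULNERABILITY",
        "status": "ACTIVE",
        "severity": "HIGH",
        "title": "CWE-798 - Hardcoded credentials",
        "resources": [{"type": "AWS_LAMBDA_FUNCTION",
                       "id": "arn:aws:lambda:us-east-1:111122223333:function:orders-api:7"}],
        "codeVulnerabilityDetails": {
            "detectorName": "Hardcoded credentials",
            "cwes": ["CWE-798"],
            "filePath": {"fileName": "app.py", "filePath": "src/app.py", "startLine": 10, "endLine": 12},
        },
        "remediation": {"recommendation": {
            "text": "Load the secret from AWS Secrets Manager instead of embedding it in source."}},
    },
}
```

The rule pattern does the coarse filtering so the function only pays for findings worth acting on; the layer check matters because a finding whose source is a layer reappears on every function that uses that layer version until the layer itself is rebuilt.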

Software Bill of Materials (SBOM) Export Capability in Amazon Inspector gives customers a free tool that works from the Amazon Inspector console to generate SBOMs to manage software supply chain security with an inventory of software packages and any associated vulnerabilities. Amazon Inspector exports the SBOMs to an Amazon S3 bucket, with options to download the SBOM artifacts and use Amazon Athena or Amazon QuickSight to analyze and visualize software supply chain trends.

Amazon CodeGuru Security helps developers identify and remediate code vulnerabilities. There has been much discussion about ways to use AI, and this is a good application of ML to static application security testing: it detects vulnerabilities with a low false positive rate, flags issues such as log injection, hardcoded credentials, and resource leaks, and provides the code patch information needed for remediation. The feature is in preview.

Amazon Detective finding groups now incorporate Amazon Inspector findings, combining them with Amazon GuardDuty findings and findings from AWS security services aggregated in AWS Security Hub for situational analysis of security events. Detective looks at patterns and movement across resources, maps activity to the MITRE ATT&CK framework, and supports faster detection and response.

Amazon GuardDuty Findings Summary View is a new feature in the console to help users identify and act on what to remediate to reduce security risk, helping with cloud security posture management. It provides a central view of findings by severity and type, gathering data across sources including Amazon EC2 instances, Amazon S3 buckets, Amazon RDS databases, AWS Lambda functions, and Amazon EKS clusters.

Using generative AI and automated reasoning

AI, particularly generative AI, is a hot topic this year with the emergence and buzz around tools like ChatGPT and Copilot that can simplify application development by generating code. AWS’s Moses described how the company uses generative AI to build more secure code and enhance productivity, applying it to problems such as alert fatigue and to speeding up detection and response.

AWS also described its approach to what it calls provable security, which uses automated reasoning over curated facts to compute verifiable outcomes. AWS contrasted its high assurance and accuracy with generative AI, where large language models can hallucinate and produce incorrect results. AWS applies automated reasoning to key security areas, including storage, networking, identity, and cryptography, and to security capabilities in Amazon CodeGuru, AWS IAM, and Amazon Verified Permissions.

AWS also works with security vendors to better use the platform and services to serve joint customers with added benefits. Vendors including Palo Alto Networks, Trend Micro, Wiz, Orca, Lacework, Snyk, Sysdig, and Uptycs use AWS security integrations and features to help their customers manage security for their applications across cloud and on-premises environments, and are helping ensure security teams scale with faster development cycles.

Senior Analyst Melinda Marks covers application and cloud security for the Enterprise Strategy Group, a division of TechTarget.

Editor’s Note: Enterprise Strategy Group analysts have business relationships with technology vendors.
