New AWS security tools, updates help IT protect cloud apps


Nearly 6,000 attendees gathered at AWS re:Inforce in Anaheim, California last week to share security best practices and learn about the latest AWS security features and updates. Organizations across industries use AWS to build and deliver software applications, and because the customer is responsible for securing what it puts in the cloud, each needs an effective security strategy to protect those applications.

According to research by TechTarget’s Enterprise Strategy Group, moving applications to public cloud services increases productivity and speeds time to market, but the biggest challenge is security, followed by compliance. Organizations not only need to address security; they also need security that scales with the pace of cloud-native development.

AWS has released numerous security updates to meet this need. Here we summarize the main themes and technologies presented during the conference.

AWS’s role in security

CJ Moses, Chief Information Security Officer and Vice President of Security Engineering at AWS, opened the conference with a refresher on the shared responsibility model: AWS is responsible for security of the cloud, and customers are responsible for security in the cloud. “If you have access, you have responsibility,” he said, adding that AWS wants security to be affordable, effective and easy.

He covered the platform improvements behind AWS’s commitment to cloud security, including the latest on the Nitro system and Firecracker. He noted that the company is a target because of its large global presence, but explained how that scale also produces telemetry that is useful for defense.

AWS’s top priority, he said, is to keep security issues from causing business disruption. That means gathering threat intelligence, monitoring the environment with AWS’s globally distributed network of sensors, understanding the tactics and procedures of threat actors, and using that intelligence to build new security mechanisms. The scale he reported includes 300 GB of VPC Flow Logs per second, 350 billion requests evaluated by Amazon Managed Rules on AWS WAF, and 700 DDoS attacks mitigated per year.

This is where the boundaries of the shared responsibility model blur. As noted above, the customer is responsible for securing what it puts in the cloud, but the cloud provider builds security capabilities into each platform and service it offers, and it has a clear incentive to help customers with the tools, features and capabilities that do so.

New AWS tools

To this end, AWS has rolled out updates and new features to aid security.

Amazon Verified Permissions lets developers add fine-grained authorization to their applications without writing complex authorization code. Policies are written in Cedar, a new open source language for access control, and state who (the principal) is allowed to perform which actions on which resources. Open Policy Agent (OPA), which uses the Rego policy language, is a widely used open source tool for policy and authorization; Cedar may prove an easier-to-use alternative.

EC2 Instance Connect Endpoint (EIC Endpoint) provides SSH and RDP connectivity to EC2 instances without public IP addresses. This removes the need to allocate a public IP to an instance for remote access and saves the time, complexity and cost of setting up and maintaining a bastion host to tunnel SSH and RDP to instances with private IPs. EIC Endpoints apply IAM-based access control and network controls such as security group rules for authentication and authorization before a connection reaches the host, and connections are audited through AWS CloudTrail.
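The IAM side of that control deserves a concrete shape. The following is an added example, not code from the article or from AWS: a least-privilege policy for the OpenTunnel action next to the over-broad draft it replaces, plus a small checker that flags the draft. The endpoint ID, account ID, region and CIDR are placeholders; the condition keys are the documented ones for `ec2-instance-connect:OpenTunnel`, and the rule that every Allow must carry the port and address conditions is our own.

```python
"""Least-privilege IAM policy for EC2 Instance Connect Endpoint (EIC Endpoint)
tunnels, with a checker that flags over-broad OpenTunnel grants.

Added example, not from the article or from AWS. The endpoint ID, account ID,
region and CIDR are placeholders; the condition keys are the documented ones for
the ec2-instance-connect:OpenTunnel action."""
import json

# Constructed: the policy we want to ship. OpenTunnel is limited to one endpoint,
# one private subnet, SSH only, and a bounded tunnel lifetime.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TunnelSshOnlyViaOneEndpoint",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Resource": "arn:aws:ec2:us-east-1:111122223333:instance-connect-endpoint/eice-0123456789abcdef0",
            "Condition": {
                "IpAddress": {"ec2-instance-connect:privateIpAddress": "10.0.1.0/24"},
                "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
                "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": "3600"},
            },
        },
        {
            "Sid": "ListEndpoints",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstanceConnectEndpoints",
            "Resource": "*",
        },
    ],
}

# Constructed: a hurried first draft. Any caller can tunnel to any port on any
# reachable private address through any endpoint.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2-instance-connect:*", "Resource": "*"}
    ],
}

# Conditions we insist on for every Allow of OpenTunnel (our rule, not AWS's).
REQUIRED_CONDITION_KEYS = {
    "ec2-instance-connect:remoteport",
    "ec2-instance-connect:privateipaddress",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_open_tunnel(action: str) -> bool:
    """Does this Action string cover OpenTunnel (directly or by wildcard)?"""
    return action.lower() in ("*", "ec2-instance-connect:*", "ec2-instance-connect:opentunnel")


def _condition_keys(statement: dict) -> set:
    """All condition keys in the statement, lower-cased (IAM matches them case-insensitively)."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def check_eic_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_open_tunnel(a) for a in _as_list(stmt.get("Action", []))):
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: OpenTunnel allowed on Resource '*' (any endpoint)")
        for key in sorted(REQUIRED_CONDITION_KEYS - _condition_keys(stmt)):
            findings.append(f"{sid}: OpenTunnel has no {key} condition")
    return findings


if __name__ == "__main__":
    for name, policy in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name, json.dumps(check_eic_policy(policy), indent=2))
```

With the good policy attached, a user still needs network reach: the endpoint's security group must allow outbound traffic to the instance's security group on port 22, and the instance must accept inbound from the endpoint. Client-side, the documented pattern is `ssh -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id %h' ec2-user@<instance-id>`, and every OpenTunnel call lands in CloudTrail.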

Scanning Lambda with Amazon Inspector provides code scanning of Lambda functions and their layers to identify software vulnerabilities such as injection flaws, data leaks, and weak or missing encryption, based on AWS security best practices. Findings are aggregated in the Amazon Inspector console with details such as the security detector name, the affected code snippet and remediation suggestions. Findings are also sent to AWS Security Hub and pushed to Amazon EventBridge for workflow automation.
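The EventBridge hand-off is where the automation lives. As an added example (not the article's or AWS's code), here is a Lambda target that triages an Inspector code-scanning finding into a work item. The event is constructed; its field names follow the Inspector finding object as delivered under the detail-type `Inspector2 Finding` (source `aws.inspector2`), and the severity-to-action routing table is an assumption of ours.

```python
"""Triage an Amazon Inspector Lambda code-scanning finding delivered through
EventBridge.

Added example, not from the article or from AWS. The event below is constructed;
its field names follow the Inspector finding object as delivered with
detail-type "Inspector2 Finding". The routing thresholds are ours."""
import json

# EventBridge rule pattern that selects only code findings of HIGH/CRITICAL severity.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"type": ["CODE_VULNERABILITY"], "severity": ["HIGH", "CRITICAL"]},
}

# Constructed sample event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "region": "us-east-1",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/0123456789abcdef0123456789abcdef",
        "type": "CODE_VULNERABILITY",
        "severity": "HIGH",
        "status": "ACTIVE",
        "title": "CWE-798 - Hardcoded credentials",
        "resources": [
            {"type": "AWS_LAMBDA_FUNCTION",
             "id": "arn:aws:lambda:us-east-1:111122223333:function:order-api:5"}
        ],
        "codeVulnerabilityDetails": {
            "detectorName": "Hardcoded credentials",
            "cwes": ["CWE-798"],
            "filePath": {"fileName": "handler.py", "filePath": "src/handler.py",
                         "startLine": 12, "endLine": 14},
        },
        "remediation": {"recommendation": {"text": "Move the secret to AWS Secrets Manager."}},
    },
}

# Our routing policy by severity (assumption, not an AWS mapping).
ROUTE_BY_SEVERITY = {
    "CRITICAL": "page-oncall", "HIGH": "open-ticket", "MEDIUM": "open-ticket",
    "LOW": "backlog", "INFORMATIONAL": "ignore", "UNTRIAGED": "review",
}


def triage_finding(event: dict) -> dict:
    """Turn an Inspector2 Finding event into a compact work item.

    Returns {"action": "skip", ...} for events the handler should not act on,
    so a mis-wired rule cannot make it open tickets for unrelated events."""
    if event.get("source") != "aws.inspector2" or event.get("detail-type") != "Inspector2 Finding":
        return {"action": "skip", "reason": "not an Inspector finding event"}
    detail = event.get("detail", {})
    if detail.get("type") != "CODE_VULNERABILITY" or detail.get("status") != "ACTIVE":
        return {"action": "skip", "reason": f"{detail.get('type')}/{detail.get('status')}"}
    code = detail.get("codeVulnerabilityDetails", {})
    loc = code.get("filePath", {})
    functions = [r["id"] for r in detail.get("resources", []) if r.get("type") == "AWS_LAMBDA_FUNCTION"]
    severity = detail.get("severity", "UNTRIAGED")
    return {
        "action": ROUTE_BY_SEVERITY.get(severity, "review"),
        "severity": severity,
        "detector": code.get("detectorName"),
        "cwes": code.get("cwes", []),
        "functions": functions,
        "location": f"{loc.get('filePath')}:{loc.get('startLine')}-{loc.get('endLine')}",
        "fix": detail.get("remediation", {}).get("recommendation", {}).get("text"),
        "finding_arn": detail.get("findingArn"),
    }


def lambda_handler(event, context):
    """EventBridge target entry point: triage the finding and log one JSON line."""
    item = triage_finding(event)
    print(json.dumps(item))
    return item


if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, None)
```

The handler keys on the finding's own identifiers (finding ARN, function ARN with version, file and line range), which is what a ticketing or chat integration needs to de-duplicate re-deliveries of the same finding.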

Amazon Inspector’s software bill of materials (SBOM) export gives customers a free tool, run from the Amazon Inspector console, to generate SBOMs and manage software supply chain security using software package inventories and their associated vulnerabilities. Amazon Inspector exports the SBOM to an Amazon S3 bucket of your choosing; from there you can download the artifacts or use Amazon Athena or Amazon QuickSight to analyze and visualize software supply chain trends.
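Once the export has landed in S3, the first thing most teams want is a join of packages to the vulnerabilities that cite them. The following is an added example, not the article's or AWS's code: a small reader for a CycloneDX JSON SBOM (one of the formats Inspector can export) that reports affected packages worst-severity first and lists the clean ones. The SBOM itself is constructed and minimal; a real export carries many more fields.

```python
"""Summarise a CycloneDX 1.4 JSON SBOM: which packages carry which vulnerabilities.

Added example, not from the article or from AWS. Amazon Inspector can export an
SBOM in CycloneDX or SPDX format; the document below is a constructed, minimal
CycloneDX 1.4 file standing in for one downloaded from the export bucket."""
import json
from collections import defaultdict

# Worst to best; unrecognised values are normalised to "unknown".
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]

# Constructed sample: three components, two of them cited by vulnerabilities.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.20", "type": "library", "name": "lodash",
         "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"bom-ref": "pkg:pypi/requests@2.25.1", "type": "library", "name": "requests",
         "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
        {"bom-ref": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3", "type": "library",
         "name": "openssl", "version": "1.1.1n-0+deb11u3"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2021-23337", "ratings": [{"severity": "high", "score": 7.2}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]},
        {"id": "CVE-2020-28500", "ratings": [{"severity": "medium", "score": 5.3}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]},
        {"id": "CVE-2023-32681", "ratings": [{"severity": "medium", "score": 6.1}],
         "affects": [{"ref": "pkg:pypi/requests@2.25.1"}]},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse and sanity-check a CycloneDX JSON document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def _worst_severity(ratings: list) -> str:
    """A vulnerability may carry several ratings; keep the worst one."""
    sevs = [str(r.get("severity", "unknown")).lower() for r in ratings] or ["unknown"]
    sevs = [s if s in SEVERITY_ORDER else "unknown" for s in sevs]
    return min(sevs, key=SEVERITY_ORDER.index)


def vulnerable_packages(bom: dict) -> dict:
    """Map bom-ref -> [{"id", "severity"}, ...] for every component that at least
    one vulnerability 'affects', sorted worst severity first."""
    known_refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    hits = defaultdict(list)
    for vuln in bom.get("vulnerabilities", []):
        severity = _worst_severity(vuln.get("ratings", []))
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            if ref in known_refs:  # skip dangling refs instead of crashing
                hits[ref].append({"id": vuln.get("id"), "severity": severity})
    for entries in hits.values():
        entries.sort(key=lambda e: SEVERITY_ORDER.index(e["severity"]))
    return dict(hits)


def severity_counts(bom: dict) -> dict:
    """How many (package, vulnerability) pairs exist at each severity."""
    counts = defaultdict(int)
    for entries in vulnerable_packages(bom).values():
        for entry in entries:
            counts[entry["severity"]] += 1
    return dict(counts)


def clean_components(bom: dict) -> list:
    """Names of components with no vulnerability pointing at them."""
    hit_refs = vulnerable_packages(bom)
    return sorted(c["name"] for c in bom.get("components", []) if c.get("bom-ref") not in hit_refs)


def report(bom: dict) -> str:
    """Human-readable summary: totals by severity, then one line per affected package."""
    totals = sorted(severity_counts(bom).items(), key=lambda kv: SEVERITY_ORDER.index(kv[0]))
    lines = [f"{sev}: {n}" for sev, n in totals]
    for ref, entries in vulnerable_packages(bom).items():
        lines.append(f"{ref}: " + ", ".join(f"{e['id']} ({e['severity']})" for e in entries))
    lines.append("clean: " + ", ".join(clean_components(bom)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(load_sbom(SAMPLE_SBOM)))
```

Joining on `bom-ref` rather than on package name matters: the same library can appear several times at different versions in one image or function, and only some of those versions are affected.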

Amazon CodeGuru Security helps developers find and fix vulnerabilities in their code. Amid all the discussion of how AI can be used, this is a good application: ML applied to static application security testing to detect vulnerabilities with a low false-positive rate, flagging issues such as log injection, hard-coded credentials and resource leaks, and supplying the code patch information needed for remediation. The feature is in preview.
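To make one of those issue classes concrete, here is log injection as an added example (not code from the article or from CodeGuru Security): a function that logs a user-supplied name unchanged, the forged record that input produces, and the fixed version that escapes control characters. The inputs are constructed.

```python
"""Log injection shown as a vulnerable function beside its fix.

Added example, not from the article or from AWS CodeGuru Security; the inputs
are constructed."""
import io
import logging


def _fresh_logger():
    """A logger writing to an in-memory buffer so each call can inspect its own records."""
    buf = io.StringIO()
    log = logging.getLogger(f"demo.{id(buf)}")
    log.setLevel(logging.INFO)
    log.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log.addHandler(handler)
    return log, buf


# Constructed attacker input: a username that ends the current record and starts
# a forged one claiming a successful admin login.
FORGED_USERNAME = "mallory\nINFO login=success user=admin"


def login_failed_vulnerable(username: str, log: logging.Logger) -> None:
    # BAD: an untrusted value goes into the log line unchanged, so embedded
    # newlines let the caller fabricate additional records.
    log.info("login=failed user=%s", username)


def sanitize_for_log(value: str) -> str:
    """Escape control characters (including CR/LF) so one input yields one record."""
    return "".join(ch if ch.isprintable() else repr(ch)[1:-1] for ch in value)


def login_failed_fixed(username: str, log: logging.Logger) -> None:
    # GOOD: the value is neutralised before it reaches the formatter.
    log.info("login=failed user=%s", sanitize_for_log(username))


def records_written(fn, username: str) -> list:
    """Run fn against a fresh in-memory log and return the lines it produced."""
    log, buf = _fresh_logger()
    fn(username, log)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    print("vulnerable:", records_written(login_failed_vulnerable, FORGED_USERNAME))
    print("fixed:     ", records_written(login_failed_fixed, FORGED_USERNAME))
```

The vulnerable version writes two records, the second indistinguishable from a genuine successful login by `admin`; the fixed version writes one record with the newline rendered as the two characters `\n`. Structured (JSON) logging removes the problem at the root, since field values are encoded rather than concatenated.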

Amazon Detective finding groups collect findings from AWS security services such as Amazon Inspector, GuardDuty and AWS Security Hub for contextual analysis of security events. They surface patterns and lateral movement and map activity to the MITRE ATT&CK framework to support faster detection and response.

The summary view of Amazon GuardDuty findings is a new console feature that helps you manage cloud security posture by showing what to remediate first. It collects data across sources such as Amazon EC2 instances, Amazon S3 buckets, Amazon RDS databases, AWS Lambda functions and Amazon EKS clusters, providing a centralized view of findings by severity and type.

Using generative AI and automated reasoning

AI, and generative AI in particular, is a hot topic this year with the emergence of tools such as ChatGPT and Copilot that simplify application development by generating code. Moses explained how AWS uses generative AI to build more secure code and improve productivity, and how it applies the technique to problems such as alert fatigue and speeding up detection and response.

AWS also explained its approach to provable security, which uses automated reasoning over curated facts to compute verifiable results. It contrasted that high assurance and accuracy with generative AI, which can produce errors through the hallucinations of large language models. AWS applies automated reasoning to key security areas such as storage, networking, identity and encryption, and to security features in Amazon CodeGuru, AWS IAM and Amazon Verified Permissions.

AWS also works with security vendors so that mutual customers can use those vendors’ platforms and services more effectively. Vendors such as Palo Alto Networks, Trend Micro, Wiz, Orca, Lacework, Snyk, Sysdig and Uptycs use AWS security integrations and capabilities to help customers manage application security across cloud and on-premises environments, and to help security teams keep security at pace with faster development cycles.

Melinda Marks, Senior Analyst, is responsible for application and cloud security in the Enterprise Strategy Group, a division of TechTarget.

Editor’s note: Enterprise Strategy Group analysts have business relationships with technology vendors.
