All the Security and Compliance Features Announced at AWS Re:Invent 2018


Yet another Re:Invent has concluded, leaving behind a trail of announcements, new features, and vendor swag (how many T-shirts can we possibly own?).

Security was a hot topic at this year’s conference; so much so that it was discussed in depth within the first 10 minutes of Andy Jassy’s keynote and numerous times afterwards, as well as during Werner Vogels’ keynote the following day.

A number of new security features, products, and changes were announced that piqued our interest. We’ve summarized our notes from the conference below.

AWS Firecracker

Re:Invent had barely started when AWS dropped one of the more interesting announcements of the week: the open sourcing of the virtualization technology behind AWS Lambda and Fargate that enables true, VM-level isolation of workloads. Unlike Docker, Firecracker runs distinct “micro-VMs” that create fully separate kernels, reducing the attack surface for compromised services.

AWS Blog Post

AWS Well-Architected Tool

Designing a secure, highly available, compliant AWS application can be difficult. AWS seems to have recognized this and released a tool to help users evaluate their workloads in the areas of operations, security, reliability, performance, and cost efficiency. The Well-Architected Tool is more of a questionnaire with recommendations than the type of managed service that AWS is known for, but it is still a welcome and helpful addition to its product lineup.

AWS Blog Post

AWS Well-Architected Partner Program

To complement the Well-Architected Tool, AWS also announced a program for its APN partners that can be used when evaluating their clients who run workloads on AWS. By training its partners in best practices, AWS greatly extends the reach of the Well-Architected program.

AWS Blog Post

AWS Control Tower

Many companies use different AWS accounts for different projects, environments, and teams (which is a recommended best practice). A challenge of having so many AWS accounts is that it can be difficult to provision them with the same settings and configurations. Many organizations have relied on custom-built scripts or even manual setup of new accounts, which is both error-prone and time-consuming. Control Tower allows these organizations to rapidly provision new accounts, pre-configured with operational and security best practices, and then monitor them for changes in the future.

AWS Product Page

AWS Transfer for SFTP

While not directly a security service, AWS Transfer does provide a managed solution for something many users were doing quite insecurely on their own. With Transfer for SFTP, users can now SFTP files directly to and from S3 without having to manage any servers or additional self-deployed infrastructure.

AWS Blog Post

AWS Security Hub

There are many different aspects to security on AWS — the configuration of the AWS environment itself (something CloudSploit focuses on), firewalls, application security, network security, etc. AWS also has numerous security or configuration products, including CloudTrail, ConfigService, VPC Flow Logs, and Macie. In addition, there are thousands of third-party vendors, each of which produces its own security findings. Security Hub aims to be an aggregator of all of these products, allowing users to import and analyze the findings from many sources to quickly find security risks within their environments.

AWS Blog Post

KMS Custom Key Store

Users who have strong compliance requirements around key storage can now use KMS Custom Key Store to manage their own keys while still utilizing KMS features and integrations. Using CloudHSM and a custom key storage location, users can guarantee that only they have access to the key material used to encrypt their data.

AWS Blog Post

S3 Object Lock

One critical aspect of compliance is data retention. Previously, when objects were stored in AWS S3, any user with access could delete them. S3 Object Lock allows you to specify a bucket-wide retention policy that prevents objects from being deleted or overwritten during the retention period.

AWS Product Page
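As an added example (not code from CloudSploit or AWS), the following Python models the retention rules Object Lock enforces on an individual object version: the GOVERNANCE and COMPLIANCE retention modes, legal holds, and the s3:BypassGovernanceRetention permission that lets an authorized principal override GOVERNANCE mode. These details go beyond the paragraph above, which mentions only the retention period; the sample inventory is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Added example: models the retention rules S3 Object Lock applies to one object
# version. Sample objects below are constructed, not taken from any real bucket.
def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass
class LockState:
    mode: Optional[str]               # "GOVERNANCE", "COMPLIANCE" or None (no retention)
    retain_until: Optional[datetime]  # end of the retention period (UTC)
    legal_hold: bool = False          # a legal hold is independent of the retention period

def delete_version_allowed(lock: LockState, now: datetime,
                           bypass_governance: bool = False) -> Tuple[bool, str]:
    """Does a permanent delete of this specific object version succeed?
    bypass_governance: caller holds s3:BypassGovernanceRetention and requests bypass."""
    if lock.legal_hold:
        return False, "legal hold is ON"
    if lock.mode is None or lock.retain_until is None or now >= lock.retain_until:
        return True, "no active retention period"
    if lock.mode == "COMPLIANCE":
        return False, "COMPLIANCE retention active; no principal can remove it"
    if lock.mode == "GOVERNANCE":
        if bypass_governance:
            return True, "GOVERNANCE retention bypassed via s3:BypassGovernanceRetention"
        return False, "GOVERNANCE retention active"
    raise ValueError(f"unknown lock mode {lock.mode!r}")

def retention_change_allowed(lock: LockState, new_until: datetime,
                             bypass_governance: bool = False) -> bool:
    """A retention period can always be extended; COMPLIANCE can never be
    shortened, GOVERNANCE only by a caller with the bypass permission."""
    if lock.retain_until is None or new_until >= lock.retain_until:
        return True
    return lock.mode == "GOVERNANCE" and bypass_governance

if __name__ == "__main__":
    now = utc(2019, 1, 15)
    inventory = {  # constructed sample inventory
        "logs/2018-12-01.gz": LockState("COMPLIANCE", utc(2025, 12, 1)),
        "reports/q3.pdf": LockState("GOVERNANCE", utc(2019, 6, 30)),
        "tmp/scratch.txt": LockState(None, None),
        "legal/case-42.zip": LockState(None, None, legal_hold=True),
    }
    for key, lock in inventory.items():
        ok, why = delete_version_allowed(lock, now)
        print(f"{key:22s} deletable={ok!s:5s} ({why})")
```

Object Lock requires versioning, and a DELETE without a version ID on a versioned bucket only adds a delete marker while the locked version survives, so a retention audit has to reason per version, as the model does.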

The CloudSploit team had an amazing time at Re:Invent. Besides the above security and compliance-focused solutions, AWS announced scores of other products and features that we’ll be evaluating for inclusion in our security auditing service. We’re looking forward to next year’s conference!

All the Security and Compliance Features Announced at AWS Re:Invent 2018 was originally published in CloudSploit on Medium, where people are continuing the conversation by highlighting and responding to this story.

About CloudSploit
Security configuration monitoring for AWS. Founded in 2015 as an open source project, CloudSploit now detects hundreds of thousands of potential security risks each month through its background scanning platform. With each scan, CloudSploit securely connects to an AWS account through the AWS APIs, checking for potential risks and misconfigurations that could compromise the account.
