I didn’t attend any AWS reInvent or reInforce conferences to date; however, I never missed any AWS reInvent Security Announcements!! Even this year I watched the reInvent sessions and keynotes while relaxing at home with some popcorn and drinks 😀

Major announcements for Identity, Security, and Governance during this year’s AWS reInvent:

  1. AWS Security Hub integrates with the AWS Identity and Access Management (IAM) Access Analyzer
  2. Introducing Amazon Detective
  3. Amazon S3 Access Points makes it simple to manage access at scale for applications using shared data sets on S3
  4. Introducing Access Analyzer for Amazon S3 to review access policies
  5. Amazon Web Services Announces AWS Transit Gateway Network Manager to Centrally Monitor Your Global Network (not purely security-related, but provides a nice central pane of view of transit gateways, device connections, tunnel information, etc.)
  6. AWS announces Amazon CodeGuru for automated code reviews and application performance recommendations
  7. Introducing Amazon Fraud Detector
  8. Amazon ECS now supports Active Directory Authentication using Windows Accounts gMSA
  9. Introducing EC2 Image Builder

AWS reInvent Security Announcement: AWS announces Amazon CodeGuru for automated code reviews and application performance recommendations

Personal Thoughts: If you’re thinking that you can replace commercial SAST tools with CodeGuru, it’s not worth trying (as of now). In terms of security code review, this is still a half-baked product from AWS. However, I believe AWS learns from customer feedback and will improve this product very soon, and customers can leverage it for secure code reviews as it has out-of-the-box integrations with CodeCommit, GitHub and Security Hub. I scanned a DVWA type of app using CodeGuru and noticed two limitations: CodeGuru only supports the Java language, and it didn’t identify the hardcoded credentials vulnerability.

Amazon CodeGuru is a new machine learning service for development teams who want to automate code reviews, identify the most expensive lines of code in their applications, and receive intelligent recommendations on how to fix or improve their code. Even for the most seasoned engineers, it can be difficult to detect some types of code issues even through peer code reviews and unit testing. It can also be challenging to identify the most resource-intensive code methods without needing performance engineering expertise. CodeGuru helps you catch code issues faster and earlier, and improve application performance.

CodeGuru Reviewer detects and flags wide-ranging issues in source code such as thread safety issues, use of un-sanitized inputs, inappropriate handling of sensitive data, and resource leaks. It also detects deviation from best practices for using AWS APIs and SDKs, flagging common issues that can lead to production issues, such as detection of missing pagination or error handling with batch operations. CodeGuru Profiler is always searching for application performance optimizations, recommending ways to fix issues such as excessive recreation of expensive objects, expensive deserialization, usage of inefficient libraries, and excessive logging. CodeGuru Profiler runs continuously in production, consuming minimal CPU capacity so it does not significantly impact application performance.

Associated a repo with CodeGuru

Tested for Security Findings in a Damn Vulnerable Java App: <Found None>

Official Announcement: https://aws.amazon.com/about-aws/whats-new/2019/12/aws-announces-amazon-codeguru-for-automated-code-reviews-and-application-performance-recommendations

AWS reInvent Security Announcement: Introducing EC2 Image Builder

Amazon Web Services (AWS) announces the availability of EC2 Image Builder, a service that makes it easier and faster to build and maintain secure images. Image Builder simplifies the creation, patching, testing, distribution, and sharing of Linux or Windows Server images.

https://d1xyzfov5e8mpq.cloudfront.net/1575429512359/assets/img/How-it-works.png

Keeping server images up-to-date can be time-consuming, resource-intensive, and error-prone. Currently, customers either manually update and snapshot VMs or have teams that build automation scripts to maintain images. 

Image Builder significantly reduces the effort of keeping images up-to-date and secure by providing a simple graphical interface, built-in automation, and AWS-provided security settings. With Image Builder, you can easily build your automated pipeline that customizes, tests, and distributes your images in addition to keeping them secure and up-to-date.

Image Builder is available in all AWS regions and offered at no cost, other than the cost of the underlying AWS resources used to create, store, and share the images. 

Process:

  • Define Recipe
  • Configure Pipeline
  • Configure Additional Settings
  • Review and Create

Defining recipe for the “Golden Image”:

Adding Build Components and Test cases for the “Golden Image”:

Official Source: https://aws.amazon.com/image-builder/

AWS reInvent Security Announcement: AWS Security Hub integrates with the AWS Identity and Access Management (IAM) Access Analyzer

AWS Security Hub now integrates with AWS Identity and Access Management (IAM) Access Analyzer. IAM Access Analyzer is an IAM feature that makes it simple for security teams and administrators to check that their policies provide only the intended access to resources. The IAM Access Analyzer integration with Security Hub will send findings to Security Hub when policies allow public or cross-account access to resources. Security Hub will automatically enable this integration if you are already using IAM Access Analyzer, and you will begin receiving findings from IAM Access Analyzer without any action needed on your end.

Creating an Analyzer:

Access Analyzer:

Details regarding individual findings:

Official Source: https://aws.amazon.com/about-aws/whats-new/2019/12/aws-security-hub-integrates-with-the-aws-identity-and-access-management-iam-access-analyzer/

AWS reInvent Security Announcement: Introducing Amazon Detective

Amazon Detective is a new service in Preview that makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.

Amazon Detective can analyze trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Personal thoughts: I thought GuardDuty analyzes CloudTrail and VPC Flow Logs by default; I'm not sure why AWS made it look like Amazon Detective analyzes logs that are already analyzed by GuardDuty.

https://docs.aws.amazon.com/detective/latest/userguide/images/diagram_graph_ingest_analytics.png

The workflow is pretty interesting, and it looks like AWS is slowly entering the cloud-native SIEM world:

https://aws.amazon.com/about-aws/whats-new/2019/12/introducing-amazon-detective

AWS reInvent Security Announcement: Amazon S3 Access Points makes it simple to manage access at scale for applications using shared data sets on S3

A lifesaver for security folks who have centralized logging by creating an organization-wide S3 data lake (CloudTrail, CloudWatch, VPC Flow Logs, server logs, API requests, load balancer logs, etc.) and running a commercial SIEM on top of these logs. In a few organizations, it’s a nightmare to manage this access at scale when multiple Business Units request data that belongs to their apps/servers and the security team has to ensure they don’t have access to data that belongs to other BUs.

Amazon S3 Access Points is a new S3 feature that simplifies managing data access at scale for shared data sets on Amazon S3. With S3 Access Points, you can easily create hundreds of access points per bucket, each with a name and permissions customized for the application. This represents a new way of provisioning access to shared data sets. Whether creating an access point for data ingestion, transformation, restricted read access, or unrestricted access, using S3 Access Points simplifies the work of creating and maintaining access to shared S3 buckets.

You can easily add access points as your application set and storage scales, and you no longer have to worry about managing access through a single bucket policy that spans dozens or hundreds of use cases. S3 Access Points are unique hostnames that you can create to enforce distinct permissions and network controls for any request made through the access point. S3 Access Points policies allow enforcing permissions by prefixes and object tags, allowing limits on the object data that can be accessed. Any S3 Access Points can be restricted to a Virtual Private Cloud (VPC) to firewall S3 data access within your private networks, and AWS Service Control Policies can be used to ensure all access points in an organization are VPC restricted.

Limitation as of today: Access points can be used to provide access to your bucket. The S3 console doesn’t support using virtual private cloud (VPC) access points to access bucket resources. To access bucket resources from a VPC access point, you’ll need to use the AWS CLI, AWS SDK, or Amazon S3 REST API.
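To make the per-BU isolation described above concrete, here is an added example (not from the original post or from AWS) that generates one prefix-scoped access point policy per Business Unit, the bucket policy that delegates access control to access points, and a Service Control Policy that denies non-VPC access points. The account ID, bucket name, region, role ARNs and BU names are constructed placeholders.

```python
import json

# Constructed placeholders: account ID, bucket, region and role ARNs are not from the post.
ACCOUNT, REGION, BUCKET = "111122223333", "us-east-1", "org-central-logs"
BUSINESS_UNITS = {
    "payments": {"prefix": "payments/", "role": "arn:aws:iam::111122223333:role/payments-log-reader"},
    "retail": {"prefix": "retail/", "role": "arn:aws:iam::111122223333:role/retail-log-reader"},
}

def check_prefix_isolation(units):
    """Fail if a BU prefix is empty, duplicated, or nested inside another BU's prefix."""
    prefixes = sorted(u["prefix"] for u in units.values())
    if "" in prefixes:
        raise ValueError("an empty prefix would expose the whole bucket")
    for a, b in zip(prefixes, prefixes[1:]):  # after sorting, a nested prefix is adjacent
        if b.startswith(a):
            raise ValueError(f"prefix {a!r} overlaps {b!r}")

def access_point_policy(name, unit):
    """Access point policy: the BU role may read only objects under its own prefix."""
    ap_arn = f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{name}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": unit["role"]},
        "Action": "s3:GetObject",
        "Resource": f"{ap_arn}/object/{unit['prefix']}*"}]}

def delegating_bucket_policy():
    """Bucket policy: defer access decisions to access points owned by this account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}}}]}

def vpc_only_scp():
    """SCP: deny creating any access point whose network origin is not a VPC."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "s3:CreateAccessPoint", "Resource": "*",
        "Condition": {"StringNotEquals": {"s3:AccessPointNetworkOrigin": "VPC"}}}]}

def build_access_points(units=BUSINESS_UNITS):
    """Return {access point name: policy}, refusing overlapping BU prefixes."""
    check_prefix_isolation(units)
    return {f"bu-{n}": access_point_policy(f"bu-{n}", u) for n, u in units.items()}

if __name__ == "__main__":
    print(json.dumps({"access_points": build_access_points(),
                      "bucket_policy": delegating_bucket_policy(),
                      "scp": vpc_only_scp()}, indent=2))
```

Each BU role still needs a matching allow in its own IAM policy; the prefix check is what stops one BU's access point from silently covering another BU's data.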

Creating an S3 Access Point:

Configuring the ACLs and Bucket Policy:

Official Source: https://aws.amazon.com/about-aws/whats-new/2019/12/amazon-s3-access-points-manage-data-access-at-scale-shared-data-sets

AWS reInvent Security Announcement: Introducing Access Analyzer for Amazon S3 to review access policies

Access Analyzer for S3 is a new feature that monitors your access policies, ensuring that the policies provide only the intended access to your S3 resources. Access Analyzer for S3 evaluates your bucket access policies and enables you to discover and swiftly remediate buckets with potentially unintended access.

Access Analyzer for S3 alerts you when you have a bucket that is configured to allow access to anyone on the internet or that is shared with other AWS accounts. You receive insights or ‘findings’ into the source and level of public or shared access. For example, Access Analyzer for S3 will proactively inform you if read or write access were unintendedly provided through an access control list (ACL) or bucket policy. With these insights, you can immediately set or restore the intended access policy.

When reviewing results that show potentially shared access to a bucket, you can Block All Public Access to the bucket with a single click in the S3 Management console. You can also drill down into bucket level permission settings to configure granular levels of access. For specific and verified use cases that require public access, such as static website hosting, you can acknowledge and archive the findings on a bucket to record that you intend for the bucket to remain public or shared. You can revisit and modify these bucket configurations at any time. For auditing purposes, Access Analyzer for S3 findings can be downloaded as a CSV report. Access Analyzer for S3 is available at no additional cost in the S3 Management Console.
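Both the Security Hub integration and Access Analyzer for S3 described above surface the same two conditions: public access and cross-account access. The following added example (not from the original post or from AWS) triages findings shaped like IAM Access Analyzer `ListFindings` output, skipping archived findings as acknowledged; the sample findings and the trusted-account list are constructed assumptions.

```python
import re

TRUSTED_ACCOUNTS = {"444455556666"}  # assumption: accounts the org intends to share with

# Constructed sample findings; field names follow Access Analyzer's finding summary.
SAMPLE_FINDINGS = [
    {"id": "f-1", "resource": "arn:aws:s3:::org-central-logs",
     "resourceType": "AWS::S3::Bucket", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["s3:GetObject"], "status": "ACTIVE"},
    {"id": "f-2", "resource": "arn:aws:iam::111122223333:role/deploy",
     "resourceType": "AWS::IAM::Role", "isPublic": False,
     "principal": {"AWS": "999900001111"}, "action": ["sts:AssumeRole"], "status": "ACTIVE"},
    {"id": "f-3", "resource": "arn:aws:s3:::shared-reports",
     "resourceType": "AWS::S3::Bucket", "isPublic": False,
     "principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "action": ["s3:GetObject"], "status": "ACTIVE"},
    {"id": "f-4", "resource": "arn:aws:s3:::static-website",
     "resourceType": "AWS::S3::Bucket", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["s3:GetObject"], "status": "ARCHIVED"},
]

def principal_account(principal):
    """Return the 12-digit account ID of an AWS principal, or None (wildcard, federated...)."""
    match = re.search(r"(?<!\d)\d{12}(?!\d)", principal.get("AWS", ""))
    return match.group(0) if match else None

def triage(findings, trusted=TRUSTED_ACCOUNTS):
    """Group ACTIVE finding IDs into public, untrusted cross-account and expected sharing."""
    groups = {"public": [], "untrusted": [], "expected": []}
    for finding in findings:
        if finding["status"] != "ACTIVE":  # ARCHIVED = acknowledged, RESOLVED = access removed
            continue
        if finding.get("isPublic"):
            key = "public"
        elif principal_account(finding.get("principal", {})) in trusted:
            key = "expected"
        else:  # unknown account, or a principal type we cannot attribute
            key = "untrusted"
        groups[key].append(finding["id"])
    return groups

if __name__ == "__main__":
    for group, ids in triage(SAMPLE_FINDINGS).items():
        print(f"{group}: {ids}")
```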

Official Source: https://aws.amazon.com/blogs/storage/protect-amazon-s3-buckets-using-access-analyzer-for-s3/

AWS reInvent Security Announcement: Amazon Web Services Announces AWS Transit Gateway Network Manager to Centrally Monitor Your Global Network

AWS Transit Gateway now enables you to centrally manage and monitor your global network across AWS and on-premises, with network manager. Transit Gateway network manager reduces the operational complexity of managing networks across AWS Regions and remote locations.

Most global networks today include resources that are both located in the cloud and on one or multiple on-premises locations. To monitor that entire global network, you often have to stitch together data from the cloud and your premises. This results in an inconsistent management and monitoring experience. You need a simple solution to build and manage your global network across the cloud and on-premises.

AWS Transit Gateway network manager provides a single global view of your private network. Start by registering your AWS Transit Gateways and defining your on-premises resources. You can then visualize and monitor your global network from a centralized, operational dashboard. This enables you to visualize your global network in a topology diagram and in a geographical map. You can monitor your network using CloudWatch Metrics, as well as CloudWatch events for network topology changes, routing updates, and connection status updates. There are no additional fees for using Network Manager. You are charged the standard fees for the network resources that you manage in your global network (such as transit gateways).

Official Source: https://aws.amazon.com/about-aws/whats-new/2019/12/aws-announces-aws-transit-gateway-network-manager

AWS reInvent Security Announcement: Introducing Amazon Fraud Detector

Amazon Fraud Detector is a fully managed service that makes it easy to identify potentially fraudulent online activities such as online payment fraud and the creation of fake accounts. Fraud Detector uses machine learning (ML) and 20 years of fraud detection expertise from AWS and Amazon.com to automatically identify potentially fraudulent activity so you can catch more fraud faster. With Fraud Detector, you can create a fraud detection model with just a few clicks and no prior ML experience because Fraud Detector handles all of the ML heavy lifting for you.

https://d1.awsstatic.com/re19/Hawksnest/trigger_rules.ed9d347d3c009622353611805f9557b6a3030e0f.png
https://d1.awsstatic.com/re19/Hawksnest/search_past_evaluations.825a86083abdd96aaa9a041ce8181dc579797d31.png

https://aws.amazon.com/fraud-detector/

AWS reInvent Security Announcement: Amazon ECS now supports Active Directory Authentication using Windows Accounts gMSA

Amazon Elastic Container Service (ECS) now supports Windows group Managed Service Account (gMSA), a new capability that allows ECS customers to authenticate and authorize their Windows containers with network resources using an Active Directory (AD). Customers can now easily use Integrated Windows Authentication with their Windows containers on ECS to secure services.

ECS support for Windows gMSA allows customers to keep user account identity configuration separated from the container image while at the same time easily adopting an Active Directory security context across multiple services in the customer’s application. Customers that wish to containerize and deploy .NET applications on ECS can use gMSA for service-to-service authentication to applications like SQL Server without having to provide the password.

Customers can configure their containers to use one or more gMSA already registered with their AD by passing the credential spec file through the dockerSecurityOptions field in ECS task Definition. See our blog post for more information on using ECS Support for Windows gMSA.

https://aws.amazon.com/blogs/containers/how-to-run-ecs-windows-task-with-group-managed-service-account-gmsa/

Thank you for reading! – Setu Parimi
