Cloud security updates you need to know from re:Invent 2022
December 21, 2022
After a two-year hiatus (virtual in 2020 and hybrid in 2021), AWS re:Invent was back in person this year in its full glory. Over 52,000 people attended, more than we saw at RSA (26,000) and Black Hat USA (21,000) combined this year.
re:Invent had over 2,000 sessions, with keynotes, leadership sessions, chalk talks, breakout sessions, workshops, and other activities to entertain and educate all those who attended (and we've already covered a few of them in our top takeaways from re:Invent 2022 blog). Most of the sessions are available to watch on YouTube, barring the chalk talks and workshops. So next year, if you're trying to maximize your time, attend any chalk talks or workshops you are interested in, and then catch up on the other sessions online.
And in our opinion (which happens to also be shared by Corey Quinn), we'd recommend making the most of meeting people! This is the perfect time to connect and learn, as this is one conference that brings developers, security folks, leadership, entrepreneurs, and more all together around their shared interest in all things AWS.
Unlike other conferences, re:Invent doesn't just have one or two keynotes. No, it has six. So if you're the type of attendee who ducks out of keynotes to grab a coffee, you'll be extremely caffeinated.
The event kicked off with the Monday night keynote from Senior Vice President, AWS Utility Computing, Peter DeSantis, where he spoke about how AWS refuses to compromise in the tug of war between low cost, high performance and security.
There was also a keynote from Vice President, Data and Machine Learning, AWS, Swami Sivasubramanian, who spoke about how AWS can help organizations transform their data into meaningful insights and actions for their business. If you are interested in the advances AWS is making in data and machine learning, you will definitely want to listen to this one.
Vice President of AWS Worldwide Channels and Alliances, Ruba Borno, gave a keynote sharing how AWS partners are uniquely positioned to accelerate their customers' business transformations.
However, if you are interested in the AWS security side of things, the two keynotes you would be most interested in were from Adam Selipsky, CEO of AWS, and Dr. Werner Vogels, Amazon.com VP and CTO.
TL;DR for the CEO keynote
Adam Selipsky's keynote spoke a lot about sustainability, cloud as a pathway to cost savings, how data is now at the center of everything, and of course, security. Adam shared how AWS is committed to powering its operations with 100% renewable energy by 2025 and that it is currently 85% of the way there. AWS wants to lead water efficiency among cloud providers and be water positive by 2030.
Adam acknowledged that we are in uncertain times, saying “if you are planning to tighten, the best cloud is the place to do it”, and giving the example of Airbnb, which was able to reduce cloud spending by $63.5 million in times of difficulty. Adam shared how cloud allows us to innovate faster with more efficiency and less spend, as you need to innovate even in uncertain times.
There was also a lot of conversation around data in his keynote. Namely, there is a lot of data and it keeps growing, so cloud security is increasingly about securing that growing body of data.
Adam described security as finding the right balance between control and access and shared that security has been AWS's top priority since the beginning. Security, he said, should give us the confidence to explore. As a testament to AWS being recognized as a highly secure environment, he pointed to the Options Clearing Corporation (OCC), the central clearinghouse for all listed equity options in the US. The OCC will be moving its core workload to the cloud and will be running on AWS, which he called a once-in-a-generation technology decision.
According to Adam, building securely is the path of least resistance, as he displayed the wide range of security-focused services AWS offers, all 20 of them to be precise.
Adam also gave a nod to the increasing popularity of containers, saying that you need the right tools to keep them secure. (Based on the look our editor is giving us, now's probably a good time for me to mention Snyk Container.)
TL;DR for the CTO keynote
You can argue that Werner Vogels is the Steve Jobs of AWS; his keynotes are often the favorite among those who attend. Inspired by the world of the Matrix franchise, Dr. Vogels spoke about the benefits of building asynchronous, loosely coupled systems and how event-driven architecture enables global scale.
He shared how the cloud is enabling customers to build more immersive experiences using 3D and how simulation allows customers to experiment and innovate in new ways. He also spoke about Amazon EventBridge Pipes, AWS Application Composer, and Amazon CodeCatalyst, all of which have security implications. We cover these below in the security updates.
Security updates from re:Invent 2022
This year at re:Invent, AWS made it clear how important security still is by making a ton of announcements around new security products, updates, and features. Buckle up, because here we go!
AWS security product releases (new security products from AWS)
AWS Security Lake was launched in preview – This may be one of the services people are most excited about. It is a managed security data lake that automatically centralizes security data from AWS and third-party sources into a purpose-built data lake stored in your own account, normalizes it to a common schema, and manages its retention and lifecycle for you.
Security Lake makes use of the Open Cybersecurity Schema Framework (OCSF), an open source project delivering an extensible framework for developing schemas along with a vendor-agnostic core security schema. It integrates with Security Hub (findings) and collects directly from VPC Flow Logs, CloudTrail, and Route 53 Resolver query logs, so the data lands in one normalized format that your own queries and tooling can consume regardless of which source produced it.
AWS Verified Access in preview – This is a new secure connectivity service that lets you give users secure access to corporate applications, whether they are in the office or remote, without a VPN. Each request is evaluated against the user's identity (from your identity provider) and the device's security posture before access to a specific application is granted, which is the zero trust model of per-application access rather than network-level access.
Amazon Verified Permissions in preview – This allows you to manage fine-grained permissions and authorization within your own custom applications, rather than hand-rolling authorization logic in each one. Fine-grained control here means combining the best of RBAC and ABAC (role-based and attribute-based access control), so a single decision can depend on both the caller's role and attributes of the caller and the resource. Some people are saying that this could be an interesting alternative to OPA (Open Policy Agent).
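To make the RBAC-plus-ABAC point concrete, here is an added, stand-alone illustration of how one authorization decision can combine role checks with attribute conditions. It is example code written for this recap, not Amazon Verified Permissions' policy language or API; every role, attribute and policy in it is made up, and the evaluation rules assumed (an explicit forbid overrides any permit, and no match means deny) are a common model for such engines rather than something the announcement specifies.

```python
"""Added illustration (not Amazon Verified Permissions' own policy language or
API): a tiny authorization engine in which one decision combines role checks
(RBAC) with conditions on principal and resource attributes (ABAC).  Every role,
attribute and policy below is made up for the example; "forbid wins over permit"
and "default deny" are the evaluation rules assumed."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass
class Request:
    principal: dict  # {"id": ..., "roles": set(...), "dept": ...}
    action: str      # e.g. "document:update"
    resource: dict   # {"id": ..., "owner": ..., "dept": ..., "classification": ...}


@dataclass
class Policy:
    name: str
    effect: str                           # "permit" or "forbid"
    actions: Set[str]                     # "*" means any action
    condition: Callable[[Request], bool]  # evaluated against principal + resource attributes


POLICIES: List[Policy] = [
    # RBAC: admins may perform any action (subject to forbid policies below).
    Policy("admins-any-action", "permit", {"*"},
           lambda r: "admin" in r.principal["roles"]),
    # RBAC + ABAC: editors may update documents, but only in their own department.
    Policy("editors-update-own-dept", "permit", {"document:update"},
           lambda r: "editor" in r.principal["roles"]
           and r.principal["dept"] == r.resource["dept"]),
    # ABAC: the owner of a document may read or delete it regardless of role.
    Policy("owner-read-delete", "permit", {"document:read", "document:delete"},
           lambda r: r.resource["owner"] == r.principal["id"]),
    # ABAC: anyone in the same department may read documents classified "internal".
    Policy("dept-read-internal", "permit", {"document:read"},
           lambda r: r.principal["dept"] == r.resource["dept"]
           and r.resource["classification"] == "internal"),
    # ABAC guardrail: restricted documents are never deleted, not even by admins.
    Policy("no-delete-restricted", "forbid", {"document:delete"},
           lambda r: r.resource["classification"] == "restricted"),
]


def is_authorized(req: Request, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return ("ALLOW" | "DENY", names of the policies that decided it).
    A request is allowed only if at least one permit policy matches and no forbid
    policy matches; a matching forbid always wins; nothing matching means deny."""
    matched = [p for p in policies
               if ("*" in p.actions or req.action in p.actions) and p.condition(req)]
    forbids = [p.name for p in matched if p.effect == "forbid"]
    if forbids:
        return "DENY", forbids
    permits = [p.name for p in matched if p.effect == "permit"]
    if permits:
        return "ALLOW", permits
    return "DENY", []


if __name__ == "__main__":
    # Made-up principals and resources to exercise the policies above.
    alice = {"id": "alice", "roles": {"editor"}, "dept": "finance"}
    bob = {"id": "bob", "roles": {"admin"}, "dept": "it"}
    budget = {"id": "doc-1", "owner": "alice", "dept": "finance", "classification": "internal"}
    payroll = {"id": "doc-2", "owner": "hr-bot", "dept": "hr", "classification": "restricted"}
    for who, action, doc in [(alice, "document:update", budget),
                             (alice, "document:update", payroll),
                             (bob, "document:delete", payroll)]:
        print(who["id"], action, doc["id"], "->", is_authorized(Request(who, action, doc)))
```

The interesting case is the admin deleting the restricted document: the role-based permit matches, but the attribute-based forbid matches too and wins. That is the kind of guardrail that is awkward to express with roles alone and is the reason the announcement talks about combining the two models.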
AWS security products updates (new features to existing security products)
Amazon Inspector now scans AWS Lambda functions for vulnerabilities – Amazon Inspector is AWS's automated vulnerability management service. Previously it covered EC2 instances and container images in Amazon ECR, so teams running mixed workloads that also included Lambda functions had to combine it with third-party tools to cover the functions. Now Inspector also scans Lambda functions and their layers for known vulnerabilities in package dependencies, continuously and in near real time as functions are created or updated, all within AWS. Those in the security community are calling this a welcome change.
Amazon GuardDuty RDS Protection (in preview) and container runtime threat detection (coming soon) – Amazon GuardDuty is the threat detection service that continuously monitors your AWS environment. RDS Protection extends it to Amazon Aurora (the managed relational database with built-in security, continuous backups, and serverless compute): it analyzes and profiles login activity to your Aurora databases and uses machine learning to flag suspicious logins, such as brute-force attempts or successful logins from unusual sources. Note that it looks at login activity, not at the data stored in the database. A couple of new finding types have been added, but only certain Aurora versions are supported.
With container runtime threat detection (Amazon GuardDuty runtime monitoring), you will be able to detect threats inside the containers themselves. A lightweight, fully managed security agent monitors on-host, operating-system-level behavior such as file access, process execution, and network connections, rather than relying only on control-plane logs.
If you recall our AWS re:Inforce 2022 recap, AWS has been making several upgrades to GuardDuty this year, kicking off with Amazon GuardDuty EKS Protection, Amazon GuardDuty Malware Protection for EBS volumes, and integrations with Security Hub, all announced earlier at re:Inforce.
Automated data discovery for Amazon Macie – Amazon Macie is AWS's data security service, and this update samples objects across your buckets to give you visibility into where your sensitive data resides in Amazon S3 at a lower cost than scanning every object. Macie was another service that received an update at re:Inforce, with the addition of the Amazon S3 object validation capability.
New controls in AWS Control Tower (in preview) – AWS Control Tower lets you enforce and manage governance rules across the accounts in your organization. There is now a controls library with more than 300 managed preventive, detective, and proactive controls you can apply. You can also turn on Security Hub detective controls through Control Tower. If you were watching the updates from re:Inforce earlier this year, AWS Control Tower also adopted AWS CloudTrail organization logging.
AWS Config rules now support proactive compliance – A rule can now run in proactive mode, evaluating a resource's intended configuration (for example, from a CloudFormation template) before it is deployed, in addition to the detective mode that evaluates resources already in your account. The practical effect is that a non-compliant configuration can be caught in the pipeline instead of as a finding after the fact. This is in addition to the update to AWS Config earlier this year to support compliance scores.
AWS KMS (Key Management Service) External Key Store (XKS) – If you have a regulatory requirement to keep your encryption keys on-prem or otherwise outside of AWS, you can now use KMS with key material that stays in an external key manager you control; KMS reaches it through an XKS proxy you run, and the external key never leaves your key manager. The caveat a practitioner will want to note is that the availability and latency of that proxy and key manager become your responsibility, and every AWS service that encrypts with the key depends on them.
Amazon VPC (Virtual Private Cloud) has VPC Lattice in preview – This is an application-layer service for connecting, securing, and monitoring communication between your services, consistently across VPCs and accounts.
Amazon CloudWatch now has cross-account observability – Amazon CloudWatch is the service you use to monitor your entire stack and take automated actions using alarms, logs, and events. With this update you can link source accounts to a central monitoring account and search, analyze, and correlate metrics, logs, and traces across those accounts in one place, whether the resources run on AWS, on premises, or on other clouds.
AWS security features for existing products (security features for existing non-security products)
Delegated administrator for AWS Organizations – You can now delegate management of your organization's policies (such as service control policies and tag policies) to a member account instead of doing it all from the management account, allowing for more agility and decentralization while keeping the management account itself locked down.
AWS Backup now supports attaching an AWS CloudFormation stack to your data protection policies (which includes stateless resources in the stack such as AWS IAM and Amazon VPC) and also supports Amazon Redshift (protecting your data using automatic and manual snapshots).
Amazon EventBridge Pipes is now generally available – This provides a simpler, consistent, and cost-effective way to create point-to-point integrations between event producers and consumers, so EventBridge now goes beyond event buses and scheduling. A pipe reads from a source, optionally filters and enriches each event, and delivers it to a target, without glue code of your own in between. Called "pipes on steroids" by some, it lets you stitch AWS services together and build advanced integrations quickly.
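To show what the source, filter, enrichment and target stages of a pipe actually do, here is an added illustration of that model in plain Python. It is example code written for this recap, not AWS code, and it calls no AWS API. The filter implements a subset of the EventBridge event-pattern syntax (exact values, "prefix", "anything-but", "numeric", "exists", and nested objects), which is the syntax Pipes uses for filtering; the finding records, the account-to-owner map, and the ticket-list target are all constructed for the example, and the records are a simplified shape rather than GuardDuty's real finding JSON.

```python
"""Added illustration of the EventBridge Pipes model (source -> filter ->
optional enrichment -> target) as plain Python; it is not AWS code and does not
call any AWS API.  The filter implements a subset of the EventBridge event-pattern
syntax, which is the same syntax Pipes uses for filtering.  The finding records,
account-to-owner map and ticket target are constructed for the example and are a
simplified shape, not GuardDuty's real finding JSON."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def _numeric_ok(spec: list, value) -> bool:
    """spec is EventBridge's flat operator/bound list, e.g. [">=", 7, "<", 9]."""
    ops = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}
    return all(ops[op](value, bound) for op, bound in zip(spec[0::2], spec[1::2]))


def _value_matches(rules: list, value) -> bool:
    """True if the event value satisfies at least one rule in the pattern's list."""
    for rule in rules:
        if isinstance(rule, dict):
            if "prefix" in rule and isinstance(value, str) and value.startswith(rule["prefix"]):
                return True
            if "anything-but" in rule:
                excluded = rule["anything-but"]
                if value not in (excluded if isinstance(excluded, list) else [excluded]):
                    return True
            if "numeric" in rule and isinstance(value, (int, float)) \
                    and not isinstance(value, bool) and _numeric_ok(rule["numeric"], value):
                return True
        elif rule == value:
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """Every key in the pattern must be satisfied by the event; nested dicts recurse."""
    for key, rules in pattern.items():
        if isinstance(rules, dict):
            if not isinstance(event.get(key), dict) or not matches(rules, event[key]):
                return False
            continue
        if key not in event:
            # only {"exists": false} accepts a missing key
            if any(isinstance(r, dict) and r.get("exists") is False for r in rules):
                continue
            return False
        if any(isinstance(r, dict) and r.get("exists") is True for r in rules):
            continue
        if not _value_matches(rules, event[key]):
            return False
    return True


@dataclass
class Pipe:
    filter_pattern: Optional[dict]
    enrich: Optional[Callable[[dict], dict]]
    target: Callable[[dict], None]
    stats: Dict[str, int] = field(default_factory=lambda: {"received": 0, "filtered": 0, "delivered": 0})

    def run(self, source: Iterable[dict]) -> Dict[str, int]:
        for record in source:
            self.stats["received"] += 1
            if self.filter_pattern is not None and not matches(self.filter_pattern, record):
                self.stats["filtered"] += 1  # dropped before enrichment, so nothing is invoked for it
                continue
            if self.enrich is not None:
                record = self.enrich(record)
            self.target(record)
            self.stats["delivered"] += 1
        return self.stats


# Constructed sample source records (simplified; not real GuardDuty finding JSON).
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 8, "account": "111111111111"},
    {"id": "f-2", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 3, "account": "111111111111"},
    {"id": "f-3", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5, "account": "222222222222"},
    {"id": "f-4", "type": "UnauthorizedAccess:EC2/TorClient", "severity": 7.5, "account": "333333333333"},
    {"id": "f-5", "type": "UnauthorizedAccess:IAMUser/TorIPCaller", "account": "222222222222"},
    {"id": "f-6", "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "severity": 9, "account": "222222222222"},
]

# Only high-severity unauthorized-access findings, and never from the (made-up) sandbox account.
HIGH_SEVERITY_UNAUTHORIZED = {
    "type": [{"prefix": "UnauthorizedAccess:"}],
    "severity": [{"numeric": [">=", 7]}],
    "account": [{"anything-but": ["333333333333"]}],
}

ACCOUNT_OWNERS = {"111111111111": "payments-team", "222222222222": "platform-team"}  # made up


def add_owner(record: dict) -> dict:
    """Enrichment step: look up who owns the account the finding came from."""
    return {**record, "owner": ACCOUNT_OWNERS.get(record["account"], "unassigned")}


def run_demo() -> Tuple[Dict[str, int], List[dict]]:
    tickets: List[dict] = []  # stands in for the pipe's target (a queue, a ticketing API, ...)
    pipe = Pipe(HIGH_SEVERITY_UNAUTHORIZED, add_owner, tickets.append)
    return pipe.run(SAMPLE_FINDINGS), tickets


if __name__ == "__main__":
    stats, tickets = run_demo()
    print(stats)
    for t in tickets:
        print(t["id"], t["type"], t["severity"], "->", t["owner"])
```

Running it delivers only f-1 and f-6: f-2 fails the type prefix, f-3 is below the severity threshold, f-4 comes from the excluded account, and f-5 has no severity field at all, which a pattern key treats as a non-match unless you say `{"exists": false}`. Doing the filtering in the pipe rather than in the target matters operationally as well as for cost, since a record dropped by the filter never invokes the enrichment or the target.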
AWS non-security product releases with security impacts
AWS Application Composer (in preview) – Application Composer is a browser-based tool that turns building serverless applications into a visual, drag-and-drop experience, either starting from existing IaC (SAM or CloudFormation files) or from a blank architecture. From within the browser, you drag and drop the components of your application and link them together, and the output is deployment-ready infrastructure as code (IaC). It is intended to take the guesswork out of composing applications from serverless-ready AWS services and to generate deployment-ready configuration and IaC for each service in the architecture.
There is limited information on integrations with popular source code management tools and Terraform, especially if a company already has Terraform templates to deploy applications.
Amazon CodeCatalyst (preview) – Amazon CodeCatalyst is a unified software development service that provides software development teams with an integrated project experience, bringing together the tools needed to plan, code, build, test, and deploy applications on AWS.
It offers integrations with existing GitHub repositories, GitHub Actions, Jira, and more. It looks like an attempt by AWS to be the central home for all things code, instead of custom tooling strung all through an application's CI/CD pipeline. It has a free tier, but it is not a free service.
If you already have existing services that work, this may not make sense for you, but it could for new projects. It has the potential to simplify everything that goes along with application development and deployment, from code management to the actual pipelines and application deployments.
Our favorite sessions from AWS re:Invent 2022
Now that you are all caught up on the security updates, we thought we would leave you with some of our favorite sessions so far. We say "some" because there were too many to name them all here, and we are still catching up on the 2,000-plus sessions ourselves. Soak it all in; there is a lot to learn and share.
Delighting developers: Builder experience at AWS (DOP208-L) - Adam Seligman, Vice President of Developer Experience, AWS
What we can learn from customers: Accelerating innovation at AWS Security - CJ Moses, CISO, AWS
Executive insights panel: Changing your culture in the age of cloud (ENT234-L) - PagerDuty, Expedia Group, Nubank
Your data: How you need it, where you need it, when you need it (DAT224-L) - Disney Streaming, Intuit
Building and scaling a modernization strategy (ENT214) - Baker Tilly US, LLP
Deploying egress traffic controls in production environments (SEC312) - Robinhood
Reimagining multi-account deployments for security and speed (NFX305) - Netflix
Dev-first security: From code to cloud, and back to code (PRT291) - Neiman Marcus
How to monitor applications across multiple accounts (COP316) - JP Morgan Chase
AWS Well-Architected Framework security pillar: Cloud security @ scale (SUP309) - Molex
Best practices for organizing and operating on AWS (COP305) - Warner Bros Discovery - HBO Max
Build securely on AWS: Insights from the C-suite (SEC332) - Delta Air Lines, Asurion
AWS security services for container threat detection (SEC329-R1) - Warner Bros Discovery - HBO Max
Idea to production on Amazon SageMaker, with Thomson Reuters (AIM208)
How NAB transformed the self-service experience w/Amazon Connect & ML (BIZ207)
How Commonwealth Bank simplified the compliance journey (COP312)
On top of those favorites, there are several "favourite talks" playlists from speakers that you can check out. And if you want even more, check out the Cloud Security Edition episode of the Cloud Security Podcast.
And don't miss out on the Cloud Security Villains that made their first appearance at re:Invent!
If you were at re:Invent this year, we hope you had fun. And if you weren't, start streaming with the links above. There was just too much security goodness we don't want you to miss out on!