Working With AWS Security Tools - Snyk
How Snyk integrates with AWS security tooling
What are AWS security tools?
Amazon offers several AWS-native security tools, making it easier for customers to uphold their end of the shared responsibility model. These tools help AWS users follow best practices such as identity and access management, data and infrastructure protection, and threat detection. Security vendors like Snyk cover the areas the native tooling does not fully address, namely finding and remediating vulnerabilities in the containers, cloud configurations, and application code running within the AWS environment.
As more workloads move to AWS, it is more important than ever for cloud and hybrid businesses to establish strong cloud security measures. Amazon provides “security of the cloud” (the physical facilities, hardware, and managed-service infrastructure), but customers remain responsible for “security in the cloud”: identity and access management, operating system patching, firewall and network configuration, the application workload, and data protection.
Businesses that don’t follow AWS’s cloud security best practices to uphold their end of the shared responsibility model run a high chance of exposing sensitive data and systems to unauthorized parties, and there have been several high-profile AWS breaches in recent years as a result. Fortunately, there is a variety of AWS security tools to help you strengthen and protect your cloud ecosystem. It’s all about learning which resources are out there, then configuring them to your environment’s specific needs and structure. Learn about AWS Security Best Practices here.
Different types of AWS security tools
AWS security tools fall into two categories: account security and application and service security. These tools work together to protect the workflows and data within an organization’s AWS ecosystem. Amazon’s cloud security posture management tool, AWS Security Hub, falls under both tool categories. It provides general security checks, alert aggregation, and remediation/response automation.
Account security tools
Account security tools mainly provide identity and access management controls, making it easier to manage permissions, user actions, and access levels in a complex cloud environment. Here are a few of AWS’s services for account security:
AWS Identity and Access Management (IAM) enables administrators to specify who or what can access services and resources in AWS.
Amazon Macie uses machine learning and pattern matching to discover sensitive data (such as credentials or personal data) stored in your S3 buckets and alert on where it is exposed.
Amazon GuardDuty analyzes CloudTrail events, VPC Flow Logs, and DNS query logs across your AWS environment to detect potential threats such as credential misuse or compromised instances.
AWS Config records resource configuration changes and evaluates them against rules you define, making change management and drift detection easier.
AWS CloudTrail records API calls and console activity across the account, giving you the audit trail that detection and incident response depend on.
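The CloudTrail record is what most account-level detections are actually written against. As an added example (this is not Snyk or AWS code), the script below runs three rules a practitioner would want over a CloudTrail log file: a root console login without MFA, the AdministratorAccess managed policy being attached to a principal, and API calls that tamper with the trail itself. The field names follow the real CloudTrail record format; the events, account ID, user names, and IP addresses are constructed for the example.

```python
"""Detection rules run over CloudTrail records (added example, not Snyk or AWS code).

CloudTrail log files are JSON objects with a "Records" array; each record carries
eventSource, eventName, userIdentity and, for console logins, additionalEventData.
The events below are constructed for this example but follow that record format.
"""
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"Records": [
    {   # root user signs in to the console without MFA
        "eventTime": "2024-01-10T08:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # a CI user grants itself AdministratorAccess
        "eventTime": "2024-01-10T08:05:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
        "requestParameters": {"userName": "deploy-bot",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
    {   # the same user switches the trail off
        "eventTime": "2024-01-10T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
    },
    {   # ordinary workload activity that should not fire any rule
        "eventTime": "2024-01-10T08:11:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "10.0.1.23",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc123"},
        "requestParameters": {"bucketName": "app-assets", "key": "index.html"},
    },
]})

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
POLICY_ATTACH = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(text):
    """Parse one CloudTrail log file body into its list of event records."""
    return json.loads(text).get("Records", [])


def detect(event):
    """Return the names of the rules one CloudTrail event matches."""
    hits = []
    name = event.get("eventName", "")
    identity = event.get("userIdentity") or {}
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}

    # Rule 1: any console login by the root user is notable; without MFA it is urgent.
    if name == "ConsoleLogin" and identity.get("type") == "Root":
        hits.append("root-login" if extra.get("MFAUsed") == "Yes" else "root-login-no-mfa")

    # Rule 2: AdministratorAccess attached to any principal is a privilege escalation.
    if name in POLICY_ATTACH and params.get("policyArn") == ADMIN_POLICY:
        hits.append("admin-policy-attached")

    # Rule 3: changes that blind the audit trail itself.
    if event.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        hits.append("cloudtrail-tampering")
    return hits


def scan(records):
    """Run the rules over every record; return one finding per (event, rule) pair."""
    findings = []
    for ev in records:
        for rule in detect(ev):
            findings.append({
                "rule": rule,
                "time": ev.get("eventTime"),
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "source_ip": ev.get("sourceIPAddress"),
            })
    return findings


def findings_per_actor(findings):
    """Count findings per actor, so a principal tripping several rules stands out."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    results = scan(load_records(SAMPLE_LOG))
    for f in results:
        print(json.dumps(f))
    print(dict(findings_per_actor(results)))
```

The per-actor count is the part worth keeping in a real pipeline: an admin policy attach followed by StopLogging from the same principal within minutes is a far stronger signal than either event alone. In production, the same `detect` function would be fed by the CloudTrail-to-S3 or EventBridge delivery rather than an inline sample.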
Application and service security tools
Application and service security tools, on the other hand, focus on identifying and remediating vulnerabilities in the software being built and deployed. Amazon offers tools in this category as well, including AWS Security Hub, Amazon CodeGuru for automated code reviews, and Amazon Inspector for uncovering software vulnerabilities and unintended network exposure. Through our partnership with AWS, Amazon Inspector uses Snyk as the primary engine of open source vulnerability data powering its assessments, so detailed descriptions and remediation suggestions from Snyk’s database appear directly in Inspector scan results.
AWS services that require additional security support
While Amazon provides robust account security tools, most AWS development workflows still need additional support from application and service security tools. Here’s an overview of some commonly used AWS development services, along with details on how a vendor like Snyk makes them more secure.
CI/CD pipelines
AWS CodePipeline enables teams to automate their release pipelines with quick and reliable continuous delivery. CodePipeline itself does not flag insecure open source components moving through the pipeline, so teams need an external security tool such as Snyk’s CodePipeline integration, which scans for open source vulnerabilities and reports the results right in the CodePipeline UI.
AWS CodeCommit and AWS CodeBuild are two other pieces of the CI/CD pipeline puzzle. CodeCommit offers scalable, private Git repositories, and CodeBuild runs build scripts for compiling, testing, and packaging code. Neither service performs security checks on the code before it is passed downstream. To fill this gap, Snyk Code lets developers scan their source code as far left in the process as possible, before it even goes into CodeCommit or gets built and moved downstream by CodeBuild.
Containers
Amazon Elastic Container Registry (ECR) and Amazon Elastic Kubernetes Service (EKS) make it easier for teams to store, run, and orchestrate containers. Neither service assesses risk in base image dependencies, Dockerfile commands, or Kubernetes workload configuration, so both benefit from additional security tooling such as Snyk Container.
Cloud infrastructure
AWS Lambda enables teams to run code without provisioning or managing servers, and it scales automatically with demand; Amazon EC2 remains the general-purpose compute option for workloads that need full instances. In either case the platform runs whatever code is deployed to it without inspecting that code, so teams need an additional layer of security, such as Snyk Code, to catch vulnerable code before it is deployed to Lambda.
AWS CloudFormation provides infrastructure as code for modeling, provisioning, and managing cloud resources, but it doesn’t evaluate templates for insecure settings: a misconfigured template deploys just as reliably as a correct one. Snyk IaC scans CloudFormation templates for misconfigurations, treating them like any other code in your software development lifecycle.
Amazon S3 stores and retrieves cloud data. While S3 has built-in security features, user error can still introduce risk; accidentally exposing sensitive data in a public S3 bucket is the classic example. Snyk Cloud identifies these types of misconfigurations, helping engineers set up cloud environments securely from the start.
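The CloudFormation and S3 points above come down to the same check: does the template describe a bucket that can become public? As an added example (this is not Snyk IaC; it is a small illustration of the kind of rule such a scanner applies), the script below parses a constructed CloudFormation template and flags a public canned ACL, a missing or partial `PublicAccessBlockConfiguration`, a bucket without default encryption, and a bucket policy that grants `Allow` to the anonymous principal without any condition. The resource and property names are real CloudFormation names; the template, bucket names, and rule names are constructed for this example.

```python
"""Static misconfiguration checks over a CloudFormation template (added example, not Snyk IaC)."""
import json

# Constructed template: LeakyBucket carries the classic public-bucket mistakes, its
# bucket policy opens the objects to everyone, and HardenedBucket shows the fix.
TEMPLATE = json.loads(r'''{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LeakyBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "example-public-assets", "AccessControl": "PublicRead"}
    },
    "LeakyBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {"Ref": "LeakyBucket"},
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                         "Resource": "arn:aws:s3:::example-public-assets/*"}]
        }
      }
    },
    "HardenedBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "example-private-data",
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "BlockPublicPolicy": true,
                                           "IgnorePublicAcls": true, "RestrictPublicBuckets": true},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
          {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "VersioningConfiguration": {"Status": "Enabled"}
      }
    }
  }
}''')

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the two ways a policy grants to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket(logical_id, props):
    """Rules for AWS::S3::Bucket: public canned ACL, incomplete public access block, no default encryption."""
    findings = []
    if props.get("AccessControl") in PUBLIC_ACLS:
        findings.append((logical_id, "public-acl", f"AccessControl is {props['AccessControl']}"))
    pab = props.get("PublicAccessBlockConfiguration") or {}
    missing = [k for k in BLOCK_KEYS if pab.get(k) is not True]   # all four must be true
    if missing:
        findings.append((logical_id, "public-access-block-incomplete", "not true: " + ", ".join(missing)))
    if "BucketEncryption" not in props:
        findings.append((logical_id, "no-default-encryption", "BucketEncryption is not set"))
    return findings


def check_bucket_policy(logical_id, props):
    """Rule for AWS::S3::BucketPolicy: an unconditional Allow to an anonymous principal."""
    findings = []
    statements = (props.get("PolicyDocument") or {}).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be written without the list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal")) \
                and "Condition" not in stmt:
            findings.append((logical_id, "public-bucket-policy", f"Allow {stmt.get('Action')} to Principal *"))
    return findings


CHECKS = {"AWS::S3::Bucket": check_bucket, "AWS::S3::BucketPolicy": check_bucket_policy}


def scan_template(template):
    """Dispatch every resource to the check for its type; return (logical_id, rule, detail) tuples."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(logical_id, resource.get("Properties") or {}))
    return findings


if __name__ == "__main__":
    for logical_id, rule, detail in scan_template(TEMPLATE):
        print(f"{logical_id}: {rule} ({detail})")
```

Run against the constructed template, the two `Leaky*` resources produce four findings and `HardenedBucket` produces none. The public-bucket-policy rule deliberately ignores statements that carry a `Condition`, because a `*` principal scoped by `aws:SourceVpce` or `aws:SourceArn` is a legitimate pattern; a real scanner would then inspect the condition keys rather than stop there.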
Amazon Linux 2 provides a Linux environment for running applications on AWS. Snyk’s products are optimized to run in this environment without slowing anything down.
Security tools for your entire AWS ecosystem
Snyk’s security tools for AWS empower development teams to fix misconfigurations in their cloud ecosystem, and application-level security issues in first-party code, open source dependencies, container images, and IaC. When both the cloud and applications are secure, your entire ecosystem becomes a safer place. And as we found in our 2022 State of Cloud Security report, cloud security also speeds up deployments, frees up cloud engineering teams to innovate in non-security areas, and improves collaboration between teams.
Want to find out more about our AWS security tools? Tune into our recent democast to see our AWS integrations in action.