Recent AWS Security Launches

This post came out of a need for me to review my Cloud Security Standards after re:Invent. I knew of the re:Invent announcements, I didn’t recall all the other things that have happened recently. Drop me a tweet, LinkedIn or email if this is useful and I should do this again in a few months. This list is sorted chronologically and categorized as good, bad and ugly.

The Good

Amazon GuardDuty Optimizes AWS CloudTrail Analysis Reducing Cost for Customers

Announced On: Nov 1, 2018

GuardDuty stopped processing global events in multiple regions thus reducing the number of events processed and your cost. I’ve seen a good 10-15% drop in my costs. Go AWS!

Amazon API Gateway Adds Support for AWS WAF

Announced On: Nov 5, 2018

You can now enable AWS WAF for your APIs in Amazon API Gateway, making it easier to protect your APIs against common web exploits.

All in all this is a good thing and you can start to encourage your developers to leverage this feature

AWS CloudFormation Now Supports Drift Detection

Announced On: Nov 13, 2018

AWS CloudFormation now allows you to detect if configuration changes were made to your stack resources outside of CloudFormation via the AWS Management Console, CLI, and SDKs. Drift is the difference between the expected configuration values of stack resources defined in CloudFormation templates and the actual configuration values of these resources in the corresponding CloudFormation stacks. This allows you to better manage your CloudFormation stacks and ensure consistency in your resource configurations.

This has been a long time coming. Drift detection isn’t automatic, you have to issue a cloudformation API call to trigger the drift detection, then you can go back later and query for it. If you’re like me and use CFT as the method to roll out your security controls, adding drift detection to your inventory process will tell you if someone inside the account has modified things.

Introducing Amazon S3 Block Public Access

Announced On: Nov 15, 2018

AWS must still be feeling the bad press that comes from their customers still not understanding the shared responsibility model. With this service you can set account-wide limits on the existence or enablement of new public buckets or objects. This seems a bit heavy handed, but if you had highly sensitive accounts or lived in a highly regulated environment this would be valuable. Be warned, enabling this without due diligence could cause a production outage.

AWS Systems Manager Now Supports Multi-Account and Multi-Region Inventory View

Announced On: Nov 15, 2018

AWS Systems Manager, which provides information about your instances and the software installed on them, now supports a multi-account, multi-Region view. With this enhancement, you can simplify your workflow by centrally viewing, storing, and exporting inventory data across your accounts from a single console.

I’ll be honest. I’ve not used this service, don’t know what it does, etc. However whenever AWS consolidates inventory data cross-region and into a single account, I think that’s a great thing.

AWS CloudTrail Adds Support for AWS Organizations

Announced On: Nov 19, 2018

You can now create, manage, and deploy AWS CloudTrail trails across an organization from a single account. Through integration with AWS Organizations, this organization trail enables you to define a uniform event logging strategy for your organization that is applied automatically to each member account in an organization. Users in member accounts are able to see these trails, but they can’t modify them. This helps you uniformly apply and enforce your event logging strategy across the AWS accounts in your organization.

Using your organization’s master account, you can set up a trail and mark it for deployment across the member accounts. Then, AWS CloudTrail automatically copies the trail definition to each member account upon creation and propagates changes to the member accounts when the trail in the master account is updated. Organization trails capture events for all accounts in the organization and log them to the same Amazon S3 bucket as defined by the organization trail in the master account.

Most organizations already have a setup for master logging to a central security or logging account. In this scenario the trail lives in the payer, I would assume the bucket can live in the security/logging account. I have not tested this new feature.

If you have different requirements around S3 and Lambda invocation logs, this new feature could require you to enable the logging everywhere and generate increased cloudtrail costs. Caveat Emptor.

Amazon Neptune Now Supports HTTPS for Encrypted Client Connections

Announced On: Nov 20, 2018

I’m kinda surprised it took almost a year for them to flip this on. If encryption in transit is a corporate requirement this service is now available to your developers.

Introducing AWS Transfer for SFTP, a Fully Managed SFTP Service for Amazon S3

Announced On: Nov 26, 2018

This is an AWS Managed SFTP front-end for S3. I’ve not kicked the tires on it yet, but it could be a good server-side replacement for CyberDuck and the like. One of my Cloud Architects said it was a lot more expensive that a t2.micro running Linux, but it does offload the security and patching to AWS.

Introducing AWS Cloud Map

Announced On: Nov 28, 2018

This was a re:Invent launch that I missed.

AWS Cloud Map is service discovery for all your cloud resources. With Cloud Map, you can define custom names for your application resources, and it maintains the updated location of these dynamically changing resources. This increases your application availability because your web service always discovers the most up-to-date locations of its resources.

This service seems to be less about “what is hiding in the dark corners of my cloud”, and more of a “given an application, what does it look like”.

Introducing Notifications for New Amazon GuardDuty Finding Types and Feature Releases

Announced On: Dec 6, 2018

You can now subscribe to an SNS Topic to get notifications when new GuardDuty findings are available.

New IAM Access Advisor APIs

Announced On: Dec 7, 2018

Access Advisor has been available via the console for awhile. It looks like you can now use it in scripts. I think the work-around has been the Credential report. No more CSVs for me!

Introducing AWS Backup

Announced On: Jan 16, 2019

AWS Backup is a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services in the cloud as well as on premises. With AWS Backup, protecting your AWS resources, such as Amazon EFS file systems, is as easy as a few clicks in the AWS Backup console. Customers can configure and audit the AWS resources they want to back up, automate backup scheduling, set retention policies, and monitor all recent backup and restore activity.

As the first new security launch of 2019, I’m not entirely sure what problem they are looking to solve here. If you have enterprise policies around backups that aren’t being met, this is probably good news to you.

Find And Update Access Keys, Password, And MFA Settings Easily Using The AWS Management Console

Announced On: Jan 24, 2019

I remember when I first tried getting everyone to configure MFA (back in 2015) the instructions were highly complicated. “Go to IAM, Click on Users, find your username, click on Security Credentials, etc…”. I’m surprised it took AWS 4 years to put MFA on the same page as “Change my Password”, but it’s finally here.

The Bad

Introducing AWS Transit Gateway

Announced On: Nov 26, 2018

AWS Transit Gateway is a new service that enables customers to connect thousands of Amazon Virtual Private Clouds (VPCs) and their on-premises networks using a single gateway.

With no layer-7 fire-walling, no intelligent packet filtering, just one big flat network. Anyone with ec2:AuthorizeSecurityGroupIngress can open up your entire corporate network to the world. What could go wrong?

Keep an eye on how your cloud networking team plans to leverage this service, and make sure you have a well documented Network Segmentation Policy or Standard to guide how this service is used.

Amazon EFS now Supports Access Across Accounts and VPCs

Announced On: Nov 28, 2018

You can now connect to an Amazon EFS file system from EC2 instances in a different AWS account or Amazon Virtual Private Cloud (VPC).

Whenever I see shared across accounts I think “This is the next data breach to show up on El Reg”. In this case it looks like EFS requires a TransitGateway or VPC Peer to be able to access the EFS which means publicly mountable EFS clusters are probably not a thing. However it is still something to keep an eye out for as developers might choose to cross environment or security boundaries using this capability.

Application Load Balancer can now Invoke Lambda Functions to Serve HTTP(S) Requests

Announced On: Nov 29, 2018

Another re:Invent launch announcement from Werner that I’m also including there. If your developers are big into serverless, or if they want to be serverless and API Gateway was too much of a pain in the butt, this is their new path forward. Keep an eye out for how folks are building RCE, SSRF and SQLi attacks against lambda. And require all ALBs to run an AWS WAF.

Amazon Virtual Private Clouds can now be shared with other AWS Accounts

Announced On: Dec 4, 2018

You can now allow other AWS accounts to create their application resources, such as EC2 instances, Relational Database Service (RDS) databases, Redshift clusters, and Lambda functions, into shared, centrally-managed Amazon Virtual Private Clouds (VPCs).

How private can a Virtual Private Cloud be when you share it with everyone in your organization?

See my comments above about having a strong network segmentation strategy. Setting up a DirectConnect is not simple and typically requires some hands-on work, either in the on-prem router or in the AWS console. Don’t let your networking team get the easy way out with a single huge /16 direct connected VPC that everyone uses.

Introducing AWS Resource Access Manager

Announced On: Dec 6, 2018

AWS Resource Access Manager (RAM) provides customers a simple way to share their resources across AWS accounts or within their AWS Organization. Many AWS customers use multiple AWS accounts to provide administrative and billing autonomy to their teams. These customers can now centrally create resources and use RAM to share them across accounts, leading to a reduction in operational overhead for customers while maintaining the benefits of a multi-account strategy. Using RAM to share resources eliminates the need for customers to create duplicate resources in each of their accounts and drives down costs. Consumption of shared resources is governed by access control policies in AWS Identity & Access Management and Service Control Policies in AWS Organizations, enabling customers to leverage their existing investments in security and governance controls. At this time, customers can share Amazon Route 53 Resolver Rules, AWS Transit Gateways, Subnets, and AWS License Manager Configurations using RAM.

One of the security features of AWS was the fact that the AWS Account was the blast-radius protector. Something that went wrong in one account couldn’t impact another. This provided great segmentation between prod and non-prod and between applications or internal customer bases. GCP & Azure had much more flattened access which, in my humble opinion, was less secure than AWS. It seems like reducing the friction of having to design isolated applications was more important to AWS than the security gains from forcing architects and developers to consider where security boundaries occur. VPC Peering, TransitGateway, this new RAM, etc are all attempts by AWS to blur the security segmentation you get from separate AWS accounts.

The Ugly

The Ugly ones are the ones that seem good, but introduce a ton of complexity or governance requirements.

Amazon Route 53 Announces Amazon Route 53 Resolver

Announced On: Nov 19, 2018

Expose your on-prem’s internal DNS View to the VPC. Given that the default solution was to use IP address, use a resolver that wasn’t AWS, or put private IPs on the external view, this is probably a good thing. The AWS DNS Resolver is one of the three primary feeds for AWS GuardDuty so developers who bypassed using it where blinding the security team to some extent. That said, this service probably makes on-prem recon easier if you manage to compromise a cloud instance.

Announcing AWS Outposts

Announced On: Nov 28, 2018

This was an Andy Jassey keynote announcement. I don’t know if it’s good, bad, or ugly, but since I’m a cloud zealot I’ll categorize anything that puts more servers in my datacenter as ugly.

AWS Outposts remove the complexity of hybrid cloud by offering a solution that uses the same software, services, infrastructure, management tools, development, and deployment models on Outposts as you use on AWS for a seamless hybrid cloud solution. You can use the same automation, governance controls, policies, APIs, and developer tools to build and deploy modern cloud-native applications that can be deployed on-premises or in the cloud. Outposts infrastructure is fully managed, maintained, and supported by AWS, and its hardware and software components can be updated to deliver access to the latest AWS services.

Announcing the AWS Europe (Stockholm) Region

Announced On: Dec 12, 2018

New Region, new place for things to hide. Also, as of today, GuardDuty still isn’t available in that region. So if your monitoring strategy relies on GuardDuty, you’re blind to what happens in this region.

Introducing AWS Client VPN to Securely Access AWS and On-Premises Resources

Announced On: Dec 18, 2018

I call this “The allow anyone with DirectConnect to setup their own back-door into your corporate network service”.

It is a managed client VPN that leverages OpenVPN. It’s great if you have developers or DBAs who need to access something in a private subnet of an isolated VPC. However if your VPC is VPN or DirectConnected to on-prem, this allows someone to spin up their own VPN outside of your corporate standard.

The real issue is that the API calls are all inside the EC2 API name space, which means if your IAM policies use NotAction to limit the network commands, you need to add all of these to all your IAM policies.

Introducing Amazon DocumentDB

Announced On: Jan 9, 2019

Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly available, and fully managed document database service that supports MongoDB workloads.

This is a new service to be aware of. MongoDB is popular with developers and having an AWS managed service is a good thing from a cloud security perspective. The service is SOC2, ISO and PCI certified out-of-the-box. It is a VPC-only database, so there is no default public endpoint like DynamoDB or Aurora (however it can be made public via network misconfiguration).

Warning though, one of my Sr. DBAs warned me:

“When creating a new user, the roles field must contain: “[{ “db”:“admin”, “role”:“dbAdminAnyDatabase” }, {“db”:“admin”, “role”:“readWriteAnyDatabase” }, {“db”:“admin”, “role”:“clusterAdmin”}]” :”

AWS Cloud9 Supports AWS CloudTrail Logging

Announced On: Jan 21, 2019

This goes in the ugly category because it took AWS a year (Cloud9 was announced at re:Invent 2017) to get this monitored. I guess attackers need to stick with AppStream if they want to do silent brute force user enumeration.

Related:

Announced On: Jan 23, 2019

I’m putting this in the ugly category mostly because I’ve not vetted it yet. The description seems scary:

Amazon WorkLink is a fully managed service that lets you provide your employees secure, one-click access to your internal corporate websites and web apps using their mobile phones.

On the other hand, I’m sure your developers are already figuring out ways to do this, and they are probably less secure than what AWS offers with WorkLink.

When a user accesses an internal webpage, Amazon WorkLink isolates the page in a browser running in a secure container in AWS. Amazon WorkLink then sends the contents of that page to employee phones as vector graphics while preserving the functionality and interactivity of the page.

Seems reasonable, right?

My advice - play with this and figure out the right design patten for your organizations risk-profile.

Network Load Balancer Now Supports TLS Termination

Announced On: Jan 24, 2019

A last minute entry to this list. I think one of the missing features of the NLB was it’s lack of TLS support. On the other hand, now your NLB design isn’t encrypted end-to-end.