Top 10 Curated Security Takeaways From AWS re:Invent 2022
I went through all the re:Invent announcements and put together a list of the Top 10 relevant items for security-minded teams.
AWS re:Invent is AWS's annual conference, and the event at which AWS saves up its major announcements. Here is the list.
1. Amazon Security Lake
Probably the most significant announcement of this re:Invent is Amazon Security Lake. It centralizes security logs from AWS services and third-party sources into S3 buckets in your own account, normalized to the Open Cybersecurity Schema Framework (OCSF), so your own query and detection tooling can run over one consistent dataset.
If you’ve been reading this blog, you know already that I’ve been saying for years to build a security data lake before investing into a SIEM. I even did a video on it:
Takeaway: Build your own security data lake in AWS.
2. Amazon OpenSearch Serverless
A close tie for first place, in my opinion, is this announcement. Who wants to manage clusters in 2022? It will let under-resourced security teams (i.e. all of them) stand up and run their own cloud-based SIEM with far less effort.
Takeaway: Stand up OpenSearch without the headache of managing servers, clusters, and capacity planning.
3. AWS KMS External Key Store (XKS)
For some time, beginning with AWS Outposts, AWS has been working to make its infrastructure interoperate with on-premises environments. This is another of those steps.
Takeaway: This new capability lets you keep the key material for AWS KMS customer managed keys in a hardware security module (HSM) that you operate on premises or at any location of your choice; KMS forwards cryptographic operations to that HSM through an XKS proxy, so the key never leaves it. The caveat is that every AWS service encrypting with those keys now depends on the availability and latency of your HSM and proxy, so treat them as tier-one infrastructure.
4. AWS Control Tower – Comprehensive Controls Management
To be honest, AWS Control Tower has taken a long time to mature, and longer still to adapt to existing environments. This new feature looks promising, though: the catalogue of available controls can get unwieldy, so anything that centralizes how they are discovered, enabled and managed helps.
Takeaway: Ease the management of AWS Control Tower controls.
5. Amazon Inspector Now Scans AWS Lambda
Lambda and other serverless services were revolutionary for the cloud, but they were a huge blind spot for security teams everywhere. Amazon Inspector now scans Lambda functions and layers for known vulnerabilities in their application package dependencies. With the sharp increase in software supply chain issues, this matters even more.
Takeaway: Security teams now get vulnerability findings for AWS Lambda functions and layers.
6. AWS Config Rules Now Support Proactive Compliance
Takeaway: For teams heavily invested in AWS Config, this adds a way to evaluate a resource's intended configuration against Config rules before it is deployed, so a CI/CD pipeline can fail the build rather than discover the non-compliant resource after the fact.
7. AWS Wickr – A Secure, End-to-End Encrypted Communication Service For Enterprises
This announcement is very fascinating. Now any company can stand up its own version of a highly encrypted messaging app, similar to Slack. I'm really curious how well this can be implemented and whether there's a way for anyone to bypass the security, either accidentally or maliciously.
Takeaway: Stand up your own version of Slack or WhatsApp and tell your customers you can't see their conversations.
8. Amazon CloudWatch Logs Can Mask Sensitive Data
Masking sensitive data is sometimes the bane of my existence. I remember a client that had debug logging enabled full-time on their web app and was capturing every user's password in their Splunk instance. If you know anything about log solutions, Splunk included, purging data is not easy.
Takeaway: Developers make mistakes; this is a way to reduce the impact of those mistakes proactively. A data protection policy masks matches as events are ingested, and the unmasked data stays visible only to principals granted logs:Unmask, so lock that permission down as tightly as the log group itself.
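The masking described above, as an added example that is not from the original post or from AWS: the policy document shape that the CloudWatch Logs PutDataProtectionPolicy API takes (EmailAddress and AwsSecretKey are real managed data identifiers; the findings log group name is an assumption), plus a client-side Python logging.Filter that masks the same kinds of values before they are ever written, which is what you still need when the leaked field is a password, since passwords are not one of the managed identifiers. The regexes and the sample log lines are constructed for this example.

```python
"""Masking sensitive values in logs: a CloudWatch Logs data protection
policy document plus a client-side logging.Filter (added example)."""
import json
import logging
import re

# CloudWatch Logs managed data identifiers are referenced by ARN.
EMAIL_ID = "arn:aws:dataprotection::aws:data-identifier/EmailAddress"
AWS_SECRET_ID = "arn:aws:dataprotection::aws:data-identifier/AwsSecretKey"


def build_data_protection_policy(identifiers, findings_log_group):
    """Return a policy document in the shape PutDataProtectionPolicy takes.

    A policy needs two statements over the same identifiers: Audit (emit a
    finding when a match is seen) and Deidentify (mask the match in the
    stored event). findings_log_group must already exist in the account;
    the name used at the bottom of this file is an assumption.
    """
    identifiers = list(identifiers)
    return {
        "Name": "data-protection-policy",
        "Description": "Mask sensitive values in application logs",
        "Version": "2021-06-01",
        "Statement": [
            {
                "Sid": "audit-policy",
                "DataIdentifier": identifiers,
                "Operation": {
                    "Audit": {
                        "FindingsDestination": {
                            "CloudWatchLogs": {"LogGroup": findings_log_group}
                        }
                    }
                },
            },
            {
                "Sid": "redact-policy",
                "DataIdentifier": identifiers,
                "Operation": {"Deidentify": {"MaskConfig": {}}},
            },
        ],
    }


# Client-side guard. Passwords are not a managed identifier, so the app has
# to catch them itself. These regexes are an illustration, not CloudWatch's
# matching engine, and are deliberately broad: a false positive costs one
# masked token, a false negative costs a leaked credential.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_PASSWORD_RE = re.compile(r"(?i)(password|passwd|pwd)(\s*[=:]\s*)(\S+)")
MASK = "*****"


def mask_line(line):
    """Mask e-mail addresses and any password=<value> pair in one log line."""
    line = _EMAIL_RE.sub(MASK, line)
    return _PASSWORD_RE.sub(lambda m: m.group(1) + m.group(2) + MASK, line)


class MaskingFilter(logging.Filter):
    """Rewrite each record's message before the handler it is attached to emits it."""

    def filter(self, record):
        record.msg = mask_line(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


# Constructed sample lines mirroring the "debug left on" mistake in the post.
SAMPLE_LINES = [
    "login attempt user=alice@example.com password=Hunter2! from=10.0.0.7",
    "config dump db_pwd: s3cr3t retries=3",
    "session refresh for bob@example.com ok",
]


def scrub_all(lines):
    """Apply mask_line to every line; used to show the filter's effect."""
    return [mask_line(line) for line in lines]


if __name__ == "__main__":
    logger = logging.getLogger("app")
    handler = logging.StreamHandler()
    handler.addFilter(MaskingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    for line in SAMPLE_LINES:
        logger.debug(line)
    policy = build_data_protection_policy([EMAIL_ID, AWS_SECRET_ID],
                                          "/aws/cw-dp-findings")  # assumed name
    print(json.dumps(policy, indent=2))
```

Attach the printed document to a log group with `aws logs put-data-protection-policy --log-group-identifier <group> --policy-document file://policy.json`. The policy only masks events ingested after it is in place, so the client-side filter is the cheap way to stop the next leak while you clean up the old one; anyone holding logs:Unmask can still read what the policy masked.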
9. Backup and Restore Your CloudFormation Stacks
I wish I had this service available to me. In fact, imagine if it were enabled by default for AWS production accounts, or if the user were prompted at the start, or every so often, with "Would you like to have your stuff backed up?".
It's amazing how many people and organizations using the cloud don't realize their cloud resources are NOT backed up by default!
Takeaway: Your CloudFormation stacks are critical, and AWS Backup can now back them up automatically.
10. VPC Lattice – Simplify Networking for Service-to-Service Communication
Networking was always at the forefront of security, but it has taken a back seat to identity as the new perimeter. With container and Kubernetes usage growing, though, we are back to having critical communication inside a VPC travel unencrypted. Ever since Operation Aurora it has been a security standard to encrypt all communications, internal ones included.
I have to be honest, getting DevOps teams to encrypt container communications has been a struggle.
Takeaway: VPC Lattice (announced in preview at this re:Invent) looks like it will reduce the attack surface and give you TLS-encrypted service-to-service communication, with IAM auth policies deciding which services may talk to each other, across workload types: EC2, Kubernetes, Lambda, etc.
Alright, that's it for today. If you found this post helpful, the best thing you can do is share it with your network; that would help a ton!
If you want to see all re:Invent posts, here’s the link.