Some thoughts on security announcements so far at AWS re:Invent
In this post I'm just compiling some of the security announcements at AWS re:Invent. I'll have to come back and try them out in more detail later because, unfortunately and fortunately, someone hired me to teach a class during re:Invent.
Not sure when I'll get out to speak at a large conference again, but I try to keep tabs on what people are talking about based on the information I find online. These days I tend to prioritize what drives business and makes money, to be honest, as I'm traveling less. But I miss seeing friends at re:Invent very much!
Here's my initial reaction to the announcements, but again, without all the details, and it's a woman's prerogative to change her mind. 🙂
VPN-less Secure Network Access to Corporate Applications
Many solutions are taking different approaches to remote access. Many of them try to connect people at the application layer rather than the network layer of the OSI model. Some are interesting, others not so much. Without diving into this particular solution, here's what you want to ask:
- If someone obtains your credentials or an active session, can they use it from a different network location to get to the host where you are ultimately logged in and working? If so, it's an identity solution, not a network solution.
- Does the encryption used to connect to the remote host encrypt all network traffic to the remote host, or only traffic on a specific protocol? As I've written about before, some VPNs are better than others in that regard (SSL vs. IPSEC).
- Does the solution allow you to inspect all network traffic — accepted, rejected, or failed — on all ports between the remote host and the target endpoint?
- Can you see full packets? Some attacks below the application layer of the OSI model may not be visible if you can't see all of those network packet details, as I've explained in other posts.
- When someone connects to the remote endpoint, is that remote endpoint accessible via the Internet to others? When you connect to a VPN, the VPN endpoint is exposed, but no hosts within the network are exposed when you're not connected to the VPN. I once performed a penetration test where one of the objectives was to see if the bastion host was vulnerable. I essentially reverse engineered the fact that the bastion host was behind a VPN, so the only way it could be vulnerable is if I could first break through the VPN. That's what a VPN does for you. When hosts are exposed directly to the Internet with no layer in between, they are open to direct attack from the Internet.
- Can you manage all of the access from one point, or do you have to manage each host exposed to the Internet for remote access individually? If you cannot manage them centrally, then you've exponentially increased management overhead and risk. Errors and misconfigurations represented 13% of security incidents in the 2022 Verizon Data Breach Report, so you want to reduce the chance of misconfiguration by reducing what you have to manage. A VPN does that (and so, to a certain extent, does the automation I wrote about here for per-user instances that use a single script for deployment — there are pros and cons to that approach vs. a VPN, but it is better than exposing every host to the Internet). I presume this new service is a centralized solution, but I haven't looked into it.
If this new solution meets all of the above criteria then it could be a VPN replacement. Most of the time when companies sell a solution as a VPN replacement it isn't really one, but maybe Amazon has cracked that nut with this new service.
In terms of the new application-based security approaches, one interesting thing about them is that when someone connects to an application, they can't "scan the network" in the traditional sense with a tool like nmap. I haven't inspected this yet to see if it is that type of solution or something else.
VPC Lattice
This looks very interesting if it can help set up a zero-trust network for service-to-service communication. I've been writing about serverless networking in my latest blog series on automating cybersecurity metrics, and this service may help. I'll have to check it out. For people who are just getting started building applications, serverless is easier than all the configuration you need to do to set up Kubernetes or even EC2. The related networking, not so much. Maybe this will help.
Again, you'll want to verify that it meets the same network requirements as the VPN above to determine whether it is truly a network solution or an identity solution.
AWS KMS External Key Store
This service looks great for organizations that need to host keys on premises but want to integrate with KMS. Sometimes customers want to control their own key, or they need the key to be accessible both in a private network and on AWS (though I wouldn't be too excited about the potential latency in that case). This may help some larger organizations with compliance restrictions or high-security needs.
AWS Inspector — Lambda Vulnerability Scanning
Awesome. You'll want to test out the specific programming languages and vulnerabilities it finds, but this is great news! I'll definitely be trying it out.
Automated Data Discovery for Macie
Macie's automated discovery aims to help you find where data exists in S3 buckets that you might not be aware of. As with data exfiltration tools, I presume it will need to be monitored and tuned for false positives. Data exfiltration and identifying sensitive data is always challenging. I often have Burp identifying random strings as credit cards on penetration tests, for example, when they aren't really credit cards. Be prepared to invest the resources to manage this tool, but it should be able to help you find your sensitive data and lock it down.
Amazon Verified Permissions
Amazon calls this new feature:
a scalable, fine-grained permissions management and authorization service for custom applications
If it's what I think it is, I once wrote something like this. We had a central automation service that read in configuration files and allowed or disallowed actions based on configuration files written by developers. The developers didn't have to write the code to authorize actions but rather defined the allowed actions for a particular user type.
It also sounds similar to Open Policy Agent (OPA), which came out later and is a concept I really like. I'll have to try it out to see if it is what it sounds like.
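An added example of the config-driven authorization pattern described above (developers write policy, not authorization code). This is illustrative code written for this post, not the API or policy format of Amazon Verified Permissions or OPA; the policy document shape, the user types and the action/resource names are all constructed assumptions.

```python
import fnmatch
import json
from typing import Any

# Constructed sample policy document: what a developer would write instead of
# authorization code. Shape, user types and names are this example's
# assumptions, not the format of Amazon Verified Permissions or OPA.
POLICY_JSON = """
{
  "analyst": [
    {"effect": "allow", "actions": ["report:read", "report:export"], "resources": ["report/*"]},
    {"effect": "deny",  "actions": ["report:export"], "resources": ["report/restricted/*"]}
  ],
  "admin": [
    {"effect": "allow", "actions": ["*"], "resources": ["*"]}
  ]
}
"""

def load_policies(text: str) -> dict:
    """Parse the policy config and fail closed on anything malformed."""
    policies = json.loads(text)
    for user_type, rules in policies.items():
        for rule in rules:
            if rule.get("effect") not in ("allow", "deny"):
                raise ValueError(f"bad effect in policy for {user_type}: {rule}")
            if not rule.get("actions") or not rule.get("resources"):
                raise ValueError(f"rule for {user_type} must list actions and resources")
    return policies

def _matches(rule: dict, action: str, resource: str) -> bool:
    """Glob-style matching so one rule can cover a family of actions/resources."""
    return any(fnmatch.fnmatchcase(action, a) for a in rule["actions"]) and \
           any(fnmatch.fnmatchcase(resource, r) for r in rule["resources"])

def authorize(policies: dict, user_type: str, action: str, resource: str) -> bool:
    """Deny by default; an explicit deny wins over any allow (IAM-style evaluation)."""
    allowed = False
    for rule in policies.get(user_type, []):  # unknown user type -> no rules -> denied
        if not _matches(rule, action, resource):
            continue
        if rule["effect"] == "deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    p = load_policies(POLICY_JSON)
    print(authorize(p, "analyst", "report:read", "report/q3"))              # True
    print(authorize(p, "analyst", "report:export", "report/restricted/x"))  # False
```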
Automated in-AWS Failback for AWS Elastic Disaster Recovery
This new feature looks interesting. I need to see if it helps with ransomware.
Backup for CloudFormation Stacks
This also looks pretty interesting. Looking forward to trying it out.
Redshift Backup
Useful for those using Redshift who need to restore when necessary.
New — Failover Controls for Amazon S3 Multi-Region Access Points
Another service to check out and test for those building automated failover in case of an AWS outage or security incident. When S3 has issues, many applications have issues. Failover with S3 can be tricky. Hopefully this makes it easier.
Amazon Security Lake
Stores data using the OCSF standard. This is definitely something to check out for security folks who have to deal with all the security logs in an organization. If you get in on the preview, you may be able to provide valuable feedback to help drive changes in the right direction to meet your needs.
Config Rules — Proactive Compliance
Proactive is better than reactive. This is definitely worth checking out. In an environment where I worked, a network compliance tool would revert a non-compliant change within three minutes. And that was all the time someone — on the security team — needed to open up access to his instance and make a configuration change he wanted. When I confronted him about it he said it was a "dumb tool." It wasn't, but it shows the need to prevent the change if possible, rather than react after it's too late.
Control Tower — Comprehensive Controls Management
Control Tower is such a needed service, but as I've written before, some things are a bit tricky when you try to use and maintain it. Still, the concept is on point and I'm excited to check this out.
Amazon EventBridge Pipes
This isn't exactly a security feature, but if it helps improve consistency and reduce complexity through abstraction, it could help the overall security of an organization when connecting services in an asynchronous manner.
Wickr — End-to-End Encryption for Communication Services
There it is! I was just looking for more information on end-to-end encryption in my last blog post on Amazon Chime. Based on the documentation, it's not clear that Chime's communication is actually encrypted end to end. I'm not sure whether Amazon Chime uses this service or is end-to-end encrypted based on what I found, but if you need end-to-end encryption this service may help, because it clearly is.
New — Amazon ECS Service Connect Enabling Easy Communication Between Microservices
This service sounds similar to Lattice (above) but for ECS.
CloudWatch Logs Data Protection
Appears to detect sensitive data in logs. Definitely worth a look.
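An added example illustrating the point raised under Macie and CloudWatch Logs Data Protection above: sensitive-data detectors need tuning for false positives. This is illustrative code written for this post, not the logic of either AWS service or of Burp; it scans constructed log lines for card-number-like digit runs and uses a Luhn check to drop random digit strings that merely look like card numbers. The log lines and card numbers are constructed (the card numbers are well-known test numbers, not real accounts).

```python
import re

# Constructed sample log lines (not real data): one genuine-looking card number,
# one random 16-digit request id, one already-masked value, one spaced number.
SAMPLE_LOGS = [
    '2022-11-30T10:01:02Z INFO checkout user=alice pan=4111111111111111 amount=42.00',
    '2022-11-30T10:01:03Z INFO trace request_id=1234567890123456 status=200',
    '2022-11-30T10:01:04Z INFO checkout user=bob pan=****-****-****-4242 amount=9.99',
    '2022-11-30T10:01:05Z DEBUG cache key=5500 0000 0000 0004 ttl=300',
]

# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters most random digit strings that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(line: str) -> list:
    """Return Luhn-valid candidate PANs in a line, masked to the last four digits."""
    hits = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r'[ -]', '', m.group(0))
        if luhn_ok(digits):
            hits.append('*' * (len(digits) - 4) + digits[-4:])
    return hits

def scan(lines) -> dict:
    """Map line index -> masked findings, only for lines with a validated hit."""
    return {i: h for i, line in enumerate(lines) if (h := find_card_numbers(line))}

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: possible card number(s) {found}")
```

Without the Luhn step the request id on the second line would be flagged too, which is exactly the kind of false positive that makes these tools expensive to operate.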
CloudWatch Cross-Account Observability
I wrote about some issues with cross-account logging for KMS. I think this is going to be a very, very useful feature, and I hope to try it out and possibly blog about it later in my latest blog series, where I'm building out a cloud security architecture for batch jobs (and really anything else).
Container Runtime Threat Detection in GuardDuty
This was announced in the AWS keynote by Adam Selipsky. I'm not seeing it yet in the AWS news announcements, but I found this post from November.
I wrote about that and some other security-related features here after watching the AWS keynote.
I might have missed something, and there's a bit more to go at AWS re:Invent. I'll update this post if I see anything new.
Follow for updates.
Teri Radichel
© 2nd Sight Lab 2022