AWS Re:invent 2017 Recap – The Security Version

Ashish Rajan Security Architect at Versent

December 17, 2017

I would like to share a recap from AWS re:invent 2017, focusing only on the security releases from the conference.

Release 1: AWS Private Link

Features:

1) AWS Private Link allows an AWS customer to extend a TCP connection (network connectivity) between selected AWS services in an AWS account and:

- other AWS account(s) they own
- AWS account(s) owned by their customers
- AWS account(s) owned by their trusted partners

2) These selected services can be made available as a service either directly or through the AWS Marketplace.

3) Low-latency, fault-tolerant communication, as the traffic stays on the AWS private network.

4) Each connection between the service consumer and service provider will be initiated at the service provider and will need to be accepted by the service consumer.

5) Private Link can be combined with AWS Direct Connect to extend services to on-premises networks.

6) The service provider can run the service on EC2 instances, ECS containers or even on-premises servers (configured as IP targets).

7) Network Load Balancers need to be provisioned with one ENI per region for high availability.

Source for AWS Private Link & AWS re:invent Talks

Release 2: AWS GuardDuty

Features:

1) A “one-click enable” AWS threat intelligence service.

2) The service uses machine learning to inform customers of any malicious activities in their “single or multi-account AWS structure”.

3) The service will need to be enabled on the Master AWS account. All the sub-accounts can be invited at this point to be included in the scans.

4) The service uses VPC Flow logs, CloudTrail logs and DNS logs to detect and report malicious activities in the scanned AWS accounts.

5) The logs are analysed for trends, patterns and anomalies that match known malicious patterns.

6) Analysis is performed against industry-known threat intelligence sources, including sources provided in partnership with CrowdStrike and Proofpoint.

7) The service covers only the IT infrastructure within the AWS accounts, which includes credentials, resources, guest operating systems and applications communicating in the AWS account.

8) VPC Flow Logs do not need to be enabled to use this service; AWS generates the VPC flow data itself (if not already available) to produce the scan results.

9) The results from GuardDuty can be pushed to AWS CloudWatch Events to trigger AWS Lambda functions to perform specific actions based on the type of the issue discovered by GuardDuty.

10) The customer will not notice any drop in performance or reliability of resources while the service is in use.

11) The service is currently available free for the first 30 days.

Source for AWS GuardDuty & AWS re:invent Talks
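As an added example (not from the original post, and not AWS code), here is a minimal Lambda handler for item 9 above: it takes a GuardDuty finding delivered by CloudWatch Events and picks a response action from the finding's type and severity. The event shape follows the GuardDuty finding format; the sample event, instance ID and the response policy itself are constructed assumptions.

```python
# Constructed sample in the shape CloudWatch Events uses to deliver a
# GuardDuty finding (source "aws.guardduty"); the instance ID is a
# placeholder, not a real value.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

def severity_band(score):
    """GuardDuty severity bands: low below 4, medium 4 to 6.9, high 7 and up."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def plan_response(event):
    """Map one GuardDuty finding to a response action; rejects other events."""
    if event.get("source") != "aws.guardduty":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    band = severity_band(float(finding["severity"]))
    ftype = finding["type"]
    resource = finding.get("resource", {})
    plan = {"finding_type": ftype, "severity": band, "action": "log"}
    # Hypothetical policy: EC2 unauthorized-access or high-severity findings
    # quarantine the instance, medium ones page on-call, the rest are logged.
    if resource.get("resourceType") == "Instance":
        plan["instance_id"] = resource["instanceDetails"]["instanceId"]
        if band == "high" or ftype.startswith("UnauthorizedAccess:EC2/"):
            plan["action"] = "quarantine_instance"
            return plan
    if band == "medium":
        plan["action"] = "notify_oncall"
    return plan

def lambda_handler(event, context):
    """Lambda entry point; a real version would act on the plan via boto3."""
    return plan_response(event)
```

The CloudWatch Events rule that feeds this function would match on `"source": ["aws.guardduty"]`, so the handler rejects anything else rather than acting on it.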

Release 3: AWS IoT Device Defender

This service will secure a fleet of IoT devices managed by AWS. The service was announced as part of the next phase of IoT for AWS. The service was announced along with IoT device management and IoT Analytics.


It will have the following features: auditing device policies, monitoring device behaviour, identifying anomalies and out-of-compliance behaviour, and generating alerts.

Source: AWS IoT Device Defender release blog

“Out of band” — security releases

There were a few security releases for some of the well known AWS services:

Release 4: AWS Cognito

AWS Cognito now supports MFA.

Source: AWS Cognito setup MFA on User Pool

Release 5: AWS API Gateway

AWS API Gateway now supports private integration to private AWS VPC networks.

Source: Setup API Gateway Private Integration

Release 6: Amazon FreeRTOS

AWS released its own version of an IoT microcontroller operating system “that simplifies development, security, deployment, and maintenance of microcontroller-based edge devices.”

Source: Amazon FreeRTOS

Release 7: AWS EC2 Bare instances

This is a newly released instance type that will be especially interesting for anyone who does forensic analysis in the cloud. It is only available in preview for the moment.

Source: EC2 Bare instance available in preview mode.

Release 8: AWS Time Sync Service

The Amazon Time Sync Service has been released and is free to use. This means AWS resources can use the local 169.254.169.123 IP address, instead of an internet connection, to keep their server time synchronised with the Amazon Time Sync Service.

This service uses a variation of the NTP service called Chrony.

Source: Keeping time using AWS NTP service

Hopefully, this security update from AWS re:invent 2017 was helpful. I will follow up with a presentation on any learnings from using the above services.

Did you like the list of security releases? Do you think I missed something? Leave a comment to let me know your thoughts.
