The Five Most Interesting AWS (p)re:Invent Announcements for Cloud Security
At re:Invent or attending remotely? Check out my “Ultimate Guide to AWS re:Invent 2022” post for some tips and tricks to get the most out of the show.
Every year, AWS launches a lot of new features and functionality leading up to and during AWS re:Invent.
As we kick off day one of this year’s show, here are my top five cloud security-related announcements for pre:Invent.
1. More Flexibility Administering AWS Organizations
AWS Organizations is the only thing that keeps me sane when managing all of my AWS accounts. I have a few personal accounts, but it’s enough to see the benefits of the central management through AWS Organizations.
Multiple that challenge/relieve by a few hundred and you’ll quickly start to grasp the challenge of most businesses.
An AWS account is a wonderful, free security boundary. You should be using a lot of them.
This should make things a lot easier and help you maintain separation of duties within your security practice.
2. Amazon CodeWhisperer Gets Much Needed Identity Controls
As is the case with any new AWS service, Amazon CodeWhisperer has been steadily improving since its announcement.
It’s getting to the point where more and more builders are going to want to try it out. That raises some interesting questions within your organization. Questions that are well worth debating.
See the discussions and posts around GitHub CoPilot for more.
This latest feature release allows you enable CodeWhisperer within your Single Sign-On (SSO) authentication systems. They’ve also added the ability to deliver this service to users that don’t have an AWS account via AWS Builder ID.
These are much needed to controls to help you enable builders within your organization safely.
3. A Safety Net For Log Data
“I would never log sensitive information”, said the developer about to inevitably 🤦.
It happens. We’ve all done it at some point.
Once found, the service will automatically mask the data based on the policy you configure.
IAM policies dictate who can get the unmasked data with a specialize query via CloudWatch Logs.
I love features like this. There’s a minimal impact on workflow, but a huge boost to your security posture.
4. Watch Across Accounts…Finally
Sticking with Amazon CloudWatch, you can now (finally) search analyze, and correlate telemetry accounts accounts!
You can declare an AWS account a monitoring account and connect other accounts (source accounts) to view their data.
This integrates with AWS Organizations and IAM to give you a ton of flexibility right out of the gate.
Better still, no extra charges for logs or metrics. Tracing does have additional charges cross-account though.
5. AWS Backup Matures
A trifecta of improvements from AWS Backup. And yes, that’s an actual service name.
Side note, the most amazing AWS service name hands-down is: AWS Managed Services. Which expands to Amazon Web Services Managed Services the service 👨🍳
AWS Backup now:
- Offers delegation of organization-wide administration
- Adds legal holds for extended data retention
- Provides application-aware data protection for AWS CloudFormation stacks
Each of these helps integrate AWS Backup into your cloud environment. Backups are a critical part of resiliency and anything that makes that process easier to manage (and test!) is a welcome addition.
More To Come…
These are just a few of the announcements from the pre:Invent build up. I expect more security announcements during the week.
Remember, with few exceptions, these announcements are usually laser focused on solving a specific problems. We’re at the point now where I don’t expect too many completely new services…though I’m happy to see new ones launch!
Realistically, every new feature that makes it easier to implement key features of a security practice are a welcome addition.
In addition to these features, AWS announced the AWS Digital Sovereignty Pledge.
This is a clear statement of how your data moves in the AWS Cloud and where it is stored. It’s worth reading through it to understand what AWS has been building for the past 15+ years. None of this happened overnight, but where the state of security is the cloud is now is a very good place.