After finally having time to watch some AWS reInvent 2020 sessions over the holidays, I decided to make some notes and share them in case someone will find this useful.
My notes on "Where we’ve been, where we’re going" reInvent 2020 session by Steve Schmidt :
1) 2020 security highlights
2) Security product launches
3) Enabling Zero Trust
4) Ten places to focus on today
2020 security highlights (new features):
- new threat and service coverage
- S3 data advance (s3 protection)
- better organization support (designated account to manage GD in the organization)
- support for AWS WAF and AWS Managed Rules
- supports centralized logging (for WAF)
AWS IAM Access Analyzer works the awesome way in the organization (very useful with huge amount of the use cases)
AWS Single SignOn adds AWS CloudFormation support
- Using AWS ACM private CA could be shared (using AWS RAM) with other accounts to allow them to provision, manage, and deploy private certificates.
- Better integration of the certificate lifecycle for the private CA with supported AWS services (LB, API GW, IoT..)
- ACM supports 5X more APIs (performance )
- ACM support for the AWS S3 bucket encryption (looks like only for CRL and audit report exports)
AWS Nitro Enclaves is GA: use case: an isolated environment for very sensitive data .
AWS Macies reduces the costs to up 80% and dashboard redesign.
- auto-remediation support
- CIS, AWS best practices and PCI DSS security standards
- prepackaged with 10 playbooks
- Single dashboard for the patching status in the Security Hub using AWS patch manager (part of system manager)
AWS Detective now supports VPC flow logs and does aggregations and dashboarding for this.
Security product launches
AWS Nitro Enclaves:
AWS Audit Manager:
- continuously assess control for the risk and compliance (helps with evidence collection for the Auditors and proactively collects evidences)
- Currently supports following frameworks: CIS, GDPR, PIC DSS + build own assessment templates
- Highlights: known and custom assessment templates, automated evidence collection, built-in audit workflow.
AWS Network Firewall (based on the docs looks like managed Suricata IPS):
- inspect all traffic entering or leaving VPC.
- zonal service with AZ isolated inspection points
- basically, a fleet of AWS managed firewall ec2 instances behind a load balancer
- supports DNS names in the firewall rules.
- IDS/IPS functionality as well
Enabling Zero Trust
Zero Trust - augmenting network-based controls with identity-based controls
- First dimension
- Security above network?
- Gateways or proxies?
- More dynamic VPNs?
- Second dimension
- Software components?
Avoid binary choice: just identity or just network controls.
One size doesn't fit all in each case Zero Trust might and will be implemented differently.
Ten places to focus on today:
- Accurate account info
- Use MFA
- No hard-coding secrets
- Limit security groups
- Intentional data policies
- Centralize AWS CloudTrail logs
- Validate IAM roles
- Take action on GuardDuty findings
- Rotate your keys
- Be involved in dev cycle
- Use AWS Organizations
- Understand your usage
- Use cryptography services
- Federation for human access
- Block public access on accounts
- Edge protect external resources
- Patch and measure
- No hard / soft defense (perimeter is both: Network and Identity)
- Transparent leadership reviews
- Diverse hiring