While some people are checking email to get the best deals on holiday shopping, we’re watching the AWS re:Invent keynotes to find out what new AWS features will change the way we use the most popular cloud computing service. As we’ve come to expect, Amazon announced more than a dozen new services and major upgrades this year. We’ve selected three that we think are the most important due to their broad applicability and – no surprise – they’re all related to security.
- S3 Access Analyzer. The S3 object storage service is a tremendously useful way to store data in the cloud for everything from public website content to processing large sets of private data. However, the S3 security model is complex. Misconfigured S3 access rules have been implicated in a large number of data breaches. Up to now, a comprehensive review of security configuration across a large number of S3 buckets has required a tedious bucket-by-bucket review. The new S3 Access Analyzer tool addresses that problem by providing a dashboard for highlighting buckets that allow access from outside the owner’s AWS account.
- IAM Access Analyzer. In addition to the S3 Access Analyzer, AWS now offers a tool that automatically reviews access rules for other entities that are commonly granted public access. This list includes KMS keys, SQS queues, IAM roles, and Lambda functions. Like the S3 Access Analyzer, this tool highlights public access rules and allows you to modify the rules quickly when you find that the entity should not have public access. This tool should be used in conjunction with the Access Advisor information available for IAM users, groups, policies, and roles to ensure that you’re adhering to the principle of least privilege for access to your resources.
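To make concrete what both analyzers look for, here is an added, simplified version of the check they run (example code written for this post, not AWS's own implementation): walk a resource policy and report every Allow statement whose principal is the anonymous user or an account other than the owner. Bucket policies, KMS key policies and SQS queue policies all share this Principal/Effect/Condition shape, so the same function applies to each. The account IDs, bucket name and organisation ID are constructed sample values, and treating AWS service principals as trusted is a simplification of this example; the real analyzers also reason about Condition keys, whereas this version only lists them so a reviewer can see that a statement is scoped.

```python
import json
import re

# Constructed owner account ID for the sample policies below (not a real account).
OWNER_ACCOUNT = "111111111111"

_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def principal_strings(principal):
    """Flatten the Principal element into (kind, value) pairs.
    Principal may be '*' or a map such as {'AWS': [...], 'Service': '...'}."""
    if principal == "*":
        return [("AWS", "*")]
    pairs = []
    for kind, value in principal.items():
        for v in (value if isinstance(value, list) else [value]):
            pairs.append((kind, v))
    return pairs


def classify_principal(kind, value, owner_account):
    """Return 'public', 'cross-account', or None (trusted) for one principal.
    Simplification (assumption of this example): service principals are treated
    as trusted, since the findings of interest are other accounts and anonymous users."""
    if kind == "Service":
        return None
    if value == "*":
        return "public"
    if kind == "AWS":
        if value == owner_account:           # bare account-ID form
            return None
        m = _ARN_ACCOUNT.match(value)
        if m:
            return None if m.group(1) == owner_account else "cross-account"
    # Federated, CanonicalUser, or an AWS principal we cannot map to an account
    return "cross-account"


def external_access_findings(policy_json, owner_account=OWNER_ACCOUNT):
    """One finding per Allow statement/principal that grants access outside
    owner_account. Deny statements never widen access and are skipped.
    Condition keys are reported rather than evaluated, so a statement limited by
    e.g. aws:PrincipalOrgID still appears and must be reviewed by a human."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        for kind, value in principal_strings(stmt["Principal"]):
            access = classify_principal(kind, value, owner_account)
            if access is None:
                continue
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "principal": value,
                "access": access,
                "actions": actions,
                "condition_keys": sorted(
                    k for op in stmt.get("Condition", {}).values() for k in op),
            })
    return findings


# Constructed sample bucket policy: one public read, one cross-account write
# scoped by an organisation condition, one same-account statement, one Deny.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWNER_ACCOUNT}:role/admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for f in external_access_findings(SAMPLE_BUCKET_POLICY):
        print(f"{f['sid']:<14} {f['access']:<14} {f['principal']} "
              f"{f['actions']} conditions={f['condition_keys']}")
```

Run against the sample policy, this reports PublicRead as public and PartnerWrite as cross-account (with its aws:PrincipalOrgID condition listed for review), while the owner's admin role and the Deny statement produce no finding. That is the same triage the console dashboards give you, and it is a useful way to sanity-check a policy before it is applied.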
- EC2 Image Builder. Many organizations need to deploy a fleet of EC2 virtual machines to run their workloads. Managing software updates and security configuration on these images can become more than a full-time job once the fleet grows beyond a handful of virtual machines. The new EC2 Image Builder tool offers a web-based point-and-click tool for defining the software and security configuration on a virtual machine image, and running a set of tests to ensure that the configuration meets expectations. Currently the tool offers a very small set of pre-configured options, but it has the potential to drastically reduce workloads for small organizations.
If you use AWS, you should explore these tools in detail and determine how they can help you improve your security posture. Cloud computing has brought great power to small organizations, but as the Spider-Man franchise reminds us, with great power comes great responsibility. You owe it to yourself and your customers to ensure that you’re taking appropriate steps to secure your data and infrastructure in AWS.