Amazon Web Services (AWS) makes continuous security enhancements to keep up with security best practices and standards and emerging threats and vulnerabilities. That is why AWS environments are secure from even the most sophisticated attacks.
AWS, however, is only responsible for the security of the underlying cloud infrastructure; you are responsible for securing the workloads you deploy in AWS. This involves staying informed about the latest AWS security updates and adhering to best practices, for example by leveraging tools like the AWS Cloud Development Kit (CDK) to strengthen your security posture.
An AWS cloud development partner can further augment your security efforts by offering their expertise in designing, developing, and deploying secure cloud environments. Their deep knowledge of AWS services and best practices can help you leverage cutting-edge solutions that keep your data safe and give you valuable insight into optimizing your cloud infrastructure for performance and cost-efficiency.
This article delves into the latest AWS security enhancements you should be aware of to improve your security posture.
Encryption Best Practices for Data at Rest and in Transit
Key Management Service (KMS) Updates and Enhancements
AWS Key Management Service (KMS) is a service that lets you create, manage, and control cryptographic keys across your applications and AWS services.
KMS now supports external key stores, which let you store and use your encryption keys on premises or otherwise outside the AWS cloud. The feature allows AWS KMS customer-managed keys (keys you create and manage yourself) to reside in a hardware security module (HSM) that you operate anywhere.
External key stores can be third-party services or applications that store and manage encryption keys. AWS KMS forwards API calls to your HSM over a secure channel, so your key material never leaves the HSM. This feature is designed for regulated workloads that require encryption keys to be stored and used outside an AWS data center.
Secure S3 Buckets: Access Control and Permission Management

AWS provides Amazon S3 (Simple Storage Service) buckets to securely store and retrieve large amounts of data. They provide a flexible and reliable way to store, back up, archive, and manage data in the AWS cloud environment.
Amazon added the S3 Block Public Access feature in 2018 to prevent unauthorized public access to buckets, and in 2021 added the ability to disable S3 access control lists (ACLs) so that users could rely on the more secure and recommended Identity and Access Management (IAM) policies instead.
Starting in April 2023, Amazon updated S3 to automatically enable S3 Block Public Access and disable ACLs for all new buckets. This default applies to all new buckets in all AWS Regions, which means you must now deliberately configure a bucket to be public or to use ACLs.
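To make the new default concrete, here is an added audit helper (not code from the article) that compares a bucket's Block Public Access and Object Ownership settings against what a bucket created after April 2023 gets by default. It works on the response shapes returned by boto3's get_public_access_block() and get_bucket_ownership_controls(), with the sample responses constructed inline so it runs offline.

```python
# Added example (not from the article): audit a bucket's settings against the
# April 2023 defaults, using the response shapes that boto3's
# get_public_access_block() and get_bucket_ownership_controls() return.
# Runs offline on constructed responses; no AWS call is made.

# Settings every bucket created after April 2023 receives by default.
EXPECTED_PAB = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def audit_bucket(pab_response, ownership_response):
    """Return findings; an empty list means the bucket matches the new defaults.

    pab_response: get_public_access_block() result, or None if the call raised
    NoSuchPublicAccessBlockConfiguration (nothing configured on the bucket).
    ownership_response: get_bucket_ownership_controls() result, or None if the
    call raised OwnershipControlsNotFoundError (legacy ACL behaviour).
    """
    findings = []
    pab = (pab_response or {}).get("PublicAccessBlockConfiguration", {})
    for key, expected in EXPECTED_PAB.items():
        if pab.get(key) is not expected:
            findings.append(f"PublicAccessBlock.{key} is {pab.get(key)}, expected {expected}")
    rules = (ownership_response or {}).get("OwnershipControls", {}).get("Rules", [])
    ownership = rules[0].get("ObjectOwnership") if rules else None
    if ownership != "BucketOwnerEnforced":
        findings.append(f"ObjectOwnership is {ownership}; ACLs still take effect")
    return findings


# Constructed sample responses (not captured from a real account).
NEW_DEFAULT_BUCKET = (
    {"PublicAccessBlockConfiguration": dict(EXPECTED_PAB)},
    {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
)
LEGACY_BUCKET = (  # block partly disabled, ACLs never turned off
    {"PublicAccessBlockConfiguration": {**EXPECTED_PAB, "BlockPublicPolicy": False}},
    None,
)

if __name__ == "__main__":
    for name, (pab, own) in {"new": NEW_DEFAULT_BUCKET, "legacy": LEGACY_BUCKET}.items():
        print(name, audit_bucket(pab, own) or "matches the new defaults")
```

Buckets created before April 2023 keep whatever they had, so running this over a list_buckets() result is a quick way to find the ones that still diverge from the new default.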
Identity and Access Management (IAM) Advancements
AWS IAM is a service that enables you to control access to your AWS resources. You can use it to manage user identities, permissions, and access policies to ensure that only authorized individuals and services can interact with your resources.
Some recent advancements in IAM include:
- Changes to the IAM multi-factor authentication (MFA) feature allow you to enable MFA for all IAM users in your organization. AWS Organizations is a feature of AWS that allows you to manage multiple AWS accounts centrally. Other changes allow you to enable MFA for AWS account root users. Previously, MFA was only supported for IAM users.
- You can now update an IAM entity or policy, but an AWS Managed Services (AMS) operator must review and approve the changes before they are implemented. This is designed to protect your AWS resources from unauthorized changes.
- You can update the IAM role assumed by AWS Config at any time without creating a new one. Previously, you had to create a new IAM role and assign it to AWS Config. This update can make managing the IAM role assigned to AWS Config easier.
- As of June 30, 2023, AWS changed role assumption behavior to always require an explicit self-referential grant in the role's trust policy. Previously, a role implicitly trusted itself: if it had identity-based permissions to assume itself, it could do so even without explicit permission in its trust policy. This update improves the security of IAM roles.
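The following added example (not code from the article) shows what the June 30, 2023 change means in policy terms: a helper that checks whether a trust policy explicitly names the role itself as a principal for sts:AssumeRole, and one that appends the required statement. The role ARN and the trust policies are constructed for illustration.

```python
# Added example (not from the article): detect whether a role's trust policy
# carries the explicit self-referential grant required since June 30, 2023.
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/example-batch-role"  # constructed value


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows_self_assume(trust_policy, role_arn):
    """True if an Allow statement grants sts:AssumeRole to role_arn (or to everyone)."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if role_arn in aws_principals or "*" in aws_principals:
            return True
    return False


def add_self_trust(trust_policy, role_arn):
    """Return a copy of the policy with the explicit self-trust statement appended."""
    policy = json.loads(json.dumps(trust_policy))  # deep copy, leaves the input untouched
    policy["Statement"] = _as_list(policy.get("Statement", [])) + [{
        "Sid": "AllowSelfAssume",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "sts:AssumeRole",
    }]
    return policy


# Constructed trust policy: before the change, a role with this policy could still
# assume itself via an identity-based sts:AssumeRole permission; now it cannot.
LEGACY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}
```

Only roles whose code actually assumes itself (for example to refresh or scope down credentials) need the extra statement; granting self-trust to every role would widen trust needlessly.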
Role-Based Access Control and Least Privilege Principles
New IAM Features for Improved User Authentication and Authorization

AWS IAM ensures that only authorized users can access your AWS resources. Some of the latest advancements that improve user authentication and authorization include:
- Updates to IAM Access Analyzer allow it to support AWS Organizations, so you can use it to analyze permissions across the multiple AWS accounts in an organization. It also supports cross-account inline policies, so you can analyze permissions granted by inline policies in other accounts.
- The introduction of attribute-based access control (ABAC) in 2022 allows you to define permissions based on user, resource, or request attributes. This helps you create more granular permissions and tighten access control. For example, you can grant a salesperson read-write access to the CRM solution while giving an administrator view-only privileges to create a report.
- The open-source Cedar policy language and authorization engine was released in May 2023. You can use it to express fine-grained permissions in a form that is easy to understand and to enforce. It supports common authorization models such as role-based access control (RBAC) and attribute-based access control (ABAC).
- Amazon Verified Permissions is now generally available. You can use it for more granular authorization and permissions management in applications you build with the AWS SDK, and it works in conjunction with Cedar.
Integration with Identity Providers and Single Sign-On (SSO) Solutions
Integration with identity providers and single sign-on (SSO) solutions lets users authenticate with credentials from an external identity source and access AWS resources. AWS SSO has been rebranded as AWS IAM Identity Center. You can think of it as the “Sign in with Google” functionality you might have seen on applications and websites.
AWS announced on June 13, 2023, that IAM Identity Center now supports Google Workspace as an external identity provider. This integration makes it easier for administrators to simplify access management across multiple accounts, and users save time through single-click access to all their assigned applications and accounts from the IAM Identity Center user portal.
Other advancements include:
- Administrators who use QuickSight accounts can now use the IAM Identity Center to enable their users to log in using their existing credentials.
- You can configure multiple IAM roles assigned to a single user when using SAML 2.0. This enables you to support user access from various identity providers simultaneously.
Threat Detection and Incident Response
AWS has robust tools to help you continuously monitor your AWS environment, identify signs of suspicious activity, and take action to address and mitigate it before or after a security incident occurs. Advancements in threat detection and incident response services and tools include the recently released Amazon Transcribe Toxicity Detection.
The Toxicity Detection feature can detect toxicity in audio and text. It classifies toxic content across categories such as sexual harassment, threat, abuse, insult, hate speech, and graphic. This feature reduces the time taken to identify toxic content and take action.
Additionally, Amazon Detective can now detect and investigate more security incidents. It supports security investigations for Amazon GuardDuty EKS Runtime Monitoring, GuardDuty RDS Protection, and Lambda Protection.
AWS CloudTrail and CloudWatch Updates for Comprehensive Logging and Monitoring
AWS GuardDuty and Security Hub: Advanced Threat Detection and Management
AWS Security Hub provides a centralized view of your security alerts and findings from across AWS services and makes it easier to investigate and respond to security incidents. It has seen several updates that advance its threat detection and management capabilities.
For example, it added 6 new security controls on June 14, 2023, to run fully automated security checks against services like Amazon S3 and CloudFront. Two months later, on August 7, 2023, Security Hub launched 12 new security controls, extending its support to additional AWS services like Amazon Athena, DocumentDB, and Neptune. The update also added a control for Amazon RDS.
Apart from the security controls, the recent AWS CloudFormation update allows you to use CloudFormation to deploy Security Hub and manage its controls and standards.
Some GuardDuty improvements that advance its threat detection and management capabilities include:
- The new summary page in GuardDuty helps users act quickly on findings across the AWS environment. The summary page presents a breakdown of findings, trends of findings across time, and other details.
- You can initiate Amazon Elastic Compute Cloud (Amazon EC2) malware scans on demand without deploying security software using the GuardDuty console or API. If the scan detects potential malware, GuardDuty generates actionable security findings with detailed information about it.
- The new GuardDuty Lambda Protection feature allows you to monitor the Lambda execution environment for threats, improving threat identification and response.
Streamlined Incident Response with Incident Manager
The AWS Incident Manager service helps you prepare for, respond to, and learn from incidents. It enables you to effectively manage and resolve incidents while minimizing their impact on your operations and AWS environment.
The AWS Incident Manager now supports Microsoft Teams, allowing users to incorporate Microsoft Teams chat channels into their Incident Manager Response Plans. The Incident Manager can send update notifications to Teams during an incident, and channel members can interact with the incidents, streamlining their response.
You can also send events directly from third-party Application Performance Monitoring (APM) tools to AWS Incident Manager via Amazon EventBridge. Incident Manager can also ingest events from multiple APM tools for the same application. This update enables faster incident detection, response, and recovery.
The Incident Manager also provides on-call schedules to ensure coverage and responsiveness for critical issues. With this feature, you can configure rotations through a group of on-call contacts to ensure there’s always someone on call. This feature helps teams to quickly engage, respond, and resolve issues when they occur.
Compliance and Governance Innovations
AWS makes continuous innovations to help organizations ensure their cloud deployments meet industry-specific regulations, compliance standards, and security requirements. Some of the latest innovations in compliance and governance include:
- The new AWS Certificate Manager Enterprise Controls for Certificate Issuance ensure your certificates are issued securely and compliantly. This feature allows you to use IAM condition context keys to help ensure that users issue only certificates that conform to your organization’s public key infrastructure (PKI) guidelines.
- The new AWS Control Tower and Security Hub integration allows you to enable Security Hub in all the accounts in your AWS Control Tower landing zone with a single click. This can save you time and effort and help you ensure that all your accounts comply with your security policies.
- AWS Control Tower added 10 new AWS Security Hub controls to support over 170 detective controls to enhance the security and management of your AWS environment.
- AWS Artifact launched email notifications to alert you when a report or agreement becomes available in AWS Artifact.
- AWS Health now supports a delegated administrator, which allows accounts other than the management account to view aggregated AWS Health events, so you can delegate this responsibility outside the management account.
Updates to AWS Compliance Offerings (e.g., PCI DSS, HIPAA, GDPR)
AWS Config and Control Tower: Enhanced Governance and Policy Enforcement
AWS Config enables you to assess, audit, and monitor the configurations of your AWS resources. AWS Control Tower simplifies the process of setting up and governing a multi-account AWS environment. Updates to the two services that can enhance governance and policy enforcement in your AWS environment include the following.
- AWS Control Tower launched 28 new proactive controls to enhance its governance capabilities.
- AWS Control Tower achieved FedRAMP High authorization, allowing you to use it with workloads that require the FedRAMP High categorization level in AWS GovCloud (US).
- AWS launched comprehensive controls management in AWS Control Tower to enhance AWS governance capabilities. These new controls enable you to disallow actions that lead to policy violations and detect noncompliance of resources at scale. They also provide a consolidated view of compliance status across a multi-account environment.
- The new AWS Cloud Development Kit (CDK) policy validation feature allows you to validate the templates your AWS CDK app synthesizes against a set of policies. This can help you ensure that your templates comply with your organization’s security and compliance policies.
Auditing and Compliance Automation with AWS Config Rules
AWS Config monitors and records the configurations of your AWS resources. With AWS Config Rules, you can monitor configuration changes, define the expected configuration, and respond to deviations, which allows you to automate your auditing and compliance process. The rules evaluate the compliance status of your AWS resources and flag any violations.
The latest update to Config Rules allows customers to adjust the default response for compliance and auditing violations. You can now choose whether you want AMS to remediate, ask for approval, or add to a monthly report on the alerts. This update allows you to set up multiple responses for a Config Rule based on the tags, resources, and account.
Automating the audit and compliance process reduces manual effort, enhances security, and helps maintain a consistent and compliant environment.
AWS Latest Security: Enhance the Security of Your Cloud Environment with Practicallogix
AWS operates under a shared security responsibility model. They ensure the underlying cloud infrastructure is secure and leave the responsibility of implementing the most applicable security controls for your business functions to you. Keeping pace with the latest AWS security advancements can help you stay ahead of emerging threats and ensure the robust protection of your data and resources.
Working with an AWS cloud development partner can further enhance your security posture and streamline the implementation of best practices. It can enable you to fully leverage AWS’s powerful security features while focusing on your core business objectives because they possess the AWS cloud development tools and expertise to design, deploy, and manage AWS solutions tailored to your unique security requirements.
If you’re looking for an AWS cloud development partner to help you enhance your AWS environment’s security, Practicallogix can help you. We offer cloud design, development, and implementation services. Contact us to know how we can enhance the security of your cloud environment.