AWS’s largest event of the year is re:Invent, which occurred just after Thanksgiving, from Dec 2-6 this year. The weeks prior are referred to as “pre:Invent”, when announcements start to pick up, and further announcements are then made during the conference itself. There have been over 500 announcement articles posted in AWS’s What’s New feed since the start of November (nearly 23% of the year’s total of 2200), so we’ve chosen just our favorites here based on their benefits for security teams.
Resource Control Policies (RCPs)
RCPs are very similar to SCPs, but they apply to resource policies rather than to the principals in your accounts. They allow Organization-wide rules that cover resources of several types, for example to ensure resources can’t be shared outside of the Organization, or to limit how they can be accessed. We published How to use AWS Resource Control Policies as our guidance on some interesting use cases for this feature and how to deploy them safely. Read AWS’s blog here.
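As an added illustration (not from the original post or from AWS’s announcement), here is an RCP of the kind described above: it denies access to the Organization’s resources of the supported types from any principal that is not in the Organization, while still allowing AWS service principals through. The Organization ID o-EXAMPLE is a placeholder to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceOrgIdentities",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:*",
        "sqs:*",
        "kms:*",
        "secretsmanager:*",
        "sts:AssumeRole",
        "sts:SetContext"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-EXAMPLE"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

Because an RCP Deny overrides whatever an individual bucket, queue, key or secret policy allows, attach a policy like this to a test OU first and review the resulting access-denied errors before applying it at the root.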
Declarative Policies
Another Organization level policy concept is the new Declarative Policies. These provide a set of 6 EC2 related settings that have security benefits, including enforcing IMDSv2, specifying which accounts your users can use AMIs from, and more. These outcomes could previously be achieved by configuring each account and then setting SCPs to ensure the settings don’t change, but with this new capability you can more easily specify them across an Organization or groups of accounts. Declarative Policies are limited to specific settings, but that limitation is what keeps the feature simple. As a result, for the first time, AWS is supporting custom error messages and is providing an auditing capability to identify what will be impacted by these settings. This makes it easier to deploy this capability with better confidence that it won’t disrupt existing workflows, and if it does cause disruptions the custom error messages will make it easier for engineers to troubleshoot. Read AWS’s blog here.
VPC Block Public Access
If you want to allow your employees to have access to the networking related functionality of AWS, but don’t want them to make an EC2 instance publicly accessible, this has historically been awkward: it involved setting up some networking and then preventing modifications or additions to that network setup with SCPs. With the new VPC Block Public Access feature this has become much easier, and it is already integrated into the aforementioned Declarative Policies. Read AWS’s blog here.
Centrally managed root access
AWS accounts all have an email address and password associated with them because of the root user of the account, which bypasses the identity provider that most customers want all access to their accounts to go through. Customers could associate an MFA device, or block access with an SCP, but there have always been fears of disruptions that could only be undone by the root user, such as a misconfigured S3 bucket policy. AWS has now released a capability to manage root access centrally and allow tightly controlled tasks to be performed, such as fixing an S3 bucket with a bad policy. Read AWS’s blog here.
Other big announcements
Some other big announcements worth mentioning are a new Incident Response service, a new multi-region serverless relational database called DSQL, Aurora Serverless v2 now supporting scaling to zero, and a way to make S3 more like a database via S3 Tables.
Some useful security features that were announced are:
With so many announcements you might have others that you liked as well, but we think these are the main ones to pay attention to for security teams.