Top AWS re:Invent Announcements for Security Teams in 2024

AWS re:Invent 2024 brought an avalanche of announcements, with over 500 updates since November. Let's spotlight the most impactful ones for security teams, from Resource Control Policies to centrally managed root access.


AWS’s largest event of the year is re:Invent, which took place just after Thanksgiving, from Dec 2-6 this year. The weeks before it are referred to as “pre:Invent”, when announcements pick up, and further announcements follow during the conference itself. Over 500 announcement articles have been posted to AWS’s What’s New feed since the start of November (nearly 23% of the year’s total of 2200), so we’ve chosen just our favorites here based on their benefits for security teams.

Resource Control Policies (RCPs) 

RCPs are very similar to SCPs, but are applied to resource policies. They allow Organization-wide rules that affect resources of many types, to ensure they can’t be shared outside of the Organization or to limit how they can be accessed. We published How to use AWS Resource Control Policies as our guidance on some interesting use cases for this feature and how to deploy them safely. Read AWS’s blog here.
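As an added example (not from this post, our RCP guide, or AWS’s blog) of the “can’t be shared outside of the Organization” use case: a shell script that writes an RCP denying access to the Organization’s S3, SQS, KMS, Secrets Manager and STS resources from any principal outside the Organization (while still allowing AWS service principals), then creates and attaches it with the AWS CLI. The org ID, target ID, policy name and function names are placeholders and assumptions; it assumes AWS CLI v2 with management-account credentials and RCPs enabled for the Organization.

```bash
#!/usr/bin/env bash
# Added example: deny-outside-org RCP, created and attached via the AWS CLI.
# Assumes AWS CLI v2, Organizations admin credentials, RCPs enabled.
set -euo pipefail

# Write an RCP document for the given Organization ID ($1) to file $2.
# StringNotEqualsIfExists denies any principal whose org ID is not ours;
# BoolIfExists exempts AWS service principals (e.g. CloudTrail writing logs).
write_rcp_policy() {
  local org_id="$1" out="$2"
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceOrgIdentities",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:*", "sqs:*", "kms:*", "secretsmanager:*", "sts:AssumeRole"],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": { "aws:PrincipalOrgID": "$org_id" },
        "BoolIfExists": { "aws:PrincipalIsAWSService": "false" }
      }
    }
  ]
}
EOF
}

# Create the RCP from file $1 and attach it to target $2 (root or OU ID).
create_and_attach_rcp() {
  local policy_file="$1" target_id="$2" policy_id
  policy_id=$(aws organizations create-policy \
      --name EnforceOrgIdentities \
      --description "Deny access to org resources from principals outside the org" \
      --type RESOURCE_CONTROL_POLICY \
      --content "file://$policy_file" \
      --query 'Policy.PolicySummary.Id' --output text)
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$target_id"
  echo "$policy_id"
}

# Usage: ./rcp.sh apply o-xxxxxxxxxx r-xxxx  (placeholder org ID and root/OU ID)
if [ "${1:-}" = "apply" ]; then
  write_rcp_policy "$2" rcp.json
  create_and_attach_rcp rcp.json "$3"
fi
```

Attach to a test OU first and review CloudTrail for AccessDenied events from third-party roles you rely on before moving it to the root.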

Declarative Policies 

Another Organization-level policy concept is the new Declarative Policies. These provide a set of 6 EC2-related settings that have security benefits, including enforcing IMDSv2, specifying which accounts your users can use AMIs from, and more. These settings could previously be achieved by configuring each account and then setting SCPs to ensure they don’t change, but with this new capability you can more easily specify them across an Organization or groups of accounts. They are limited to specific settings, but that limitation simplifies the service. As a result, for the first time, AWS is supporting custom error messages and is providing an auditing capability to identify what will be impacted by these settings. This makes it easier to deploy this capability with better confidence that it won’t disrupt existing workflows, and if it does cause disruptions, the custom error messages will make it easier for engineers to troubleshoot. Read AWS’s blog here.

VPC Block Public Access 

If you want to allow your employees access to the networking-related functionality of AWS, but don’t want them to make an EC2 instance publicly accessible, this has historically been awkward: it involved setting up some networking and then preventing modifications or additions to that network setup with SCPs. With the new VPC Block Public Access feature this has become much easier, and it is already integrated into the aforementioned Declarative Policies. Read AWS’s blog here.

Centrally managed root access 

AWS accounts all have an email address and password associated with them because of the account’s root user, which bypasses the identity provider that most customers want their accounts to be accessed through. Customers could associate an MFA device, or block access with an SCP, but there have always been fears of disruptions that could only be undone by the root user, such as a misconfigured S3 bucket policy. AWS has now released a capability to manage root access centrally and allow tightly controlled tasks to be performed, such as fixing an S3 bucket with a bad policy. Read AWS’s blog here.

Other big announcements 

Some other big announcements worth mentioning are a new Incident Response service, a new multi-region serverless relational database called DSQL, Aurora Serverless v2 now supporting scaling to zero, and a way to make S3 more like a database via S3 Tables.  

Some useful security features that were announced are: 

With so many announcements you might have others that you liked as well, but we think these are the main ones to pay attention to for security teams. 
