New AWS Offerings Focus on Security -- AWSInsider

New AWS Offerings Focus on Security

By David Ramel
04/09/2018

Security was the focus of several new Amazon Web Services Inc. (AWS) offerings announced during last week's AWS Summit in San Francisco.

While always a top-of-mind concern for AWS and its corporate customers, security has received even more attention following many data breaches of late, along with a spate of well-publicized discoveries of wide-open, unencrypted data stores housed in the AWS Cloud.

Here's a look at new security-related announcements made last week, among a bevy of others:

Encryption of Data in Transit for Amazon EFS
AWS increased its encryption guidance and services following last year's string of announcements by security companies, who went looking for wide-open data stores typically resulting from user misconfigurations, rather than any platform flaws.

Encryption is still a focal point, as demonstrated by new encryption-in-transit functionality announced for the Amazon Elastic File System, designed for cloud-native applications requiring shared access to file-based storage.

Combined with the already-in-place support for encrypting stored data, this new functionality provides even tighter protection, said spokesperson Jeff Barr in a blog post.

"Today we are making EFS even more useful with the addition of support for encryption of data in transit," he said. "When used in conjunction with the existing support for encryption of data at rest, you now have the ability to protect your stored files using a defense-in-depth security strategy."

A new tool, called an EFS mount helper, makes it easier to use the new capabilities, as it set ups a Transport Layer Security (TLS) tunnel to EFS, letting users mount file systems based on their IDs. The tool runs on Amazon Linux, though users can clone the Utilities for Amazon Elastic File System GitHub repository to build their own RPM Package Manager (RPM).

Although complementary, encryption in transit and the mounting tool can be used independently.
AWS Secrets Manager
This lets users better manage their AWS secrets, such as: database, OAuth or other credentials; passwords; API keys; or any other data they want to keep private.

Doing that is easy for single machines or applications, AWS's Randall Hunt said in a blog post, but it becomes much harder when leveraging scaled-out, distributed microservices.

"Today we're launching AWS Secrets Manager which makes it easy to store and retrieve your secrets via API or the AWS Command Line Interface (CLI) and rotate your credentials with built-in or custom AWS Lambda functions," Hunt said.

Without the Secrets Manager, AWS users need to provision specific infrastructure to do those tasks, resulting in possible increased costs and more system complexity.

The new tool does incur some additional costs of its own, however, with pricing for secrets pegged at $0.40 per month per secret and $0.05 per 10,000 API calls.

The service is available in a number of AWS regions worldwide.
AWS Firewall Manager
This new tool reportedly resulted from customers asking for centralized management of various AWS security services in their Web application portfolios. It addresses the typical give-and-take divide between the advantages of distributed control -- agility in responding to specialized local needs -- and centralized control, which helps manage the oversight of global initiatives spanning multiple teams.

"It gives them the freedom to use multiple AWS accounts and to host applications in any desired region while maintaining centralized control over their organization's security settings and profile," Barr said. "Developers can develop and innovators can innovate, while the security team gains the ability to respond quickly, uniformly, and globally to potential threats and actual attacks."

The new offering comes with these prerequisites:
- AWS Organizations -- An organization must be using AWS Organizations to manage accounts and all features must be enabled.
- Firewall Administrator -- Enterprises need to designate one of their AWS accounts as the administrator for Firewall Manager. This gives the account permission to deploy AWS WAF rules across the organization.
- AWS Config -- AWS Config must be enabled for all accounts in an Organization so that Firewall Manager can detect newly created resources.
Available now, AWS Firewall Manager comes free for users signed up for AWS Shield Advanced, otherwise it incurs a monthly fee for each policy in each region, along with the usual charges for WAF WebACLs, WAF Rules, and AWS Config Rules, Barr said.