Amazon's AWS launches three new services to simplify security configuration

News by Tom Reeve

Three new security services have been launched by Amazon Web Services (AWS) to streamline workflows for its customers and help avoid misconfiguration.

AWS CEO Andy Jassy unveiled three new security services for the cloud platform at AWS re:Invent 2018 (pic: AWS)

Three new security services from Amazon Web Services promise to provide automation and prescriptive guidance for managing cloud services.

Responding to a slew of data leaks that many blamed on misconfigured AWS storage buckets, the company has simplified set-up and increased automation with three new services, announced at the AWS re:Invent conference in Las Vegas, USA on Wednesday by AWS CEO Andy Jassy.

The services are:

  • AWS Control Tower – which automates the set-up of multi-account environments and applies rules for security, operations and compliance to workloads
  • AWS Security Hub – aggregates information from other security services provided by AWS and third parties and provides a view of the overall security posture
  • AWS Lake Formation – facilitates the migration of data from multiple sources and formats, reducing the time to create a ‘data lake’ from months to days, and helps to identify and protect critical data assets

Jassy told an audience of developers that the three services were introduced in response to customer demand for tools to enforce security policies and safely create new web service buckets.

It follows numerous instances of AWS buckets being deployed with no access restrictions. In a recent report, McAfee claimed that 5.5 percent of all S3 storage buckets had world read permissions, leaving them open to the public. Meanwhile, Skyhigh Networks says that seven percent of AWS buckets were found to be leaking data.

However, these figures were disputed by AWS CISO Steve Schmidt in an interview with SC Media UK.

Steve Schmidt, CISO, AWS (pic: AWS)

Schmidt said he didn’t know where they would have obtained those figures but said that internal information indicated that the number of unsecured buckets was a fraction of one percent. "I don’t know where they get those numbers from," he said. "I’ll tell you that they are wrong. The real number would be a very small component of one percent – very, very small."

"The important thing there is that although there have been very public problems with some people with data, we took steps almost a year to make it super obvious when people were altering the default config. The default config has always been closed, not just for the S3 [bucket]," he said.

The new security services announced by Amazon are designed to ensure that customers can provision the security controls around their organisations that they need, said Schmidt.

Control Tower can set specific controls such as ensuring that no one outside the finance department can have access to financial data, or the only people that can have open S3 buckets are users in the marketing department, he said.

"Control Tower gives you the ability to programmatically enforce restrictions on behaviour in accounts and help you meet compliance requirements if your organisation is subject to these," he said.

Security Hub is about helping security providers visualise and prioritise their work, he said. It aggregates data from other security services, be they AWS services or third party services, so that customers no longer have to switch between multiple applications in order to review all the alerts that are coming in.

While it may seem like an obvious development which could have been created sooner, he said that developing other security services had taken priority over this due to customer demand.

Crucially, Security Hub evaluates the security posture of an installation against the Center for Internet Security (CIS) AWS Foundations Benchmark, a set of advanced security configuration best practices for AWS.
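To make the kind of benchmark check described above concrete, here is an added example (not code from the article or from AWS) that flags S3 buckets whose ACL grants world read, the misconfiguration behind the figures disputed earlier, and emits a simplified finding per bucket. The input snapshots are constructed in the shape of S3 GetBucketAcl and GetPublicAccessBlock responses; the finding field names are an assumption modelled loosely on Security Hub's format, and no AWS calls are made.

```python
from typing import Dict, List

# Real S3 group grantee URIs that mean "everyone" / "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_PERMS = {"READ", "FULL_CONTROL"}  # either grants object listing/reads


def acl_grants_public_read(acl: Dict) -> bool:
    """True if any grant gives READ (or FULL_CONTROL) to a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        public = grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
        if public and grant.get("Permission") in READ_PERMS:
            return True
    return False


def is_world_readable(bucket: Dict) -> bool:
    """A public grant is neutralised when the bucket's public access block ignores public ACLs."""
    if bucket.get("PublicAccessBlock", {}).get("IgnorePublicAcls"):
        return False
    return acl_grants_public_read(bucket["Acl"])


def evaluate(buckets: List[Dict]) -> List[Dict]:
    """One simplified finding per world-readable bucket (field names are assumed)."""
    return [{
        "Title": "S3 bucket ACL grants world read",
        "Severity": {"Label": "HIGH"},
        "Compliance": {"Status": "FAILED"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": b["Name"]}],
    } for b in buckets if is_world_readable(b)]


def public_fraction(buckets: List[Dict]) -> float:
    """Share of buckets that are world-readable, the figure argued over in the article."""
    return len(evaluate(buckets)) / len(buckets) if buckets else 0.0


# Constructed sample: one open bucket, one shielded by the public access block, one private.
SAMPLE = [
    {"Name": "marketing-site", "Acl": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    {"Name": "finance-reports", "PublicAccessBlock": {"IgnorePublicAcls": True},
     "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]}},
    {"Name": "build-artifacts", "Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE):
        print(f["Resources"][0]["Id"], f["Severity"]["Label"])
```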

Lake Formation is about building a data lake with the right controls around it and doing data discovery to identify where the sensitive data is, he said.

"When we talked to customers, they told us that the average large enterprise had between 20 and 80 security products that they were using across their estate, and that becomes difficult to manage, so they wanted to be able to look in one place for all their AWS assets," he said.

As of the launch of Security Hub, 26 third-party security providers had integrated their services with it, a fraction of the approximately 700 security service providers that work with AWS. Schmidt expects the vast majority of these unintegrated services will move quickly to become integrated.
