Hey folks! Here we are in 2024, and as someone who’s always been passionate about cloud security, I’m excited to bring you a short series focused on the latest AWS security updates from the last quarter. Keeping up with the continuous stream of new releases from cloud providers can be quite a task, so I thought why not simplify things a bit? I’ve put together a ‘recap’ series that’s aimed at helping all of you managing security in your AWS environments. Let’s dive into the different aspects of AWS Security, starting with IAM Access Analyzer, and moving through Detective Controls, Infrastructure Protection, Data Protection, Incident Response, and wrapping up with the cutting-edge domain of Generative AI & ML. So, buckle up, and let’s explore these updates together!
Here’s an overview of the new features and components introduced by AWS IAM for sophisticated security standards for your organization.
Introducing CloudFormation support for Amazon Connect security profiles
Extending the security credibility, Amazon Connect introduces AWS CloudFormation for security profiles. There are predefined templates in CloudFormation where one can deploy Amazon Connect security profiles. Alongside, AWS infrastructure can also be deployed in repeatable ways, making it secure and efficient. This enables the organizations to consistently apply security policies and maintain these standards across occurring instances as a part of Identity and Access Management.
CloudFormation allows everyone to track changes from time to time and allows you to update the environment in a controlled way through automation. It also includes version controls, allowing your organization to roll back changes whenever needed.
Basic Authentication for Outbound AS2 Messages
Enabling basic authentication is a crucial part of accessing any type of data – be it personal or professional. We have seen how CloudFormation helps you in securing your profiles with its standard protocols; on the other hand, the need for authentication is given next-level importance. Hence, AWS Transfer Family introduced basic authentication, which it embeds username and password credentials.
The basic authentication protocol is implemented when sending Applicability Statement (AS2) messages over HTTPS. Such protocol ensures it relies on AS2 implementations of your business partner where basic authentication turns out to be effective, thereby complying with standard security requirements.
What is AS2? – AS2 works as a messaging protocol for B2B industries. It’s used widely to exchange Electronic Data Interchange (EDI) documents across industries such as industrial machinery, automotive, pharmaceuticals, logistics, and others.
Coming with powerful capabilities, Drummond-certified AS2 by AWS Transfer Family maintains sophisticated security while exchanging AS2 messages bi-directionally. The messages can be transmitted at scale, maintaining compliance and interoperability with your business partners.
Integrate IAM Access Analyzer Policy to Extend Coverage of AWS Services
It became simple for developers to go granular in utilizing policies based on the AWS CloudTrail access activity. It’s because AWS Identity and Access Management (IAM) has expanded its policy generation to detect and track actions of more than 200 AWS services. This new policy includes actions such as Amazon Redshift, AWS Auto Scaling, and Amazon Route 53.
It’s in the hands of developers to enable this policy generation where IAM Access Analyzer performs and generates a policy based on the actions on CloudTrail logs. For instance, developers while creating applications are willing to grant the resources within AWS services. Using policy generation helps them to create a specific set of policies thereby limiting role permissions of the applications to a certain extent. The generated policy grants only the required permissions based on workloads, making the job easy for developers.
One can use IAM Access Analyzer by using APIs with the AWS Command Line Interface or a program-driven company like RiskProfiler.
IAM Condition Keys for Encryption and Access Controls
The use of Elastic Load Balancing (ELB) service with specific condition keys in IAM policies restricts the configurations needed for Transport Layer Security (TLS) Policy and IP-based access. These enhancements direct users to follow defined standards for load balancer configurations. You can restrict users to use listeners that support encryption with the elasticloadbalancing: Listener Protocol Condition key, especially in TLS. And you can permit the use of TLS security policies using elasticloadbalancing: SecurityPolicy condition key.
Additional flexibilities can be enabled by adjusting control access via configuring elasticloadbalancing: SecurityGroup condition key. This restricts users from using other security groups other than only approved security groups that allow IPs. Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer (CLB), have all five condition keys whereas Gateway Load Balancer only supports condition key that has subnets only.
Multi-factor Authentication (MFA) Enhancement for New IAM Identity Instances
AWS Identity Center instances have enabled multi-factor authentication (MFA) by default. MFA is the best security practice we recommend and the most effective to secure user accounts on a large scale. With this change in thinking, users of IAM identity centers need to register for an MFA device during the first sign-in. Then additional verification is displayed if their sign-in ways change.
However, the configuration of existing customers remains unchanged as administrators can enable MFA settings for their customers depending on the security requirements. Moreover, the IAM identity center supports standard MFA options suitable for industries, including FIDO2 passkeys and virtual authenticator apps.
Process Authorization Decisions in a Single API Call
Enable processing of more than 30 authorization decisions in a single API call as Amazon Verified Permissions becomes effective with the batch authorization feature. Batch authorization filters authorized actions for the given principal on a specific resource. Even developers have simplified ways of building applications as single user action can authorize multiple actions. Authorize multiple requests as soon as the principal or resource is fixed using Verified Permissions.
Amazon Verified Permissions provides a granular level of authorization in applications that are built. It enables you to implement permissions as policies rather than including them in the application codebase. The application then calls Verified Permissions to authorize access to API calls and resources managed. With the use of batch authorization, developers can effectively use Verified Permissions for user experience (UX) permissions. These UX permissions have control over the user on what they need to act within the application.
Unused Access Inspection Made Simple with IAM Access Analyzer
IAM access analyzer analyzes your accounts and gives a view of unused access thereby creating a centralized dashboard with its observations. It simplifies the job of inspecting unused access and guides you toward the least manual efforts. The dashboard gives the visualization of findings and allows security teams to prioritize accounts to review based on the volume of findings.
The findings give an overview of unused roles, unused access keys for IAM accounts, and unused passwords. If IAM roles and users turn active, these observations provide an overview of unused services and actions.
Once the new analyzer is activated in the IAM console, accounts to be reviewed and prioritized by the security teams based on the excessive permissions. The dashboard provides highlights on AWS accounts that have the major findings and provides a breakdown of findings based on their type. This allows security teams to automate notification workflows that help development teams to identify and remove unused access findings by integrating Amazon EventBridge.
Also, an integration with the AWS security hub gives an aggregated view of external and unused findings in addition to security findings. This way of findings helps you in managing and improving the security of AWS accounts, resources, and workloads.
Centralize all the unused access analysis through an administrator account or enable analysis in each account.
Introducing Automated Reasoning for Custom Policy Checks
AWS Identity and Access Management (IAM) Access Analyzer introduces custom policy checks. The policy checks validate your IAM policies and whether they adhere to your security standards before beginning any deployments. Custom policy checks use automated reasoning – security assurance and mathematical analysis to help security teams detect nonconformant updates to policies. Security teams also use these checks to streamline reviews, approve policies that adhere to security standards, and inspect deeply. This kind of validation optimizes and advances security assurance in cloud platforms.
Moreover, DevSec teams can speed up their innovation by automating and scaling their policies. These policy checks can be integrated into tools and environments including CI/CD pipelines. Developers have the option to modify or create an IAM policy. If custom policy checks adhere to security standards, policy review automation deploys your code and if they are not adhering, developers must review and update the policy before deploying.
Most organizations feel a sense of complexity while implementing all these IAM principles and procedures into their applications or cloud platforms. RiskProfiler takes care of end-to-end implementation of these security protocols thereby securing all your accounts and AWS platforms.