We hope the last three posts in our AWS security series offered valuable insights into the latest AWS security feature and service releases, particularly in the IAM, detective controls and infrastructure protection domains. Continuing the series, Part 4 covers the data protection features AWS released in the last quarter.
As part of its data protection offerings, AWS has launched several new controls and automated safeguards that help companies keep their data protected. Together they add security layers end to end while reducing the operational effort needed to maintain them.
AWS Verified Access supports FIPS 140-2 compliant endpoints in US and Canada Regions
AWS Verified Access, a service that provides secure, VPN-less access to your corporate applications, now offers Federal Information Processing Standard (FIPS) 140-2 validated endpoints to help you protect sensitive information.
These endpoints terminate Transport Layer Security (TLS) sessions using a FIPS 140-2 validated cryptographic software module, which makes it easier to use Verified Access for regulated workloads.
Companies contracting with the US and Canadian federal governments can now meet the FIPS requirement to encrypt sensitive data in transit in these Regions.
To use this capability, select the FIPS endpoint option when creating a Verified Access instance; all Verified Access endpoints attached to that instance will then use only FIPS-validated cryptography.
Amazon Macie adds support for discovering more types of sensitive data
Amazon Macie has introduced new managed data identifiers that expand its ability to discover sensitive data in Amazon Simple Storage Service (Amazon S3): it can now identify Stripe API keys, Google Cloud API keys, Indian driver's license numbers and Indian national identification numbers.
Knowing where such data resides in your S3 storage helps you plan your organization's data security, governance and privacy controls. With more than 100 managed data identifiers, Macie supports data protection at scale.
Macie also now offers a default set of managed data identifiers recommended for sensitive data discovery jobs. Alternatively, you can configure a job to use a custom selection of managed data identifiers in a few steps in the Macie console or through the Macie API.
Macie provides continual, cost-efficient, organization-wide visibility into where sensitive data resides across your S3 estate. It automatically samples and analyzes objects across your S3 buckets, inspecting them for sensitive data such as personally identifiable information (PII), financial data and AWS credentials; builds an interactive data map of where sensitive data resides across accounts; and assigns a sensitivity score to each bucket.
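As an added illustration (not Macie's code or AWS sample code), the Python below shows what a checksum-aware detector for the newly covered data types looks like, so you can triage Macie findings or sanity-check test fixtures offline before paying for a discovery job. The regexes approximate the publicly documented Stripe and Google Cloud key formats, and the Indian national identification number is assumed to be the Aadhaar number, which carries a Verhoeff check digit; the identifier labels and the sample object text are constructed for this example.

```python
"""Local pre-check for the data types behind Macie's new managed data identifiers.

Added example, not Macie's code. The patterns are this author's approximations
of the public key formats (Stripe secret keys, Google Cloud API keys) and of
India's Aadhaar number, assumed here to be the "national identification number
(India)" the release refers to; Aadhaar carries a Verhoeff check digit, which
is what lets a detector reject most random 12-digit numbers. Useful for
triaging findings or checking test fixtures, not a substitute for Macie.
"""
import re

# Publicly documented key shapes (approximations; Macie's own rules are not public).
STRIPE_KEY_RE = re.compile(r"\b(?:sk|rk)_(?:live|test)_[0-9A-Za-z]{24,}\b")
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
# Aadhaar: 12 digits, first digit 2-9, often printed as 4-4-4 groups.
AADHAAR_RE = re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b")

# Verhoeff tables: _D multiplication (dihedral group D5), _P permutation, _INV inverse.
_D = (
    (0, 1, 2, 3, 4, 5, 6, 7, 8, 9), (1, 2, 3, 4, 0, 6, 7, 8, 9, 5),
    (2, 3, 4, 0, 1, 7, 8, 9, 5, 6), (3, 4, 0, 1, 2, 8, 9, 5, 6, 7),
    (4, 0, 1, 2, 3, 9, 5, 6, 7, 8), (5, 9, 8, 7, 6, 0, 4, 3, 2, 1),
    (6, 5, 9, 8, 7, 1, 0, 4, 3, 2), (7, 6, 5, 9, 8, 2, 1, 0, 4, 3),
    (8, 7, 6, 5, 9, 3, 2, 1, 0, 4), (9, 8, 7, 6, 5, 4, 3, 2, 1, 0),
)
_P = (
    (0, 1, 2, 3, 4, 5, 6, 7, 8, 9), (1, 5, 7, 6, 2, 8, 3, 0, 9, 4),
    (5, 8, 0, 3, 7, 9, 6, 1, 4, 2), (8, 9, 1, 6, 0, 4, 3, 5, 2, 7),
    (9, 4, 5, 3, 1, 2, 6, 8, 7, 0), (4, 2, 8, 6, 5, 7, 3, 9, 0, 1),
    (2, 7, 9, 3, 8, 0, 6, 4, 1, 5), (7, 0, 4, 6, 9, 1, 3, 2, 5, 8),
)
_INV = (0, 4, 3, 2, 1, 5, 6, 7, 8, 9)


def verhoeff_valid(number: str) -> bool:
    """True when the last digit of `number` is a correct Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def verhoeff_check_digit(payload: str) -> str:
    """Check digit to append to `payload` so that verhoeff_valid(payload + digit) holds."""
    c = 0
    for i, ch in enumerate(reversed(payload)):
        c = _D[c][_P[(i + 1) % 8][int(ch)]]
    return str(_INV[c])


def scan(text: str) -> list[tuple[str, str]]:
    """Return (identifier, matched_text) pairs found in `text`.

    Key formats are matched on shape alone; Aadhaar candidates must also pass
    the checksum, which removes order numbers and similar 12-digit look-alikes.
    The identifier names are this example's labels, not Macie's managed IDs.
    """
    hits = []
    hits += [("STRIPE_SECRET_KEY", m.group()) for m in STRIPE_KEY_RE.finditer(text)]
    hits += [("GOOGLE_CLOUD_API_KEY", m.group()) for m in GOOGLE_API_KEY_RE.finditer(text)]
    for m in AADHAAR_RE.finditer(text):
        if verhoeff_valid(re.sub(r"\D", "", m.group())):
            hits.append(("INDIA_AADHAAR_NUMBER", m.group()))
    return hits


# Constructed sample "object contents". The keys are made up, and the valid
# Aadhaar-like number is generated from the check-digit routine, not a real ID.
_PAYLOAD = "23456789012"
_VALID_ID = _PAYLOAD + verhoeff_check_digit(_PAYLOAD)
SAMPLE_OBJECT = "\n".join([
    'STRIPE_KEY="sk_live_0123456789abcdefABCDEF00"',
    'maps_key="AIzaSyD-aBcDeFgHiJkLmNoPqRsTuVwXyZ01234"',
    f"id_proof: {_VALID_ID[:4]} {_VALID_ID[4:8]} {_VALID_ID[8:]}",
    "order_ref: 2345 6789 0123",   # right shape, wrong check digit: must not match
])

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_OBJECT):
        print(f"{kind:22} {value}")
```

The checksum step is the part worth copying: a bare 12-digit regex over a bucket of invoices produces mostly noise, while requiring the Verhoeff digit to verify drops roughly nine out of ten random matches.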
Amazon EBS supports Block Public Access for EBS Snapshots
Amazon Elastic Block Store (EBS) now supports Block Public Access for EBS Snapshots, an account-wide setting that blocks public sharing of EBS snapshots in an AWS Region. Customers managing snapshots at scale now have a simple, proactive way to safeguard their data from inadvertent exposure to unauthorized users.
Customers use EBS snapshots to back up their EBS volumes for disaster recovery, data migration and compliance purposes. Block Public Access adds a layer of protection that helps prevent unauthorized access to, and potential misuse of, snapshot data. It can be enabled in one of two modes: 'block new sharing' or 'block all sharing'.
In either mode, all future attempts to make a snapshot public are blocked. In 'block all sharing' mode, public access to snapshots that are already public is prevented as well. The setting does not alter the permissions on those snapshots, so if it is later disabled they become publicly accessible again; they should still be cleaned up. Together with the recent release of Block Public Access for EC2 AMIs, customers can use these settings to keep both snapshots and AMIs from being exposed publicly.
Block Public Access for EBS Snapshots is disabled by default for all AWS accounts and applies per Region, so it needs to be enabled in every Region you use. It can be enabled through the AWS Console, the AWS Command Line Interface (CLI) and the AWS SDKs.
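Because the setting is per Region and off by default, the practical task is to enforce it everywhere and find out what was already public. The following Python is an added example, not AWS sample code: it uses the real EC2 calls (get_snapshot_block_public_access_state, enable_snapshot_block_public_access, describe_snapshots) against a constructed in-memory stand-in for the boto3 client, so it runs offline; Region names and snapshot IDs are made up.

```python
"""Audit and enforce Block Public Access for EBS Snapshots across Regions.

Added example, not AWS sample code. get_snapshot_block_public_access_state,
enable_snapshot_block_public_access and describe_snapshots are the real EC2
API calls; FakeEc2 is a constructed stand-in for a boto3 client so the example
runs offline against made-up state. Region names and snapshot IDs are samples.
"""
from __future__ import annotations

# The two modes the release describes, plus the default; ordered by strength.
_RANK = {"unblocked": 0, "block-new-sharing": 1, "block-all-sharing": 2}
DESIRED = "block-all-sharing"


def enforce_block_public_access(ec2, desired: str = DESIRED) -> str:
    """Raise this Region's setting to `desired` unless it is already at least as strict.

    The setting is per Region and defaults to 'unblocked', so this has to run in
    every Region the account uses. It never lowers an existing setting.
    """
    state = ec2.get_snapshot_block_public_access_state()["State"]
    if _RANK[state] >= _RANK[desired]:
        return state
    return ec2.enable_snapshot_block_public_access(State=desired)["State"]


def public_snapshots(ec2) -> list[str]:
    """Snapshots this account owns whose createVolumePermission includes group 'all'.

    Block Public Access stops access to these but does not edit their permissions;
    if the setting is ever disabled they are public again, so clean them up too.
    """
    resp = ec2.describe_snapshots(OwnerIds=["self"], RestorableByUserIds=["all"])
    return sorted(s["SnapshotId"] for s in resp["Snapshots"])


def audit_regions(clients: dict[str, object]) -> dict[str, dict]:
    """Enforce the setting in each Region and report what was already public."""
    report = {}
    for region, ec2 in clients.items():
        before = ec2.get_snapshot_block_public_access_state()["State"]
        after = enforce_block_public_access(ec2)
        report[region] = {"before": before, "after": after,
                          "public_snapshots": public_snapshots(ec2)}
    return report


class FakeEc2:
    """Constructed stand-in for boto3.client('ec2'): one Region's state in memory."""

    def __init__(self, state: str, public_ids: list[str]):
        self.state, self._public = state, list(public_ids)

    def get_snapshot_block_public_access_state(self):
        return {"State": self.state}

    def enable_snapshot_block_public_access(self, State):
        if State not in ("block-new-sharing", "block-all-sharing"):
            raise ValueError("InvalidParameterValue: unknown mode")
        self.state = State
        return {"State": State}

    def describe_snapshots(self, OwnerIds, RestorableByUserIds):
        ids = self._public if RestorableByUserIds == ["all"] else []
        return {"Snapshots": [{"SnapshotId": i} for i in ids]}


def real_clients(regions: list[str]) -> dict[str, object]:
    """Swap FakeEc2 for live clients (needs credentials with the matching ec2 permissions)."""
    import boto3
    return {r: boto3.client("ec2", region_name=r) for r in regions}


if __name__ == "__main__":
    demo = {"us-east-1": FakeEc2("unblocked", ["snap-0a1b2c3d4e5f67890"]),
            "eu-west-1": FakeEc2("block-new-sharing", []),
            "ap-south-1": FakeEc2("block-all-sharing", [])}
    for region, row in audit_regions(demo).items():
        print(region, row)
```

To run it for real, replace the demo dict with real_clients([...]) over the Regions your account uses; the enforcement step is idempotent, so it is safe to schedule.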
AWS IoT Device Defender now supports export of Detect metrics to other services
AWS IoT Device Defender can now export cloud-side and device-side metrics to your own data lake, whether it runs on AWS or elsewhere. IoT Device Defender continuously monitors device fleets to detect abnormal device behavior, alerts on security issues and provides built-in mitigation actions.
Using the Detect feature, you evaluate device-side and cloud-side metrics against predefined thresholds and receive alerts when deviations are detected. With the new export capability, you can transfer Detect metrics such as the number of messages received, network signal strength, and CPU and memory usage to other AWS and third-party services for further analysis.
Fleet operators often need to analyze an IoT solution's usage and performance metrics to streamline operations. Using metric export together with the AWS IoT Core Rules Engine, you can cost-effectively extract cloud-side, device-side and custom metrics into other services to gain additional insight.
Metric export requires only cloud-side configuration changes; no firmware changes on edge devices are needed.
The feature can be configured in the AWS IoT console and with the AWS CLI, and is available in all AWS Regions where AWS IoT Device Defender is available.
Amazon EBS announces Snapshot Lock to protect snapshots from inadvertent or malicious deletions
Amazon EBS has announced Snapshot Lock, a new security feature that helps customers comply with data retention policies and adds another layer of protection against inadvertent or malicious deletion of data. Customers use EBS snapshots to back up their EBS volumes for disaster recovery, data migration and compliance purposes.
Customers can already layer protections on EBS snapshots by copying them across multiple AWS Regions and accounts, setting up IAM access policies and enabling Recycle Bin. With Snapshot Lock, customers can lock individual snapshots so that they cannot be deleted by anyone, including the account owner, for a specified period.
Customers can choose, per their data governance guidelines, between allowing designated users to modify a snapshot's lock configuration (governance mode) or ensuring that the lock cannot be modified by anyone, including privileged users, once an optional cool-off period has passed (compliance mode). Customers can therefore rely on this feature to store EBS snapshots in a WORM (write once, read many) format.
Snapshot Lock has been assessed by Cohasset Associates for use in environments subject to SEC Rule 17a-4(f), FINRA Rule 4511 and CFTC Regulation 1.31. A copy of the assessment report can be downloaded from the technical documentation.
Snapshot Lock is available in all AWS commercial Regions and the AWS GovCloud (US) Regions through the AWS Console, the AWS CLI and the AWS SDKs. There is no additional charge for using it.
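The following Python, added here and not AWS sample code, applies a compliance-mode lock with a cool-off window and then checks the reported lock state, since that state (compliance-cooloff, compliance, governance or expired) is what tells you whether a snapshot is actually immutable yet. The EC2 calls lock_snapshot, describe_locked_snapshots and unlock_snapshot are real; the FakeEc2 class is a constructed model of the lock state machine so the example runs offline, and its clock is advanced by hand to show the transitions. Snapshot IDs are made up.

```python
"""Apply EBS Snapshot Lock and verify the lock state before relying on it.

Added example, not AWS sample code. lock_snapshot, describe_locked_snapshots and
unlock_snapshot are the real EC2 APIs (LockDuration in days, CoolOffPeriod in
hours, LockMode 'governance' or 'compliance'); FakeEc2 is a constructed
in-memory model of the lock state machine so the example runs offline. Its
clock is a plain attribute so the cool-off and expiry transitions can be shown.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone


def lock_for_retention(ec2, snapshot_id: str, days: int, mode: str = "compliance",
                       cool_off_hours: int = 24) -> dict:
    """Lock one snapshot for `days`.

    governance: principals permitted to call UnlockSnapshot can remove or change it.
    compliance: after the cool-off window nobody can, not even the account owner,
    so the window is the only chance to fix a mistaken duration. Cool-off applies
    to compliance mode only.
    """
    params = {"SnapshotId": snapshot_id, "LockMode": mode, "LockDuration": days}
    if mode == "compliance":
        params["CoolOffPeriod"] = cool_off_hours
    return ec2.lock_snapshot(**params)


def unlocked_or_wrong_mode(ec2, snapshot_ids: list[str], expected_mode: str) -> list[str]:
    """IDs that are not locked, are locked in another mode, or whose lock has expired."""
    ok = {expected_mode, f"{expected_mode}-cooloff"}
    found = {s["SnapshotId"]: s["LockState"]
             for s in ec2.describe_locked_snapshots(SnapshotIds=snapshot_ids)["Snapshots"]}
    return sorted(i for i in snapshot_ids if found.get(i) not in ok)


class FakeEc2:
    """Constructed stand-in for boto3.client('ec2') modelling only Snapshot Lock."""

    def __init__(self, now: datetime | None = None):
        self.now = now or datetime(2024, 1, 1, tzinfo=timezone.utc)
        self._locks: dict[str, dict] = {}

    def advance(self, hours: int = 0, days: int = 0) -> None:
        self.now += timedelta(hours=hours, days=days)

    def _state(self, lock) -> str:
        if self.now >= lock["expires"]:
            return "expired"
        if lock["mode"] == "compliance" and self.now < lock["cooloff_end"]:
            return "compliance-cooloff"
        return lock["mode"]

    def _describe(self, sid) -> dict:
        lock = self._locks[sid]
        return {"SnapshotId": sid, "LockState": self._state(lock),
                "LockExpiresOn": lock["expires"], "CoolOffPeriodExpiresOn": lock["cooloff_end"]}

    def lock_snapshot(self, SnapshotId, LockMode, LockDuration, CoolOffPeriod=0):
        self._locks[SnapshotId] = {"mode": LockMode,
                                   "cooloff_end": self.now + timedelta(hours=CoolOffPeriod),
                                   "expires": self.now + timedelta(days=LockDuration)}
        return self._describe(SnapshotId)

    def describe_locked_snapshots(self, SnapshotIds):
        return {"Snapshots": [self._describe(s) for s in SnapshotIds if s in self._locks]}

    def unlock_snapshot(self, SnapshotId):
        # Real API: a ClientError; PermissionError stands in for it here.
        if self._state(self._locks[SnapshotId]) == "compliance":
            raise PermissionError("compliance lock past cool-off cannot be unlocked")
        del self._locks[SnapshotId]
        return {"SnapshotId": SnapshotId}

    def delete_snapshot(self, SnapshotId):
        lock = self._locks.get(SnapshotId)
        if lock and self._state(lock) != "expired":
            raise PermissionError("SnapshotLocked: deletion blocked")
        self._locks.pop(SnapshotId, None)
        return {}


if __name__ == "__main__":
    ec2 = FakeEc2()
    print(lock_for_retention(ec2, "snap-0a1b2c3d4e5f67890", days=30)["LockState"])
    ec2.advance(hours=25)                        # cool-off over: now immutable
    print(unlocked_or_wrong_mode(ec2, ["snap-0a1b2c3d4e5f67890", "snap-missing"], "compliance"))
```

The check function is the piece to keep in a backup job: a snapshot still in compliance-cooloff is not yet immutable, and an expired lock means the retention window has ended and the snapshot can be deleted again.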
Amazon S3 now supports enabling S3 Object Lock on existing buckets
Amazon S3 now allows you to enable S3 Object Lock on existing buckets, and with a few clicks you can enable S3 Replication for buckets that use Object Lock. These improvements make it easier to adopt S3 Object Lock, which protects objects from being overwritten or deleted.
S3 Object Lock makes objects immutable either for a fixed period, by assigning a Retain Until Date, or indefinitely, by applying a Legal Hold. Once you enable Object Lock on an existing bucket (which requires S3 Versioning to be enabled), you can set a default retention period that applies to all new objects written to the bucket.
Existing objects are not covered by that default. To lock them, add retention settings to each object, or use S3 Batch Operations to configure retention for anywhere from tens to billions of objects in a single job. You can also enable S3 Replication on buckets with Object Lock enabled to create immutable copies of your data in the same or a different AWS account or Region.
S3 Object Lock has been assessed by Cohasset Associates for SEC Rule 17a-4(f), FINRA Rule 4511 and CFTC Regulation 1.31, and can be used to help meet regulatory and compliance requirements.
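To make the existing-bucket workflow concrete, this added Python example (not AWS sample code) enables versioning and Object Lock on a bucket, shows that the default rule leaves existing versions unprotected, back-fills retention on them, and demonstrates what COMPLIANCE mode refuses afterwards. The S3 calls (put_bucket_versioning, put_object_lock_configuration, list_object_versions, put_object_retention, delete_object) are real; FakeS3 is a constructed in-memory stand-in, and the bucket and keys are made up.

```python
"""Turn on S3 Object Lock for an existing bucket and back-fill retention.

Added example, not AWS sample code. put_bucket_versioning,
put_object_lock_configuration, list_object_versions, put_object_retention and
delete_object are the real S3 APIs (Object Lock requires versioning); FakeS3 is
a constructed in-memory stand-in so the flow runs offline on sample keys. For
large buckets the per-version loop should be an S3 Batch Operations job.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone


def enable_object_lock(s3, bucket: str, days: int, mode: str = "COMPLIANCE") -> None:
    """Enable versioning (prerequisite), then Object Lock with a default retention.

    The default rule covers only objects written after this call; objects that
    already exist in the bucket stay unprotected until backfill_retention runs.
    """
    s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    s3.put_object_lock_configuration(
        Bucket=bucket,
        ObjectLockConfiguration={"ObjectLockEnabled": "Enabled",
                                 "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}})


def backfill_retention(s3, bucket: str, retain_until: datetime, mode: str = "COMPLIANCE") -> int:
    """Put an explicit retention on every existing object version; returns the count."""
    count = 0
    for page in s3.get_paginator("list_object_versions").paginate(Bucket=bucket):
        for v in page.get("Versions", []):
            s3.put_object_retention(Bucket=bucket, Key=v["Key"], VersionId=v["VersionId"],
                                    Retention={"Mode": mode, "RetainUntilDate": retain_until})
            count += 1
    return count


class FakeS3:
    """Constructed stand-in for boto3.client('s3') covering only the calls above."""

    def __init__(self, keys: list[str], now: datetime | None = None):
        self.now = now or datetime(2024, 1, 1, tzinfo=timezone.utc)
        self.versioning, self.lock_config = "Suspended", None
        # (key, version_id) -> retention dict or None; one version per sample key
        self.versions = {(k, f"v-{i}"): None for i, k in enumerate(keys)}

    def later(self, days: int) -> datetime:
        return self.now + timedelta(days=days)

    def advance_days(self, days: int) -> None:
        self.now += timedelta(days=days)

    def retention(self, key: str, version_id: str):
        return self.versions[(key, version_id)]

    def put_bucket_versioning(self, Bucket, VersioningConfiguration):
        self.versioning = VersioningConfiguration["Status"]

    def put_object_lock_configuration(self, Bucket, ObjectLockConfiguration):
        if self.versioning != "Enabled":
            raise ValueError("InvalidBucketState: versioning must be enabled first")
        self.lock_config = ObjectLockConfiguration

    def get_paginator(self, name):
        return self                              # paginate() below is the only page source

    def paginate(self, Bucket):
        yield {"Versions": [{"Key": k, "VersionId": v} for (k, v) in list(self.versions)]}

    def put_object_retention(self, Bucket, Key, VersionId, Retention):
        current = self.versions[(Key, VersionId)]
        if (current and current["Mode"] == "COMPLIANCE"
                and Retention["RetainUntilDate"] < current["RetainUntilDate"]):
            raise PermissionError("AccessDenied: COMPLIANCE retention cannot be shortened")
        self.versions[(Key, VersionId)] = Retention

    def put_object(self, Bucket, Key):
        """New versions inherit the bucket's default retention, if one is configured."""
        vid, rule = f"v-{len(self.versions)}", (self.lock_config or {}).get("Rule")
        ret = None
        if rule:
            d = rule["DefaultRetention"]
            ret = {"Mode": d["Mode"], "RetainUntilDate": self.now + timedelta(days=d["Days"])}
        self.versions[(Key, vid)] = ret
        return {"VersionId": vid}

    def delete_object(self, Bucket, Key, VersionId):
        ret = self.versions[(Key, VersionId)]
        if ret and self.now < ret["RetainUntilDate"]:
            raise PermissionError("AccessDenied: object version is under retention")
        del self.versions[(Key, VersionId)]


if __name__ == "__main__":
    s3 = FakeS3(["audit/2023-q4.log", "audit/2024-q1.log"])
    enable_object_lock(s3, "audit-logs", days=365)
    print("still unprotected:", [k for (k, v), r in s3.versions.items() if r is None])
    print("back-filled:", backfill_retention(s3, "audit-logs", s3.later(365)))
```

Two behaviours shown by the fake are the ones that bite in production: the bucket default never reaches pre-existing versions, and a COMPLIANCE retention can be extended but never shortened, so pick the back-fill date deliberately.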
AWS Secrets Manager now supports batch retrieval of secrets
AWS Secrets Manager now supports identifying and retrieving a group of secrets in a single API call. The new BatchGetSecretValue API simplifies the common case where an application needs several secrets at startup: you no longer need to make one GetSecretValue call per secret. A batch can still partially succeed, however: secrets that could not be retrieved (for example because the caller lacks permission on them) are returned in an Errors list in the response rather than raised as an exception, so callers must check that list.
BatchGetSecretValue accepts a list of up to 20 secret names or ARNs, or filter criteria such as tags. Each secret in the response is returned in the same format as the existing GetSecretValue API, so existing parsing code can be reused while the number of API calls drops.
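The partial-failure point matters in practice: BatchGetSecretValue returns the secrets it could read in SecretValues and the rest in Errors, so a caller that only reads SecretValues can start with credentials silently missing. This added Python example (not AWS sample code) wraps the call for fixed ID lists, chunked to the 20-ID limit, and for tag filters with NextToken paging; FakeSecretsManager and SAMPLE_SECRETS are constructed so it runs offline, and the secret names, tags and values are placeholders.

```python
"""Fetch a group of secrets with BatchGetSecretValue and surface partial failures.

Added example, not AWS sample code. batch_get_secret_value with SecretIdList,
Filters and NextToken, and the SecretValues / Errors fields in its response,
are the real Secrets Manager API; FakeSecretsManager is a constructed stand-in
loaded with made-up secrets so the example runs offline. The 20-ID limit per
call is the documented request limit.
"""
from __future__ import annotations
import json

MAX_IDS_PER_CALL = 20


def fetch_secrets(sm, secret_ids: list[str]) -> tuple[dict[str, str], dict[str, str]]:
    """Return ({name: secret_string}, {secret_id: error_code}).

    A secret that cannot be returned (missing, access denied, KMS failure) does
    not fail the call: it appears in Errors. Ignoring that list means booting
    with silently missing credentials, so the caller gets both dicts back.
    """
    values, errors = {}, {}
    for i in range(0, len(secret_ids), MAX_IDS_PER_CALL):
        resp = sm.batch_get_secret_value(SecretIdList=secret_ids[i:i + MAX_IDS_PER_CALL])
        for s in resp.get("SecretValues", []):
            values[s["Name"]] = s["SecretString"]
        for e in resp.get("Errors", []):
            errors[e["SecretId"]] = e["ErrorCode"]
    return values, errors


def fetch_by_tag(sm, tag_key: str, tag_value: str) -> dict[str, str]:
    """Retrieve every secret matching the tag filters, following NextToken pages.

    Any entry in Errors is treated as fatal here: a filter-based fetch has no
    fixed list to compare against, so a partial result would go unnoticed.
    """
    values, token = {}, None
    while True:
        kwargs = {"Filters": [{"Key": "tag-key", "Values": [tag_key]},
                              {"Key": "tag-value", "Values": [tag_value]}]}
        if token:
            kwargs["NextToken"] = token
        resp = sm.batch_get_secret_value(**kwargs)
        if resp.get("Errors"):
            raise RuntimeError(f"partial failure: {resp['Errors']}")
        for s in resp["SecretValues"]:
            values[s["Name"]] = s["SecretString"]
        token = resp.get("NextToken")
        if not token:
            return values


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager'); two results per page."""
    PAGE = 2

    def __init__(self, secrets: dict[str, dict], denied: set[str] = frozenset()):
        self._secrets, self._denied = secrets, set(denied)

    def _collect(self, names):
        values, errors = [], []
        for n in names:
            if n not in self._secrets:
                errors.append({"SecretId": n, "ErrorCode": "ResourceNotFoundException",
                               "Message": "Secrets Manager can't find the specified secret."})
            elif n in self._denied:
                errors.append({"SecretId": n, "ErrorCode": "AccessDeniedException",
                               "Message": "not authorized to perform secretsmanager:GetSecretValue"})
            else:
                values.append({"ARN": f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{n}",
                               "Name": n, "SecretString": self._secrets[n]["value"]})
        return values, errors

    def batch_get_secret_value(self, SecretIdList=None, Filters=None, NextToken=None):
        if SecretIdList is not None:
            if len(SecretIdList) > MAX_IDS_PER_CALL:
                raise ValueError("ValidationException: at most 20 secret IDs per call")
            values, errors = self._collect(SecretIdList)
            return {"SecretValues": values, "Errors": errors}
        wanted = {f["Key"]: set(f["Values"]) for f in Filters}
        names = sorted(n for n, s in self._secrets.items() if all(
            (k == "tag-key" and set(s["tags"]) & v)
            or (k == "tag-value" and set(s["tags"].values()) & v)
            for k, v in wanted.items()))
        start = int(NextToken or 0)
        values, errors = self._collect(names[start:start + self.PAGE])
        resp = {"SecretValues": values, "Errors": errors}
        if start + self.PAGE < len(names):
            resp["NextToken"] = str(start + self.PAGE)
        return resp


# Constructed sample secrets; values are placeholders, not real credentials.
SAMPLE_SECRETS = {
    "prod/db": {"value": json.dumps({"username": "app", "password": "placeholder"}),
                "tags": {"env": "prod", "app": "billing"}},
    "prod/payments": {"value": "placeholder-api-key", "tags": {"env": "prod", "app": "billing"}},
    "prod/smtp": {"value": "placeholder-smtp", "tags": {"env": "prod", "app": "notify"}},
    "dev/db": {"value": "placeholder-dev", "tags": {"env": "dev", "app": "billing"}},
}

if __name__ == "__main__":
    sm = FakeSecretsManager(SAMPLE_SECRETS, denied={"prod/smtp"})
    print(fetch_secrets(sm, ["prod/db", "prod/smtp", "prod/missing"]))
    print(sorted(fetch_by_tag(sm, "app", "billing")))
```

One caveat with the filter form: tag-key and tag-value are separate filters that are combined, not a single key=value pair, so a secret carrying the right key and the right value on two different tags would also match; when exact pairing matters, filter by name prefix or pass an explicit SecretIdList.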
Amazon Redshift now supports metadata security to simplify multi-tenant applications
Amazon Redshift now supports metadata security, which lets administrators restrict the visibility of catalog data based on user roles and permissions. Users see only the metadata for the databases, schemas, tables and views they have access to, which makes it practical to deploy multi-tenant applications on a provisioned cluster or a Serverless namespace without tenants seeing each other's object names.
You enable metadata security for a provisioned or serverless data warehouse with a single command, "ALTER SYSTEM SET metadata_security = TRUE". The restriction then applies to native and third-party tools that connect through the JDBC, ODBC or Python drivers, as well as to the Redshift Data API.