AWS Security Trends 2022: Five Attributes and Why They Matter

Building securely in the cloud can be daunting because of the huge amount of constantly changing information to review, evaluate, and reconcile with your business needs. For example, AWS releases countless updates, new features, and new security services around its summer security conference, re:Inforce. Praetorian analyzed all information regarding new AWS releases and security-related work from Summer 2022 and AWS re:Inforce. In doing so, we identified the following five main trends: embracing hybrid architectures, evolving access, increasingly granular access and attribute-based access control, expanding security services and offerings, and opinionated security guides.


AWS Embracing Hybrid Architectures

AWS embraces and simplifies hybrid architectures. Since the release of AWS Outposts in 2018, AWS has gradually supported and adopted the hybrid architecture model. For organizations that are starting their cloud adoption journey or adopting a multi-cloud model, however, challenges remain with managing and scaling hybrid architectures.

So, Praetorian was thrilled when AWS released IAM Roles Anywhere, a secure way to leverage the benefits of IAM roles for workloads running outside of AWS. Praetorian has previously observed clients creating and managing long-term IAM user credentials for such workloads, an approach that often brings security and management issues. AWS has also released support for private IP VPNs with AWS Site-to-Site VPN, which enables users to encrypt Direct Connect traffic between on-premises networks and AWS without using public IP addresses.

With these new releases, AWS enables customers to secure their hybrid architectures and improve the integration of workloads, infrastructure, identity, and networks. These releases have the potential to greatly simplify and standardize the hybrid user’s approach to the cloud.


Access Evolution in AWS

AWS first introduced Identity and Access Management (IAM) policies in 2011, providing the foundational mechanism for controlling access to actions and resources in AWS. Over time, AWS has introduced more features, including IAM roles for EC2 instances, IAM roles for service accounts on EKS, managed policies, and support for multi-account environments. This summer, AWS continued to build out and replicate its access model by offering AWS IAM Identity Center (successor to AWS SSO) support for customer managed policies. Additional releases also bring more granular access control to various AWS services, including Neptune and EMR.

Praetorian expects that AWS will continue to evolve its access model and further simplify its IAM offerings, using the rebranded AWS IAM Identity Center as the focal point of identity across all AWS services.


More granular access and attribute-based access control

We have treated Attribute-Based Access Control (ABAC) as a separate topic because we see improvements in this area as necessary to improve security on AWS. AWS has been standardizing and improving tags across all of its services for several years. For example, in 2018 AWS introduced the global condition key aws:RequestedRegion, which standardized allowing or denying access to specific AWS regions. AWS also added tags for IAM users and roles in late 2018. In 2019, AWS released session tags, which apply to a single assumed-role session and are useful for granting session-based access. AWS recently released ABAC support for AWS Lambda, which allows users to control access to Lambda actions via tags.

As AWS tagging improves and gains broader support, cloud engineers can enable more precise access via attribute-based access control. If done correctly, leveraging ABAC via tag-based permissions is a powerful tool that allows for greater flexibility and efficiency while still granting access securely. Condition keys such as aws:ResourceTag, aws:RequestTag, aws:TagKeys, and aws:PrincipalTag let policy authors scope permissions to the attributes of the principal and the resource rather than to hard-coded resource names.
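As an added example that is not part of the original post, the following Python sketch is a deliberately simplified model of how IAM resolves a tag-based condition such as `"aws:ResourceTag/project": "${aws:PrincipalTag/project}"` at request time. It is not AWS's own evaluation engine: it implements only StringEquals/StringNotEquals, wildcard matching on actions and ARNs, and the explicit-deny/allow/implicit-deny ordering. The policy, the `project` and `env` tag names, the ARNs and the account id are all constructed for illustration. The point it shows that the paragraph alone does not is the failure mode: a principal or resource that is missing the tag never matches a StringEquals condition, so it falls through to an implicit deny rather than silently gaining access.

```python
"""Simplified ABAC (tag-based) IAM policy evaluator. Example code, not AWS's."""
import re
from typing import Dict, List, Union

# Constructed sample policy (hypothetical "project"/"env" tag scheme):
#  - a principal may start/stop EC2 instances only when the instance's
#    "project" tag equals the principal's own "project" tag;
#  - terminating anything tagged env=prod is explicitly denied.
ABAC_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StartStopOwnProjectInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
                }
            },
        },
        {
            "Sid": "DenyTerminateProduction",
            "Effect": "Deny",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}},
        },
    ],
}

_POLICY_VAR = re.compile(r"\$\{([^}]+)\}")
_UNRESOLVED = "\x00unresolved"  # sentinel that can never equal a real tag value


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def glob_matches(pattern: str, value: str) -> bool:
    """IAM-style '*' wildcard match, used for both actions and ARNs."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None


def substitute(value: str, ctx: Dict[str, str]) -> str:
    """Resolve ${key} policy variables against the request context.
    A variable whose key is absent (e.g. the principal has no such tag)
    becomes a sentinel, so a StringEquals against it can never succeed."""
    return _POLICY_VAR.sub(lambda m: ctx.get(m.group(1), _UNRESOLVED), value)


def condition_holds(cond: Dict, ctx: Dict[str, str]) -> bool:
    """Every operator/key pair must hold. Missing context keys make
    StringEquals false and StringNotEquals true, as IAM does."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            expected_vals = [substitute(v, ctx) for v in _as_list(expected)]
            if operator == "StringEquals":
                if actual is None or actual not in expected_vals:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected_vals:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def request_context(principal_tags: Dict[str, str],
                    resource_tags: Dict[str, str]) -> Dict[str, str]:
    """Build the subset of the request context that tag conditions read."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def evaluate(policy: Dict, action: str, resource_arn: str,
             ctx: Dict[str, str]) -> str:
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        if not any(glob_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(glob_matches(p, resource_arn) for p in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"  # a matching Deny always wins
        decision = "allow"
    return decision


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"  # constructed
    cases = [
        ("same project", {"project": "payments"}, {"project": "payments", "env": "dev"}),
        ("other project", {"project": "payments"}, {"project": "billing", "env": "dev"}),
        ("principal untagged", {}, {"project": "payments", "env": "dev"}),
    ]
    for label, ptags, rtags in cases:
        ctx = request_context(ptags, rtags)
        print(f"{label:20s} ec2:StopInstances -> {evaluate(ABAC_POLICY, 'ec2:StopInstances', instance, ctx)}")
    prod_ctx = request_context({"project": "payments"}, {"project": "payments", "env": "prod"})
    print(f"{'terminate prod':20s} ec2:TerminateInstances -> {evaluate(ABAC_POLICY, 'ec2:TerminateInstances', instance, prod_ctx)}")
```

The third case is the one worth internalizing when rolling out ABAC: an untagged principal is not a policy error, it is simply a request that no Allow statement matches, so tag hygiene on both principals and resources is what actually determines who gets access.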

Praetorian expects attribute-based access control to gain more traction as organizations harness the power of AWS tags to reduce permissions to only what is necessary. Furthermore, we expect increased adoption of complementary session-based access controls, driven by features such as the move from IMDSv1 to IMDSv2, the introduction of Roles Anywhere, enhanced IAM Identity Center features, and session tags.


AWS Expansion of Security Services and Offerings

AWS continued to expand its security and integration service offerings this summer, which will enhance its capabilities in existing security markets and help it gain traction in new ones. The two with the greatest potential impact on the industry are the new GuardDuty release and the AWS Customer Incident Response Team. The new version of GuardDuty extends AWS security offerings into additional areas, such as malware detection, and integrates with other services such as Amazon Detective, AWS Security Hub, and EventBridge. The new AWS Customer Incident Response Team gives customers access to AWS security personnel to assist during security incidents and expands AWS toward a managed service provider model.


AWS Opinionated Security Guides

AWS has sharpened its focus on security since 2019, when it began providing dedicated security documentation for each service. With this summer's updates to that documentation, AWS now offers opinionated guidance in multiple areas, including the latest updates to the AWS Security Best Practices, IAM best practices, and guidance on managing multiple accounts with AWS Organizations.

Praetorian is pleased to see this, as it gives customers secure foundational best practices to follow when building on AWS. Starting from a secure foundation offers many benefits to businesses, including reducing risk, enhancing security, and enabling teams to build securely at scale. We expect that AWS will continue to build on customer experience and provide further guidance on how best to build securely in its cloud environment.


This is the first in a series of posts where we’ll dive into updates on AWS security that occurred in 2022. If you’d like to learn more about our cloud service offerings, or other services that Praetorian can offer, please reach out via our Contact us page.


*** This is a Security Bloggers Network syndicated blog from Praetorian authored by emmaline. Read the original post at: https://www.praetorian.com/blog/aws-security-trends-of-2022/
