Here are my views on the “Top Ten” AWS Security, Identity and Compliance updates from AWS re:Invent 2020.
1) AWS Nitro Enclaves — Create isolated compute environments to further protect and securely process highly sensitive data. These environments are provably secure, and are not accessible to other applications, users, or processes running on the parent EC2 instance.
2) AWS Audit Manager — Continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and standards. Automate evidence collection to reduce manual effort which enables you to scale your audit capability in the cloud.
3) AWS Network Firewall — A stateful layer 7 advanced virtual firewall inside of Amazon Virtual Private Clouds (VPCs). Includes IPS detection and filtering that can be customized using open source rules. Automatically scales so you do not have to manage infrastructure.
4) AWS Gateway Load Balancer — Makes it easy and cost-effective to deploy, scale and manage the availability of third-party virtual appliances such as firewalls, intrusion detection and prevention systems and deep packet inspection systems in the cloud.
5) VPC Reachability Analyzer — A configuration analysis tool that performs connectivity testing between a source and destination resource in your VPCs. Produces hop-by-hop details of the virtual network path between the source and the destination, or shows what is blocked by configuration issues in a security group, network ACL, route table, or load balancer.
6) Amazon S3 Bucket Keys — Uses bucket-level keys to reduce the request costs of Amazon S3 server-side encryption (SSE) with AWS Key Management Service (KMS) by up to 99% by decreasing the request traffic from S3 to KMS.
7) Attribute-Based Access Control with AWS SSO — Use your workforce’s existing identity attributes (such as cost center and department) from an external identity provider, such as Azure AD, Okta, OneLogin, or Ping Identity, when they federate into AWS.
8) Code Signing for AWS Lambda — A trust and integrity control that helps administrators enforce that only signed code packages from trusted publishers run in their Lambda functions and that the code has not been altered since signing.
9) Amazon CodeGuru Reviewer Security Detectors — Find and remediate security issues in your code before you deploy, including the top ten Open Web Application Security Project (OWASP) categories, security best practices for AWS APIs, and common Java crypto libraries.
10) AWS Config Delegated Aggregation — Use a delegated administrator account to aggregate the change and compliance data from AWS Config from all member accounts in AWS Organizations without additional authorization. Allow different teams, such as auditing, security, and compliance to use distinct accounts to enable the separation of duties.
11) Amazon Route 53 DNSSEC — Provides data origin authentication and data integrity verification for DNS. Route 53 manages the zone-signing key, and you can manage the key-signing key in AWS KMS. Helps you meet government security requirements and other compliance mandates.