Building securely in the cloud can feel daunting given the sheer volume of ever-changing information to review, assess, and reconcile with your business needs. For example, AWS ships a flood of updates, new features, and new security services around its summer security conference, re:Inforce. Praetorian analyzed AWS's new releases and security-related work from Summer 2022 and AWS re:Inforce 2022, and identified five key trends: embrace of hybrid architectures, evolution of access, more granular access and attribute-based access control, expansion of security services and offerings, and opinionated security guides.

AWS Embracing Hybrid Architectures

AWS is embracing and simplifying hybrid architectures. Since AWS Outposts was announced in 2018, AWS has supported and gradually expanded its hybrid model. For organizations starting a cloud adoption journey or adopting a multi-cloud model, however, managing and scaling hybrid architectures remained a challenge.

Praetorian was pleased, therefore, when AWS released IAM Roles Anywhere, which lets workloads running outside AWS obtain temporary IAM Role credentials by presenting an X.509 certificate issued by a certificate authority registered with the account as a trust anchor (AWS Private CA or your own CA). Previously, we observed clients creating and managing long-term IAM User credentials for such workloads, a practice that brings security and lifecycle problems: long-lived secrets that must be distributed, protected, and rotated by hand, with no session scoping. AWS also released support for Private IP VPNs with AWS Site-to-Site VPN, which encrypts Direct Connect traffic between on-premises networks and AWS without requiring public IP addresses on either end.

With these releases, AWS is enabling customers to secure their hybrid architectures and to integrate workloads, infrastructure, identity, and networking more cleanly across environments. They have the potential to greatly simplify and standardize a customer's hybrid approach to the cloud.

Releases and Links

Evolution of Access in AWS

AWS first introduced Identity and Access Management (IAM) policies in 2011, providing the foundational mechanism for controlling access to actions and resources in AWS. Over time, AWS has added more features, including IAM Roles for EC2 instances, IAM Roles for Service Accounts (IRSA) on EKS, managed policies, and support for multi-account environments. This Summer, AWS continued to build on its access model by adding support for customer managed policies in AWS IAM Identity Center (the successor to AWS Single Sign-On) permission sets, so that permission sets are no longer limited to AWS managed and inline policies. Additional releases will also bring more fine-grained access across services including Amazon Neptune and Amazon EMR.

Praetorian anticipates that AWS will continue to evolve its access model and further streamline its IAM offerings, using the renamed AWS IAM Identity Center as the focal point for identity across all of AWS.

Releases and Links

More Granular Access and Attribute-Based Access Control

We identified attribute-based access control (ABAC) as a separate theme because we see improvements in this area as crucial for improving security in AWS. AWS has been standardizing and improving tag support across its services for several years. For example, in 2018 AWS introduced the global condition key aws:RequestedRegion, which standardized allowing or denying access to specific AWS Regions. AWS also added tags to IAM Users and Roles in late 2018. In 2019, AWS released session tags, which apply to temporary role sessions (passed at AssumeRole or supplied by an identity provider) and are useful for granting session-scoped access. AWS recently released ABAC support for AWS Lambda, which lets users control access to Lambda functions via tags.

As tagging in AWS improves and gains more support, cloud architects can enable more granular access via attribute-based access control. Done properly, ABAC via tag-based permissions is a powerful tool that allows more flexibility and efficiency while still granting access securely. Condition keys such as aws:ResourceTag/tag-key, aws:RequestTag/tag-key, aws:TagKeys, and aws:PrincipalTag/tag-key let users scale permissions and refine access with attributes rather than per-resource statements. The usual pattern compares a tag on the resource with the same tag on the principal (aws:ResourceTag/team equal to ${aws:PrincipalTag/team}), so one policy serves every team. The caveat is that whoever can write the tag can move the boundary: tag-mutation actions (for example ec2:CreateTags, ec2:DeleteTags, iam:TagRole) need the same or tighter conditions, which is what aws:RequestTag and aws:TagKeys are for.
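To make the interaction of these condition keys concrete, here is an added example (not code from the original post and not AWS's policy engine) that evaluates constructed requests against a hypothetical ABAC policy. It models only the subset of IAM semantics needed for the point: explicit Deny wins, an Allow is required, otherwise implicit Deny; StringEquals, StringNotEquals, the ForAllValues qualifier, and ${...} policy variables. The policy, account ID, instance ARN, and request contexts are all constructed for illustration.

```python
"""Offline evaluator for the tag-based IAM condition keys above (added example,
not AWS's evaluator: explicit Deny wins, then Allow, else implicit Deny; only
StringEquals/StringNotEquals and ForAllValues are modelled, no NotAction,
wildcards in condition values, SCPs or resource policies). All data is constructed."""
import re
from typing import Any, Dict, List, Optional, Union

VARIABLE = re.compile(r"\$\{([^}]+)\}")  # ${aws:PrincipalTag/team} policy variables

# Hypothetical identity policy: manage only your own team's instances, launch
# instances only when tagging them with your own team (plus at most "Name"),
# and nothing at all outside eu-west-1.
ABAC_POLICY: Dict[str, Any] = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ManageOwnTeamInstances", "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}},
    {"Sid": "LaunchOnlyWithOwnTeamTag", "Effect": "Allow",
     "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestTag/team": "${aws:PrincipalTag/team}"},
                   "ForAllValues:StringEquals": {"aws:TagKeys": ["team", "Name"]}}},
    {"Sid": "DenyOutsideHomeRegion", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
]}


def _glob_any(patterns: Union[str, List[str]], value: str) -> bool:
    """IAM-style match where * and ? are wildcards (case folding ignored here)."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."), value) for p in pats)


def _resolve(value: str, ctx: Dict[str, Any]) -> Optional[str]:
    """Substitute ${...} policy variables from the request; None if one is absent.
    This is why a principal with no team tag gets nothing from the Allows above."""
    missing = False

    def sub(m: "re.Match[str]") -> str:
        nonlocal missing
        v = ctx.get(m.group(1))
        missing = missing or not isinstance(v, str)
        return v if isinstance(v, str) else ""

    out = VARIABLE.sub(sub, value)
    return None if missing else out


def _holds(op: str, key: str, policy_values: Union[str, List[str]], ctx: Dict[str, Any]) -> bool:
    """Evaluate one condition key. A missing request key never matches a
    single-valued operator here (check the IAM docs for negated/IfExists forms)."""
    qualifier, _, base = op.rpartition(":")  # "ForAllValues:StringEquals" -> qualifier, base
    if base not in ("StringEquals", "StringNotEquals"):
        raise NotImplementedError(base)
    pvs = [policy_values] if isinstance(policy_values, str) else policy_values
    wanted = [r for r in (_resolve(p, ctx) for p in pvs) if r is not None]
    raw = ctx.get(key)
    values: List[str] = raw if isinstance(raw, list) else ([raw] if isinstance(raw, str) else [])
    one = (lambda v: v not in wanted) if base == "StringNotEquals" else (lambda v: v in wanted)
    if qualifier == "ForAllValues":
        # Documented IAM behaviour: vacuously true when the key is absent, so
        # never rely on ForAllValues alone to *require* a tag.
        return all(one(v) for v in values)
    return len(values) == 1 and one(values[0])


def evaluate(policy: Dict[str, Any], action: str, resource: str, ctx: Dict[str, Any]) -> str:
    """Return "Allow" or "Deny" for one request against one identity policy."""
    allowed = False
    for st in policy["Statement"]:
        if not (_glob_any(st["Action"], action) and _glob_any(st["Resource"], resource)):
            continue
        conds = st.get("Condition", {})
        if all(_holds(op, k, v, ctx) for op, keys in conds.items() for k, v in keys.items()):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed requests. aws:PrincipalTag/* comes from the role's tags plus any
# session tags passed to AssumeRole; aws:ResourceTag/* from the target resource.
INSTANCE = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0"
BLUE = {"aws:PrincipalTag/team": "blue", "aws:RequestedRegion": "eu-west-1"}


def demo() -> Dict[str, str]:
    start, run = "ec2:StartInstances", "ec2:RunInstances"
    return {
        "own team's instance": evaluate(ABAC_POLICY, start, INSTANCE, {**BLUE, "aws:ResourceTag/team": "blue"}),
        "other team's instance": evaluate(ABAC_POLICY, start, INSTANCE, {**BLUE, "aws:ResourceTag/team": "red"}),
        "untagged instance": evaluate(ABAC_POLICY, start, INSTANCE, BLUE),
        "principal without team tag": evaluate(ABAC_POLICY, start, INSTANCE,
                                               {"aws:RequestedRegion": "eu-west-1", "aws:ResourceTag/team": "blue"}),
        "outside home region": evaluate(ABAC_POLICY, start, INSTANCE,
                                        {**BLUE, "aws:ResourceTag/team": "blue", "aws:RequestedRegion": "us-east-1"}),
        "launch tagged with own team": evaluate(ABAC_POLICY, run, INSTANCE,
                                                {**BLUE, "aws:RequestTag/team": "blue", "aws:TagKeys": ["team", "Name"]}),
        "launch with unexpected tag key": evaluate(ABAC_POLICY, run, INSTANCE,
                                                   {**BLUE, "aws:RequestTag/team": "blue", "aws:TagKeys": ["team", "env"]}),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{decision:5} {case}")
```

Two of the cases are the ones that bite in practice: a resource with no team tag and a principal with no team tag both fall through to implicit Deny, because a missing key does not match StringEquals and an unresolvable ${aws:PrincipalTag/team} makes the condition fail. The ForAllValues branch shows the opposite trap: it is vacuously true when aws:TagKeys is absent, so the RunInstances statement pairs it with a StringEquals on aws:RequestTag/team to actually require the tag.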

Praetorian expects attribute-based access control to gain more traction as organizations harness AWS tagging to reduce permissions to only what is necessary. Furthermore, we anticipate increased adoption of session-based access control, complementing features such as the move from IMDSv1 to IMDSv2, the introduction of IAM Roles Anywhere, enhanced IAM Identity Center features, and session tags.

Releases and Links

AWS Expansion of Security Services and Offerings

AWS continued to expand its security services and integrations this summer, which will bolster its capabilities in existing security markets and help it gain traction in new ones. The two releases with the greatest potential impact on the industry are GuardDuty Malware Protection and the AWS Customer Incident Response Team (CIRT). The GuardDuty release extends AWS's native detection into malware scanning of EBS volumes attached to EC2 instances (including the containers running on them), with findings that flow into the existing integrations with Amazon Detective, AWS Security Hub, and Amazon EventBridge. The new AWS CIRT gives customers access to AWS security personnel during security incidents and extends AWS's offerings toward a managed service provider model.

Releases and Links

AWS Opinionated Security Guides

AWS has put explicit focus on security since 2019, when it introduced a dedicated security section in each service's documentation. With this Summer's updates to that documentation, AWS now provides opinionated guidance in several areas, including the recently rewritten IAM security best practices and the best practices for multi-account management with AWS Organizations.

Praetorian is excited to see this, as it gives customers secure foundational best practices to follow when adopting AWS. Starting from a secure foundation reduces risk and allows an organization to build securely at scale. We expect AWS to keep investing in customer experience and to deliver more guidance on how best to build securely in its cloud environment.

Releases and Links


This is the first in a series of posts where we will dive into the AWS security-related updates that occurred in 2022. If you want to learn more about our cloud service offerings, or the other services that Praetorian can provide, please reach out via our Contact Us page.