Banner Image: Las Vegas sunrise

AWS re:Invent Wrap: New in Security and Compliance

Every AWS re:Invent brings a plethora of announcements from the AWS team. The cloudtamer.io team was onsite to share our solution with attendees in the expo, check out sessions, and learn more about what's new in AWS. In this post, I'll give you a deep dive into a few of the AWS announcements in the security and compliance areas.

Security and Compliance News

Access Analyzer

AWS released features intended to simplify security and administration of the cloud. Access Analyzer, for both IAM policies and S3 bucket policies, is a great step forward in securing your cloud while limiting the undifferentiated heavy lifting that comes from validating that policies aren’t granting access to other AWS accounts unexpectedly. The Access Analyzer features use automated reasoning, which is a mathematical way to make sense of complex configuration options and prove your security posture. AWS provides these features at no additional cost.

While a helpful feature, Access Analyzer is currently limited in scope to certain resources and the only analysis is whether or not resources are exposed to additional AWS accounts. In order to best manage identity and access management boundaries, there is no substitute for a comprehensive solution to deliver governance at scale across your environment.

Cloudtrail Insights

CloudTrail Insights is a new feature that helps customers with anomaly detection based on CloudTrail trails. The integration with CloudWatch events allows you to create alerts, automate remediation, and integrate with existing workflows to react to detected activity. Enabling CloudTrail is a crucial step in securing your AWS accounts; adding automated anomaly detection is a great use of that data.

Shared VPC - NLB Support

Shared Virtual Private Clouds (VPCs) are an awesome way to manage your networking while adhering to the governance at scale best practices of having only one workload in each account. Network load balancers (NLBs) were the last major missing piece of functionality that couldn't be created in a shared VPC by a participant in the share. With this constraint lifted, a shared network for multiple workloads - while adhering to governance at scale - just got more feasible.

More PrivateLink Support

AWS PrivateLink is a real leap forward in terms of cloud networking, ensuring you can access AWS or your own services while limiting the amount of complicated networking required. When building a network, much consideration needs to be given for how to provide outbound Internet access. The safest way to provide outbound Internet access is to not need it! PrivateLink enables that by providing access to AWS services without having to hit the public API endpoint. More support for PrivateLlink is a good thing for protecting accessibility to sensitive workloads while providing necessary communication paths.

Conformance Packs

Amazon Config is a great cloud-native way to manage the security and compliance of an AWS footprint. Recently announced, conformance packs seem to be a good way to pull together multiple Config rules and remediations under one configuration to roll out across your organization.

While a nice feature, the limited regional availability and the ability to manage config rules across fabrics (commercial, GovCloud, C2S, and SC2S) are missing.

Tag Policies

Tagging is a common way to identify and track resources within an AWS account. However, managing tagging at an organizational level is laborious. Tag policies help to alleviate some of that managerial overhead by creating a mechanism to enforce and report on tagging at the organization level.

Although tag policies help, there are still significant challenges in using tags to enforce security, budgetary, and identity and access management boundaries when running multiple workloads within a single account. In addition, for enterprises that have multiple master payers or AWS organizations, including those that operate across commercial and GovCloud fabrics, you'll have to manage tag policies in one place. Compared with the ability in cloudtamer.io to manage multiple organizations, AWS fabrics, and cloud providers with a single pane of glass, tag policies still leave functionality to be desired.

View from the Expo Floor

As our team took some time out from booth duty to walk the show floor, we compiled a list of some prominent themes:

  • Containers debugging, monitoring, security, and orchestration
  • Serverless debugging, monitoring, and security
  • Software release solutions
  • Logging Solutions
  • Data Analytics
  • Cloud Migrations
  • Data Protection
  • Hybrid Data Storage

We also got an opportunity to chat with the AWS team and get a deeper look into their new Savings Plans feature that gives customers greater flexibility and lower prices on Amazon EC2 instances usage.

View from the Booth

At the cloudtamer.io booth, budget enforcement was the hot topic. Many visitors were familiar with budget analysis tools, but less so with the ability to enforce budgets. The oohs and aahs came out when we demoed our ability to freeze or shut down resources.

cloudtamer team at AWS re:invent booth

Thanks to those who stopped by the booth to chat. We look forward to sponsoring a big list of AWS events in 2020!


Chris Pollard is a technical delivery manager at cloudtamer.io.