Last week gave us the first re:Inforce, AWS's new security-focused conference. Naturally this meant a number of security-focused releases, including Security Hub, Control Tower, and VPC Traffic Mirroring.
AWS Security Hub
AWS Security Hub was first introduced at re:Invent.
This isn't new, though, and not much seems to have changed in the transition from preview to GA, with the exception of the pricing finally being known.
Lastly, keep in mind that while you can run the service in many regions, it currently does not aggregate data across regions. From a data sovereignty perspective it's nice that all data stays within the region it is created in, but if you use multiple regions it does mean you need to run Security Hub separately in each of those regions.
AWS Control Tower
Like Security Hub, Control Tower was also introduced at re:Invent 2018. In some ways, though, the underlying technology is older. If you're familiar with the Landing Zone solution that AWS still offers, Control Tower is basically a graphical interface around it. To be fair, it offers a bit more than that, but in the end it is a nice wrapper around a number of best practices regarding how to build an AWS Organization and manage access.
An important part of the announcement however is this sentence (emphasis mine):
This service automates the process of setting up a new baseline multi-account AWS environment that is secure, well-architected, and ready to use.
In other words, you can’t use it with your existing accounts or Organization right now. Well, technically, I’m sure you can make it all work together if you hit it hard enough but you still have to create it in an account that’s not part of an Organization.
VPC Traffic Mirroring
The last announcement I'll mention is VPC Traffic Mirroring. The name pretty much gives away what this does: it allows you to mirror the traffic to or from your instances to a specified location. This allows you, for example, to send all traffic to a dedicated security instance that can check for attacks and take action based on that. Having this run on a separate machine means that you don't need to run that security software on your production machines.
Of course, it comes at a price.
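A mirror target receives those copies as VXLAN-encapsulated UDP datagrams (port 4789), with the VXLAN network identifier marking the mirror session, so the first thing the dedicated security instance has to do is decapsulate. The following decapsulator is an added example, not code from the original post or from AWS; it works on a constructed sample packet and assumes the target's listening port is the VXLAN default.

```python
import struct

VXLAN_PORT = 4789          # UDP port the mirror target listens on (assumption: VXLAN default)
VXLAN_FLAG_VNI_VALID = 0x08

def parse_mirrored_packet(payload: bytes) -> dict:
    """Decapsulate one VXLAN datagram body (the UDP payload a mirror target receives).

    Returns the VNI, which identifies the mirror session, plus the inner IPv4
    5-tuple so the security instance can attribute and inspect the original flow.
    Raises ValueError on truncated or malformed input.
    """
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN 'I' flag not set, VNI is not valid")
    vni = int.from_bytes(payload[4:7], "big")       # bytes 4..6 carry the 24-bit VNI
    frame = payload[8:]                              # inner Ethernet frame follows the 8-byte header
    if len(frame) < 14:
        raise ValueError("truncated inner Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"vni": vni, "ethertype": ethertype}
    if ethertype != 0x0800:                          # only IPv4 is decoded here
        return result
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated inner IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    result.update(proto=ip[9], src=".".join(map(str, ip[12:16])), dst=".".join(map(str, ip[16:20])))
    if ip[9] in (6, 17) and len(ip) >= ihl + 4:      # TCP/UDP: ports directly follow the IP header
        result["sport"], result["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return result

def build_sample_packet(vni: int = 10) -> bytes:
    """Constructed sample: one mirrored TCP SYN to port 22, not a real capture."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a9f8e7d6c5b") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 43210, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 1, 5]), bytes([10, 0, 2, 9]))
    return vxlan + eth + ip + tcp

if __name__ == "__main__":
    print(parse_mirrored_packet(build_sample_packet()))
```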
- Yes, every major AWS conference is named in a way to confuse your email client.
- In case you happen to be in the single region it supports.
- In preview it was all free, which is obviously nicer.
- It uses AWS SSO for this. I'm in the process of writing an article about that, and let's just say that I hope including it in Control Tower will make them take that product more seriously.
- Aside from the literal cost.
- Where we have the wonderful Assistance and Access Act, one of the laws I've complained about here.