Week 27, 2019 - AWS Security Hub; AWS Control Tower, VPC Traffic Mirroring

By (4 minutes read)

Last week gave us the first re:Inforce, AWS’ new security focused conference. And naturally this meant a number of security focused releases, including Security Hub, Control Tower, and VPC Traffic Mirroring.

AWS Security Hub

AWS Security Hub was first introduced at re:Invent1 2018, and was available as a public preview prior to it becoming generally available at re:Inforce. As a quick recap, Security Hub is designed to be the central point for your security items across multiple accounts. This means that it can collate data from other accounts, and using AWS Config it can run compliance standard checks in all of these accounts as well. It also has integration with tools such as Inspector, GuardDuty, and Macie2. Lastly, you can integrate it with some third-party security tools and build your own checks.

This isn’t new though, and not much seems to have changed in the transition from preview to GA, with the exception of the pricing finally being known3. Looking at the pricing page, you can see that you’ll need to do some careful calculations as the examples literally range from 1 dollar per month to nearly 21000. So, have a good think before you jump in, or at least use the first 30 days as an exploration of the costs.

Lastly, keep in mind that while you can run the service in many regions, there is currently no multi-region support in the collection of data. From a data sovereignty perspective it’s nice that all data stays within the region it is created, but if you use multiple regions it does mean you need to run a Security Hub separately in each of those regions.

AWS Control Tower

Like Security Hub, Control Tower too was introduced at re:Invent 2018. In some ways though, the underlying technology is older. If you’re familiar with the Landing Zone solution that AWS still offers, Control Tower is basically a graphical interface around this. To be fair, it offers a bit more than that but in the end it is a nice wrapper around a number of best practices regarding how to build an AWS Organization and manage access4 and security.

An important part of the announcement however is this sentence (emphasis mine):

This service automates the process of setting up a new baseline multi-account AWS environment that is secure, well-architected, and ready to use.

In other words, you can’t use it with your existing accounts or Organization right now. Well, technically, I’m sure you can make it all work together if you hit it hard enough but you still have to create it in an account that’s not part of an Organization.

VPC Traffic Mirroring

The last announcement I’ll mention is VPC Traffic Mirroring. The name pretty much gives away what this does: it allows you to mirror to or from your instances to a specified location. This allows you for example to send all traffic to a dedicated security instance that can check for attacks and take action based on that. Having this run on a separate machine means that you don’t need to run that security software on your production machines.

Of course, it comes at a price5 as it doubles your traffic and the limits for that aren’t increased. It’s also limited to Nitro-backed instances, which is luckily a fair number of types by now. Lastly, while I suspect it’s a coincidence, the fact that it’s available everywhere except for China and Australia6 was the source of a lot of jokes regarding surveillance here in Australia.

Ambassador Corner


  1. Yes, every major AWS conference is named in a way to confuse your email client. [return]
  2. In case you happen to be in the single region it supports. [return]
  3. In preview it was all free, which is obviously nicer. [return]
  4. It uses AWS SSO for this. I’m in the process of writing an article about that, and let’s just say that I hope including it in Control Tower will make them take that product more serious. [return]
  5. Aside from the literal cost [return]
  6. Where we have the wonderful Assistance and Access Act, one of the laws I’ve complained about here. [return]
comments powered by Disqus