Last week gave us the first re:Inforce, AWS' new security focused conference. And naturally this meant a number of security focused releases, including Security Hub, Control Tower, and VPC Traffic Mirroring.

AWS Security Hub

AWS Security Hub was first introduced at re:Invent¹ 2018, and was available as a public preview prior to it becoming generally available at re:Inforce. As a quick recap, Security Hub is designed to be the central point for your security items across multiple accounts. This means that it can collate data from other accounts, and using AWS Config it can run compliance standard checks in all of these accounts as well. It also has integration with tools such as Inspector, GuardDuty, and Macie². Lastly, you can integrate it with some third-party security tools and build your own checks.

This isn’t new though, and not much seems to have changed in the transition from preview to GA, with the exception of the pricing finally being known³. Looking at the pricing page, you can see that you’ll need to do some careful calculations as the examples literally range from 1 dollar per month to nearly 21000. So, have a good think before you jump in, or at least use the first 30 days as an exploration of the costs.

Lastly, keep in mind that while you can run the service in many regions, there is currently no multi-region support in the collection of data. From a data sovereignty perspective it’s nice that all data stays within the region it is created, but if you use multiple regions it does mean you need to run a Security Hub separately in each of those regions.

AWS Control Tower

Like Security Hub, Control Tower too was introduced at re:Invent 2018. In some ways though, the underlying technology is older. If you’re familiar with the Landing Zone solution that AWS still offers, Control Tower is basically a graphical interface around this. To be fair, it offers a bit more than that but in the end it is a nice wrapper around a number of best practices regarding how to build an AWS Organization and manage access⁴ and security.

An important part of the announcement however is this sentence (emphasis mine):

This service automates the process of setting up a new baseline multi-account AWS environment that is secure, well-architected, and ready to use.

In other words, you can’t use it with your existing accounts or Organization right now. Well, technically, I’m sure you can make it all work together if you hit it hard enough but you still have to create it in an account that’s not part of an Organization.

VPC Traffic Mirroring

The last announcement I’ll mention is VPC Traffic Mirroring. The name pretty much gives away what this does: it allows you to mirror to or from your instances to a specified location. This allows you for example to send all traffic to a dedicated security instance that can check for attacks and take action based on that. Having this run on a separate machine means that you don’t need to run that security software on your production machines.

Of course, it comes at a price⁵ as it doubles your traffic and the limits for that aren’t increased. It’s also limited to Nitro-backed instances, which is luckily a fair number of types by now. Lastly, while I suspect it’s a coincidence, the fact that it’s available everywhere except for China and Australia⁶ was the source of a lot of jokes regarding surveillance here in Australia.

Ambassador Corner

• Automating AWS Account Deletion