Schlosshotel Kronberg - November 2024

AWS pre:Invent 2024

It’s once again pre:Invent, that magical season where AWS announces new features related to their legacy products (cloud) before they jump all-in on Generative AI magician gimmicks at re:Invent in Las Vegas. Once again, I will be in attendance at re:Invent, although I start to question my life choices every time I get off the plane in Vegas and am hit by the dry air, cigarette smoke, and insanely bright lights. Oh, right, I agreed to do a breakout session with Rich Mogull: DEV401 - Security invariants: From enterprise chaos to cloud order. We’re in Mandalay Bay (which is on the ass end of the strip) and in a silent disco setup, so I won’t be offended if you don’t attend, but if you do, Rich and I will probably set up for lunch somewhere afterward and talk about practical cloud security.

This is also my 5th year doing a pre:Invent round up. I almost decided not to do one. I’m in Germany this Thanksgiving week giving thanks that I’m not in the US for a bit. But at least it is conditioning me for the cigarette smoke onslaught I’ll experience in the casinos.

Pre:Invent wasn’t the GenAI wankshow I expected it to be. In fact, a number of exciting features and services were announced. Of the 340(ish) announcements in November, here are the most interesting 15. There will be at least two more things coming at re:Invent itself, and I’ll update this post after they are announced. These are in no particular order (other than perhaps chronological).

  1. Amazon CloudFront no longer charges for requests blocked by AWS WAF - 11/06/2024
    This has been a more visible issue since the kerfuffle when someone got a massive bill from S3 404 responses. I’m glad to see that the AWS Edge team is responding to customer needs.
  2. AWS Lambda supports Customer Managed Key (CMK) encryption for Zip function code artifacts - 11/11/2024
    Not sure who needs this, but I guess there is one more thing that can be effectively ransomed.
  3. AWS IAM Identity Center now supports search by permission set name - 11/11/2024
    The Identity Center APIs are an ugly mess, so I can see how it took them several years to get to being able to allow for easy searching.
  4. Introducing resource control policies (RCPs) to centrally restrict access to AWS resources - 11/13/2024
    Ok, this is probably the most impactful release this year. RCPs are the missing link in the data perimeter, allowing us to define the security invariants for our resources in addition to our principals (SCPs). Rich Mogull and I will discuss this more in our talk.
  5. Customize scope of IAM Access Analyzer unused access analysis - 11/14/2024
    As awesome as the IAM Access Analyzer external access feature is, the unused access is quite expensive and just adds to the massive finding fatigue that comes with even attempting to do Cloud Security. At least now you have some options to reduce the noise and cost.
  6. Amazon S3 now supports up to 1 million buckets per AWS account - 11/14/2024
    I’m not entirely sure why I’d want this. After 2000 buckets, they will charge per bucket, so exercising this feature will cost you a cool $19,980 per month.
  7. Centrally manage root access in AWS Identity and Access Management (IAM) - 11/15/2024
    The second most awesome release. It’s not super impactful, but it really simplifies life for those of us who have many AWS accounts and don’t know how best to deal with root users - MFA or SCP. Now you don’t have to argue with your auditors! We just need the CSPM community to catch up and not report missing MFA on accounts without credentials.
    Note: This feature introduces a new IAM Action: sts:AssumeRoot. If you have a large number of people with access to your payer (aka Organization Management Account), you probably want to lock down who can make that AssumeRoot call.
  8. AWS Organizations member accounts can now regain access to accidentally locked Amazon S3 buckets - 11/15/2024
    One of the capabilities that came with the sts:AssumeRoot is the ability to un-bork an S3 Bucket Policy. This use case is one of the primary reasons for needing root access in an outage scenario.
  9. AWS announces Block Public Access for Amazon Virtual Private Cloud - 11/19/2024
    This is the third coolest announcement. This declarative policy allows you to restrict ingress or all internet traffic. It’s got some interesting nuance, but it can be used to prevent things in public subnets from getting internet traffic, and it can restrict all outbound access to go only through specific NAT Gateways.
  10. Amazon CloudFront announces VPC origins - 11/20/2024
    Another exciting announcement. When you have a CloudFront Distribution, you need to have a publicly accessible origin. Well, you used to have to have a public origin. Now, you can keep your origin inside your VPC. CloudFront will create an ENI inside your VPC. An IGW is still required, and it’s not fully clear how this works with Block Public Access for VPCs. As we said in the Universal Cloud Threat Model, shit on the internet is one of the primary ways that AWS incidents happen. This gets shit off the internet. Hooray!
  11. Announcing customized delete protection for Amazon EBS Snapshots and EBS-backed AMIs and Announcing AWS CloudFormation support for Recycle Bin rules - 11/20/2024
    Ensuring that you have immutable backups is critical to surviving a ransomware attack. Just ask CodeSpaces.
  12. AWS CloudTrail Lake launches enhanced analytics and cross-account data access - 11/21/2024
  13. Introducing an AWS Management Console Visual Update (Preview) - 11/21/2024
    I mainly included this to laugh at everyone who now has to take new screenshots for their documentation and classes. Maybe GenAI can translate old console images to new console images.
  14. Amazon EC2 now provides lineage information for your AMIs - 11/21/2024
    One thing that’s always been a concern is some builders grabbing some Bitnami WordPress (plus Cryptominer) AMI and running it in production. My AWS Baselines have always stated that AMIs should be built only from trusted sources. But when your builders bake their own AMIs, it becomes nearly impossible to determine if an AMI is from a trusted source. I look forward to what we can do with this capability to trace an AMI’s lineage back to AWS and ensure that no one has tampered with the base image.
  15. A bonus last-minute release! AWS PrivateLink now supports cross-region connectivity - 11/26/2024
    This one should simplify some network architectures. It’s 5x the cost of an intra-regional VPC Endpoint. Also, it really complicates your multi-region failover planning if you’re accidentally depending on a service provider in a region that fails a lot (looking at you, us-east-1).
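To make item 4 (RCPs) concrete, here is an added example that is not from the post or from AWS: a data-perimeter style RCP that denies S3 access to anything that is not an identity in your Organization or an AWS service principal, plus a small evaluator for the two condition operators it uses, run against constructed request contexts. The org id, the contexts and the evaluator are all made up for illustration; real evaluation also matches Action and Resource, which this skips.

```python
"""Evaluate an RCP's Condition block against constructed request contexts."""

ORG_ID = "o-exampleorgid"  # constructed placeholder, not a real Organization id

# Data-perimeter RCP: deny S3 unless the caller is an org identity or an AWS service
RCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnforceOrgIdentities", "Effect": "Deny", "Principal": "*",
        "Action": ["s3:*"], "Resource": "*",
        "Condition": {
            "StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID},
            "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
        },
    }],
}


def condition_key_matches(op: str, key: str, wanted, ctx: dict) -> bool:
    """Evaluate one condition key under one operator (only those this RCP uses).
    Values are ORed; an absent key is True under ...IfExists operators, else False."""
    values = wanted if isinstance(wanted, list) else [wanted]
    if key not in ctx:
        return op.endswith("IfExists")
    base, actual = op.removesuffix("IfExists"), ctx[key]
    if base == "Bool":  # Bool compares case-insensitively; String operators do not
        return str(actual).lower() in [str(v).lower() for v in values]
    if base == "StringEquals":
        return actual in values
    if base == "StringNotEquals":
        return actual not in values
    raise ValueError(f"unsupported operator {op}")


def rcp_denies(policy: dict, ctx: dict) -> bool:
    """True when every condition key of some Deny statement matches the context.
    Action/Resource matching is skipped: the sample contexts are all s3 calls."""
    return any(
        stmt["Effect"] == "Deny"
        and all(condition_key_matches(op, k, v, ctx)
                for op, keys in stmt.get("Condition", {}).items()
                for k, v in keys.items())
        for stmt in policy["Statement"])


# Constructed request contexts; comments give rcp_denies(RCP, ctx) for each
IN_ORG = {"aws:PrincipalOrgID": ORG_ID, "aws:PrincipalIsAWSService": "false"}   # False
FOREIGN = {"aws:PrincipalOrgID": "o-otherorg", "aws:PrincipalIsAWSService": "false"}  # True
SERVICE = {"aws:PrincipalIsAWSService": "true"}  # no org id for service principals: False
ANONYMOUS = {}  # unauthenticated request carries neither key: True
```

The two IfExists operators are what make this safe for service principals (no aws:PrincipalOrgID in their context) while still denying anonymous requests, which carry neither key.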

There ya go. An acceptable chunk of security-focused product announcements. I normally also try to find things that security folks need to be aware of. These can be a service’s “sharp edges”: the settings where the customers cut themselves and Shared Responsibility sits back and laughs. At this point, I’ve given up trying to save AWS’s customers from the paper cuts and mortal wounds that come from AWS’s penchant for quickly and secretly releasing services without consideration of how customers will accidentally hurt themselves. It’s time to let the shared irresponsibility model take over.