In this post, we share the key announcements related to security, identity, and compliance at AWS re:Invent 2023, and offer details on how you can learn more through on-demand video of sessions and relevant blog posts. AWS re:Invent returned to Las Vegas in November 2023. The conference featured over 2,250 sessions and hands-on labs, with over 52,000 attendees over 5 days. If you couldn’t join us in person or want to revisit the security, identity, and compliance announcements and on-demand sessions, this post is for you.
At re:Invent 2023, and throughout the AWS security service announcements, there are key themes that underscore the security challenges that we help customers address through the sharing of knowledge and continuous development in our native security services. The key themes include helping you architect for zero trust, scalable identity and access management, early integration of security in the development cycle, container security enhancement, and using generative artificial intelligence (AI) to help improve security services and mean time to remediation.
Key announcements
To help you more efficiently manage identity and access at scale, we launched several new features:
A week before re:Invent, we announced two new features of Amazon Verified Permissions:
Batch authorization — Batch authorization is a new way for you to process authorization decisions within your application. Using this new API, you can process 30 authorization decisions for a single principal or resource in a single API call. This can help you optimize multiple requests in your user experience (UX) permissions.
Visual schema editor — This new visual schema editor offers an alternative to editing policies directly in the JSON editor. View relationships between entity types, manage principals and resources visually, and review the actions that apply to principal and resource types for your application schema.
We launched two new features for AWS Identity and Access Management (IAM) Access Analyzer:
Unused access — The new analyzer continuously monitors IAM roles and users in your organization in AWS Organizations or within AWS accounts, identifying unused permissions, access keys, and passwords. Using this new capability, you can benefit from a dashboard to help prioritize which accounts need attention based on the volume of excessive permissions and unused access findings. You can set up automated notification workflows by integrating IAM Access Analyzer with Amazon EventBridge. In addition, you can aggregate these new findings about unused access with your existing AWS Security Hub findings.
Custom policy checks — This feature helps you validate that IAM policies adhere to your security standards ahead of deployments. Custom policy checks use the power of automated reasoning—security assurance backed by mathematical proof—to empower security teams to detect non-conformant updates to policies proactively. You can move AWS applications from development to production more quickly by automating policy reviews within your continuous integration and continuous delivery (CI/CD) pipelines. Security teams automate policy reviews before deployments by collaborating with developers to configure custom policy checks within AWS CodePipeline pipelines, AWS CloudFormation hooks, GitHub Actions, and Jenkins jobs.
We announced AWS IAM Identity Center trusted identity propagation to manage and audit access to AWS Analytics services, including Amazon QuickSight, Amazon Redshift, Amazon EMR, AWS Lake Formation, and Amazon Simple Storage Service (Amazon S3) through S3 Access Grants. This feature of IAM Identity Center simplifies data access management for users, enhances auditing granularity, and improves the sign-in experience for analytics users across multiple AWS analytics applications.
To help you improve your security outcomes with generative AI and automated reasoning, we launched the following new features:
Amazon Inspector expands AWS Lambda code scanning with generative AI-powered remediation — Now you can assess your custom proprietary AWS Lambda code for security issues such as injection flaws and data leaks. This update provides you with actionable security findings, along with affected code snippets and remediation suggestions, simplifying updates to vulnerable code.
Amazon CodeWhisperer provides code suggestions to help remediate identified security and code quality issues tailored to your application code. You can use this new capability to help review and accept fixes quickly with confidence. Security scanning is available for Java, Python, and JavaScript, and is now also available for TypeScript, C#, CloudFormation (YAML, JSON), AWS CDK (TypeScript, Python), and HashiCorp Terraform.
Amazon Detective introduces finding group summaries using generative AI — With Amazon Detective finding group summaries, you can more quickly locate and review key insights on suspicious activity identified in finding groups in natural language. This makes it simpler to investigate and understand unusual or suspicious activities.
AWS Config launches generative AI-powered natural language querying (Preview) — With this feature, you can simplify your investigation and search of AWS resource configurations and compliance metadata.
AWS Control Tower launched a set of 65 purpose-built controls designed to help you meet your digital sovereignty needs. In November 2022, we launched AWS Digital Sovereignty Pledge, our commitment to offering all AWS customers the most advanced set of sovereignty controls and features available in the cloud. Introducing AWS Control Tower controls that support digital sovereignty is an additional step in our roadmap of capabilities for data residency, granular access restriction, encryption, and resilience. AWS Control Tower offers you a consolidated view of the controls enabled, your compliance status, and controls evidence across multiple accounts.
We announced two new feature expansions for Amazon GuardDuty to provide the broadest threat detection coverage:
We launched two new capabilities for Amazon Inspector in addition to Amazon Inspector code remediation for Lambda function to help you detect software vulnerabilities at scale:
We launched four new capabilities in AWS Security Hub to help you address security gaps across your organization and enhance the user experience for security teams, providing increased visibility:
Central configuration — Streamline and simplify how you set up and administer Security Hub in your multi-account, multi-Region organizations. With central configuration, you can use the delegated administrator account as a single pane of glass for your security findings—and also for your organization’s configurations in Security Hub.
Customize security controls — You can now refine the best practices monitored by Security Hub controls to meet more specific security requirements. There is support for customer-specific inputs in Security Hub controls, so you can customize your security posture monitoring on AWS.
Metadata enrichment for findings — This enrichment adds resource tags, a new AWS application tag, and account name information to every finding ingested into Security Hub. This includes findings from AWS security services such as GuardDuty, Amazon Inspector, and IAM Access Analyzer, in addition to a large and growing list of AWS Partner Network (APN) solutions. Using this enhancement, you can better contextualize, prioritize, and act on your security findings.
Dashboard enhancements — You can now filter and customize your dashboard views, and access a new set of widgets that we carefully chose to help reflect the modern cloud security threat landscape and relate to potential threats and vulnerabilities in your AWS cloud environment. This improvement makes it simpler for you to focus on risks that require your attention, providing a more comprehensive view of your cloud security.
We added three new capabilities for Amazon Detective in addition to Amazon Detective finding group summaries to simplify the security investigation process:
We launched AWS Secrets Manager batch retrieval of secrets to identify and retrieve a group of secrets for your application at once with a single API call. The new API, BatchGetSecretValue, provides greater simplicity for common developer workflows, especially when you need to incorporate multiple secrets into your application.
We worked closely with AWS Partners to create offerings that make it simpler for you to protect your cloud workloads:
AWS Built-in Competency — AWS Built-in Competency Partner solutions help minimize the time it takes for you to figure out the best AWS services to adopt, regardless of use case or category.
AWS Cyber Insurance Competency — AWS has worked with leading cyber insurance partners to help simplify the process of obtaining cyber insurance. This makes it simpler for you to find affordable insurance policies from AWS Partners that integrate their security posture assessment through a user-friendly customer experience with Security Hub.
Experience content on demand
If you weren’t able to join in person or you want to watch a session again, you can see the many sessions that are available on demand.
Keynotes, innovation talks, and leadership sessions
Catch the AWS re:Invent 2023 keynote where AWS chief executive officer Adam Selipsky shares his perspective on cloud transformation and provides an exclusive first look at AWS innovations in generative AI, machine learning, data, and infrastructure advancements. You can also replay the other AWS re:Invent 2023 keynotes.
The security landscape is evolving as organizations adapt and embrace new technologies. In this talk, discover the AWS vision for security that drives business agility. Stream the innovation talk from Amazon chief security officer, Steve Schmidt, and AWS chief information security officer, Chris Betz, to learn their insights on key topics such as Zero Trust, builder security experience, and generative AI.
At AWS, we work closely with customers to understand their requirements for their critical workloads. Our work with the Singapore Government’s Smart Nation and Digital Government Group (SNDGG) to build a Smart Nation for their citizens and businesses illustrates this approach. Watch the leadership session with Max Peterson, vice president of Sovereign Cloud at AWS, and Chan Cheow Hoe, government chief digital technology officer of Singapore, as they share how AWS is helping Singapore advance on its cloud journey to build a Smart Nation.
Breakout sessions and new launch talks
Stream breakout sessions and new launch talks on demand to learn about the following topics:
Discover how AWS, customers, and partners work together to raise their security posture with AWS infrastructure and services.
Learn about trends in identity and access management, detection and response, network and infrastructure security, data protection and privacy, and governance, risk, and compliance.
Dive into our launches! Learn about the latest announcements from security experts, and discover how new services and features can help you meet core security and compliance requirements.
Consider joining us for more in-person security learning opportunities by saving the date for AWS re:Inforce 2024, which will take place June 10-12 in Philadelphia, Pennsylvania. We look forward to seeing you there!
If you’d like to discuss how these new announcements can help your organization improve its security posture, AWS is here to help. Contact your AWS account team today.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Want more AWS Security news? Follow us on Twitter.