SAN FRANCISCO -- A batch of additional AWS security tools aims to help users better protect sensitive data, as the cloud service provider continues to hammer on the importance and value of security on its platform.
Security is one of the first topics corporations ask about as they explore a move to the public cloud. Initial concerns about the underlying infrastructure have largely subsided. But many organizations still struggle to adequately lock down the data and services they run on top of the platform, and those misconfigurations have led to exposures of sensitive data.
To that end, AWS has emphasized additional products and features to safeguard user data over the past year, and it continued that push here this week with several more security tools.
Among those released at AWS Summit was AWS Secrets Manager, which stores and manages a broader range of "secrets" than a tool such as AWS Key Management Service, which handles encryption keys: database credentials, passwords and API keys. Applications retrieve a secret at runtime via the API or the AWS CLI rather than having it written directly into source code, and Secrets Manager can rotate credentials on a schedule by invoking a Lambda function.
Secrets management is often more complicated in a microservices-oriented architecture where information is more distributed and various teams share resources. The problem isn't unique to AWS, and it's a gap in the major cloud platforms that has driven users to products such as HashiCorp Vault. Secrets Manager is available in most regions and costs $0.40 per month per secret, and $0.05 per 10,000 API calls.
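The retrieval pattern described above, as an added example that is not code from the original article or from AWS: a helper that fetches a secret the way an application would with boto3's `get_secret_value()` response, a small TTL cache so a busy service does not pay for one API call per request, and the hard-coded connection string it replaces. The client is a constructed in-memory stand-in (so the block runs offline), and the secret names, values and account-specific details are made up.

```python
"""Retrieve and cache secrets at runtime instead of hard-coding them.

Added example, not from the original article or from AWS. FakeSecretsManagerClient
mirrors only the fields of boto3's secretsmanager.get_secret_value() response that
this code reads; the real response also carries ARN, VersionId, CreatedDate, etc.
"""
import base64
import json
import time

# Anti-pattern the article warns against: a credential embedded in source code,
# where it ends up in version control, build logs and every developer's laptop.
HARDCODED_DSN = "postgresql://app:hunter2@db.internal:5432/orders"

# Constructed sample data standing in for the Secrets Manager store.
SAMPLE_STORE = {
    "prod/orders/db": {"SecretString": json.dumps({
        "engine": "postgresql", "host": "db.internal", "port": 5432,
        "dbname": "orders", "username": "app", "password": "hunter2-rotated"})},
    "prod/api-key": {"SecretString": "sk_constructed_example_key"},
    "prod/keytab": {"SecretBinary": b"\x05\x02\x00\x00"},
}


class FakeSecretsManagerClient:
    """Stand-in for boto3.client("secretsmanager"); counts billable API calls."""

    def __init__(self, store):
        self._store = store
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId not in self._store:
            # boto3 raises ResourceNotFoundException; KeyError plays that role here.
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return dict(self._store[SecretId])


def make_client():
    return FakeSecretsManagerClient(SAMPLE_STORE)


def get_secret(client, secret_id):
    """Fetch one secret. JSON string secrets (the format Secrets Manager uses for
    RDS credentials) come back as a dict, other strings as str, binary as bytes."""
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in resp:
        text = resp["SecretString"]
        try:
            return json.loads(text)
        except ValueError:
            return text
    # boto3 hands SecretBinary back as bytes; the raw API carries it base64-encoded,
    # so accept both representations.
    blob = resp["SecretBinary"]
    return base64.b64decode(blob) if isinstance(blob, str) else blob


def build_dsn(secret):
    """Assemble a connection string from the standard RDS-style secret keys."""
    return (f"{secret['engine']}://{secret['username']}:{secret['password']}"
            f"@{secret['host']}:{secret['port']}/{secret['dbname']}")


class SecretCache:
    """Cache fetched secrets for `ttl` seconds. The TTL bounds both the API-call
    bill and how long a rotated-away credential can still be served from memory."""

    def __init__(self, client, ttl=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl
        self._clock = clock  # injectable so tests can advance time
        self._entries = {}   # secret_id -> (expires_at, value)

    def get(self, secret_id):
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        value = get_secret(self._client, secret_id)
        self._entries[secret_id] = (now + self._ttl, value)
        return value

    def invalidate(self, secret_id):
        """Drop an entry, e.g. after an authentication failure that suggests the
        credential was rotated underneath the cache."""
        self._entries.pop(secret_id, None)


if __name__ == "__main__":
    cache = SecretCache(make_client(), ttl=60)
    print(build_dsn(cache.get("prod/orders/db")))
```

Because rotation swaps the value underneath a cached entry, pick a TTL shorter than the rotation interval and call `invalidate()` on an authentication failure so the next attempt fetches the new credential rather than retrying the old one.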
John-Ashley Paul, president of Cubus Solutions, which makes online banking software for credit unions, has evaluated a possible migration to AWS, with security and compliance as top considerations.
"Bringing together a set of security services that can be applied at many levels without having to set up infrastructure can help avoid Equifax kind of problems," he said. "Working with financial companies, we have to be security-focused."
Some industry observers criticize the lack of cohesion among the extended AWS security tools. AWS Firewall Manager doesn't fully address the issue, but it does centralize some tasks based on WAF rules and AWS Shield settings. Users can deploy applications in any region or across multiple accounts and still have a single hub for policy enforcement. They can also narrow those policies to a range of resources or accounts, or tether them to on-premises security settings via AWS partners.
Firewall Manager is AWS' latest response to problems created when users try to spread workloads across multiple regions, development teams and accounts. This issue has become more pronounced as large enterprises migrate to the public cloud, and as born-in-the-cloud startups expand their footprint.
There are several prerequisites to the Firewall Manager service. Customers must use AWS Organizations with all features enabled, designate a Firewall Manager administrator account and enable AWS Config in every account within the organization. Customers that use AWS Shield Advanced will see no additional charge for Firewall Manager, while all others will be charged a monthly fee for each policy in each region.
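A pre-flight check for the three prerequisites just listed, as an added example rather than code from the original article or from AWS. The three client classes are constructed stand-ins whose responses follow the shape of boto3's `organizations.describe_organization()` and `list_accounts()`, `fms.get_admin_account()` and `config.describe_configuration_recorder_status()`; the organization ID and account IDs are made up, and obtaining a Config client for each member account (normally by assuming a role into it) is left to the caller.

```python
"""Check the Firewall Manager prerequisites before trying to create a policy.

Added example, not from the original article or from AWS. Response shapes follow
the boto3 documentation for the three services; everything else is constructed.
"""


class FakeOrganizations:
    """Stand-in for boto3.client("organizations")."""

    def __init__(self, feature_set, account_ids):
        self._feature_set = feature_set  # "ALL" or "CONSOLIDATED_BILLING"
        self._account_ids = account_ids

    def describe_organization(self):
        return {"Organization": {"Id": "o-example1234", "FeatureSet": self._feature_set}}

    def list_accounts(self):
        # The real call is paginated; one page is enough for the stand-in.
        return {"Accounts": [{"Id": a, "Status": "ACTIVE"} for a in self._account_ids]}


class FakeFms:
    """Stand-in for boto3.client("fms")."""

    def __init__(self, admin_account=None, role_status="READY"):
        self._admin = admin_account
        self._role_status = role_status

    def get_admin_account(self):
        # boto3 raises fms.exceptions.ResourceNotFoundException when no
        # administrator has been designated; RuntimeError plays that role here.
        if self._admin is None:
            raise RuntimeError("ResourceNotFoundException")
        return {"AdminAccount": self._admin, "RoleStatus": self._role_status}


class FakeConfig:
    """Stand-in for boto3.client("config") in one account and region.
    recording=None models an account with no configuration recorder at all."""

    def __init__(self, recording):
        self._recording = recording

    def describe_configuration_recorder_status(self):
        if self._recording is None:
            return {"ConfigurationRecordersStatus": []}
        return {"ConfigurationRecordersStatus": [
            {"name": "default", "recording": self._recording, "lastStatus": "SUCCESS"}]}


def check_fms_prerequisites(orgs, fms, config_client_for):
    """Return a list of findings; an empty list means all three prerequisites hold.

    config_client_for(account_id) must return a Config client scoped to that
    member account (in practice via an assumed role)."""
    findings = []

    # 1. AWS Organizations with all features enabled (not consolidated billing only).
    org = orgs.describe_organization()["Organization"]
    if org["FeatureSet"] != "ALL":
        findings.append(f"{org['Id']}: FeatureSet is {org['FeatureSet']}, "
                        "Firewall Manager needs ALL")

    # 2. A designated Firewall Manager administrator account with its role ready.
    try:
        admin = fms.get_admin_account()
        if admin.get("RoleStatus") != "READY":
            findings.append(f"administrator account {admin['AdminAccount']}: "
                            f"role status is {admin.get('RoleStatus')}")
    except RuntimeError:
        findings.append("no Firewall Manager administrator account has been designated")

    # 3. AWS Config recording in every active member account.
    for acct in orgs.list_accounts()["Accounts"]:
        if acct["Status"] != "ACTIVE":
            continue  # suspended or closed accounts cannot run Config
        status = config_client_for(acct["Id"]).describe_configuration_recorder_status()
        if not any(r.get("recording") for r in status["ConfigurationRecordersStatus"]):
            findings.append(f"account {acct['Id']}: AWS Config is not recording")

    return findings


if __name__ == "__main__":
    orgs = FakeOrganizations("ALL", ["111111111111", "222222222222"])
    for finding in check_fms_prerequisites(orgs, FakeFms("111111111111"),
                                           lambda acct: FakeConfig(True)):
        print(finding)
```

Config is regional, so a real check repeats step 3 for every region in which Firewall Manager policies will be applied; the stand-in collapses that to one recorder per account.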
Private Certificate Authority is another addition to AWS Certificate Manager that lets organizations run a private CA, issuing certificates for internal resources and applications, without operating specialized CA infrastructure. The CA keys are stored in AWS-managed hardware security modules, and administrators use IAM policies to control which developers can request certificates via API calls. The service costs $400 per month for each private CA, plus a per-certificate charge, and is available in select regions.
Other AWS updates fine-tune security, storage, machine learning
AWS added several other features to its platform to coincide with the AWS Summit:
- Config Rules users can now aggregate compliance data created across multiple accounts and regions into a single dashboard at no additional cost, although the feature is currently limited to select regions. This follows a trend by AWS to improve interoperability across regions and accounts for companies with global footprints and hundreds of accounts.
- As the name implies, Amazon S3 One Zone-Infrequent Access stores data in a single availability zone and can save users up to 20% compared with S3 Standard-Infrequent Access for rarely accessed data that doesn't need to survive the loss of that zone. It is designed for 99.5% availability, unlike S3 Standard, which provides 99.99% availability.
- Several previously disclosed services became generally available: machine learning tools Amazon Transcribe and Amazon Translate, S3 Select for retrieval of a subset of data within a bucket, and AWS Greengrass ML inference for edge and IoT devices.
- Amazon SageMaker, the managed service to build, train and deploy machine learning models, added support for a range of instance types. In addition, the TensorFlow and MXNet containers that support the SageMaker SDK are now open sourced so developers can test models locally before deploying them in AWS.
- Less than a year after AWS enabled encryption at rest for Amazon Elastic File System, the company added encryption in transit for the service, too.
Free certificates (AWS Certificate Manager issues public TLS certificates at no charge) will be a big help for William Nguyen, a senior scientist at TE Connectivity, which designs and builds organic electronic devices. Nguyen said he was also impressed by the breadth of AWS security services and configuration management tools, as well as Secrets Manager.
"When you're dealing with a lot of client data, you want to be sure you safeguard it properly," he said.
James Willey, senior software engineer at Cisco, said the issues of secrets management are a big problem, particularly when development is done in container environments.
Features writer Jan Stafford contributed to this story.