Amazon made incremental improvements to AWS security features in Lambda and the Relational Database Service last week that largely flew under the radar, but which will significantly affect how AWS environments can be locked down.
AWS users say these additions, and other incremental but significant updates over the last six to nine months, substantially beef up AWS security. Features include the ability to encrypt Elastic Block Store boot volumes as well as changes and improvements to the AWS Key Management System (KMS) that give customers greater control over encryption keys.
"They're starting to really catch up and give people the controls they need," said Erik Peterson, director of technology strategy in the office of the CTO at Veracode, makers of a cloud-based Web application risk assessment service that runs on AWS.
"Before this, if you wanted to use AWS and you were concerned about data privacy, it was really complex," Peterson said. "You would have to manage all the keys yourself, come up with some kind of customized solution that you developed, or try to purchase something which may or may not work with your use case."
The latest changes include new support for encrypting shared snapshots in the Relational Database Service (RDS), the ability to encrypt existing databases within RDS, support for Lambda to access resources behind a Virtual Private Cloud (VPC), and the addition of custom authentication to API Gateway through Lambda functions.
Lambda VPC support out now
Peterson was particularly interested in the ability for AWS Lambda to access resources that live in VPCs.
"No doubt [not having] that was slowing down adoption," he said.
Lambda VPC support was promised last October at re:Invent 2015, but only became available last week.
"Lack of VPC support has prevented us from fully committing to Lambda's use," echoed Kevin Felichko, CTO of PropertyRoom.com, an online auction company based in Frederick, Md. The most important resources for Lambda to access in PropertyRoom's environment are non-RDS database servers; this new addition will let the company move more scheduled tasks to Lambda.
"It also helps us implement new microservices via a Lambda and API Gateway combination without having to swap our data store or implement some other workaround," Felichko said.
This addition also puts the puzzle pieces in place to take advantage of the fact that API Gateway recently added custom authentication via Lambda functions.
"The two of those together means that you can do things like using Memcached or RDS resources for authentication," said Chris Moyer, vice president of technology with ACI Information Group, a Web content aggregator based in New York, and a TechTarget contributor. "It's pretty slick what they're doing lately."
The custom authorizer caches its results for at most one hour, but allowing the authorizer function to reach Memcached lets users easily extend that window and store other session-based information in Memcached, which Moyer said is still the de facto standard for session-based authentication.
"This brings the ability to do traditional Memcached-style authentication that people are used to," Moyer said. "Also, if you're storing user information in RDS, as many people still do, it makes sense to be able to query that to check a user's credentials."
Technically it's better to do session-based authentication in something like DynamoDB, but this allows a sort of bridge to interact with legacy systems, according to Moyer.
"If you're starting from scratch with a new system, you wouldn't want to store user info in RDS," Moyer said. "But if it's already there and you need to access it, this is perfect."
RDS encryption gets crucial updates
Amazon also enhanced AWS security with new encryption options for RDS, including the ability to encrypt shared snapshots -- an item prominent on users' wish lists when RDS shared snapshots first became available last November. Additionally, users now can add encryption to an existing RDS database, which previously was not possible.
"Adding encrypted snapshots is a great security feature enhancement," said Adam Book, principal engineer and senior cloud architect for Relus Technologies, a cloud consulting firm.
However, customers must be aware that KMS keys work in only one region, Book added.
"There are many use cases where snapshots are being used to rehydrate databases in a secondary region," he said. In that scenario, "if the snapshot is encrypted with KMS, then it will have issues being un-encrypted," he added.
Users should take advantage of Amazon's other security features when sharing snapshots to ensure the correct person receives them, advised Edward Haletky, CEO of the Virtualization Practice LLC in Austin, Texas.
"This is where two-factor authentication is an absolute necessity, if you're doing RDS snapshot sharing, because you don't want the wrong person to have it," he said.
AWS security features such as AWS CloudTrail can also be used to report on whether the right workflows have been followed in accessing the shared snapshot. Users interested in RDS snapshot sharing can also follow instructions in the AWS documentation to revoke access to a shared snapshot if a business partnership or the employment of the recipient ends. This is done by removing the person from the access policy on the snapshot or the key.
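The audit-and-revoke workflow described above, as an added example that is not part of the article: the CloudTrail records, snapshot identifier, key ID and account IDs are all constructed, and the functions only build the parameters for the real boto3 calls (rds.modify_db_snapshot_attribute and kms.put_key_policy) rather than making them, so it runs offline.

```python
import json

# Constructed CloudTrail records (not real data): the DBA shares the snapshot
# with account 222222222222, and a user in that account restores it.
CLOUDTRAIL_EVENTS = [
    {"eventName": "ModifyDBSnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dba"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-2016-02",
                           "attributeName": "restore",
                           "valuesToAdd": ["222222222222"]}},
    {"eventName": "RestoreDBInstanceFromDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/partner"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-2016-02"}},
    {"eventName": "DescribeDBInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dba"},
     "requestParameters": None},
]


def snapshot_access_log(events, snapshot_id):
    """Return (eventName, caller ARN) for every event that touched the snapshot,
    i.e. who shared it and who restored from it."""
    hits = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        if params.get("dBSnapshotIdentifier") == snapshot_id:
            hits.append((ev["eventName"], ev["userIdentity"]["arn"]))
    return hits


def remove_account_from_key_policy(policy, account_id):
    """Drop account_id's principals from a KMS key policy; statements left
    without any principal are removed, other principal kinds are untouched."""
    kept = []
    for stmt in policy["Statement"]:
        prin = stmt.get("Principal")
        if not isinstance(prin, dict) or "AWS" not in prin:
            kept.append(stmt)  # service or wildcard principals untouched
            continue
        aws = prin["AWS"] if isinstance(prin["AWS"], list) else [prin["AWS"]]
        remaining = [p for p in aws if f":{account_id}:" not in p]
        if remaining:
            kept.append({**stmt, "Principal": {**prin, "AWS": remaining}})
    return {**policy, "Statement": kept}


def revocation_plan(snapshot_id, key_id, key_policy, account_id):
    """Parameters for the two calls that revoke a recipient account: remove it
    from the snapshot's 'restore' attribute and from the KMS key policy."""
    new_policy = remove_account_from_key_policy(key_policy, account_id)
    return {"modify_db_snapshot_attribute": {"DBSnapshotIdentifier": snapshot_id,
                                             "AttributeName": "restore",
                                             "ValuesToRemove": [account_id]},
            "put_key_policy": {"KeyId": key_id, "PolicyName": "default",
                               "Policy": json.dumps(new_policy)}}
```

Because KMS keys are region-scoped, the key policy edited here is the one in the snapshot's own region; a copy re-encrypted elsewhere has its own key and policy to revoke.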
Still, Haletky would like to see this taken a step further, so that a change in an HR or accounting management application that accesses the data or shared snapshots automatically revokes access when the change is made.
"Providing the technology is one thing," he said. "Providing the workflow processes around it is another."
This can be done, theoretically, through configuration management and scripting tools such as Puppet or Chef, but Haletky wonders, "is it tied in to enough places that people will use it?"