HanaByte attended AWS re:Invent 2024, which was a hub for groundbreaking innovations. As an AWS Partner since 2022, we have been focused on being at the forefront of technology advancements as organizations choose HanaByte for their security, governance, and compliance goals. Here are the announcements we’re most excited about!
Top Announcements from AWS re:Invent 2024
AWS Security Incident Response
AWS Security Incident Response is a service launched during AWS re:Invent 2024 that is designed to help organizations swiftly prepare for, respond to, and recover from security incidents within their AWS environments. It integrates automated monitoring, streamlined communication, and expert support to enhance incident management.
Here are some highlights from the AWS Security Incident Response announcement:
- Automated Monitoring and Investigation: AWS Security Incident Response integrates with other AWS services such as Amazon GuardDuty and AWS Security Hub to monitor and triage security findings. It utilizes automation and customer-specific data to filter and suppress findings based on expected behavior, allowing teams to focus on critical alerts.
- Accelerated Communication and Coordination: AWS Security Incident Response centralizes communication and coordination, streamlining security incident response. Through this service, security cases are used to initiate incident response processes, security playbooks are readily available, and dashboards track key metrics such as mean time to resolution (MTTR).
- 24/7 Access to AWS Security Experts: AWS Security Incident Response gives customers 24/7 access to the AWS Customer Incident Response Team (CIRT), a team of AWS security subject-matter experts who assist with response and recovery operations.
- Post-Incident Reporting and Analysis: AWS Security Incident Response provides capabilities to create detailed reports that summarize case activities and recommended remediation actions, accelerating insights to improve security posture moving forward.
AWS GuardDuty Extended Threat Detection
Under the hood, AWS GuardDuty uses Artificial Intelligence (AI) and Machine Learning (ML) models trained by AWS at scale to detect threats in AWS environments. With the introduction of GuardDuty Extended Threat Detection, new attack sequence findings are added and existing findings are enriched with additional information, providing new insight in areas such as credential exfiltration, privilege escalation, and data exfiltration.
Here are some highlights from the GuardDuty Extended Threat Detection announcement:
- AI/ML-Powered Detection: Sophisticated AI and machine learning algorithms are implemented to automatically correlate security signals across AWS services, enabling the detection of complex, multi-stage attacks that may span various resources and time periods.
- Attack Sequence Findings: Historically, GuardDuty did not have critical severity findings. These have now been introduced, along with a natural language summary of the threat for a given detection that maps the observed activities to the MITRE ATT&CK Framework and offers actionable, prescriptive guidance for remediation activities.
- Comprehensive Threat Analysis: By correlating events across multiple data sources, including API activities and existing findings, GuardDuty Extended Threat Detection identifies potential in-progress or recent attack behaviors within a 24-hour rolling time window.
Geographic IP Filtering with AWS Network Firewall
AWS Network Firewall now has the ability to filter network traffic based on the geographic location of IP addresses, enhancing security and compliance for both IPv4 and IPv6 traffic.
Here are some highlights from the Geographic IP Filtering announcement:
- Geographic Traffic Filtering: Administrators can specify countries to allow or block traffic to and from, using country codes in firewall rules. This capability simplifies compliance with regional regulations and helps mitigate threats originating from specific locations.
- Integration with Suricata Rules: The feature supports integration with Suricata-compatible rule groups, allowing for the use of geographic IP filtering within existing security frameworks. Administrators can define rules using the geoip keyword to filter traffic based on source and destination countries.
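As an added illustration (not from the AWS announcement or HanaByte), the Suricata-compatible rules below show how the geoip keyword expresses country-based controls in an AWS Network Firewall stateful rule group. The country codes, sids, and message strings are assumptions chosen for the example, not a recommended block list.

```suricata
# Drop inbound connections whose source IP geolocates to the listed countries.
# The country codes (ISO 3166-1 alpha-2) and sids are illustrative placeholders.
drop ip any any -> any any (msg:"Deny inbound from restricted countries"; geoip:src,RU,KP; sid:1000001; rev:1;)

# Alert only (no block) on outbound traffic to an unexpected destination country,
# giving the SOC a finding to investigate before the rule is tightened to drop.
alert ip any any -> any any (msg:"Outbound to unexpected country"; geoip:dst,RU,KP; sid:1000002; rev:1;)

# Allow all remaining traffic. This trailing pass rule is assumed to be needed because
# the rule group uses strict evaluation order with a policy default action of drop.
pass ip any any -> any any (msg:"Allow remaining traffic"; sid:1000003; rev:1;)
```

Because geoip is evaluated by the stateful engine, these rules belong in a stateful rule group; under action-order evaluation the final pass rule is unnecessary.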
Governance with Declarative Policies
Declarative policies are a feature designed to streamline governance by allowing cloud practitioners and administrators to specify and enforce desired configurations across environments via a management policy that is distinct from service control policies (SCPs) and resource control policies (RCPs). This approach reduces maintenance overhead and ensures consistent governance across accounts.
Here are some highlights from the Declarative Policies announcement:
- Simplified Governance: Administrators can declare desired configurations for AWS services, and Declarative Policies will enforce these settings across the organization, preventing non-compliant actions regardless of how they are invoked.
- Enhanced Visibility: Provides administrators with insights into the current state of service attributes across their environment, facilitating better compliance monitoring and management.
- Customizable Error Messages: Allows administrators to configure custom error messages that guide end users when a restricted action is attempted, reducing frustration and directing them to appropriate resources or support channels.
OpenSearch Service and Amazon Security Lake Integration
AWS has announced the general availability of a zero-ETL (Extract, Transform, Load) integration between two services commonly used for security: Amazon OpenSearch Service and Amazon Security Lake. This integration enables organizations to effectively search, analyze, and gain actionable insights from their security data without the need for complex data pipelines.
Here are some highlights from the OpenSearch Service and Amazon Security Lake Integration announcement:
- In-Place Querying: Core to this announcement is the ability to query and analyze security data stored in Amazon Security Lake using Amazon OpenSearch Service, eliminating the need to move or transform data.
- OCSF Compatibility: Utilize the Open Cybersecurity Schema Framework (OCSF) to normalize and combine security data from various sources, facilitating standardized analysis and reporting.
- Enhanced Security Analytics: Leverage the rich analytics capabilities of OpenSearch Dashboards to perform deeper investigations, enhance threat hunting, and proactively monitor security posture.
- Cost and Operational Efficiency: By minimizing data duplication and reducing the operational overhead associated with managing custom data pipelines, organizations can lower analytics costs and streamline security operations.
Queryable Object Metadata for Amazon S3 Buckets
Amazon S3 Metadata is a feature that automatically generates queryable object metadata in near real time. This simplifies data governance by enabling customers to perform better data discovery and gain a deeper understanding of the data stored in Amazon S3. As an example, the metadata from this service can be used to detect unusual object sizes, unexpected source tags, or improper classifications.
Here are some highlights from the Queryable Object Metadata for Amazon S3 Buckets announcement:
- Automatic Metadata Generation: As objects are added or modified in S3 buckets, Amazon S3 Metadata captures system-defined details and stores this information in S3 Tables. This includes size and source tag – information useful for quick metadata searches in a security context.
- Custom Metadata Support: Customers can annotate objects with custom metadata using object tags, incorporating security-specific information like data sensitivity, data classification, or transaction IDs.
- Near Real-Time Updates: The metadata is updated promptly as changes occur, providing an up-to-date view of the data landscape.
Feature Enhancements for Observability in CloudWatch
Amazon announced many enhancements and new features for observability in AWS during re:Invent 2024. The tighter integration of the CloudWatch observability offerings allows for easier troubleshooting and quicker time to resolution for issues affecting application and infrastructure performance. Other notable mentions include ECS Container Insights Enhanced Observability, network performance monitoring with Flow Monitors, and Transaction Search, which helps resolve customer issues more quickly.
- Centralized Visibility into Telemetry Configuration: This allows you to identify and resolve gaps in monitoring capabilities. You can audit based on tags, resource identifiers, and many other attributes.
- CloudWatch and Amazon OpenSearch Integrated Experience: Amazon added support for OpenSearch SQL and PPL in the CloudWatch Logs Insights dashboard, allowing more complex queries to build custom insights.
- CloudWatch Database Insights: Provides a centralized dashboard for DBAs and engineers to troubleshoot issues and drill down to a root cause more quickly. Database Insights are generally available for Aurora Postgres and Aurora MySQL.
New AWS Security Specializations for APN Partners
During the AWS Partner Keynote with Dr. Ruba Borno, four (4) new security specializations were announced, adding to the differentiators that an AWS Partner in the AWS Partner Network (APN) can obtain.
Here are some highlights from the AWS Security Specializations for APN Partners announcement:
- AI Security Category for AWS Security Competency Partners: This category shows that a partner has demonstrated expertise in mitigating AI-specific security risk.
- Digital Sovereignty Competency: This competency recognizes partners that address digital sovereignty requirements regarding data residency and security, operator access restriction, resilience and survivability, and independence and transparency.
- Amazon Security Lake Specialization: This specialization showcases partners who utilize Amazon Security Lake and OCSF as either a source partner (sends logs and events in OCSF) or a subscriber partner (ingests logs and events in the OCSF format for analysis).
- AWS Security Incident Response Partners: These are specialized partners who have the ability to prepare for, respond to, and recover from security events utilizing the new AWS Security Incident Response service.
Why Partner With Us?
HanaByte is an Advanced Tier Partner with AWS and a consultancy focused on cloud security. We stay at the forefront of announcements from AWS and are ready to help organizations adopt these new capabilities and stay ahead of the curve. Contact us for a free consultation to get started!