Amazon Web Services (AWS) today announced several new features for improving and automating the management of vulnerabilities on its platform, in response to evolving security requirements in the cloud.
Newly added capabilities for the Amazon Inspector service will meet the “critical need to detect and remediate at speed” in order to secure cloud workloads, according to a post on the AWS blog, authored by developer advocate Steve Roberts. The announcement came in connection with the AWS re:Invent conference, which began today.
In a second security announcement, AWS unveiled a new secrets detector feature for its Amazon CodeGuru Reviewer tool, aimed at automatically detecting secrets such as passwords and API keys that were inadvertently committed in source code.
The security updates from AWS come as enterprises continue their accelerated shift to the cloud, even as security teams have struggled to keep up. Gartner estimates 70% of workloads will be running in public cloud within three years, up from 40% today. But a recent survey of cloud engineering professionals found that 36% of organizations suffered a serious cloud security data leak or a breach in the past 12 months.
Changing cloud security needs
In the post about the Amazon Inspector updates, Roberts acknowledged that “vulnerability management for cloud customers has changed considerably” since the service first launched in 2015.
Among the new requirements are “enabling frictionless deployment at scale, support for an expanded set of resource types needing assessment, and a critical need to detect and remediate at speed,” he said in the post.
Key updates for Amazon Inspector announced today include assessment scans that are continual and automated—taking the place of manual scans that occur only periodically—along with automated resource discovery.
“Tens of thousands of vulnerabilities exist, with new ones being discovered and made public on a regular basis. With this continually growing threat, manual assessment can lead to customers being unaware of an exposure and thus potentially vulnerable between assessments,” Roberts wrote in the post.
Using the updated Amazon Inspector will enable auto discovery and begin a continual assessment of a customer’s Elastic Compute Cloud (EC2) and Amazon Elastic Container Registry-based container workloads—ultimately evaluating the customer’s security posture “even as the underlying resources change,” he wrote.
More feature updates
AWS also announced a number of other new features for Amazon Inspector, including additional support for container-based workloads, with the ability to assess workloads on both EC2 and container infrastructure; integration with AWS Organizations, enabling customers to use Amazon Inspector across all of their organization’s accounts; elimination of the standalone Amazon Inspector scanning agent, with assessment scanning now performed by the AWS Systems Manager agent (so that a separate agent doesn’t need to be installed); and enhanced risk scoring and easier identification of the most critical vulnerabilities.
A “highly contextualized” risk score can now be generated through correlation of Common Vulnerability and Exposures (CVE) metadata with factors such as network accessibility, Roberts said.
Meanwhile, with the new secrets detector feature in Amazon CodeGuru Reviewer, AWS addresses the issue of accidental committing of secrets by developers to source code or configuration files, including passwords, API keys, SSH keys, and access tokens.
“As many other developers facing a strict deadline, I’ve often taken shortcuts when managing and consuming secrets in my code, using plaintext environment variables or hard-coding static secrets during local development, and then inadvertently commit them,” wrote Alex Casalboni, developer advocate at AWS, in a blog post announcing the updates for CodeGuru Reviewer. “Of course, I’ve always regretted it and wished there was an automated way to detect and secure these secrets across all my repositories.”
The new capability leverages machine learning to detect hardcoded secrets during a code review process, “ultimately helping you to ensure that all new code doesn’t contain hardcoded secrets before being merged and deployed,” Casalboni wrote.
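The following is an added illustration, not AWS’s CodeGuru Reviewer implementation (which, per the post, relies on machine learning): a small Python scanner that combines the two heuristics a pre-merge secrets check typically uses, fixed-format patterns for known credential shapes and a variable-name-plus-entropy check for generic string literals, run over a constructed source snippet whose values are all fake. The rule patterns, variable-name list and entropy scoring are assumptions for the example.

```python
import math
import re

# Constructed sample source file. All values are fake (the access key ID is the
# one AWS documentation uses as an example); they exist only to exercise the scanner.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
region = "us-east-1"
db_password = "hunter2"
API_TOKEN = "xq9Zt7Lm2Rb4Vc1Np8Qw5Ys3Hd6Kf0Jg"
ssh_key = "-----BEGIN RSA PRIVATE KEY-----"
"""

# Credential formats with a fixed, recognisable shape (simplified, assumed patterns).
FORMAT_RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# A string literal assigned to a variable whose name suggests a credential.
NAMED_ASSIGNMENT = re.compile(
    r"(?i)\b\w*(password|passwd|pwd|token|secret|api_?key)\w*\s*[:=]\s*['\"]([^'\"]+)['\"]")

def shannon_entropy(value):
    """Bits per character: random tokens score high, dictionary words and short passwords low."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def mask(value):
    """Never echo the secret itself into logs or review comments; keep only the edges."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_source(text):
    """Return one finding per suspicious line: (line number, rule, masked value, entropy)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in FORMAT_RULES:
            m = pattern.search(line)
            if m:
                findings.append((lineno, rule, mask(m.group(0)), round(shannon_entropy(m.group(0)), 2)))
                break
        else:  # no fixed-format hit on this line: fall back to the name-based heuristic
            m = NAMED_ASSIGNMENT.search(line)
            if m:
                value = m.group(2)
                findings.append((lineno, "named_assignment", mask(value), round(shannon_entropy(value), 2)))
    return findings

def blocks_merge(text):
    """Review gate: any finding means the change should not be merged as-is."""
    return bool(scan_source(text))

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

The entropy column is what separates a low-entropy password such as `hunter2` (caught only because of its variable name) from a random-looking token, which a name-agnostic check would also flag.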
AWS re:Invent 2021 takes place today through Friday, both in-person in Las Vegas and online.