
Top 2021 AWS service launches security professionals should review – Part 2

In Part 1 of this two-part series, we shared an overview of some of the most important 2021 Amazon Web Services (AWS) Security service and feature launches. In this follow-up, we’ll dive deep into additional launches that are important for security professionals to be aware of and understand across all AWS services. There have already been plenty in the first half of 2022, so we’ll highlight those soon, as well.

   <h2>AWS Identity</h2> 
   <p>You can use AWS Identity Services to build <a href="https://aws.amazon.com/security/zero-trust/" target="_blank" rel="noopener noreferrer">Zero Trust</a> architectures, help secure your environments with a <a href="https://aws.amazon.com/identity/data-perimeters-on-aws/" target="_blank" rel="noopener noreferrer">robust data perimeter</a>, and work toward the security best practice of <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege" target="_blank" rel="noopener noreferrer">granting least privilege</a>. In 2021, AWS expanded the identity source options, AWS Region availability, and support for AWS services. There is also added visibility and power in the permission management system. New features offer new integrations, additional policy checks, and secure resource sharing across AWS accounts.</p> 
   <h3>AWS Single Sign-On</h3> 
   <p>For identity management, <a href="https://aws.amazon.com/single-sign-on/" target="_blank" rel="noopener noreferrer">AWS Single Sign-On (AWS SSO)</a> is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS accounts in <a href="https://aws.amazon.com/organizations/" target="_blank" rel="noopener noreferrer">AWS Organizations</a>. In 2021, AWS SSO announced new integrations for JumpCloud and CyberArk users. This adds to the list of providers that you can use to connect your users and groups, which also includes Microsoft Active Directory Domain Services, Okta Universal Directory, Azure AD, OneLogin, and Ping Identity.</p> 
   <p>AWS SSO expanded its availability to new Regions: AWS GovCloud (US), Europe (Paris), and South America (São Paulo) Regions. Another very cool AWS SSO development is its integration with <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet.html" target="_blank" rel="noopener noreferrer">AWS Systems Manager Fleet Manager</a>. This integration enables you <a href="https://aws.amazon.com/blogs/security/how-to-enable-secure-seamless-single-sign-on-to-amazon-ec2-windows-instances-with-aws-sso/" target="_blank" rel="noopener noreferrer">to log in interactively to your Windows servers running on Amazon Elastic Compute Cloud (Amazon EC2)</a> while using your existing corporate identities—try it, it’s fantastic!</p> 
   <h3>AWS Identity and Access Management</h3> 
   <p>For access management, there have been a range of feature launches with <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener noreferrer">AWS Identity and Access Management (IAM)</a> that have added up to more power and visibility in the permissions management system. Here are some key examples.</p> 
   <p>IAM made it simpler to relate a user’s IAM role activity to their corporate identity. By setting the <a href="https://aws.amazon.com/about-aws/whats-new/2021/04/aws-identity-and-access-management-now-makes-it-easier-to-relate-a-users-iam-role-activity-to-their-corporate-identity/" target="_blank" rel="noopener noreferrer">new source identity attribute</a>, which persists through role assumption chains and gets logged in <a href="https://aws.amazon.com/cloudtrail/" target="_blank" rel="noopener noreferrer">AWS CloudTrail</a>, you can find out who is responsible for actions that IAM roles performed.</p> 
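<p>The following script is an added example, not code from the AWS post: it reads the <code>sourceIdentity</code> field that CloudTrail records in <code>userIdentity.sessionContext</code> for role sessions started with a source identity, maps each role action back to the person who set it (through a chained assumption as well), and collects role sessions that carry no source identity, which are the ones a trust-policy condition on <code>sts:SourceIdentity</code> would refuse. The CloudTrail records, account id, role names and e-mail pattern are constructed.</p>

```python
"""Attribute IAM role activity to a corporate identity via sts:SourceIdentity.

Added example, not from the AWS blog post. The CloudTrail records below are
constructed and abbreviated to the fields this script reads.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    {   # alice assumes a role and sets a source identity (constructed record)
        "eventName": "AssumeRole",
        "eventSource": "sts.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Deploy",
                              "sourceIdentity": "alice@example.com"},
    },
    {   # action by the Deploy role session; the source identity is persisted
        "eventName": "PutObject",
        "eventSource": "s3.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/alice-session",
            "sessionContext": {"sourceIdentity": "alice@example.com",
                               "sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/Deploy"}},
        },
    },
    {   # role chaining: Deploy assumed Admin; the source identity carries through
        "eventName": "DeleteBucket",
        "eventSource": "s3.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/Admin/chained",
            "sessionContext": {"sourceIdentity": "alice@example.com",
                               "sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/Admin"}},
        },
    },
    {   # a role session started without a source identity: not attributable
        "eventName": "GetObject",
        "eventSource": "s3.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/unknown",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/Deploy"}},
        },
    },
]


def source_identity(event):
    """Return the sts:SourceIdentity recorded for a role session, or None."""
    ctx = event.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sourceIdentity")


def attribute_actions(events):
    """Map each source identity to the (role, action) pairs it performed.

    Role sessions with no source identity land under the key None so they can
    be reviewed; those are the sessions the trust-policy condition below
    is meant to eliminate.
    """
    by_person = defaultdict(list)
    for ev in events:
        if ev["userIdentity"].get("type") != "AssumedRole":
            continue  # only role sessions need attribution
        action = f'{ev["eventSource"].split(".")[0]}:{ev["eventName"]}'
        role = ev["userIdentity"]["sessionContext"]["sessionIssuer"]["arn"].rsplit("/", 1)[-1]
        by_person[source_identity(ev)].append((role, action))
    return dict(by_person)


# Trust-policy statement that only lets the role be assumed when a source
# identity matching the corporate pattern is set (condition key and operator
# are standard IAM; the account id and pattern are constructed).
REQUIRE_SOURCE_IDENTITY = {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
    "Condition": {"StringLike": {"sts:SourceIdentity": "*@example.com"}},
}

if __name__ == "__main__":
    for person, actions in attribute_actions(SAMPLE_EVENTS).items():
        print(person or "UNATTRIBUTED role session", actions)
```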
   <p>IAM added support for policy conditions, to help manage permissions for AWS services that access your resources. This important feature launch of <a href="https://aws.amazon.com/about-aws/whats-new/2021/05/aws-identity-and-access-management-now-makes-it-easier-for-you-to-manage-permissions-for-aws-services-accessing-your-resources/" target="_blank" rel="noopener noreferrer">service principal conditions</a> helps you to distinguish between API calls being made <em>on your behalf</em> by a service principal, and those being made by a principal inside your account. You can choose to allow or deny the calls depending on your needs. As a security professional, you might find this especially useful in conjunction with the <a href="https://aws.amazon.com/blogs/security/how-to-define-least-privileged-permissions-for-actions-called-by-aws-services/" target="_blank" rel="noopener noreferrer">aws:CalledVia</a> condition key, which allows you to scope permissions down to specify that this account principal can only call this API if they are calling it using a particular AWS service that’s acting on their behalf. For example, your account principal can’t generally access a particular <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener noreferrer">Amazon Simple Storage Service (Amazon S3)</a> bucket, but if they are accessing it by using <a href="https://aws.amazon.com/athena/" target="_blank" rel="noopener noreferrer">Amazon Athena</a>, they can do so. These conditions can also be used in <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html" target="_blank" rel="noopener noreferrer">service control policies (SCPs)</a> to give account principals broader scope across an account, organizational unit, or organization; they need not be added to individual principal policies or resource policies.</p> 
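<p>The Athena-only bucket access described above, as an added example that is not part of the post: the policy document uses real IAM syntax (<code>aws:CalledVia</code> is a multivalued key, so it needs the <code>ForAnyValue:StringEquals</code> set operator), while the evaluator is a small stand-in written for this example that models only Allow statements and two condition operators, enough to show that a direct call, which carries no <code>aws:CalledVia</code> value at all, fails the condition. The bucket name and request contexts are constructed.</p>

```python
"""Scoping S3 access to calls made through Amazon Athena with aws:CalledVia.

Added example, not from the AWS blog post. The evaluator is a deliberately
small model of IAM evaluation, not the real thing; bucket and keys are
constructed.
"""
import fnmatch

ATHENA_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadDataLakeOnlyViaAthena",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-data-lake",
                "arn:aws:s3:::example-data-lake/*",
            ],
            # aws:CalledVia lists the services in the call chain, so a set
            # operator is required; a single-valued StringEquals would not apply.
            "Condition": {
                "ForAnyValue:StringEquals": {"aws:CalledVia": ["athena.amazonaws.com"]}
            },
        }
    ],
}


def _matches_any(patterns, value, fold_case):
    """IAM-style wildcard match (* and ?) of a value against a pattern list."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:  # action names are case-insensitive in IAM; ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Evaluate the two condition operators this example needs."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "StringEquals":
                # single-valued key; a missing key fails the test
                if actual is None or actual not in expected:
                    return False
            elif operator == "ForAnyValue:StringEquals":
                # multivalued key; passes if any request value is expected.
                # A direct call has no aws:CalledVia at all and fails here.
                if not actual or not (set(actual) & set(expected)):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
    return True


def evaluate(policy, ctx):
    """Return "Allow" if some statement allows the request, else "ImplicitDeny"."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            raise NotImplementedError("only Allow statements are modelled")
        if not _matches_any(stmt["Action"], ctx["action"], fold_case=True):
            continue
        if not _matches_any(stmt["Resource"], ctx["resource"], fold_case=False):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return "Allow"
    return "ImplicitDeny"


# Constructed request contexts: same principal, action and object each time.
DIRECT_CALL = {
    "action": "s3:GetObject",
    "resource": "arn:aws:s3:::example-data-lake/sales/2021/q4.parquet",
}
VIA_ATHENA = {**DIRECT_CALL, "aws:CalledVia": ["athena.amazonaws.com"]}
VIA_OTHER_SERVICE = {**DIRECT_CALL, "aws:CalledVia": ["cloudformation.amazonaws.com"]}

if __name__ == "__main__":
    for name, ctx in [("direct", DIRECT_CALL), ("via Athena", VIA_ATHENA),
                      ("via CloudFormation", VIA_OTHER_SERVICE)]:
        print(f"{name:>20}: {evaluate(ATHENA_ONLY_POLICY, ctx)}")
```

<p>The same statement can be placed in an SCP, as the paragraph notes, so that every principal in an OU gets the Athena-only scoping without touching individual identity policies.</p>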
   <p>Another very handy new IAM feature launch is <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/aws-identity-access-management-efficient-troubleshoot-error/" target="_blank" rel="noopener noreferrer">additional information about the reason for an <em>access denied</em> error message</a>. With this additional information, you can now see which of the relevant access control policies (for example, IAM, resource, SCP, or VPC endpoint) was the cause of the denial. As of now, this new IAM feature is supported by more than 50% of all AWS services in the <a href="https://aws.amazon.com/getting-started/tools-sdks/" target="_blank" rel="noopener noreferrer">AWS SDK</a> and <a href="https://aws.amazon.com/cli/" target="_blank" rel="noopener noreferrer">AWS Command Line Interface</a>, and a fast-growing number in the <a href="https://aws.amazon.com/console/" target="_blank" rel="noopener noreferrer">AWS Management Console</a>. We will continue to add support for this capability across services, as well as add more features that are designed to make the journey to least privilege simpler.</p> 
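<p>One way to put the richer <em>access denied</em> messages to work, as an added example that is not part of the post: a small parser that extracts the principal, action and resource from the message and classifies the denial by the policy type IAM now names (an explicit deny "in a service control policy", "in a VPC endpoint policy", and so on, or an implicit deny "because no identity-based policy allows" the action). A legacy message with no reason is kept but left unclassified. The message shapes follow the format IAM returns; the principals, actions and resources in the samples are constructed.</p>

```python
"""Triage of IAM "access denied" messages by the policy type that caused them.

Added example, not from the AWS blog post. Sample messages are constructed.
"""
import re
from collections import Counter

SAMPLE_MESSAGES = [
    'User: arn:aws:sts::111122223333:assumed-role/Analyst/s1 is not authorized to perform: '
    's3:GetObject on resource: "arn:aws:s3:::example-data-lake/sales/2021/q4.parquet" '
    'because no identity-based policy allows the s3:GetObject action',
    'User: arn:aws:iam::111122223333:user/bob is not authorized to perform: ec2:RunInstances '
    'on resource: arn:aws:ec2:us-east-1:111122223333:instance/* '
    'with an explicit deny in a service control policy',
    'User: arn:aws:iam::111122223333:user/bob is not authorized to perform: s3:PutObject '
    'on resource: "arn:aws:s3:::example-data-lake/sales/2021/q4.parquet" '
    'with an explicit deny in a VPC endpoint policy',
    'User: arn:aws:iam::444455556666:user/eve is not authorized to perform: s3:GetObject '
    'on resource: "arn:aws:s3:::example-data-lake/sales/2021/q4.parquet" '
    'because no resource-based policy allows the s3:GetObject action',
    # legacy shape with no reason (pre-2021 format, or a service not yet supporting it)
    'User: arn:aws:iam::111122223333:user/bob is not authorized to perform: kms:Decrypt '
    'on resource: arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID',
]

_HEAD = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r" on resource: (?P<resource>\S+)"
)
_EXPLICIT = re.compile(r"with an explicit deny in an? (?P<policy>[A-Za-z -]+?)\.?$")
_IMPLICIT = re.compile(r"because no (?P<policy>[A-Za-z -]+?) allows the \S+ action")


def classify_denial(message):
    """Parse one message; 'policy' stays None when no reason is present."""
    head = _HEAD.search(message)
    if not head:
        return None
    info = {
        "principal": head["principal"],
        "action": head["action"],
        "resource": head["resource"].strip('"'),
        "deny_type": None,
        "policy": None,
    }
    explicit = _EXPLICIT.search(message)
    implicit = _IMPLICIT.search(message)
    if explicit:
        info.update(deny_type="explicit", policy=explicit["policy"])
    elif implicit:
        info.update(deny_type="implicit", policy=implicit["policy"])
    return info


def summarize(messages):
    """Count denials by (deny_type, policy type).

    Guardrail hits (SCP, VPC endpoint policy) are usually expected and need a
    different owner than a plain missing identity-based permission.
    """
    counts = Counter()
    for msg in messages:
        parsed = classify_denial(msg)
        if parsed is not None:
            counts[(parsed["deny_type"], parsed["policy"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_MESSAGES).items(), key=str):
        print(f"{n} x {key}")
```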
   <h3>IAM Access Analyzer</h3> 
   <p><a href="https://aws.amazon.com/iam/features/analyze-access/" target="_blank" rel="noopener noreferrer">AWS Identity and Access Management (IAM) Access Analyzer</a> provides actionable recommendations to set secure and functional permissions. Access Analyzer introduced the ability to <a href="https://aws.amazon.com/about-aws/whats-new/2021/03/iam-access-analyzer-validate-access-before-deploying-permissions-changes/" target="_blank" rel="noopener noreferrer">preview the impact of policy changes before deployment</a> and <a href="https://aws.amazon.com/about-aws/whats-new/2021/03/iam-access-analyzer-supports-over-100-policy-checks-with-actionable-recommendations/" target="_blank" rel="noopener noreferrer">added over 100 policy checks</a> for correctness. Both of these enhancements are integrated into the console and are also available through APIs. Access Analyzer also provides findings for external access allowed by resource policies for many services, including a previous launch in which IAM Access Analyzer was <a href="https://aws.amazon.com/about-aws/whats-new/2019/12/introducing-access-analyzer-for-amazon-s3-to-review-access-policies/" target="_blank" rel="noopener noreferrer">directly integrated into the Amazon S3 management console</a>.</p> 
   <p>IAM Access Analyzer also launched the ability to generate fine-grained policies based on analyzing past AWS CloudTrail activity. This feature provides a great new capability for DevOps teams or central security teams to scope down policies to just the permissions needed, <a href="https://aws.amazon.com/about-aws/whats-new/2021/04/iam-access-analyzer-easier-implement-least-privilege-permissions-generating-iam-policies-access-activity/" target="_blank" rel="noopener noreferrer">making it simpler to implement least privilege permissions</a>. IAM Access Analyzer launched further enhancements to <a href="https://aws.amazon.com/about-aws/whats-new/2021/06/iam-access-analyzer-adds-new-policy-checks-help-validate-conditions-during-iam-policy-authoring/" target="_blank" rel="noopener noreferrer">expand policy checks</a>, and the ability to generate a sample least-privilege policy from past activity was expanded beyond the account level to include <a href="https://aws.amazon.com/about-aws/whats-new/2021/08/iam-access-analyzer-generate-iam-policies/" target="_blank" rel="noopener noreferrer">an analysis of principal behavior within the entire organization</a> by analyzing log activity stored in AWS CloudTrail.</p> 
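<p>To make the idea behind policy generation concrete, here is an added example that is not Access Analyzer's code and not from the post: it reduces constructed CloudTrail records for one role to a starting least-privilege policy, grouping observed actions by service, collapsing S3 object ARNs to a bucket-wide prefix, and deliberately ignoring calls that were denied or failed, since an attempt that did not succeed is not evidence that the permission is needed. Access Analyzer's own generator does considerably more (for example mapping CloudTrail event names to IAM action names where they differ); the account id, role and bucket names are constructed.</p>

```python
"""Derive a starting least-privilege policy from observed CloudTrail activity.

Added example, not AWS code. Access Analyzer's generator is a managed service
with its own logic; this shows the core idea on constructed records.
"""
import json
from collections import defaultdict

ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/Reporter/"   # constructed

SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE_ARN + "s1"},
     "resources": [{"ARN": "arn:aws:s3:::reports-bucket/2021/q4.csv"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": ROLE_ARN + "s1"},
     "resources": [{"ARN": "arn:aws:s3:::reports-bucket/2021/q3.csv"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": ROLE_ARN + "s2"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": ROLE_ARN + "s2"}},          # no resource-level scoping
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",  # denied: not evidence of need
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": ROLE_ARN + "s2"},
     "resources": [{"ARN": "arn:aws:s3:::reports-bucket/2021/q4.csv"}]},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",  # a different role
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/x"}},
]


def _role_name(user_identity):
    """arn:aws:sts::acct:assumed-role/RoleName/session -> RoleName, else None."""
    arn = user_identity.get("arn", "")
    parts = arn.split(":assumed-role/")
    return parts[1].split("/")[0] if len(parts) == 2 else None


def _generalize(arn):
    """Collapse S3 object ARNs to a bucket-wide prefix; keep other ARNs exact."""
    prefix = "arn:aws:s3:::"
    if arn.startswith(prefix) and "/" in arn[len(prefix):]:
        return arn.split("/", 1)[0] + "/*"
    return arn


def generate_policy(events, role_name):
    """Build one Allow statement per service from successful calls of one role."""
    actions = defaultdict(set)
    resources = defaultdict(set)
    for ev in events:
        if _role_name(ev["userIdentity"]) != role_name:
            continue
        if ev.get("errorCode"):
            continue  # denied or failed calls are excluded
        service = ev["eventSource"].split(".")[0]
        actions[service].add(f"{service}:{ev['eventName']}")
        for res in ev.get("resources", []):
            resources[service].add(_generalize(res["ARN"]))
    statements = []
    for service in sorted(actions):
        statements.append({
            "Effect": "Allow",
            "Action": sorted(actions[service]),
            "Resource": sorted(resources[service]) or "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(generate_policy(SAMPLE_EVENTS, "Reporter"), indent=2))
```

<p>The generated document is a starting point for review, not something to deploy blindly: resource-level wildcards such as the S3 prefix above are a judgement call, and a policy derived from one quiet month will miss quarterly or yearly tasks.</p>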
   <h3>AWS Resource Access Manager</h3> 
   <p><a href="https://aws.amazon.com/ram/" target="_blank" rel="noopener noreferrer">AWS Resource Access Manager (AWS RAM)</a> helps you securely share your resources across unrelated AWS accounts within your organization or organizational units (OUs) in AWS Organizations. Now you can also <a href="https://aws.amazon.com/about-aws/whats-new/2021/06/aws-resource-access-manager-enables-granular-access-control-additional-managed-permissions/" target="_blank" rel="noopener noreferrer">share your resources with IAM roles and IAM users</a> for supported resource types. This update enables more granular access using managed permissions that you can use to define access to shared resources. In addition to the default managed permission defined for each shareable resource type, you now have more flexibility to choose which permissions to grant to whom for resource types that support additional managed permissions. Additionally, AWS RAM <a href="https://aws.amazon.com/about-aws/whats-new/2021/12/aws-resource-access-manager-global-resource-types/" target="_blank" rel="noopener noreferrer">added support for global resource types</a>, enabling you to provision a global resource once, and share that resource across your accounts. A global resource is one that can be used in multiple AWS Regions; the first example of a global resource is found in <a href="https://aws.amazon.com/cloud-wan/" target="_blank" rel="noopener noreferrer">AWS Cloud WAN</a>, currently in preview as of this publication. AWS RAM helps you more securely share an AWS Cloud WAN <a href="https://docs.aws.amazon.com/vpc/latest/cloudwan/cloudwan-concepts.html" target="_blank" rel="noopener noreferrer">core network</a>, which is a managed network containing AWS and on-premises networks. With AWS RAM global resource sharing, you can use the Cloud WAN core network to centrally operate a unified global network across Regions and accounts.</p> 
   <h3>AWS Directory Service</h3> 
   <p><a href="https://aws.amazon.com/directoryservice/" target="_blank" rel="noopener noreferrer">AWS Directory Service for Microsoft Active Directory</a>, also known as AWS Managed Microsoft Active Directory (AD), was updated to automatically provide <a href="https://aws.amazon.com/about-aws/whats-new/2021/12/aws-managed-microsoft-ad-amazon-cloudwatch/" target="_blank" rel="noopener noreferrer">domain controller and directory utilization metrics in Amazon CloudWatch</a> for new and existing directories. Analyzing these utilization metrics helps you quantify your average and peak load times to identify the need for additional domain controllers. With this, you can define the number of domain controllers to meet your performance, resilience, and cost requirements.</p> 
   <h3>Amazon Cognito</h3> 
   <p><a href="https://aws.amazon.com/cognito/" target="_blank" rel="noopener noreferrer">Amazon Cognito</a> <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html" target="_blank" rel="noopener noreferrer">identity pools (federated identities)</a> was updated <a href="https://aws.amazon.com/about-aws/whats-new/2021/01/amazon-cognito-identity-pools-now-enables-customers-to-use-attributes-from-identity-providers-to-simplify-permissions-management-to-aws-resources/" target="_blank" rel="noopener noreferrer">to enable you to use attributes from social and corporate identity providers</a> to make access control decisions and simplify permissions management in AWS resources. In Amazon Cognito, you can choose predefined attribute-tag mappings, or you can create custom mappings using the attributes from social and corporate providers’ access and ID tokens, or SAML assertions. You can then reference the tags in an IAM permissions policy to implement attribute-based access control (ABAC) and manage access to your AWS resources. Amazon Cognito also <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-cognito-console-user-pools/" target="_blank" rel="noopener noreferrer">launched a new console experience for user pools</a> and now supports targeted sign out through refresh token revocation.</p> 
   <h2>Governance, control, and logging services</h2> 
   <p>There were a number of important releases in 2021 in the areas of governance, control, and logging services.</p> 
   <h3>AWS Organizations</h3> 
   <p><a href="https://aws.amazon.com/organizations/" target="_blank" rel="noopener noreferrer">AWS Organizations</a> added a number of important features and integrations during 2021. Security-relevant services like <a href="https://aws.amazon.com/about-aws/whats-new/2021/12/amazon-detective-account-management-support-aws-organizations/" target="_blank" rel="noopener noreferrer">Amazon Detective</a>, <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-inspector-continual-vulnerability-management/" target="_blank" rel="noopener noreferrer">Amazon Inspector</a>, and <a href="https://aws.amazon.com/about-aws/whats-new/2021/12/amazon-virtual-private-cloud-vpc-announces-ip-address-manager-ipam/" target="_blank" rel="noopener noreferrer">Amazon Virtual Private Cloud (Amazon VPC) IP Address Manager (IPAM)</a>, as well as others like <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-devops-guru-multi-account-insight-aws-organizations/" target="_blank" rel="noopener noreferrer">Amazon DevOps Guru</a>, launched integrations with Organizations. Others like <a href="https://aws.amazon.com/single-sign-on/" target="_blank" rel="noopener noreferrer">AWS SSO</a> and <a href="https://docs.aws.amazon.com/license-manager/" target="_blank" rel="noopener noreferrer">AWS License Manager</a> upgraded their Organizations support by <a href="https://aws.amazon.com/about-aws/whats-new/2021/10/aws-license-manager-delegated-administrator-managed-entitlements/" target="_blank" rel="noopener noreferrer">adding support for a Delegated Administrator account</a>, reducing the need to use the management account for operational tasks. 
<a href="https://aws.amazon.com/about-aws/whats-new/2021/10/amazon-ec2-amazon-machine-images-organizations/" target="_blank" rel="noopener noreferrer">Amazon EC2</a> and <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/ec2-image-builder-sharing-amis-aws-organization-units/" target="_blank" rel="noopener noreferrer">EC2 Image Builder</a> took advantage of the account grouping capabilities provided by Organizations to allow cross-account sharing of Amazon Machine Images (AMIs) (for more details, see the Amazon EC2 section later in this post). Organizations also got an <a href="https://aws.amazon.com/about-aws/whats-new/2021/05/aws-organizations-launches-new-console-experience/" target="_blank" rel="noopener noreferrer">updated console</a>, <a href="https://aws.amazon.com/about-aws/whats-new/2021/07/aws-organizations-increases-quotas-tag-policies/" target="_blank" rel="noopener noreferrer">increased quotas for tag policies</a>, and provided support for the launch of <a href="https://aws.amazon.com/blogs/mt/programmatically-managing-alternate-contacts-on-member-accounts-with-aws-organizations/" target="_blank" rel="noopener noreferrer">an API that allows for programmatic creation and maintenance of AWS account alternate contacts</a>, including the very important security contact (although that feature doesn’t require Organizations). For more information on the value of using the security contact for your accounts, see the blog post <a href="https://aws.amazon.com/blogs/security/update-the-alternate-security-contact-across-your-aws-accounts-for-timely-security-notifications/" target="_blank" rel="noopener noreferrer">Update the alternate security contact across your AWS accounts for timely security notifications</a>.</p> 
   <h3>AWS Control Tower</h3> 
   <p>2021 was also a good year for <a href="https://aws.amazon.com/controltower/" target="_blank" rel="noopener noreferrer">AWS Control Tower</a>, beginning with an important launch of <a href="https://aws.amazon.com/about-aws/whats-new/2021/01/aws-control-tower-extends-governance-existing-ous-aws-organizations/" target="_blank" rel="noopener noreferrer">the ability to take over governance of existing OUs and accounts</a>, as well as bulk update of new settings and guardrails with <a href="https://aws.amazon.com/about-aws/whats-new/2021/01/aws-control-tower-provides-bulk-account-update/" target="_blank" rel="noopener noreferrer">a single button click or API call</a>. Toward the end of 2021, AWS Control Tower added another valuable enhancement that allows it to work with a broader set of customers and use cases, namely <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/aws-control-tower-supports-nested-organizational-units/" target="_blank" rel="noopener noreferrer">support for nested OUs</a> within an organization.</p> 
   <h3>AWS CloudFormation Guard 2.0</h3> 
   <p>Another important milestone in 2021 for creating and maintaining a well-governed cloud environment was the <a href="https://aws.amazon.com/about-aws/whats-new/2021/05/aws-cloudformation-guard-2-0-is-now-generally-available/" target="_blank" rel="noopener noreferrer">re-launch of CloudFormation Guard as Cfn-Guard 2.0</a>. This launch was a major overhaul of the Cfn-Guard domain-specific language (DSL), <a href="https://aws.amazon.com/blogs/mt/introducing-aws-cloudformation-guard-2-0/" target="_blank" rel="noopener noreferrer">a DSL designed to provide the ability to test infrastructure-as-code (IaC) templates such as CloudFormation and Terraform</a> to make sure that they conform with a set of constraints written in the DSL by a central team, such as a security organization or network management team.</p> 
   <p>This approach provides a powerful new middle ground between the older security models of prevention (which provide developers only an <em>access denied</em> message, and often can’t distinguish between an acceptable and an unacceptable use of the same API) and a <em>detect and react</em> model (when undesired states have already gone live). The Cfn-Guard 2.0 model gives builders the freedom to build with IaC, while allowing central teams to have the ability to reject infrastructure configurations or changes that don’t conform to central policies—and to do so with completely custom error messages that invite dialog between the builder team and the central team, in case the rule is unnuanced and needs to be refined, or if a specific exception needs to be created.</p> 
   <p>For example, a builder team might be allowed to provision and attach an internet gateway to a VPC, but the team can do this only if the routes to the internet gateway are limited to a certain pre-defined set of CIDR ranges, such as the public addresses of the organization’s branch offices. It’s not possible to write an IAM policy that takes into account the CIDR values of a VPC route table update, but you can write a Cfn-Guard 2.0 rule that allows the creation and use of an internet gateway, but only with a defined and limited set of IP addresses.</p> 
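<p>The internet-gateway rule just described, as an added example that is not part of the post and not Cfn-Guard DSL: it implements the same check in plain Python over a CloudFormation template, so the logic is easy to follow and to run. Routes are in scope only when their <code>GatewayId</code> points at an internet gateway; each such route's destination must fall inside an allow-listed range, and a violation carries the kind of custom message the paragraph above describes. The template, the branch-office ranges and the message wording are constructed.</p>

```python
"""Policy-as-code check: routes to an internet gateway may only target
allow-listed CIDR ranges.

Added example, not from the AWS blog post and not Cfn-Guard syntax. The
template and the branch-office ranges are constructed.
"""
import ipaddress

# Constructed allow-list: public ranges of the organization's branch offices.
ALLOWED_INTERNET_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed, abbreviated template; only the fields the check reads are present.
TEMPLATE = {
    "Resources": {
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "Igw": {"Type": "AWS::EC2::InternetGateway"},
        "PublicRt": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "Vpc"}}},
        "BranchRoute": {  # conforms: narrower than an allowed range
            "Type": "AWS::EC2::Route",
            "Properties": {"RouteTableId": {"Ref": "PublicRt"},
                           "DestinationCidrBlock": "203.0.113.0/25",
                           "GatewayId": {"Ref": "Igw"}},
        },
        "DefaultRoute": {  # violates: the whole internet via the IGW
            "Type": "AWS::EC2::Route",
            "Properties": {"RouteTableId": {"Ref": "PublicRt"},
                           "DestinationCidrBlock": "0.0.0.0/0",
                           "GatewayId": {"Ref": "Igw"}},
        },
        "NatRoute": {  # not via an IGW, so outside this rule's scope
            "Type": "AWS::EC2::Route",
            "Properties": {"RouteTableId": {"Ref": "PublicRt"},
                           "DestinationCidrBlock": "0.0.0.0/0",
                           "NatGatewayId": {"Ref": "Nat"}},
        },
    }
}


def _gateway_target(props):
    """Resolve GatewayId to a logical id ({"Ref": ...}) or a literal string."""
    gw = props.get("GatewayId")
    return gw.get("Ref") if isinstance(gw, dict) else gw


def _within_allowed(cidr, allowed):
    """True if cidr is equal to or narrower than some allowed range."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # malformed destination counts as a violation
    for item in allowed:
        allowed_net = ipaddress.ip_network(item, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def check_igw_routes(template, allowed=ALLOWED_INTERNET_CIDRS):
    """Return violations as (logical_id, destination, message) tuples.

    A route is in scope when its GatewayId references an internet gateway
    declared in the template or is a literal igw-... id.
    """
    resources = template.get("Resources", {})
    igws = {name for name, res in resources.items()
            if res.get("Type") == "AWS::EC2::InternetGateway"}
    violations = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Route":
            continue
        props = res.get("Properties", {})
        target = _gateway_target(props)
        literal_igw = isinstance(target, str) and target.startswith("igw-")
        if target not in igws and not literal_igw:
            continue
        dest = props.get("DestinationCidrBlock") or props.get("DestinationIpv6CidrBlock")
        if dest is None or not _within_allowed(dest, allowed):
            violations.append((name, dest,
                f"{name}: routes {dest} to an internet gateway; only the branch-office "
                f"ranges {allowed} are permitted. Contact the network team for an exception."))
    return violations


if __name__ == "__main__":
    for _, _, message in check_igw_routes(TEMPLATE):
        print(message)
```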
   <h3>AWS Systems Manager Incident Manager</h3> 
   <p>An important launch that security professionals should know about is <a href="https://docs.aws.amazon.com/incident-manager/latest/userguide/what-is-incident-manager.html" target="_blank" rel="noopener noreferrer">AWS Systems Manager Incident Manager</a>. Incident Manager provides a number of powerful capabilities for managing incidents of any kind, including operational and availability issues but also security issues. With Incident Manager, you can automatically take action when a critical issue is detected by an <a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener noreferrer">Amazon CloudWatch</a> alarm or <a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener noreferrer">Amazon EventBridge</a> event. Incident Manager runs pre-configured response plans to engage responders by using SMS and phone calls, can enable chat commands and notifications using <a href="https://aws.amazon.com/chatbot/" target="_blank" rel="noopener noreferrer">AWS Chatbot</a>, and runs automation workflows with AWS Systems Manager Automation runbooks. The Incident Manager console integrates with <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html" target="_blank" rel="noopener noreferrer">AWS Systems Manager OpsCenter</a> to help you track incidents and post-incident action items from a central place that also synchronizes with third-party management tools such as Jira Service Desk and ServiceNow. Incident Manager enables cross-account sharing of incidents using AWS RAM, and provides cross-Region replication of incidents to achieve higher availability.</p> 
   <h3>AWS CloudTrail</h3> 
   <p><a href="https://aws.amazon.com/cloudtrail/" target="_blank" rel="noopener noreferrer">AWS CloudTrail</a> added some great new logging capabilities in 2021, including logging data-plane events <a href="https://aws.amazon.com/about-aws/whats-new/2021/03/aws-cloudtrail-adds-logging-of-data-events-for-amazon-dynamoDB/" target="_blank" rel="noopener noreferrer">for Amazon DynamoDB</a> and <a href="https://aws.amazon.com/about-aws/whats-new/2021/07/aws-cloudtrail-supports-logging-data-events-amazon-ebs-direct-apis/" target="_blank" rel="noopener noreferrer">Amazon Elastic Block Store (Amazon EBS) direct APIs</a> (direct APIs allow access to EBS snapshot content through a REST API). CloudTrail also got further enhancements to its machine-learning based <a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-insights-events-with-cloudtrail.html" target="_blank" rel="noopener noreferrer">CloudTrail Insights</a> feature, including a new one called <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/aws-cloudtrail-announces-launch-errorrate-insights/" target="_blank" rel="noopener noreferrer">ErrorRate Insights</a>.</p> 
   <h2>Amazon S3</h2> 
   <p> Amazon Simple Storage Service (Amazon S3) is one of the most important services at AWS, and its steady addition of security-related enhancements is always big news. Here are the 2021 highlights.</p> 
   <h3>Access Points aliases</h3> 
   <p><a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener noreferrer">Amazon S3</a> introduced a new feature, <a href="https://aws.amazon.com/about-aws/whats-new/2021/07/amazon-s3-access-points-aliases-allow-application-requires-s3-bucket-name-easily-use-access-point/" target="_blank" rel="noopener noreferrer">Amazon S3 Access Points aliases</a>. With Amazon S3 Access Points aliases, you can make the access points backwards-compatible with a large amount of existing code that is programmed to interact with S3 buckets rather than access points.</p> 
   <p>To understand the importance of this launch, we have to go back to 2019 to the launch of <a href="https://aws.amazon.com/about-aws/whats-new/2019/12/amazon-s3-access-points-manage-data-access-at-scale-shared-data-sets/#:~:text=Amazon%20S3%20Access%20Points%20is,permissions%20customized%20for%20the%20application." target="_blank" rel="noopener noreferrer">Amazon S3 Access Points</a>. Access points are a powerful mechanism for managing S3 bucket access. They provide a great simplification for managing and controlling access to shared datasets in S3 buckets. You can create up to 1,000 access points per Region within each of your AWS accounts. Although bucket access policies remain fully enforced, you can delegate access control from the bucket to its access points, allowing for distributed and granular control. Each access point enforces a customizable policy that can be managed by a particular workgroup, while also avoiding the problem of bucket policies needing to grow beyond their maximum size. Finally, you can also bind an access point to a particular VPC for its lifetime, to prevent access directly from the internet. </p> 
   <p>With the 2021 launch of Access Points aliases, Amazon S3 now generates a unique DNS name, or <em>alias</em>, for each access point. An Access Point alias looks and acts just like an S3 bucket name to existing code. This means that you don’t need to make changes to older code to use Amazon S3 Access Points; just substitute an Access Point alias wherever you previously used a bucket name. As a security team, it’s important to know that this flexible and powerful administrative feature is backwards-compatible and can be treated as a drop-in replacement in your various code bases that use Amazon S3 but haven’t been updated to use access point APIs. In addition, using Access Points aliases adds a number of powerful security-related controls, such as permanent binding of S3 access to a particular VPC.</p> 
   <h3>Bucket Keys</h3> 
   <p>Amazon S3 launched <a href="https://aws.amazon.com/about-aws/whats-new/2021/06/identify-and-copy-existing-objects-to-use-s3-bucket-keys-reducing-the-costs-of-server-side-encryption-with-aws-key-management-service-sse-kms/" target="_blank" rel="noopener noreferrer">support for S3 Inventory and S3 Batch Operations to identify and copy objects to use S3 Bucket Keys</a>, which can help reduce the costs of server-side encryption (SSE) with <a href="https://aws.amazon.com/kms/" target="_blank" rel="noopener noreferrer">AWS Key Management Service (AWS KMS)</a>.</p> 
   <p><a href="https://aws.amazon.com/about-aws/whats-new/2020/12/amazon-s3-bucket-keys-reduce-the-costs-of-server-side-encryption-with-aws-key-management-service-sse-kms/" target="_blank" rel="noopener noreferrer">S3 Bucket Keys were launched at the end of 2020</a>, another great launch that security professionals should know about, so here is an overview in case you missed it. S3 Bucket Keys are data keys generated by AWS KMS to provide another layer of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping" target="_blank" rel="noopener noreferrer">envelope encryption</a> in which the outer layer (the S3 Bucket Key) is cached by S3 for a short period of time. This extra key layer increases performance and reduces the cost of requests to AWS KMS. It achieves this by decreasing the request traffic from Amazon S3 to AWS KMS from a one-to-one model—one request to AWS KMS for each object written to or read from Amazon S3—to a one-to-many model using the cached S3 Bucket Key. The S3 Bucket Key is never stored persistently in an unencrypted state outside AWS KMS, and so Amazon S3 ultimately must always return to AWS KMS to encrypt and decrypt the S3 Bucket Key, and thus, the data. As a result, you still retain control of the key hierarchy and resulting encrypted data through AWS KMS, and are still able to audit Amazon S3 returning periodically to AWS KMS to refresh the S3 Bucket Keys, as logged in CloudTrail.</p> 
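<p>To show what the one-to-one versus one-to-many request model means in numbers, here is an added toy model that is not AWS code: a stand-in KMS that counts requests, a classic SSE-KMS writer that calls <code>GenerateDataKey</code> once per object, and a Bucket Keys writer that fetches one bucket key per cache window and derives per-object keys from it locally, with reads going back to KMS only when the wrapped bucket key is not already cached. The wrapping scheme (HMAC keystream) and the derivation (HMAC as a KDF) are assumptions made for the example; the real S3 and KMS internals are not public, and the model reproduces only the request-count behaviour the paragraph describes.</p>

```python
"""Toy model of S3 Bucket Keys: how a cached bucket-level key cuts KMS traffic.

Added example, not AWS code. FakeKms, the wrapping scheme and the derivation
are stand-ins built from the standard library for illustration only.
"""
import hashlib
import hmac
import secrets


class FakeKms:
    """Counts requests and wraps/unwraps 32-byte keys under a root key it never reveals."""

    def __init__(self):
        self.requests = 0
        self._root = secrets.token_bytes(32)

    def _keystream(self, nonce):
        return hmac.new(self._root, nonce, hashlib.sha256).digest()

    def generate_data_key(self):
        """GenerateDataKey stand-in: (plaintext key, wrapped key); one request."""
        self.requests += 1
        key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        wrapped = nonce + bytes(a ^ b for a, b in zip(key, self._keystream(nonce)))
        return key, wrapped

    def decrypt(self, wrapped):
        """Decrypt stand-in: unwrap a wrapped key; one request."""
        self.requests += 1
        nonce, body = wrapped[:16], wrapped[16:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce)))


def derive_object_key(bucket_key, object_nonce):
    """Per-object key from the cached bucket key (HMAC as a KDF; an assumption)."""
    return hmac.new(bucket_key, object_nonce, hashlib.sha256).digest()


def write_objects_sse_kms(kms, n):
    """Classic SSE-KMS: one GenerateDataKey per object written."""
    envelopes = []
    for _ in range(n):
        _key, wrapped = kms.generate_data_key()
        envelopes.append({"wrapped_key": wrapped})  # object ciphertext omitted
    return envelopes


def write_objects_bucket_key(kms, n, cache_window):
    """Bucket Keys: one GenerateDataKey per cache window; object keys derived locally."""
    envelopes = []
    bucket_key = wrapped_bucket_key = None
    for i in range(n):
        if i % cache_window == 0:  # cache expired: go back to KMS
            bucket_key, wrapped_bucket_key = kms.generate_data_key()
        nonce = secrets.token_bytes(16)
        _object_key = derive_object_key(bucket_key, nonce)
        envelopes.append({"wrapped_bucket_key": wrapped_bucket_key, "nonce": nonce})
    return envelopes


def read_objects_bucket_key(kms, envelopes):
    """Reads call KMS only when the wrapped bucket key is not already cached."""
    cache = {}
    keys = []
    for env in envelopes:
        wrapped = env["wrapped_bucket_key"]
        if wrapped not in cache:
            cache[wrapped] = kms.decrypt(wrapped)
        keys.append(derive_object_key(cache[wrapped], env["nonce"]))
    return keys


def kms_requests_for(n, cache_window):
    """Return (requests without Bucket Keys, requests with Bucket Keys) for n writes."""
    plain, bucketed = FakeKms(), FakeKms()
    write_objects_sse_kms(plain, n)
    write_objects_bucket_key(bucketed, n, cache_window)
    return plain.requests, bucketed.requests


if __name__ == "__main__":
    print("KMS requests for 1000 writes (SSE-KMS, Bucket Keys):", kms_requests_for(1000, 100))
```

<p>Every return to KMS in the model corresponds to a KMS request that would appear in CloudTrail, which is the audit trail the paragraph mentions: with Bucket Keys you see periodic refreshes of the bucket key rather than one entry per object.</p>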
   <p>Returning to our review of 2021, S3 Bucket Keys gained the ability to use Amazon S3 Inventory and Amazon S3 Batch Operations <em>automatically </em>to migrate objects from the higher cost, slightly lower-performance SSE-KMS model to the lower-cost, higher-performance S3 Bucket Keys model.</p> 
   <h3>Simplified ownership and access management</h3> 
   <p>The final item from 2021 for Amazon S3 is probably the most important of all. Last year was the year that Amazon S3 achieved fully modernized object ownership and access management capabilities. You can now <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-s3-object-ownership-simplify-access-management-data-s3/" target="_blank" rel="noopener noreferrer">disable access control lists to simplify ownership and access management for data in Amazon S3</a>.</p> 
   <p>To understand this launch, we need to go back in time to the origins of Amazon S3, which is one of the oldest services in AWS, created even before IAM was launched in 2011. In those pre-IAM days, a storage system like Amazon S3 needed to have some kind of access control model, so Amazon S3 invented its own: <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html" target="_blank" rel="noopener noreferrer">Amazon S3 access control lists (ACLs)</a>. Using ACLs, you could add access permissions down to the object level, but only with regard to access by other AWS account principals (the only kind of identity that was available at the time), or <em>public</em> access (read-only or read-write) to an object. And in this model, objects were always owned by the creator of the object, not the bucket owner.</p> 
   <p>After IAM was introduced, Amazon S3 added the bucket policy feature, a type of resource policy that provides the rich features of IAM, including full support for all IAM principals (users and roles), time-of-day conditions, source IP conditions, ability to require encryption, and more. For many years, Amazon S3 access decisions have been made by combining IAM policy permissions and ACL permissions, which has served customers well. But the <em>object-writer-is-owner</em> issue has often caused friction. The good news for security professionals has been that a <em>deny</em> by either type of access control type overrides an <em>allow</em> by the other, so there were no security issues with this bi-modal approach. The challenge was that it could be administratively difficult to manage both resource policies—which exist at the bucket and access point level—and ownership and ACLs—which exist at the object level. Ownership and ACLs might potentially impact the behavior of only a handful of objects, in a bucket full of millions or billions of objects.</p> 
   <p>With the features released in 2021, Amazon S3 has removed these points of friction, and now provides the features needed to reduce ownership issues and to make IAM-based policies the <em>only</em> access control system for a specified bucket. The first step came in 2020 with the ability <a href="https://aws.amazon.com/about-aws/whats-new/2020/10/amazon-s3-object-ownership-enables-bucket-owners-to-automatically-assume-ownership-of-objects-uploaded-to-their-buckets/" target="_blank" rel="noopener noreferrer">to make object ownership track bucket ownership</a>, regardless of writer. But that feature applied only to <em>newly-written</em> objects. The final step is the 2021 launch we’re highlighting here: the ability to disable at the bucket level the evaluation of all <em>existing</em> ACLs—including ownership and permissions—effectively nullifying all object ACLs. From this point forward, you have the mechanisms you need to govern Amazon S3 access with a combination of S3 bucket policies, S3 access point policies, and (within the same account) IAM principal policies, without worrying about legacy models of ACLs and per-object ownership.</p> 
   <h2>Additional database and storage service features</h2> 
   <h3>AWS Backup Vault Lock</h3> 
   <p><a href="https://aws.amazon.com/backup/" target="_blank" rel="noopener noreferrer">AWS Backup</a> added an important new <a href="https://aws.amazon.com/about-aws/whats-new/2021/10/aws-backup-backup-protection-aws-backup-vault-lock/" target="_blank" rel="noopener noreferrer">additional layer for backup protection</a> with the availability of AWS Backup Vault Lock. A <em>vault lock</em> feature in AWS is the ability to configure a storage policy such that even the most powerful AWS principals (such as an account or Org root principal) can only delete data if the deletion conforms to the preset data retention policy. Even if the credentials of a powerful administrator are compromised, the data stored in the vault remains safe. Vault lock features are extremely valuable in guarding against a wide range of security and resiliency risks (including accidental deletion), notably in an era when ransomware represents a rising threat to data.</p> 
   <p>Prior to AWS Backup Vault Lock, AWS provided the extremely useful Amazon S3 and Amazon S3 Glacier vault locking features, but these previous vaulting features applied only to the two Amazon S3 storage classes. AWS Backup, on the other hand, supports a wide range of storage types and databases across the AWS portfolio, including <a href="https://aws.amazon.com/ebs/" target="_blank" rel="noopener noreferrer">Amazon EBS</a>, <a href="https://aws.amazon.com/rds/" target="_blank" rel="noopener noreferrer">Amazon Relational Database Service (Amazon RDS)</a> including <a href="https://aws.amazon.com/rds/aurora/" target="_blank" rel="noopener noreferrer">Amazon Aurora</a>, <a href="https://aws.amazon.com/dynamodb/" target="_blank" rel="noopener noreferrer">Amazon DynamoDB</a>, <a href="https://aws.amazon.com/neptune/" target="_blank" rel="noopener noreferrer">Amazon Neptune</a>, <a href="https://aws.amazon.com/documentdb/" target="_blank" rel="noopener noreferrer">Amazon DocumentDB</a>, <a href="https://aws.amazon.com/efs/" target="_blank" rel="noopener noreferrer">Amazon Elastic File System (Amazon EFS)</a>, <a href="https://aws.amazon.com/fsx/lustre/" target="_blank" rel="noopener noreferrer">Amazon FSx for Lustre</a>, <a href="https://aws.amazon.com/fsx/windows/" target="_blank" rel="noopener noreferrer">Amazon FSx for Windows File Server</a>, <a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener noreferrer">Amazon EC2</a>, and <a href="https://aws.amazon.com/storagegateway/" target="_blank" rel="noopener noreferrer">AWS Storage Gateway</a>. While built on top of Amazon S3, AWS Backup <a href="https://aws.amazon.com/about-aws/whats-new/2022/02/general-availability-aws-backup-amazon-s3/" target="_blank" rel="noopener noreferrer">even supports backup of data stored in Amazon S3</a>. Thus, this new AWS Backup Vault Lock feature effectively serves as a vault lock for all the data from most of the critical storage and database technologies made available by AWS.</p> 
   <p>Finally, as a bonus, AWS Backup added two more features in 2021 that should delight security and compliance professionals: <a href="https://aws.amazon.com/about-aws/whats-new/2021/08/aws-backup-audit-manager/" target="_blank" rel="noopener noreferrer">AWS Backup Audit Manager</a> and <a href="https://aws.amazon.com/about-aws/whats-new/2021/10/aws-backup-audit-manager-compliance-reports/" target="_blank" rel="noopener noreferrer">compliance reporting</a>.</p> 
   <h3>Amazon DynamoDB</h3> 
   <p><a href="https://aws.amazon.com/dynamodb/" target="_blank" rel="noopener noreferrer">Amazon DynamoDB</a> added a long-awaited feature: <a href="https://aws.amazon.com/about-aws/whats-new/2021/04/you-now-can-use-aws-cloudtrail-to-log-amazon-dynamodb-streams-da/" target="_blank" rel="noopener noreferrer">data-plane operations integration with AWS CloudTrail</a>. DynamoDB has long supported the recording of management operations in CloudTrail—including a long list of operations like <a href="https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html" target="_blank" rel="noopener noreferrer">CreateTable, UpdateTable, DeleteTable, ListTables, CreateBackup, and many others</a>. What has been added now is the ability to log the potentially far higher volume of data operations such as PutItem, BatchWriteItem, GetItem, BatchGetItem, and DeleteItem. With this launch, full database auditing became possible. In addition, DynamoDB added <a href="https://aws.amazon.com/about-aws/whats-new/2021/09/amazon-dynamodb-granular-control-audit-logging-streams-data-plane-api-activity-aws-cloudtrail/" target="_blank" rel="noopener noreferrer">more granular control of logging through DynamoDB Streams filters</a>. This feature allows users to vary the recording in CloudTrail of both control plane and data plane operations, at the table or stream level.</p> 
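<p>An added example (not the post's code) that scopes CloudTrail data-event logging to one DynamoDB table with an advanced event selector and then reviews the resulting records for write operations by unexpected principals; the records are constructed samples in the CloudTrail record shape, and the table ARN, account id and principal names are placeholders.</p>

```python
"""Enable DynamoDB data-plane logging in CloudTrail for one table and review the
records it produces. Added example, not the post's code. The CloudTrail records
below are constructed samples in the CloudTrail record shape; the table ARN,
account id and principal names are placeholders."""
from __future__ import annotations

WRITE_OPERATIONS = {"PutItem", "UpdateItem", "DeleteItem", "BatchWriteItem", "TransactWriteItems"}


def build_dynamodb_data_event_selector(table_arn: str) -> dict:
    """Advanced event selector that logs data events for one table only. Data
    events can be far higher volume than the management events DynamoDB already
    recorded, so scope the selector to the tables that need auditing."""
    return {
        "Name": "DynamoDB data-plane events for " + table_arn.rsplit("/", 1)[-1],
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::DynamoDB::Table"]},
            {"Field": "resources.ARN", "Equals": [table_arn]},
        ],
    }


def enable_data_events(trail_name: str, table_arn: str) -> None:
    import boto3  # imported here so the review functions below run without it
    boto3.client("cloudtrail").put_event_selectors(
        TrailName=trail_name,
        AdvancedEventSelectors=[build_dynamodb_data_event_selector(table_arn)],
    )


def principal_of(record: dict) -> str:
    """Role ARN for assumed-role sessions (from sessionIssuer), else the caller ARN."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")


def flag_unexpected_writes(records: list[dict], table_arn: str, allowed_principals: set[str]) -> list[dict]:
    """Write operations against table_arn made by principals outside the allowlist."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "dynamodb.amazonaws.com" or rec.get("eventCategory") != "Data":
            continue
        if rec.get("eventName") not in WRITE_OPERATIONS:
            continue
        if not any(res.get("ARN") == table_arn for res in rec.get("resources", [])):
            continue
        who = principal_of(rec)
        if who in allowed_principals:
            continue
        findings.append({"time": rec.get("eventTime"), "operation": rec["eventName"],
                         "principal": who, "sourceIPAddress": rec.get("sourceIPAddress")})
    return findings


# Constructed sample data, placeholder identifiers throughout.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/Customers"
APP_ROLE = "arn:aws:iam::111122223333:role/customers-app"
APP_SESSION = {"type": "AssumedRole",
               "arn": "arn:aws:sts::111122223333:assumed-role/customers-app/i-EXAMPLE",
               "sessionContext": {"sessionIssuer": {"arn": APP_ROLE}}}
ANALYST_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"}


def _record(event_name: str, identity: dict, source_ip: str, read_only: bool) -> dict:
    return {"eventVersion": "1.08", "eventTime": "2021-11-03T12:00:00Z",
            "eventSource": "dynamodb.amazonaws.com", "eventName": event_name,
            "eventCategory": "Data", "readOnly": read_only, "sourceIPAddress": source_ip,
            "userIdentity": identity,
            "resources": [{"type": "AWS::DynamoDB::Table", "ARN": TABLE_ARN}]}


SAMPLE_RECORDS = [
    _record("GetItem", APP_SESSION, "10.0.1.20", True),             # routine read by the app
    _record("DeleteItem", APP_SESSION, "10.0.1.20", False),         # expected write by the app
    _record("BatchWriteItem", ANALYST_USER, "203.0.113.5", False),  # write by a human user
]
```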
   <h3>Amazon EBS snapshots</h3> 
   <p>Let’s turn now to a simple but extremely useful feature launch affecting <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html" target="_blank" rel="noopener noreferrer">Amazon Elastic Block Store (Amazon EBS) snapshots</a>. In the past, it was possible to accidentally delete an EBS snapshot, which is a problem for security professionals because data availability is a part of the core security triad of confidentiality, integrity, and availability. Now you can manage that risk and <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/recover-accidental-deletions-snapshots-recycle-bin/" target="_blank" rel="noopener noreferrer">recover from accidental deletions of your snapshots by using Recycle Bin</a>. You simply <a href="https://aws.amazon.com/blogs/aws/new-recycle-bin-for-ebs-snapshots/" target="_blank" rel="noopener noreferrer">define a retention policy that applies to all deleted snapshots</a>, and then you can define other more granular policies, for example using longer retention periods based on snapshot tag values, such as stage=prod. Along with this launch, the Amazon EBS team announced <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/retention-ebs-snapshots-75-amazon-archive-tier/" target="_blank" rel="noopener noreferrer">EBS Snapshots Archive</a>, a major price reduction for long-term storage of snapshots.</p> 
   <h2>AWS Certificate Manager Private Certificate Authority</h2> 
   <p>2021 was a big year for <a href="https://aws.amazon.com/certificate-manager/private-certificate-authority/" target="_blank" rel="noopener noreferrer">AWS Certificate Manager (ACM) Private Certificate Authority (CA)</a> with the following updates and new features:</p> 

   <h2>Network and application protection</h2> 
   <p>We saw a lot of enhancements in network and application protection in 2021 that will help you to enforce fine-grained security policies at important network control points across your organization. The services and new capabilities offer flexible solutions for inspecting and filtering traffic to help prevent unauthorized resource access.</p> 
   <h3>AWS WAF</h3> 
   <p><a href="https://aws.amazon.com/waf/" target="_blank" rel="noopener noreferrer">AWS WAF</a> launched <a href="https://aws.amazon.com/about-aws/whats-new/2021/04/announcing-aws-waf-bot-control/" target="_blank" rel="noopener noreferrer">AWS WAF Bot Control</a>, which gives you visibility and control over common and pervasive bots that consume excess resources, skew metrics, cause downtime, or perform other undesired activities. The <a href="https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html" target="_blank" rel="noopener noreferrer">Bot Control managed rule group</a> helps you monitor, block, or rate-limit pervasive bots, such as scrapers, scanners, and crawlers. You can also allow common bots that you consider acceptable, such as status monitors and search engines. AWS WAF also added support for custom responses, managed rule group versioning, <a href="https://aws.amazon.com/about-aws/whats-new/2021/09/aws-waf-in-line-regular-expressions/" target="_blank" rel="noopener noreferrer">in-line regular expressions</a>, and <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/aws-waf-captcha-support/" target="_blank" rel="noopener noreferrer">Captcha</a>. The Captcha feature has been popular with customers, removing another small example of “undifferentiated work” for customers.</p> 
   <h3>AWS Shield Advanced</h3> 
   <p><a href="https://aws.amazon.com/shield/" target="_blank" rel="noopener noreferrer">AWS Shield Advanced</a> now <a href="https://aws.amazon.com/about-aws/whats-new/2021/12/aws-shield-advanced-application-layer-ddos-mitigation/" target="_blank" rel="noopener noreferrer">automatically protects web applications by blocking application layer (L7) DDoS events</a> with no manual intervention needed by you or the AWS Shield Response Team (SRT). When you protect your resources with AWS Shield Advanced and enable automatic application layer DDoS mitigation, Shield Advanced identifies patterns associated with L7 DDoS events and isolates this anomalous traffic by automatically creating AWS WAF rules in your web access control lists (ACLs).</p> 
   <h3>Amazon CloudFront</h3> 
   <p>In other edge networking news, <a href="https://aws.amazon.com/cloudfront/" target="_blank" rel="noopener noreferrer">Amazon CloudFront</a> added <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-cloudfront-supports-cors-security-custom-http-response-headers/" target="_blank" rel="noopener noreferrer">support for response headers</a> policies. This means that you can now add cross-origin resource sharing (CORS), security, and custom headers to HTTP responses returned by your CloudFront distributions. You no longer need to configure your origins or use custom Lambda@Edge or CloudFront Functions to insert these headers.</p> 
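<p>An added example (not the post's or AWS's code) that builds a CloudFront response headers policy carrying the security headers mentioned above and checks a served response against it; the policy name and the sample response headers are constructed.</p>

```python
"""Build a CloudFront response headers policy with security headers and verify
that a served response actually carries them. Added example, not the post's
code; the policy name and the sample response headers are constructed."""
from __future__ import annotations

SECURITY_HEADERS_CONFIG = {
    "StrictTransportSecurity": {
        "Override": True, "AccessControlMaxAgeSec": 31536000,
        "IncludeSubdomains": True, "Preload": False,
    },
    "ContentTypeOptions": {"Override": True},
    "FrameOptions": {"Override": True, "FrameOption": "DENY"},
    "ReferrerPolicy": {"Override": True, "ReferrerPolicy": "strict-origin-when-cross-origin"},
    "XSSProtection": {"Override": True, "Protection": True, "ModeBlock": True},
    "ContentSecurityPolicy": {"Override": True, "ContentSecurityPolicy": "default-src 'self'"},
}


def build_policy_config(name: str) -> dict:
    """ResponseHeadersPolicyConfig as accepted by CreateResponseHeadersPolicy.
    Override=True makes CloudFront replace a same-named header from the origin."""
    return {
        "Name": name,
        "Comment": "Security headers added at the edge instead of at the origin",
        "SecurityHeadersConfig": SECURITY_HEADERS_CONFIG,
    }


def expected_headers(config: dict) -> dict[str, str]:
    """Translate the policy config into the header lines CloudFront will emit."""
    sec = config["SecurityHeadersConfig"]
    hsts = sec["StrictTransportSecurity"]
    hsts_value = f"max-age={hsts['AccessControlMaxAgeSec']}"
    if hsts.get("IncludeSubdomains"):
        hsts_value += "; includeSubDomains"
    if hsts.get("Preload"):
        hsts_value += "; preload"
    xss = sec["XSSProtection"]
    xss_value = "0"
    if xss["Protection"]:
        xss_value = "1; mode=block" if xss.get("ModeBlock") else "1"
    return {
        "strict-transport-security": hsts_value,
        "x-content-type-options": "nosniff",
        "x-frame-options": sec["FrameOptions"]["FrameOption"],
        "referrer-policy": sec["ReferrerPolicy"]["ReferrerPolicy"],
        "x-xss-protection": xss_value,
        "content-security-policy": sec["ContentSecurityPolicy"]["ContentSecurityPolicy"],
    }


def verify_response_headers(actual: dict[str, str], expected: dict[str, str]) -> list[str]:
    """Names of expected headers that are missing from, or differ in, a response.
    Header names are compared case-insensitively, values after stripping."""
    lowered = {k.lower(): v.strip() for k, v in actual.items()}
    return sorted(name for name, value in expected.items() if lowered.get(name) != value)


def create_policy(name: str) -> str:
    """Create the policy and return its Id, which is then set as the
    ResponseHeadersPolicyId on each cache behavior of the distribution."""
    import boto3  # imported here so the functions above run without it
    resp = boto3.client("cloudfront").create_response_headers_policy(
        ResponseHeadersPolicyConfig=build_policy_config(name)
    )
    return resp["ResponseHeadersPolicy"]["Id"]
```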
   <p>CloudFront Functions were <a href="https://aws.amazon.com/about-aws/whats-new/2021/05/cloudfront-functions/" target="_blank" rel="noopener noreferrer">another great 2021 addition to edge computing</a>, providing a simple, inexpensive, and yet <a href="https://aws.amazon.com/blogs/networking-and-content-delivery/cloudfront-functions-a-new-security-paradigm-for-cdn-edge-computing/" target="_blank" rel="noopener noreferrer">highly secure method</a> for running customer-defined code as part of any CloudFront-managed web request. CloudFront Functions allow for the creation of very efficient, fine-grained network access filters, such as <a href="https://aws.amazon.com/blogs/networking-and-content-delivery/complying-with-city-level-embargos-using-amazon-cloudfront/" target="_blank" rel="noopener noreferrer">the ability to block or allow web requests at a region or city level</a>.</p> 
   <h3>Amazon Virtual Private Cloud and Route 53</h3> 
   <p><a href="https://aws.amazon.com/vpc/" target="_blank" rel="noopener noreferrer">Amazon Virtual Private Cloud (Amazon VPC)</a> added <a href="https://aws.amazon.com/about-aws/whats-new/2021/08/amazon-vpc-subnets/" target="_blank" rel="noopener noreferrer">more-specific routing</a> (routing subnet-to-subnet traffic through a virtual networking device) that allows for packet interception and inspection between subnets in a VPC. This is particularly useful for highly-available, highly-scalable network virtual function services based on <a href="https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/" target="_blank" rel="noopener noreferrer">Gateway Load Balancer</a>, including both AWS services like <a href="https://aws.amazon.com/network-firewall/" target="_blank" rel="noopener noreferrer">AWS Network Firewall</a>, as well as third-party networking services such as the <a href="https://aws.amazon.com/about-aws/whats-new/2022/03/aws-firewall-palo-alto-network-cloud-generation/" target="_blank" rel="noopener noreferrer">recently announced integration</a> between <a href="https://aws.amazon.com/firewall-manager/" target="_blank" rel="noopener noreferrer">AWS Firewall Manager</a> and <a href="https://start.paloaltonetworks.com/cloud-ngfw-on-aws" target="_blank" rel="noopener noreferrer">Palo Alto Networks Cloud Next Generation Firewall</a>, powered by Gateway Load Balancer.</p> 
   <p>Another important set of enhancements to the core VPC experience came in the area of <a href="https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html" target="_blank" rel="noopener noreferrer">VPC Flow Logs</a>. Amazon VPC launched <a href="https://aws.amazon.com/about-aws/whats-new/2021/04/amazon-vpc-flow-logs-announces-out-of-box-integration-with-amazon-athena/" target="_blank" rel="noopener noreferrer">out-of-the-box integration with Amazon Athena</a>. This means with a few clicks, you can now use Athena to query your VPC flow logs delivered to Amazon S3. Additionally, Amazon VPC launched three associated new log features that make querying more efficient by supporting <a href="https://aws.amazon.com/about-aws/whats-new/2021/10/amazon-vpc-flow-logs-parquet-hive-prefixes-partitioned-files/" target="_blank" rel="noopener noreferrer">Apache Parquet, Hive-compatible prefixes, and hourly partitioned files</a>.</p> 
   <p>Following Route 53 Resolver’s <a href="https://aws.amazon.com/blogs/aws/log-your-vpc-dns-queries-with-route-53-resolver-query-logs/" target="_blank" rel="noopener noreferrer">much-anticipated launch of DNS logging in 2020</a>, the big news for 2021 was <a href="https://aws.amazon.com/about-aws/whats-new/2021/03/introducing-amazon-route-53-resolver-dns-firewall/" target="_blank" rel="noopener noreferrer">the launch of its DNS Firewall capability</a>. Route 53 Resolver DNS Firewall lets you create “blocklists” for domains you don’t want your VPC resources to communicate with, or you can take a stricter, “walled-garden” approach by creating “allowlists” that permit outbound DNS queries only to domains that you specify. You can also create alerts for when outbound DNS queries match certain firewall rules, allowing you to test your rules before deploying for production traffic. Route 53 Resolver DNS Firewall launched with two managed domain lists—malware domains and botnet command and control domains—enabling you to get started quickly with managed protections against common threats. It also integrated with Firewall Manager (see the following section) for easier centralized administration.</p> 
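<p>An added example (not the post's code) that reads Route 53 Resolver query logs and summarizes DNS Firewall matches, so the ALERT-mode testing described above can be reviewed before a rule's action is switched to BLOCK; the log lines are constructed samples in the Resolver query-log JSON shape, with placeholder account, VPC, instance and rule ids.</p>

```python
"""Review Route 53 Resolver query logs for DNS Firewall matches so that ALERT
rules can be checked before their action is switched to BLOCK. Added example,
not the post's code; the log lines are constructed samples in the Resolver
query-log JSON shape, with placeholder account, VPC, instance and rule ids."""
from __future__ import annotations
import json
from collections import defaultdict

# Constructed sample log lines: one unmatched query, two ALERT matches on a
# customer rule group, one BLOCK match on a rule that uses a managed domain list.
SAMPLE_LOG_LINES = """
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-EXAMPLE","query_timestamp":"2021-11-03T17:51:55Z","query_name":"example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","srcaddr":"10.0.0.4","srcport":"62823","transport":"UDP","srcids":{"instance":"i-EXAMPLE1"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-EXAMPLE","query_timestamp":"2021-11-03T17:52:01Z","query_name":"updates.example.net.","query_type":"A","query_class":"IN","rcode":"NOERROR","srcaddr":"10.0.0.4","srcport":"50112","transport":"UDP","srcids":{"instance":"i-EXAMPLE1"},"firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-EXAMPLE","firewall_domain_list_id":"rslvr-fdl-EXAMPLE"}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-EXAMPLE","query_timestamp":"2021-11-03T17:52:09Z","query_name":"updates.example.net.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","srcaddr":"10.0.0.9","srcport":"41870","transport":"UDP","srcids":{"instance":"i-EXAMPLE2"},"firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-EXAMPLE","firewall_domain_list_id":"rslvr-fdl-EXAMPLE"}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-EXAMPLE","query_timestamp":"2021-11-03T17:53:30Z","query_name":"bad.example.org.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","srcaddr":"10.0.0.9","srcport":"41871","transport":"UDP","srcids":{"instance":"i-EXAMPLE2"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-MANAGED","firewall_domain_list_id":"rslvr-fdl-MANAGED"}
""".strip()


def parse_query_log(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _source(record: dict) -> str:
    # Prefer the instance id; fall back to the source address for non-EC2 clients.
    return record.get("srcids", {}).get("instance") or record.get("srcaddr", "unknown")


def firewall_hits(records: list[dict]) -> dict[str, dict[str, list[str]]]:
    """{action: {domain: sorted sources}} for queries that matched a firewall rule.
    Queries with no firewall_rule_action field matched nothing and are skipped."""
    hits: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for record in records:
        action = record.get("firewall_rule_action")
        if not action:
            continue
        domain = record["query_name"].rstrip(".")
        hits[action][domain].add(_source(record))
    return {action: {d: sorted(s) for d, s in domains.items()} for action, domains in hits.items()}


def alert_preview(records: list[dict], rule_group_id: str) -> dict[str, list[str]]:
    """Domains (and who queried them) that matched rule_group_id in ALERT mode:
    exactly the lookups that will start failing once the rule action is BLOCK."""
    preview: dict[str, set[str]] = defaultdict(set)
    for record in records:
        if (record.get("firewall_rule_action") == "ALERT"
                and record.get("firewall_rule_group_id") == rule_group_id):
            preview[record["query_name"].rstrip(".")].add(_source(record))
    return {domain: sorted(sources) for domain, sources in preview.items()}


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG_LINES)
    print(json.dumps(firewall_hits(recs), indent=2))
    print(json.dumps(alert_preview(recs, "rslvr-frg-EXAMPLE"), indent=2))
```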
   <h3>AWS Network Firewall and Firewall Manager</h3> 
   <p>Speaking of <a href="https://aws.amazon.com/network-firewall/" target="_blank" rel="noopener noreferrer">AWS Network Firewall</a> and <a href="https://aws.amazon.com/firewall-manager/" target="_blank" rel="noopener noreferrer">Firewall Manager</a>, 2021 was a big year for both. Network Firewall added support for <a href="https://aws.amazon.com/about-aws/whats-new/2021/12/aws-network-firewall-aws-managed-rules/" target="_blank" rel="noopener noreferrer">AWS Managed Rules</a>, which are groups of rules based on threat intelligence data, to enable you to stay up to date on the latest security threats without writing and maintaining your own rules. AWS Network Firewall features a flexible rules engine enabling you to define firewall rules that give you fine-grained control over network traffic. As of the launch in late 2021, you can enable managed domain list rules to block HTTP and HTTPS traffic to domains identified as low-reputation, or that are known or suspected to be associated with malware or botnets. Prior to that, another important launch was <a href="https://aws.amazon.com/about-aws/whats-new/2021/10/aws-firewall-configuration-rule-ordering-drop/" target="_blank" rel="noopener noreferrer">new configuration options for rule ordering and default drop</a>, making it simpler to write and process rules to monitor your VPC traffic. Also in 2021, Network Firewall announced <a href="https://aws.amazon.com/about-aws/whats-new/2021/04/aws-network-firewall-is-now-available-in-more-regions/" target="_blank" rel="noopener noreferrer">a major regional expansion</a> following its initial launch in 2020, and a range of compliance achievements and eligibility including <a href="https://aws.amazon.com/about-aws/whats-new/2021/09/aws-network-firewall-hipaa-eligible/" target="_blank" rel="noopener noreferrer">HIPAA</a>, <a href="https://aws.amazon.com/about-aws/whats-new/2021/07/aws-network-firewall-achieves-pci-dss-compliance/" target="_blank" rel="noopener noreferrer">PCI DSS</a>, <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/aws-network-firewall-soc-compliant/" target="_blank" rel="noopener noreferrer">SOC</a>, and <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/aws-network-firewall-iso-compliance/" target="_blank" rel="noopener noreferrer">ISO</a>.</p> 
   <p>Firewall Manager also had a strong 2021, adding a number of additional features beyond its initial core area of managing network firewalls and VPC security groups that provide centralized, policy-based control over many other important network security capabilities: <a href="https://aws.amazon.com/about-aws/whats-new/2021/04/aws-firewall-manager-now-supports-centralized-management-of-amazon-route-53-resolver-dns-firewall/" target="_blank" rel="noopener noreferrer">Amazon Route 53 Resolver DNS Firewall</a> configurations, <a href="https://aws.amazon.com/about-aws/whats-new/2021/04/aws-firewall-manager-supports-centralized-deployment-new-aws-waf-bot-control/" target="_blank" rel="noopener noreferrer">deployment of the new AWS WAF Bot Control</a>, <a href="https://aws.amazon.com/about-aws/whats-new/2021/07/aws-firewall-manager-supports-central-monitoring-of-vpc-routes-for-aws-network-firewall/" target="_blank" rel="noopener noreferrer">monitoring of VPC routes for AWS Network Firewall</a>, <a href="https://aws.amazon.com/about-aws/whats-new/2021/09/aws-firewall-manager-aws-waf-log-filtering/" target="_blank" rel="noopener noreferrer">AWS WAF log filtering</a>, <a href="https://aws.amazon.com/about-aws/whats-new/2021/09/aws-firewall-manager-waf-rate-based-rules/" target="_blank" rel="noopener noreferrer">AWS WAF rate-based rules</a>, and <a href="https://aws.amazon.com/about-aws/whats-new/2021/10/aws-firewall-manager-centralized-logging-aws-network-firewall-logs/" target="_blank" rel="noopener noreferrer">centralized logging of AWS Network Firewall logs</a>.</p> 
   <h3>Elastic Load Balancing</h3> 
   <p><a href="https://aws.amazon.com/elasticloadbalancing/?nc2=type_a" target="_blank" rel="noopener noreferrer">Elastic Load Balancing</a> now supports forwarding traffic directly from Network Load Balancer (NLB) to Application Load Balancer (ALB). With this important <a href="https://aws.amazon.com/about-aws/whats-new/2021/09/application-load-balancer-aws-privatelink-static-ip-addresses-network-load-balancer/" target="_blank" rel="noopener noreferrer">new integration</a>, you can take advantage of many critical NLB features such as support for <a href="https://aws.amazon.com/privatelink/" target="_blank" rel="noopener noreferrer">AWS PrivateLink</a> and exposing static IP addresses for applications that still require ALB.</p> 
   <p>In addition, <a href="https://aws.amazon.com/about-aws/whats-new/2021/10/aws-network-load-balancer-supports-tls-1-3/" target="_blank" rel="noopener noreferrer">Network Load Balancer now supports version 1.3 of the TLS protocol</a>. This adds to the <a href="https://aws.amazon.com/about-aws/whats-new/2020/09/cloudfront-tlsv1-3-support/" target="_blank" rel="noopener noreferrer">existing TLS 1.3 support in Amazon CloudFront</a>, launched in 2020. AWS plans to add TLS 1.3 support for additional services.</p> 
   <p>The AWS Networking team also made <a href="https://aws.amazon.com/about-aws/whats-new/2021/08/private-connectivity-aws-nat-gateway-available-aws-govcloud-us-regions/" target="_blank" rel="noopener noreferrer">Amazon VPC private NAT gateways</a> available in both AWS GovCloud (US) Regions. The expansion into the AWS GovCloud (US) Regions enables US government agencies and contractors to move more sensitive workloads into the cloud by helping them to address certain regulatory and compliance requirements.</p> 
   <h2>Compute</h2> 
   <p>Security professionals should also be aware of some interesting enhancements in AWS compute services that can help improve their organization’s experience in building and operating a secure environment.</p> 
   <p><a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener noreferrer">Amazon Elastic Compute Cloud (Amazon EC2)</a> launched the <a href="https://aws.amazon.com/about-aws/whats-new/2021/09/amazon-ec2-global-view-console-regions/" target="_blank" rel="noopener noreferrer">Global View</a> on the console to provide visibility to all your resources across Regions. Global View helps you monitor resource counts, notice abnormalities sooner, and find stray resources. A few days into 2022, another simple but extremely useful EC2 launch was the new <a href="https://aws.amazon.com/about-aws/whats-new/2022/01/instance-tags-amazon-ec2-instance-metadata-service/" target="_blank" rel="noopener noreferrer">ability to obtain instance tags from the Instance Metadata Service (IMDS)</a>. Many customers run code on Amazon EC2 that needs to inspect the EC2 tags associated with the instance and then change its behavior depending on the content of the tags. Prior to this launch, you had to associate an EC2 role and call the EC2 API to get this information. That required access to API endpoints, either through a NAT gateway or a VPC endpoint for Amazon EC2. Now, that information can be obtained directly from the IMDS, greatly simplifying a common use case.</p> 
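<p>An added example (not the post's or AWS's code) of reading instance tags through IMDSv2 as described above, with the boto3 call that opts an instance in; the HTTP transport is a parameter so the lookup can be exercised offline against a fake IMDS.</p>

```python
"""Read EC2 instance tags from the Instance Metadata Service (IMDSv2) instead of
calling the EC2 API. Added example, not the post's code. The HTTP transport is a
parameter so the lookup can be exercised offline with a fake IMDS; on a real
instance the default urllib transport talks to 169.254.169.254."""
from __future__ import annotations
import urllib.error
import urllib.request
from typing import Callable, Optional

IMDS_BASE = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "21600"
Fetch = Callable[[str, str, dict], Optional[str]]


def http_fetch(method: str, path: str, headers: dict) -> Optional[str]:
    """IMDS transport. Returns None on 404, which IMDS answers for tags that are
    not enabled on the instance; other HTTP errors propagate."""
    req = urllib.request.Request(IMDS_BASE + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def get_imds_token(fetch: Fetch = http_fetch) -> str:
    """IMDSv2 session token; every metadata request must carry it."""
    token = fetch("PUT", "/latest/api/token",
                  {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    if not token:
        raise RuntimeError("could not obtain an IMDSv2 token")
    return token


def get_instance_tags(fetch: Fetch = http_fetch) -> dict[str, str]:
    """Tags of the current instance as {key: value}. /tags/instance lists one
    tag key per line; each key is then read as its own metadata path.
    Anything in a tag is readable by every process on the instance, so tags
    must not carry secrets."""
    headers = {"X-aws-ec2-metadata-token": get_imds_token(fetch)}
    listing = fetch("GET", "/latest/meta-data/tags/instance", headers)
    if listing is None:
        raise RuntimeError("instance tags are not exposed through IMDS on this instance")
    tags: dict[str, str] = {}
    for key in listing.splitlines():
        key = key.strip()
        if key:
            value = fetch("GET", f"/latest/meta-data/tags/instance/{key}", headers)
            tags[key] = value if value is not None else ""
    return tags


def enable_tags_in_imds(instance_id: str, require_imdsv2: bool = True) -> None:
    """Opt the instance in (the feature is off by default) and, by default,
    require IMDSv2 so the token step above is mandatory."""
    import boto3  # imported here so the functions above run without it
    boto3.client("ec2").modify_instance_metadata_options(
        InstanceId=instance_id,
        InstanceMetadataTags="enabled",
        HttpTokens="required" if require_imdsv2 else "optional",
    )


if __name__ == "__main__":
    tags = get_instance_tags()
    # Behaviour keyed on a tag, as in the post: quieter logging in prod.
    print("minimal logging" if tags.get("stage") == "prod" else "verbose logging", tags)
```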
   <p>Amazon EC2 launched <a href="https://aws.amazon.com/about-aws/whats-new/2021/10/amazon-ec2-amazon-machine-images-organizations/" target="_blank" rel="noopener noreferrer">sharing of </a><a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html" target="_blank" rel="noopener noreferrer">Amazon Machine Images (AMIs)</a> with AWS Organizations and Organizational Units (OUs). Previously, you could share AMIs only with specific AWS account IDs. To share AMIs within AWS Organizations, you had to explicitly manage sharing of AMIs on an account-by-account basis, as they were added to or removed from AWS Organizations. With this new feature, you no longer have to update your AMI permissions because of organizational changes. AMI sharing is automatically synchronized when organizational changes occur. This feature greatly helps both security professionals and governance teams to centrally manage and govern AMIs as you grow and scale your AWS accounts. As previously noted, this feature was also added to <a href="https://aws.amazon.com/about-aws/whats-new/2021/11/ec2-image-builder-sharing-amis-aws-organization-units/" target="_blank" rel="noopener noreferrer">EC2 Image Builder</a>. Finally, <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshot-lifecycle.html" target="_blank" rel="noopener noreferrer">Amazon Data Lifecycle Manager</a>, the tool that manages all your EBS volumes and AMIs in a policy-driven way, <a href="https://aws.amazon.com/about-aws/whats-new/2021/08/amazon-data-lifecycle-manager-automates-deprecation-ami/" target="_blank" rel="noopener noreferrer">now supports automatic deprecation of AMIs</a>. As a security professional, you will find this helpful as you can set a timeline on your AMIs so that, if the AMIs haven’t been updated for a specified period of time, they will no longer be considered valid or usable by development teams.</p> 
   <h2>Looking ahead</h2> 
   <p>In 2022, AWS continues to deliver experiences that meet administrators where they govern, developers where they code, and applications where they run. We will continue to summarize important launches in future blog posts. If you’re interested in learning more about AWS services, join us for <a href="https://reinforce.awsevents.com/" target="_blank" rel="noopener noreferrer">AWS re:Inforce</a>, the AWS conference focused on cloud security, identity, privacy, and compliance. AWS re:Inforce 2022 will take place July 26–27 in Boston, MA. <a href="https://portal.awsevents.com/events/reInforce2022/registration?trk=direct" target="_blank" rel="noopener noreferrer">Registration is now open</a>. Register now with discount code SALxUsxEFCw to get $150 off your full conference pass to AWS re:Inforce. For a limited time only and while supplies last. We look forward to seeing you there!</p> 
   <p>To stay up to date on the latest product and feature launches and security use cases, be sure to read the <a href="https://aws.amazon.com/new/" target="_blank" rel="noopener noreferrer">What’s New with AWS</a> announcements (or subscribe to the <a href="https://aws.amazon.com/about-aws/whats-new/recent/feed/" target="_blank" rel="noopener noreferrer">RSS feed</a>) and the <a href="https://aws.amazon.com/blogs/security/" target="_blank" rel="noopener noreferrer">AWS Security Blog</a>.</p> 