Amazon Unveils Security Hub, Control Tower to Aid AWS Security

Amazon is rolling out two new tools to help AWS customers create and securely configure new cloud deployments and to ensure they stay as secure as possible once they’re up and running.

The new tools, called Control Tower and Security Hub, were both unveiled at Amazon’s AWS re:Inforce conference in Boston on Monday and are part of an effort to streamline the process of configuring and locking down AWS environments and accounts. Figuring out the initial levels of security and access can be complicated, especially for companies or teams that are new to AWS environments, so Amazon has developed the new services to ease that burden a bit.

Control Tower is designed as a comprehensive tool for securely setting up new AWS environments, providing a method for automating many of the tasks involved in initial setup, such as identity and access management, centralized logging, and security audits across accounts. Control Tower comprises a number of individual components, including the Landing Zone, which is the multi-account AWS environment the tool sets up; a set of default policy controls known as Guardrails; Blueprints, which are the design patterns used to establish the Landing Zone; and the Environment, which is the AWS account and all of the attendant resources set up to run an application.

"Control Tower is basically a template for an entire enterprise deployment and management of a full, multi-account environment with all key security controls pre-configured. For new clients, especially small to mid-sized ones, it looks promising," said Rich Mogull, CEO of Securosis.

The Control Tower service can only be used for setting up fresh AWS accounts and there’s no extra charge for it.

“This service automates the process of setting up a new baseline multi-account AWS environment that is secure, well-architected, and ready to use. Control Tower incorporates the knowledge that AWS Professional Service has gained over the course of thousands of successful customer engagements,” said Jeff Barr, chief evangelist for AWS.

“AWS Control Tower builds on multiple AWS services including AWS Organizations, AWS Identity and Access Management (IAM) (including Service Control Policies), AWS Config, AWS CloudTrail, and AWS Service Catalog. You get a unified experience built around a collection of workflows, dashboards, and setup steps. AWS Control Tower automates a landing zone to set up a baseline environment.”

The second piece of Amazon’s security news this week is the release of Security Hub for general availability. The tool has been in preview mode until now, and is meant to function as a central dashboard for teams to monitor security alerts and issues in their AWS environments. Most enterprises have something similar on their internal networks, but cloud deployments are a different story. The variety of accounts and complexity of deployments can make managing and prioritizing security alerts a difficult task, and Security Hub is meant to take some of that burden off security teams.

“When you enable AWS Security Hub, permissions are automatically created via IAM service-linked roles. Automated, continuous compliance checks begin right away. Compliance standards determine these compliance checks and rules. The first compliance standard available is the Center for Internet Security (CIS) AWS Foundations Benchmark. We’ll add more standards this year,” said Brandon West, leader of the AWS developer evangelism team.

“The results of these compliance checks are called findings. Each finding tells you the severity of the issue, which system reported it, which resources it affects, and a lot of other useful metadata. For example, you might see a finding that lets you know that multi-factor authentication should be enabled for a root account, or that there are credentials that haven’t been used for 90 days that should be revoked.”

Security Hub has automation at its heart, but it also allows customers to shape it to their needs in many ways. For example, customers can create custom actions that group various findings together to create an event that can then trigger something like an alert sent to specific people.

"Security Hub is a decent start but has a long way to go. It combines AWS and third-party security dashboarding in one place. It will be an essential tool for all security organizations in AWS, even when using third-party tools that offer overlapping functionality," Mogull said.