At its annual re:Inforce conference, Amazon Web Services (AWS) has announced new and enhanced security features and tools.
Additional multi-factor authentication option
To facilitate the concerted push to get customers to secure their accounts with multiple authentication factors, AWS has added support for FIDO2 passkeys as a second authentication method.
“If you’re already using another form of MFA like a non-syncable FIDO2 hardware security key or authenticator app, the question of whether or not you should migrate to syncable passkeys is dependent on your or your organizations’ uses and requirements,” Arynn Crow, Senior Manager of User Authentication Products for AWS Identity, explained.
“Because their credentials are bound only to the device that created them, FIDO2 security keys provide the highest level of security assurance for customers whose regulatory or security requirements demand the strongest forms of authentication, such as FIPS-certified devices. It’s also important to understand that the passkey providers’ security model, such as what requirements the provider places for accessing or recovering access to the key vault, are now important considerations in your overall security model when you decide what kinds of MFA to deploy or to use going forward.”
Access management made easier
AWS Identity and Access Management (IAM) Access Analyzer has been updated and can now help organizations locate and delete unused roles, access keys, and passwords, and set, verify, and refine unused permissions.
Malware protection for Amazon S3
Amazon GuardDuty Malware Protection has been expanded to detect malicious file uploads to S3 buckets.
“Your development and security teams can work together to configure and oversee malware protection throughout your organization for select buckets where new uploaded data from untrusted entities is required to be scanned for malware,” says Channy Yun, a Principal Developer Advocate for AWS.
“You can configure post-scan action in GuardDuty, such as object tagging, to inform downstream processing, or consume the scan status information provided through Amazon EventBridge to implement isolation of malicious uploaded objects.”
AI apps governance
AWS Audit Manager’s AI best practice framework has been updated.
“This framework simplifies evidence collection and enables you to continually audit and monitor the compliance posture of your generative AI workloads through 110 standard controls which are pre-configured to implement best practice requirements,” notes Matheus Guimaraes, Senior Developer Advocate, UK/IR at AWS.
“The standard controls (…) are organized under domains named accuracy, fair, privacy, resilience, responsible, safe, secure and sustainable. Controls may perform automated or manual checks or a mix of both.”
Other helpful additions and improvements:
- Simplified analysis of logs stored in AWS CloudTrail Lake via natural language queries that produce SQL queries (still in preview)
- Streamlined integration of network services – firewalls, IDS/IPS, etc. – into the customers’ WAN that connects their data centers, offices, and virtual private clouds.