Amazon Web Services Adds New Services to Bolster Cloud Security

Ahead of its annual re:invent conference, Amazon announces new security capabilities for its S3 storage service and the AWS PrivateLink for secure private cloud service access.

cloud security

Amazon announced a series of new security features for its cloud platform on Nov. 8, providing users with enhanced capabilities to help protect S3 storage buckets and virtual private cloud (VPC) endpoint connections.

The company is launching the new Amazon Web Services (AWS) security features ahead of its re:invent conference, which runs from Nov. 27 to Dec. 1 in Las Vegas. The security of the AWS Simple Storage Service (S3) has been under intense scrutiny over the course of 2017, with multiple groups of security researchers finding unintentionally exposed data due to various misconfiguration issues.

In total, AWS is adding five new encryption and security features to S3 to help protect cloud storage, including default encryption, permission checks, cross-region replication access control list overwrite, cross-region replication with KMS (Key Management Service) and a detailed inventory report.

"You can now mandate that all objects in a bucket must be stored in encrypted form by installing a bucket encryption configuration," Jeff Barr, chief evangelist for AWS, wrote in a blog post. "If an unencrypted object is presented to S3 and the configuration indicates that encryption must be used, the object will be encrypted using encryption option specified for the bucket."

Without encryption for an S3 storage bucket, if data is leaked, an attacker will have full access to all the unencrypted data. With encryption, even in the event of a data breach or leak, the data will not be immediately usable by an attacker. The new cross-region replication capabilities in S3 mean that the encryption policy will hold, even when data is replicated and distributed across multiple AWS regions.

At the AWS Summit in New York on Aug.14, Amazon first announced a series of AWS Config service enhancements to help improve S3 storage security. The AWS Config rule enhancements enable organizations to more easily block public read and writes to S3 storage instances. AWS is now improving on that capability with the permission checking feature for S3.

"The S3 Console now displays a prominent indicator next to each S3 bucket that is publicly accessible," Barr wrote. "You will know right away if you open up a bucket for public access, allowing you to make changes with confidence."

Going a step further, the new detailed inventory report feature provides users with a listing that details the encryption status of S3 objects.


AWS also announced its PrivateLink for AWS Services offering on Nov. 8, providing a new approach to helping users keep traffic between AWS services and Amazon VPC deployments as secure as possible. The PrivateLink service is an evolution of AWS' VPC Endpoints service, which gives users a way to directly access a logically isolated segment of AWS for private cloud deployments.

"Today we are announcing AWS PrivateLink, the newest generation of VPC Endpoints which is designed for customers to access AWS services in a highly available and scalable manner, while keeping all the traffic within the AWS network," Colm MacCárthaigh, senior engineer for Amazon Virtual Private Cloud, wrote in a blog post

AWS PrivateLink supports Kinesis, Service Catalog, Amazon EC2, EC2 Systems Manager (SSM) and Elastic Load Balancing (ELB) and will support Amazon Cloudwatch and Key Management Service (KMS) in a future update.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.