AWS provides a number of whitepapers with guidance on best practices for using their service. The AWS Well-Architected Framework - Security Pillar paper was just updated today and the changes will be discussed in this article. The previous release that we'll compare against was released in November 2017.
One of the ways I find out about new updates like this is by following @wellarchitected on Twitter, who tweeted about this update. He also pointed out an updated video about this paper for those that learn better that way: Get Started with Well-Architected Security Best Practices - AWS Online Tech Talks. I used an online PDF diff'ing service (draftable) to compare the changes.
The following are the main updates I noticed:
- Use GuardDuty: GuardDuty was announced in late November 2017, and has now made it into this whitepaper as a recommendation.
- Use Athena: Previously, to search and analyze logs, AWS advised using ElasticSearch, EMR, or Athena. ElasticSearch and EMR are no longer being recommended, as Athena, being a serverless solution, is more effective for many security use cases. If you've never used Athena before, a quick way to get up and running with it on CloudTrail logs and doing something useful is to try out CloudTracker which now supports Athena.
- Use Shield, WAF, and Firewall Manager: Shield (for DDoS protection) was announced in December, 2016, and WAF (for blocking malicious HTTP requests) was announced in October 2015, but Shield only made a minor appearance previously in the paper, and WAF didn't appear at all. The Firewall Manager (for managing WAFs across an an AWS Organization) was only announced in April 2018. Now these services are being recommended to protect network boundaries, along with Security Groups and NACLs.
- Use CloudFormation: The Infrastructure as Code solution CloudFormation was previously mentioned sporadically, but is now being listed as key service for security.
- Removal of Macie: This seems significant, that the machine learning solution for monitoring S3 buckets is no longer mentioned anywhere in the paper! Previously this had been mentioned as key service for Data Classification. This could be because of the prohibitive costs many ran into when using this service.
The changes in the paper were almost entirely just updates for new services or phasing out old services. No strategic or process changes were found.
If you're looking for help with your AWS security, reach out to me!