Amazon Web Services has announced AWS Lambda serverless function support for its automated vulnerability management service, Amazon Inspector, and a new automated sensitive data discovery capability in its machine learning security and privacy service, Amazon Macie.
Both announcements were made during the AWS Re:Invent 2022 conference in Las Vegas this week. They follow other security-focused AWS releases including the launch of Wickr, a new encrypted messaging service for enterprises and Amazon Security Lake, which centralizes an organization’s security data from cloud and on-premises sources into a purpose-built data lake in its AWS account.
Inspector adds vulnerability assessment for serverless workloads
Amazon Inspector scans AWS workloads for software vulnerabilities and unintended network exposure. Its new support for AWS Lambda functions adds continual, automated vulnerability assessments for serverless compute workloads, according to AWS’ announcement. AWS Lambda runs code in response to events and automatically manages the computing resources that the code requires.
“With this expanded capability, Amazon Inspector now automatically discovers all eligible Lambda functions and identifies software vulnerabilities in application package dependencies used in the Lambda function code,” the company said. All functions are initially assessed upon deployment to the Lambda service and continually monitored and reassessed, informed by updates to the function and newly published vulnerabilities, AWS stated.
“When vulnerabilities are identified in the Lambda function or layer, actionable security findings are generated, aggregated in the Amazon Inspector console, and pushed to AWS Security Hub and Amazon EventBridge to automate workflows,” AWS said.
Amazon Inspector also provides a contextualized vulnerability risk score by correlating vulnerability information with environmental factors such as external network accessibility to help prioritize the highest risks to address.
A list of regions where Amazon Inspector is currently is available here, and accounts can scan their environment for vulnerabilities with a free 15-day trial, AWS stated.
Macie sensitive data discovery provides visibility across S3 buckets
New automated sensitive data discovery capabilities in Amazon Macie give users visibility into where sensitive data resides across their Amazon Simple Storage Service (Amazon S3) estate, AWS wrote.
“With this new capability, Macie automatically and intelligently samples and analyzes objects across your S3 buckets, inspecting them for sensitive data such as personally identifiable information (PII), financial data, and AWS credentials,” AWS said. “Macie then builds and continuously maintains an interactive data map of where your sensitive data in S3 resides across all accounts and regions where you’ve enabled Macie, and provides a sensitivity score for each bucket.”
Amazon Macie uses multiple automated techniques including resource clustering by attributes such as bucket name, file types, and prefixes to minimize the data scanning needed to uncover sensitive data in S3 buckets, AWS added.
Macie offers multiaccount support using AWS Organizations with 30 days of automated sensitive data discovery available at no additional charge for existing Macie accounts. For new accounts, automated sensitive data discovery is part of the 30-day Amazon Macie free trial.
AWS releases offer security benefits for businesses
The new AWS releases are likely to deliver notable security benefits for businesses, analysts say. “These announcements target key customer needs when you consider how organizations are trying to balance moving to technologies such as Lambda whilst maintaining proper security controls. The Macie announcement is also interesting as it helps to tackle data sprawl’ around cloud,” said Fernando Montenegro, a senior principal analyst at tech research company Omdia.
The new features will help security teams apply the necessary controls — runtime protection and data security, respectively — to cloud-based workloads, equipping them to tackle securing the cloud initiatives that have become part and parcel of any digital transformation effort, he adds.
The Inspector update is particularly significant with regard to vulnerability management, said Austin Wolf, information security analyst at Code42. “Its usefulness will be organization and environment dependent, but this idea has a lot of potential to shorten the time between vulnerability discovery, investigation, and formulation of a response plan. If the tool can provide truly relevant context to these discoveries, this will be very useful.” It could also offer helpful prioritization for which risks to address first, Wolf added.
As for the new Macie capabilities, Wolf said that having sensitive data checking as a built-in function should help teams get this function off the ground faster, rather than having to build a model. “If this works like they [AWS] say it will, it’ll be a game changer for security teams who are responsible for securing the data contained in these (often sprawling) environments. What excites me most about this announcement are some of the machine learning implications. This could stand to be a force multiplier for security teams trying to understand and manage data risks in AWS environments.”
(This story has been updated to include comments from Austin Wolf.)