AWS Summit NY 2018. Photo Credit: Logicworks
AWS has shipped over a thousand major service updates in 2018 and launched nearly a dozen new services. (And it’s only July.)
As services are announced, the team at Logicworks immediately starts trying out new features and discussing them with clients. Here are the services that our AWS Certified Engineers are talking about from the last quarter:
AWS Landing Zone
AWS Landing Zone is a service that automates the setup of a multi-account AWS environment by helping you implement an initial security baseline across AWS IAM, data security, network design, and more.
Logicworks was able to beta test the product before general release, and our engineers are very excited about the potential of the service for larger customers.
One of the key features of AWS Landing Zone is that it sets up a Shared Services master account — a kind of “hub” account that serves as the destination for all of your logs, backups, and other items you don’t want people to have broad access to. The benefit of this master/child account setup is that the hub master account can force a set of policies or AWS CloudFormation templates to be applied to every child account. So if the master account enforces a policy that denies a privilege in a child account, there is nothing even a super administrator of that child account can do to re-enable it. This limits the blast radius of certain activities and is a key part of the security (and cost management) strategy of any company with multiple accounts. It is a compelling benefit for companies with many different IT roles that want to limit cross-account access.
“Previously, the highest conceptual object in AWS was the account,” says Phil Christensen, Sr. Solutions Architect at Logicworks. “Now with AWS Organizations, we have a new object in the taxonomy that contains accounts, and can be associated with a master account. AWS Landing Zone makes setting up a secure multi-account strategy much simpler, and we’re already suggesting it to larger enterprises.”
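To make the master/child point concrete, here is an added example (not Logicworks code and not an AWS library) that models how a deny policy pushed down from the master account constrains an administrator in a child account. The two policy documents are constructed samples, and the evaluator implements only the action-level part of the documented evaluation logic: an explicit Deny anywhere wins, otherwise both the organization policy and the identity policy must Allow. Resources, conditions and permission boundaries are deliberately left out.

```python
"""Model of a master-account policy overriding a child-account administrator.

Added example; the policies are constructed and the evaluator is a simplified,
action-only version of AWS's documented logic (Deny wins, then both must Allow).
"""
from fnmatch import fnmatchcase

# Constructed organization-level policy: keep the default "allow everything"
# but forbid tampering with the audit trail that ships to the hub account.
PROTECT_AUDIT_TRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
            ],
            "Resource": "*",
        },
    ],
}

# Constructed identity policy: the child account's "super administrator".
CHILD_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _actions(statement):
    """Normalise the Action field, which may be a string or a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _matches(policy, action, effect):
    """True if any statement with the given Effect names `action` (wildcards allowed)."""
    return any(
        fnmatchcase(action.lower(), pattern.lower())
        for stmt in policy["Statement"]
        if stmt["Effect"] == effect
        for pattern in _actions(stmt)
    )


def is_allowed(action, scp, identity_policy):
    """Action-level evaluation: a Deny in either policy wins, then both must Allow."""
    if _matches(scp, action, "Deny") or _matches(identity_policy, action, "Deny"):
        return False
    return _matches(scp, action, "Allow") and _matches(identity_policy, action, "Allow")


def effective_permissions(actions, scp, identity_policy):
    """Map each requested action to its outcome, handy for an access review."""
    return {a: is_allowed(a, scp, identity_policy) for a in actions}


if __name__ == "__main__":
    report = effective_permissions(
        ["s3:GetObject", "iam:CreateUser", "cloudtrail:StopLogging"],
        PROTECT_AUDIT_TRAIL_SCP,
        CHILD_ADMIN_POLICY,
    )
    for action, ok in report.items():
        print(f"{action:28} {'ALLOW' if ok else 'DENY'}")
```

The child administrator's `"Action": "*"` grants everything the master account has not denied, which is exactly the blast-radius property described above: adding a broader Allow in the child account cannot reverse a Deny that lives in the master account.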
AWS Data Lifecycle Manager for EBS Snapshots
AWS Data Lifecycle Manager for EBS Snapshots allows you to define how often to create snapshots and when to delete old snapshots, all at no additional cost to you.
In order to create and manage backups for EBS volumes, we currently use a custom script. That’s why we’re excited about DLM for EBS Snapshots, which is a simpler way to accomplish this. We plan to incorporate DLM for EBS Snapshots into the backup procedures of all our clients in the near future.
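As an added example (not Logicworks' backup script and not AWS code), here is what "how often to create snapshots and when to delete old ones" looks like as a DLM lifecycle policy, together with the retention rule worked through by hand. The policy document follows the PolicyDetails shape accepted by the DLM CreateLifecyclePolicy API (daily snapshots at 03:00 UTC of volumes tagged Backup=true, keep the last seven); the tag key and value, the schedule name and the sample snapshot list are constructed, and `apply_retain_count` assumes that a Count-based RetainRule retires the oldest snapshots beyond the count.

```python
"""DLM lifecycle policy for EBS snapshots plus a hand-worked retention rule.

Added example; the tag, schedule name and snapshot list are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# PolicyDetails as passed to the CreateLifecyclePolicy API / CLI.
POLICY_DETAILS = {
    "ResourceTypes": ["VOLUME"],
    "TargetTags": [{"Key": "Backup", "Value": "true"}],   # constructed tag
    "Schedules": [
        {
            "Name": "DailySnapshots",                      # constructed name
            "CopyTags": True,
            "TagsToAdd": [{"Key": "CreatedBy", "Value": "DLM"}],
            "CreateRule": {"Interval": 24, "IntervalUnit": "HOURS", "Times": ["03:00"]},
            "RetainRule": {"Count": 7},
        }
    ],
}


def policy_json():
    """Serialise the policy the way it would be handed to the API or CLI."""
    return json.dumps(POLICY_DETAILS, indent=2)


def retain_count():
    """The Count of the single schedule's RetainRule."""
    return POLICY_DETAILS["Schedules"][0]["RetainRule"]["Count"]


def apply_retain_count(snapshots, count):
    """Split snapshots into (keep, surplus) the way a Count-based RetainRule does.

    `snapshots` is a list of dicts with 'SnapshotId' and an aware 'StartTime'.
    Newest first; everything past position `count` is surplus (assumption:
    the oldest snapshots are the ones retired).
    """
    ordered = sorted(snapshots, key=lambda s: s["StartTime"], reverse=True)
    return ordered[:count], ordered[count:]


def build_sample_snapshots(days, now=None):
    """Constructed sample: one snapshot per day, index 0 oldest, last index newest."""
    now = now or datetime(2018, 7, 20, 3, 0, tzinfo=timezone.utc)
    return [
        {"SnapshotId": f"snap-{i:08x}", "StartTime": now - timedelta(days=days - 1 - i)}
        for i in range(days)
    ]


if __name__ == "__main__":
    print(policy_json())
    keep, surplus = apply_retain_count(build_sample_snapshots(10), retain_count())
    print("keep:   ", [s["SnapshotId"] for s in keep])
    print("retire: ", [s["SnapshotId"] for s in surplus])
```

One caveat when switching over from a script: DLM applies its retention only to snapshots it created itself, so snapshots the existing custom script already produced still have to be retired separately.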
AWS Firewall Manager
AWS Firewall Manager is another service that makes it easy for larger organizations managing large pools of resources to apply security best practices automatically. The service ensures that any newly created Application Load Balancer or CloudFront distribution within an account receives the same rules, and that global policies are maintained across multiple accounts. For example, you could ensure that a set of IP addresses is automatically blocked across all accounts in your AWS Organization.
“AWS Firewall Manager continues AWS’s evolution of promoting a multi-account strategy with centralized logging and security as best practice,” says Dan Rosenbloom, Director of Product Engineering at Logicworks.
We expect to see more services that facilitate the creation and management of cross-account resources as AWS aims to appeal to large, highly distributed organizations.
New AWS Security Certification
In April, AWS announced a new Specialty certification in Security. The test was designed for “experienced cloud security professionals” and covers incident response, IAM, encryption, logging and monitoring, according to AWS’s announcement.
Cloud security is a core competency of the Logicworks team, so our engineers were eager to take the exam. If you’re looking for a good prep course, we recommend A Cloud Guru.
“Anyone who did well on the security section of the Professional Solutions Architect certification would probably do well on the Security certification,” says Phil Christensen of Logicworks, who passed the exam recently. “Focus on access management and encryption when you study.”
AWS Secrets Manager
AWS Secrets Manager is a new service that allows you to rotate keys safely and grant fine-grained access to secrets. Users and applications retrieve secrets by calling the Secrets Manager API, which means you don’t have to hardcode sensitive information in plain text.
Many of Logicworks’ customers must meet compliance regulations like HIPAA, HITRUST, and PCI, which require that you rotate secrets, so this is a great service for those clients. We usually manage secrets with SSM Parameters, and our engineering team is divided about switching over to AWS Secrets Manager; several engineers feel SSM Parameters are better, while Thomas Rectenwald, a Sr. DevOps Engineer at Logicworks, prefers AWS Secrets Manager.
“AWS Secrets Manager provides a more robust alternative to using SSM Parameters for storing sensitive data,” says Rectenwald. “Using secrets, we can easily apply key rotation to RDS credentials (MySQL, PostgreSQL & Aurora). For other types, it supports Lambda integration for rotation. This is an auditor’s dream!”
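Retrieving a credential through the API instead of hardcoding it raises one practical question that the rotation feature makes unavoidable: what happens to a process that fetched the secret before it was rotated. The following added example (not Logicworks or AWS code) shows the retrieval pattern with a short-lived cache and a refresh-on-auth-failure step. The caller passes in any object with a `get_secret_value(SecretId=...)` method; in production that is `boto3.client("secretsmanager")`, while here a constructed in-memory stand-in (`FakeSecretsManager`) plays the service so the example runs offline. The secret name and the field layout (username, password, engine, host, port, dbname) are assumptions modelled on what RDS rotation maintains; check your own secret's layout.

```python
"""Fetch a database credential from Secrets Manager and survive rotation.

Added example; FakeSecretsManager, the secret name and the sample secret are
constructed stand-ins, and the JSON field layout is an assumption.
"""
import json
import time


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client (offline only)."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)  # name -> dict of fields
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(self._secrets[SecretId])}

    def rotate(self, name, new_password):
        """Simulate the rotation Lambda replacing the password."""
        self._secrets[name] = {**self._secrets[name], "password": new_password}


class SecretCache:
    """Short-TTL cache so a rotated secret is picked up without a restart.

    A process that reads the secret once at startup keeps presenting the old
    password after rotation; a bounded TTL plus refresh-on-auth-failure avoids that.
    """

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # name -> (expires_at, fields)

    def get(self, name, force_refresh=False):
        now = self._clock()
        cached = self._entries.get(name)
        if cached and not force_refresh and cached[0] > now:
            return cached[1]
        fields = json.loads(self._client.get_secret_value(SecretId=name)["SecretString"])
        self._entries[name] = (now + self._ttl, fields)
        return fields


def connect_with_retry(cache, secret_name, try_connect):
    """Connect with the cached credential; on an auth failure fetch a fresh copy once.

    `try_connect(fields)` returns True on success and False on an authentication
    failure (what a real driver's exception handling reduces to).
    """
    fields = cache.get(secret_name)
    if try_connect(fields):
        return fields
    fields = cache.get(secret_name, force_refresh=True)
    if try_connect(fields):
        return fields
    raise RuntimeError(f"authentication failed for {secret_name} even after refresh")


# Constructed sample secret, laid out like the JSON RDS rotation maintains (assumption).
SAMPLE_SECRET = {
    "username": "app_user", "password": "initial-pw", "engine": "mysql",
    "host": "db.example.internal", "port": 3306, "dbname": "orders",
}


def demo():
    """Fetch, let rotation happen behind our back, recover on the next auth failure."""
    svc = FakeSecretsManager({"prod/orders/db": SAMPLE_SECRET})
    cache = SecretCache(svc, ttl_seconds=300)
    live_password = ["initial-pw"]  # what the (simulated) database currently accepts

    def try_connect(fields):
        return fields["password"] == live_password[0]

    first = connect_with_retry(cache, "prod/orders/db", try_connect)
    svc.rotate("prod/orders/db", "rotated-pw")
    live_password[0] = "rotated-pw"
    second = connect_with_retry(cache, "prod/orders/db", try_connect)
    return first["password"], second["password"], svc.calls


if __name__ == "__main__":
    print(demo())
```

The second connection attempt fails with the cached `initial-pw`, forces one refresh, and succeeds with `rotated-pw`, so the service was called only twice in total. The same shape works for SSM Parameter Store, which is why the choice between the two comes down to rotation and auditing rather than to how the application reads the value.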