Amazon Web Services Inc. made some crucial additions to its security portfolio last week at its 2014 re:Invent conference in Las Vegas, including a new encryption key management service.
First, the cloud giant introduced AWS Key Management Service (KMS), which is designed to give users centralized control over their encryption keys for on-premises and cloud-based applications and services. Andy Jassy, senior vice president of AWS, said during his re:Invent keynote that encryption is a crucial component of his company's cloud security strategy.
"If you think about security and you think about companies that care deeply about the privacy and security of their data," Jassy said, "those companies encrypt their data."
Jassy said some AWS customers are comfortable with Amazon managing the encryption keys, while others prefer to manage the keys themselves. KMS addresses challenges for both sides, Jassy said, by giving customers more visibility and control of keys held by Amazon, as well as a more convenient and safe way to store and rotate keys that customers manage themselves. KMS also gives users visibility into any access to those keys through AWS CloudTrail.
"You can encrypt in one click from the AWS management console, or you can choose to do it programmatically through the SDK we provide," Jassy said. "You have a central place to create keys, disable keys, view all of those keys, and set policies on keys."
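The CloudTrail visibility Jassy describes is only useful if someone reads the trail. As an added example, not code from the article or from AWS, the script below scans constructed CloudTrail records for KMS key-lifecycle operations (the API names CloudTrail records: DisableKey, PutKeyPolicy, ScheduleKeyDeletion, DeleteAlias) performed by identities outside an assumed key-administrator list, and for KMS calls the service denied. The account ID, principal ARNs, IP addresses and key ID are placeholders.

```python
import json

# Constructed CloudTrail records (sample data, not a real trail). The field
# layout follows CloudTrail's record format; the account ID, ARNs, IPs and
# key ID are placeholders, not real identifiers.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2014-11-15T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateKey", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/key-admin"}},
    {"eventTime": "2014-11-15T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-backend"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
    {"eventTime": "2014-11-15T11:30:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
    {"eventTime": "2014-11-15T11:31:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2014-11-15T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-backend"}},
]})

# KMS API operations that change whether a key is usable or who may use it.
KEY_LIFECYCLE_EVENTS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "DeleteAlias"}


def audit_kms_events(trail_json, key_admins):
    """Return (eventName, actor ARN, reason) tuples for KMS calls worth review.
    key_admins: set of principal ARNs expected to perform key lifecycle operations.
    """
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # only KMS activity is of interest here
        name = rec["eventName"]
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if rec.get("errorCode"):
            alerts.append((name, actor, "denied: " + rec["errorCode"]))
        elif name in KEY_LIFECYCLE_EVENTS and actor not in key_admins:
            alerts.append((name, actor, "key lifecycle change by non-admin"))
    return alerts


if __name__ == "__main__":
    for alert in audit_kms_events(SAMPLE_TRAIL, {"arn:aws:iam::111122223333:user/key-admin"}):
        print(alert)
```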
KMS is available now. Creating, managing and using keys cost $1 per key version per month. In addition, API requests to the service cost $0.03 per 10,000 requests, with a free tier of 20,000 requests per month.
The cloud provider also announced AWS Config, a new resource dependency and auditing service designed to give users increased visibility into all their AWS resources, configuration history, and configuration change notifications. The data from AWS Config can be used for compliance auditing and security analysis as well as cloud resource tracking. AWS Config builds on the user view provided by CloudTrail, which tracks API calls.
Rich Mogull, CEO and analyst at Securosis, a Phoenix-based security research firm, said AWS Config is a must-have because too many companies lack the proper visibility of what's going on in their cloud infrastructures.
"Config is a core enterprise need," said Mogull. "It's not perfect, but the combination of Config and CloudTrail gives you that insight and visibility into what's going on in your cloud infrastructure, which every company needs."
A preview version of AWS Config is available now; the service costs $0.003 per configuration item recorded.
Lastly, the newly announced AWS Service Catalog tool lets companies create hosted portals that manage their AWS resources. While it's not specifically a security tool, Service Catalog gives enterprises access control to determine which users can deploy those cloud resources, what configurations those resources are deployed in, and which employees have access to the resources.
AWS Service Catalog also generates reporting and auditing data, tracked by CloudTrail, for compliance requirements. Service Catalog is scheduled for release in early 2015.
Like encryption, compliance tools have become a focal point in the AWS security strategy. Jassy said that a couple of years ago, companies frequently cited security and compliance concerns as "blockers" for moving more of their computing workloads and data to the cloud, but that has since changed.
"Another component of what we see as the new normal now, security and compliance are becoming reasons that customers are moving to the cloud, and you see that in lots of different ways," Jassy said.
Mogull said the three announcements -- AWS KMS, Config, and Service Catalog -- show AWS is committed to improving cloud security.
Mogull added, "They know security is table stakes for getting into the enterprise."