AWS Security Blog

New Security Services Launched at AWS re:Invent 2015—Amazon Inspector, AWS WAF, and AWS Config Rules

Today at re:Invent, AWS announced two new security services and one new feature to help you improve your security posture and protect applications deployed on AWS.

Amazon Inspector is an automated security assessment service that helps minimize the likelihood of introducing security or compliance issues when deploying applications on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed report with prioritized steps for remediation.

To help you get started quickly, Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security compliance standards (such as PCI DSS) and vulnerability definitions. Examples include rules that check whether remote root login is enabled or whether vulnerable software versions are installed. These rules are regularly updated by AWS security researchers.

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over your web applications by letting you define customizable web security rules.

You can use AWS WAF to block common attack patterns, such as SQL injection or cross-site scripting, and create custom rules specific to your applications. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a fully featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

AWS WAF is generally available, and Amazon Inspector is available in preview. AWS also announced preview availability of AWS Config Rules.

AWS Config Rules is a feature of AWS Config: a new set of cloud governance capabilities that allow IT administrators to define guidelines for provisioning and configuring AWS resources and then continuously monitor compliance with those guidelines. AWS Config Rules lets you choose from a set of prebuilt rules based on common AWS best practices or custom rules that you define. For example, you can ensure Amazon EBS volumes are encrypted, Amazon EC2 instances are properly tagged, and Elastic IP addresses (EIPs) are attached to instances. Config Rules can continuously monitor your AWS resources and provides a new dashboard to track compliance status. Using Config Rules, an IT administrator can quickly determine when and how a resource went out of compliance.

These new services and the new feature will make it significantly easier for you to assess your applications’ security, keep track of deviations from best practices, and protect your applications throughout the development lifecycle.

– Paul