
Migration, Security and Compliance Take Center Stage at AWS Summit NYC, 2017

This week, I joined almost 10,000 of my closest friends at the Javits Center for the annual NYC AWS Summit. Like previous years' summits, this year's event included several product announcements (more below) and some interesting customer stories. In the past, this event was keynoted by Werner Vogels and typically included at least one announcement of a price reduction. This year, in lieu of price drops, AWS released a meaty set of new products and enhancements, many of which are already generally available. Note that AWS typically announces products as public betas first and then makes them generally available several months (or years, ahem EFS) later. Is this trend shifting towards more private betas? It will be interesting to see what happens at re:Invent!

Two clear themes stood out to me at this event: migration (underscored by the Hulu, FICO, and ZocDoc stories) and security. The security enhancements AWS introduced at the summit are very timely, given the disturbing rise in data leaks from unencrypted S3 buckets (for recent examples, see the Verizon and RNC contractor Deep Root Analytics leaks). Obviously, AWS wants to help customers get ahead of these vulnerabilities and flag them before they become headline news.

On to the announcements!


AWS Migration Hub

Over the past few years, AWS has released several disparate migration tools, namely Server Migration Service, Application Discovery Service, and Database Migration Service. Each of these serves a specific purpose in the migration lifecycle, but there was previously no way to visualize a migration end to end in a UI and track progress towards your ultimate goal. Migration Hub does just this. It gives customers a central dashboard to manage their various migration projects and integrates different AWS and third-party tools. You can get a more detailed look at the AWS Migration Hub's capabilities in Jeff Barr's blog, but in essence, the solution lets you group applications by dependency, then track the progress of the migration whether it occurs in AWS Server Migration Service, CloudEndure Live Migration, Racemi DynaCenter, or AWS Database Migration Service. This is a great project management solution for any company undergoing a migration using one of these tools. Note that Migration Hub is immediately generally available and free to use (customers only pay for the AWS resources and services consumed by the Hub).


Amazon Macie

One of the most exciting announcements of the day was the general availability of Amazon Macie. Macie enables customers to automatically discover and classify sensitive information, and detect suspicious access to it, using machine learning. The product uses natural language processing to classify S3 data, then automatically monitors for anomalies in access to that data. Customers can also use Macie to run behavior analytics, visualizing S3 bucket access patterns to look for suspicious activity. Once a problem is detected, Macie alerts security teams so they can remediate it. There have been discussions for several years of infrastructure teams running analytics on their own infrastructure, but this is one of the most compelling use cases I've seen to date. Of course, by using Macie you are giving AWS permission to access the contents of your S3 buckets, something some organizations may not be comfortable with. This product actually stems from Amazon's January 2017 acquisition of the company Harvest.ai, which at the time flew under the radar of most industry watchers given its relatively small price tag of $19 million. Amazon is really proving that it can successfully grow both organically and inorganically. Unlike Migration Hub, Macie is a paid service.


Other Security and Compliance Enhancements: EFS Encryption, CloudTrail and Config Rules

Adrian Cockcroft wrapped up the keynotes with a rapid succession of security-related enhancements to existing products. Specifically, the announcements included:

  • Encrypted EFS at rest. The popular file storage service, Elastic File System, now includes the option to encrypt data at rest. The key can be a built-in key managed by AWS or a key you created yourself using AWS Key Management Service (KMS).
  • Revamp of CloudHSM. AWS CloudHSM, the hardware-based service that lets customers manage keys on FIPS 140-2 Level 3 hardware, got a major overhaul this week. Adrian summarized the updates by saying CloudHSM is now “cloudier.”
  • CloudTrail enabled by default for all customers. CloudTrail is an essential compliance tool that provides an audit trail of all activities and events that take place in an AWS account. Moving forward, CloudTrail is turned on by default for all customers and includes 7 days of event history for free. No longer will you be troubleshooting an issue only to find you have no visibility into what happened because someone forgot to enable CloudTrail.
  • New AWS Config Rules to secure S3 buckets. Saving the best (in my opinion) for last: you can now set up AWS Config to alert you if any bucket has global write access or global read access. This will go a long way toward preventing some of the data leaks I mentioned above. Coincidentally enough, CloudHealth also released a related policy condition this week around AWS Config: a policy that flags any accounts that don't have AWS Config enabled and actively recording in every region. I added a screenshot of this policy below.

[Screenshot: CloudHealth policy condition flagging accounts that do not have AWS Config enabled and recording in every region]
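As an added example (not the post's or AWS's code), the script below reproduces the kind of ACL check the new Config rules perform: any grant to the predefined AllUsers or AuthenticatedUsers groups is classified as global read or global write, and each bucket gets a COMPLIANT or NON_COMPLIANT verdict. The grant shape follows boto3's `get_bucket_acl` output, but the sample ACLs, owner ID and bucket names are constructed so it runs offline; bucket policies are a separate check not covered here.

```python
"""Flag S3 bucket ACLs that grant global read or write, as an AWS Config
style check would. Added example, not the post's or AWS's code; grants use
the shape of boto3 s3.get_bucket_acl() but the ACLs below are constructed."""

# Predefined S3 groups; a grant to either is "global" (any AWS account is the internet).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GLOBAL_GROUPS = {ALL_USERS, AUTH_USERS}
READ_PERMS = {"READ", "FULL_CONTROL"}                 # lists/reads the bucket's objects
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # WRITE_ACP lets anyone rewrite the ACL


def public_exposure(grants):
    """Return which kinds of global access an ACL (list of grant dicts) confers."""
    exposure = {"global_read": False, "global_write": False}
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in GLOBAL_GROUPS:
            continue  # owner, specific accounts and non-global groups are fine
        perm = grant.get("Permission")
        exposure["global_read"] |= perm in READ_PERMS
        exposure["global_write"] |= perm in WRITE_PERMS
    return exposure


def evaluate_buckets(acls):
    """Map bucket name -> COMPLIANT / NON_COMPLIANT, the AWS Config verdict vocabulary."""
    return {
        name: "NON_COMPLIANT" if any(public_exposure(g).values()) else "COMPLIANT"
        for name, g in acls.items()
    }


# Constructed sample ACLs; owner ID and bucket names are placeholders.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_CANONICAL_ID"}
SAMPLE_ACLS = {
    "private-backups": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
    "public-website": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
    "dropbox-misconfig": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for bucket, verdict in evaluate_buckets(SAMPLE_ACLS).items():
        print(bucket, verdict, public_exposure(SAMPLE_ACLS[bucket]))
```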

What did you think?

I’m just scratching the surface here of all the great content covered in the keynotes, and I haven’t even gotten to the breakouts yet! I’m curious: what are your big takeaways from the NYC Summit? What are you looking forward to at re:Invent? Hit me up on Twitter to get the conversation going.