
Amazon Web Services Unveils Improved Cloud Vulnerability Management



Amazon Web Services (AWS) today announced several new features to improve and automate vulnerability management on its platform, in response to changing security requirements in the cloud.

Newly added capabilities to the Amazon Inspector service will address the “critical need to detect and remediate quickly” to secure workloads in the cloud, according to an AWS blog post written by developer advocate Steve Roberts. The announcement came as part of the AWS re:Invent conference, which kicked off today.

In a second security announcement, AWS unveiled a new secret detector feature for its Amazon CodeGuru Reviewer tool, aimed at automatically detecting secrets such as passwords and API keys that were inadvertently committed in source code.

The AWS security updates come as businesses continue their accelerated move to the cloud, even as security teams struggle to keep pace. Gartner estimates that 70% of workloads will run in the public cloud within three years, up from 40% today. But a recent survey of cloud engineering professionals found that 36% of organizations have experienced a cloud security data breach or serious breach in the past 12 months.

Changing cloud security needs

In the Amazon Inspector Updates post, Roberts acknowledged that “vulnerability management for cloud customers has changed significantly” since the service launched in 2015.

Among the new requirements are “the ability for frictionless large-scale deployment, support for an expanded set of resource types requiring evaluation and a critical need to detect and correct quickly,” he wrote in the post.

The key updates for Amazon Inspector announced today include assessment scans that are continuous and automated, replacing manual scans that only occur periodically, as well as automated resource discovery.

“There are tens of thousands of vulnerabilities, with new ones discovered and made public regularly. With this ever-growing threat, manual review can cause customers to be unaware of exposure and therefore potentially vulnerable between reviews,” Roberts wrote in the post.

Enabling the Amazon Inspector update turns on auto-discovery and begins continuous assessment of a customer’s Amazon Elastic Compute Cloud (EC2) and Amazon Elastic Container Registry based container workloads.

More feature updates

AWS also announced a number of other new features for Amazon Inspector, including additional support for container-based workloads, with the ability to assess workloads on EC2 and container infrastructure; integration with AWS Organizations, allowing customers to use Amazon Inspector across all accounts in their organization; removal of the stand-alone Amazon Inspector assessment agent, since assessments are now performed by the AWS Systems Manager agent (so a separate agent no longer needs to be installed); and improved risk scoring and easier identification of the most critical vulnerabilities.

A “highly contextualized” risk score can now be generated by correlating Common Vulnerabilities and Exposures (CVE) metadata with factors such as network accessibility, Roberts said.

Secret Detector

Meanwhile, with Amazon CodeGuru Reviewer’s new Secret Finder feature, AWS addresses the issue of developers accidentally committing secrets to source code or configuration files, including passwords, API keys, SSH keys and access tokens.

“Like many other developers facing a tight deadline, I have often taken shortcuts when managing and consuming secrets in my code, using clear-text environment variables or hard-coded static secrets during local development, and then inadvertently committed them,” wrote Alex Casalboni, Developer Advocate at AWS, in a blog post announcing the CodeGuru Reviewer updates. “Of course, I’ve always regretted it and wish there was an automated way to detect and secure these secrets in all of my repositories.”

The new capability uses machine learning to detect hard-coded secrets during the code review process, “ultimately helping you to ensure that any new code does not contain hard-coded secrets before being merged and deployed,” Casalboni wrote.
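As an added illustration of the kind of pre-merge check described above (example code written for this article, not CodeGuru Reviewer's own implementation, which uses machine learning rather than the regex and entropy heuristics here), the scanner below flags two well-known secret formats and high-entropy values assigned to suspicious variable names in a constructed source snippet.

```python
import math
import re
from typing import List, Tuple

# Two public, documented secret formats: AWS access key IDs (AKIA + 16 upper-case
# alphanumerics) and PEM private-key block headers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Heuristic (an assumption of this example): assignments such as password = "..."
# or api_key: '...' whose quoted value is at least 8 characters long.
ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str]]:
    """Return (line_number, finding_type) for every suspected hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
        match = ASSIGNMENT.search(line)
        # Only random-looking values fire, so placeholders like "changeme" are skipped.
        if match and shannon_entropy(match.group(2)) >= entropy_threshold:
            findings.append((lineno, "high_entropy_" + match.group(1).lower()))
    return findings


# Constructed sample file content; none of these values are real credentials.
SAMPLE = """\
import os
DB_HOST = "db.internal"
password = "Xk9#pQ2vLm7zR4tW"
aws_access_key_id = AKIA0000000000EXAMPL
-----BEGIN RSA PRIVATE KEY-----
token = "changeme"
"""

if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}")
```

A pre-commit hook or CI step would run scan_text over each added hunk and fail the merge when the list is non-empty.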

AWS re:Invent 2021 takes place today through Friday, both in person in Las Vegas and online.
