AWS launches EC2 Instance Connect Endpoint, Verified Permissions

At its annual re:Inforce security conference, AWS gave customers new ways to securely connect to their EC2 instances.

The cloud provider on Tuesday unveiled EC2 Instance Connect Endpoint (EIC Endpoint), which allows users to connect to their cloud resources without requiring a public IP addresses. The new offering lets customers establish SSH and RDP connections to EC2 instances from, for example, a private subnet.

During the open re:Inforce keynote Tuesday, Becky Weiss, senior principal engineer at AWS, explained how the new offering improves upon EC2 Instance Connect, which was first introduced in 2019 and gave customers the ability to connect to their instances with SSH.

"But until now, that still meant that needed network access to that EC2 instance, either directly via a public IP address or by way of a bastion host that you're responsible for patching, maintaining and securing," Weiss said during the keynote.

EIC Endpoint, she said, eliminates the need for an internet-facing EC2 host and removes additional costs and overhead for bastion hosts. In addition, customers can take advantage of AWS Identity and Access Management controls for those private connections.

"EC2 Instance Connect Endpoint also improves your security posture by relying on [AWS] IAM for strong authentication and authorization for connections before they reach your EC2 instances," Weiss said, adding that connections are logged to AWS CloudTrail and are fully auditable.

Neil MacDonald, a vice president and distinguished analyst at Gartner, said the best way to think of EIC Endpoint is as a managed bastion host-as-a-service.

"In this way, AWS brings a highly available and always-on/always-patched service for customers to connect and administer their EC2 instances. Instead of the customer having to set this jump server up themselves, AWS is delivering this as a cloud service," MacDonald said in an email to TechTarget Editorial. "This is a useful capability, but could be further enhanced with built- in session recording for auditing purposes."

AWS also launched Verified Permissions, a security service first unveiled in late 2022 that provides fine-grained authorization and permissions management for customer-built applications. Weiss said one of the most common topics customers discuss with AWS is building authorization systems for resources within their own applications.

"These systems can take months to build and because they tend to be use case-specific, scaling that effort across a large number of applications is also a bit of a challenge," she said.

Instead of taking on that challenge, Verified Permissions allows customers to create authorization policies and define permissions using Cedar, an open- source language for access control developed by AWS. Weiss said the service is designed to automatically check and enforce permissions.

"This approach is much more secure, scalable and manageable over the long term than having each developer hard code entitlements directly into their application," MacDonald said. "Of course, the limitation is that the applications are deployed into AWS."

Jack Poller, a senior analyst at TechTarget's Enterprise Strategy Group, said Verified Permissions gives customers the ability to decouples and extracts the authorization process and code from their applications, enabling developers to quickly add authorizations to those apps without having to develop additional code.

"The combination of Verified Permissions and Cedar means that developers can focus on ensuring the proper functionality of their applications without having to become specialists in authentication and authorization. Meanwhile, other interested parties -- line- of- business users, security teams and DevSecOps teams -- can define fine-grained policies using a common language across all Amazon apps," Poller said. "And since Cedar is open source, the desire is that it become the lingua- franca for describing fine-grained access policies for every application."

Verified Permissions is available in all commercial AWS regions except those in China.

EIC Endpoint is available at no additional cost in all commercial AWS regions and GovCloud regions in the U.S.

Rob Wright is a longtime technology reporter who lives in the Boston area.