Amazon Web Services (AWS) has announced three new services and capabilities that make it easier for customers to build and operate securely. These announcements include:
- Amazon Detective is a new security service that makes it easy for customers to conduct faster and more efficient investigations into security issues across their workloads (available in preview).
- AWS IAM Access Analyzer is a new AWS Identity and Access Management (IAM) capability that makes it simple for security teams and administrators to audit resource policies for unintended access (available today).
- AWS Nitro Enclaves is a new Amazon EC2 capability that makes it easy for customers to process highly sensitive data by partitioning compute and memory resources within an instance to create an isolated compute environment (available in preview early next year).
The new services Amazon Detective, IAM Access Analyzer, and AWS Nitro Enclaves reduce the amount of custom engineering required to meet security and compliance needs, allow security teams to be more efficient and confident when responding to issues, and make it easier for customers to effectively manage access to AWS resources.
Amazon Detective:
Amazon Detective helps security teams conduct faster and more effective investigations. Once enabled with a few clicks in the AWS Management Console, Amazon Detective automatically begins distilling and organizing data from AWS CloudTrail and Amazon Virtual Private Cloud (VPC) Flow Logs (with support for DNS logs coming soon) into a graph model that summarizes resource behaviours and interactions observed across a customer’s AWS environment.
Using machine learning, statistical analysis, and graph theory, Amazon Detective produces tailored visualizations to help customers answer questions like ‘is this an unusual API call?’ or ‘is this spike in traffic from this instance expected?’ without having to organize any data or develop, configure, or tune their own queries and algorithms.
Amazon Detective’s visualizations provide the details, context, and guidance to help analysts quickly determine the nature and extent of issues. Amazon Detective’s graph model and analytics are continuously updated as new telemetry becomes available from a customer’s AWS resources, allowing security teams to spend less time tending to constantly changing data sources. Because the service performs the necessary data sifting, security teams can move on to remediation more quickly.
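To make the two questions above concrete, here is a small added example (not AWS code and not Amazon Detective's own model) that builds a per-principal baseline from constructed CloudTrail-style records, flags API calls or source addresses never seen before for that principal, and checks whether an instance's traffic volume is a spike relative to its own history in constructed VPC Flow Log style counts. All records, principal ARNs and IP addresses below are made up for the example.

```python
"""
Added example (not AWS code): a toy version of the baselining that a graph
model over CloudTrail and VPC Flow Log data makes possible. It builds a
per-principal picture of which API calls and source IPs have been observed,
flags events that fall outside that picture, and tests whether an instance's
traffic volume is a spike relative to its own history.
All records below are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed CloudTrail-style records (only the fields this example uses).
BASELINE_EVENTS = [
    {"principal": "arn:aws:iam::111122223333:user/alice", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10"},
    {"principal": "arn:aws:iam::111122223333:user/alice", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10"},
    {"principal": "arn:aws:iam::111122223333:role/app", "eventName": "GetObject", "sourceIPAddress": "10.0.1.5"},
    {"principal": "arn:aws:iam::111122223333:role/app", "eventName": "PutObject", "sourceIPAddress": "10.0.1.5"},
]

NEW_EVENTS = [
    {"principal": "arn:aws:iam::111122223333:user/alice", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10"},
    {"principal": "arn:aws:iam::111122223333:user/alice", "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7"},
    {"principal": "arn:aws:iam::111122223333:role/app", "eventName": "PutObject", "sourceIPAddress": "10.0.1.5"},
]

# Constructed VPC Flow Log style byte counts per capture interval for one instance.
BASELINE_FLOWS = {"i-0abc": [1200, 1500, 1100, 1300, 1400, 1250]}
NEW_FLOWS = {"i-0abc": 9000}


def build_baseline(events):
    """Graph-like adjacency: principal -> {"apis": set, "ips": set}."""
    graph = defaultdict(lambda: {"apis": set(), "ips": set()})
    for e in events:
        node = graph[e["principal"]]
        node["apis"].add(e["eventName"])
        node["ips"].add(e["sourceIPAddress"])
    return graph


def unusual_api_calls(graph, events):
    """Return events whose (principal, API) or (principal, source IP) edge is new."""
    findings = []
    for e in events:
        node = graph.get(e["principal"])
        reasons = []
        if node is None:
            reasons.append("unknown principal")
        else:
            if e["eventName"] not in node["apis"]:
                reasons.append("first use of API %s" % e["eventName"])
            if e["sourceIPAddress"] not in node["ips"]:
                reasons.append("new source IP %s" % e["sourceIPAddress"])
        if reasons:
            findings.append({"event": e, "reasons": reasons})
    return findings


def traffic_spike(history, current, z_threshold=3.0):
    """True when current volume sits z_threshold standard deviations above the mean.

    A flat history (zero deviation) falls back to a simple 2x check so that a
    constant baseline does not divide by zero.
    """
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return current > 2 * mu
    return (current - mu) / sigma > z_threshold


if __name__ == "__main__":
    graph = build_baseline(BASELINE_EVENTS)
    for f in unusual_api_calls(graph, NEW_EVENTS):
        print(f["event"]["principal"], f["event"]["eventName"], "->", "; ".join(f["reasons"]))
    for instance, volume in NEW_FLOWS.items():
        print(instance, "spike" if traffic_spike(BASELINE_FLOWS[instance], volume) else "normal")
```

Run as-is it reports alice's CreateUser call (a first use of that API, from an IP never seen for her) and a traffic spike for i-0abc. The point a practitioner should take away is that the baseline is keyed per principal and per instance: a PutObject that is routine for one role is still worth a look from another, which is why a graph rather than a global counter is the natural structure.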
AWS IAM Access Analyzer:
In the cloud, the term ‘resources’ is used to refer to building blocks like compute instances and storage buckets, and access to these resources is governed by policies. Resource policies allow customers to granularly control who is able to access a specific resource and how they are able to use it across the entire cloud environment.
AWS IAM Access Analyzer makes it simple for security teams and administrators to validate that their policies provide only the intended access to resources. With one click in the IAM Console, customers can enable AWS IAM Access Analyzer across their account to analyse policies associated with their Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, IAM roles, and AWS Lambda functions.
Once enabled, IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy. It can analyse hundreds or even thousands of policies across a customer’s environment in seconds and deliver detailed findings about resources that are accessible from outside the account. The service also continuously monitors policies for changes, meaning customers no longer need to rely on intermittent manual checks in order to catch issues as policies are added or updated.
Using AWS IAM Access Analyzer, customers can proactively address any resource policies that violate their security and governance best practices around resource sharing and protect their resources from unintended access.
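The following is an added example (not AWS code and not Access Analyzer's own algorithm) of the kind of finding the service produces: a script that reads a resource policy document, such as an S3 bucket policy, and reports each Allow statement whose principal lies outside a set of trusted accounts. Access Analyzer does this with automated reasoning over the full policy language; this script inspects only the Principal and Condition elements and flags conditioned statements as "needs review" rather than deciding them, because a condition such as aws:PrincipalOrgID can narrow a wildcard principal in ways a string check cannot evaluate. The bucket policy, account IDs and organization ID are constructed for the example.

```python
"""
Added example (not AWS code): a simplified external-access check over an IAM
resource policy. It classifies each Allow statement's principals as public,
external, internal or service relative to a set of trusted account IDs.
Statements carrying a Condition are reported with needs_review=True rather
than judged, since conditions can restrict a broad principal.
The sample policy and identifiers below are constructed for the example.
"""
import json
import re

ACCOUNT_ARN_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_entries(principal):
    """Flatten the Principal element into a list of strings.

    Handles the shapes the policy grammar allows: "*", a bare string, and a
    mapping such as {"AWS": [...], "Service": "..."}. Non-AWS keys are kept
    as a prefix so callers can tell service principals apart.
    """
    if isinstance(principal, str):
        return [principal]
    entries = []
    for key, value in principal.items():
        for v in _as_list(value):
            entries.append(v if key == "AWS" else "%s:%s" % (key, v))
    return entries


def classify_principal(entry, trusted_accounts):
    """Return 'public', 'external', 'internal' or 'service' for one principal string."""
    if entry == "*":
        return "public"
    if entry.startswith(("Service:", "Federated:", "CanonicalUser:")):
        return "service"
    if entry.isdigit() and len(entry) == 12:  # bare account ID form
        return "internal" if entry in trusted_accounts else "external"
    m = ACCOUNT_ARN_RE.match(entry)
    if m:
        return "internal" if m.group(1) in trusted_accounts else "external"
    return "external"  # anything unrecognised is treated as outside the trust boundary


def find_external_access(policy_json, trusted_accounts):
    """Return one finding per Allow statement that reaches outside trusted_accounts."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue  # Deny statements and identity-based statements are out of scope here
        for entry in principal_entries(stmt["Principal"]):
            kind = classify_principal(entry, trusted_accounts)
            if kind in ("public", "external"):
                findings.append({
                    "statement": stmt.get("Sid", "statement-%d" % idx),
                    "principal": entry,
                    "access": kind,
                    "actions": _as_list(stmt.get("Action", [])),
                    "needs_review": "Condition" in stmt,
                })
    return findings


# Constructed sample bucket policy covering internal, external, public,
# conditioned-public and service principals.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:root"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
    ],
})

if __name__ == "__main__":
    for f in find_external_access(SAMPLE_BUCKET_POLICY, {"111122223333"}):
        print(f["statement"], f["access"], f["principal"], f["actions"],
              "(needs review)" if f["needs_review"] else "")
```

Against the sample policy the script reports PartnerRead (external account), PublicList (wildcard principal, unconditioned) and OrgOnly (wildcard principal behind a condition, needs review), and stays silent on the internal role and the service principal. The needs_review flag is the honest limit of a string-level check: deciding whether a condition actually closes the access is exactly the question automated reasoning answers.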
AWS Nitro Enclaves:
Companies across a range of data-intensive industries have asked for help further protecting highly sensitive data like personally identifiable information and intellectual property on their compute instances, particularly from internal threats within their own accounts.
AWS Nitro Enclaves makes it easy for customers to create a completely isolated compute environment to process highly sensitive data. Each enclave is an isolated virtual machine with its own kernel, memory, and processor. Customers simply select an instance type and decide how much CPU and memory they want to designate to the enclave. There is no persistent storage, no ability to log in to the enclave, and no networking connectivity beyond a secure local channel.
This service provides the flexibility to partition varying combinations of CPU cores and memory from the parent instance when creating an enclave, enabling customers to match resources to the size and performance demands of their workloads.
Customers can develop enclave applications using the Nitro Enclaves SDK’s set of open-source libraries. The SDK also integrates with AWS Key Management Service (KMS), allowing customers to generate data keys and decrypt them inside the enclave. The service supports a wide range of workloads and is available on a range of Nitro-based Amazon EC2 instance types, including M5, C5, R5 and I3en.
Steve Schmidt, CISO, AWS said “Each of the offerings we introduced today represents a different approach to helping customers be more secure, but they’re all designed to decrease the amount of time security teams spend on tasks like checking configurations, aggregating data, and devising custom solutions to remove needless churn from crucial security processes.
This will help customers move sensitive workloads to the cloud more easily, protect their resources more efficiently, and unburden their security teams to focus on the high-judgement work that makes them indispensable.”