Yesterday at AWS re:Invent, Amazon Web Services Inc. (AWS), an Amazon.com company (NASDAQ: AMZN), announced three new services and capabilities that make it easier for customers to build and operate securely:
Amazon Detective is a new security service that makes it easy for customers to conduct faster and more efficient investigations into security issues across their workloads (available in preview).
Amazon Detective helps security teams conduct faster and more effective investigations. Once enabled with a few clicks in the AWS Management Console, Amazon Detective automatically begins distilling and organizing data from AWS CloudTrail and Amazon Virtual Private Cloud (VPC) Flow Logs (with support for DNS logs coming soon) into a graph model that summarizes resource behaviors and interactions observed across a customer’s AWS environment. Using machine learning, statistical analysis, and graph theory, Amazon Detective produces tailored visualizations to help customers answer questions like ‘is this an unusual API call?’ or ‘is this spike in traffic from this instance expected?’ without having to organize any data or develop, configure, or tune their own queries and algorithms. Amazon Detective’s visualizations provide the details, context, and guidance to help analysts quickly determine the nature and extent of issues identified by AWS security services like Amazon GuardDuty, Amazon Inspector, Amazon Macie, and AWS Security Hub. Amazon Detective’s graph model and analytics are continuously updated as new telemetry becomes available from a customer’s AWS resources, allowing security teams to spend less time tending to constantly changing data sources. By letting the Amazon Detective service perform the necessary data sifting, security teams can more quickly move on to remediation. To learn more about Amazon Detective, visit https://aws.amazon.com/detective/.
AWS IAM Access Analyzer is a new AWS Identity and Access Management (IAM) capability that makes it simple for security teams and administrators to audit resource policies for unintended access (available today).
AWS IAM Access Analyzer makes it simple for security teams and administrators to validate that their policies provide only the intended access to resources. With one click in the IAM Console, customers can enable AWS IAM Access Analyzer across their account to analyze policies associated with their Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, IAM roles, and AWS Lambda functions. Once enabled, IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy. This means that AWS IAM Access Analyzer can analyze hundreds or even thousands of policies across a customer’s environment in seconds, and deliver detailed findings about resources that are accessible from outside the account. Customers can then review these findings in the IAM console, taking action on any that allow broader-than-intended access. AWS IAM Access Analyzer continuously monitors policies for changes, meaning customers no longer need to rely on intermittent manual checks in order to catch issues as policies are added or updated. AWS IAM Access Analyzer findings are accessible through the IAM, Amazon S3, and AWS Security Hub consoles and APIs, and can be exported as a report for auditing purposes. Using AWS IAM Access Analyzer, customers can proactively address any resource policies that violate their security and governance best practices around resource sharing and protect their resources from unintended access. To get started with AWS IAM Access Analyzer, visit https://aws.amazon.com/iam/features/analyze-access/.
AWS Nitro Enclaves is a new Amazon EC2 capability that makes it easy for customers to process highly sensitive data by partitioning compute and memory resources within an instance to create an isolated compute environment (available in preview early next year).
AWS Nitro Enclaves makes it easy for customers to create a completely isolated compute environment to process highly sensitive data. Each enclave is an isolated virtual machine with its own kernel, memory, and processor. Customers simply select an instance type and decide how much CPU and memory they want to designate to the enclave. There is no persistent storage, no ability to login to the enclave, and no networking connectivity beyond a secure local channel. AWS Nitro Enclaves provides the flexibility to partition varying combinations of CPU cores and memory from the parent instance when creating an enclave, enabling customers to match resources to the size and performance demands of their workloads. Customers can develop enclave applications using the AWS Nitro Enclaves SDK’s set of open-source libraries. The AWS Nitro Enclaves SDK also integrates with AWS Key Management Service (KMS), allowing customers to generate data keys and to decrypt them inside the enclave. AWS Nitro Enclaves supports a wide range of workloads and is available on a range of Nitro-based Amazon EC2 instance types, including M5, C5, R5 and I3en. To learn more about AWS Nitro Enclaves, visit https://aws.amazon.com/ec2/nitro/nitro-enclaves/.