Amazon Web Services (AWS), an Amazon.com company, announced three new services and capabilities that make it easier for customers to build and operate securely:
- Amazon Detective is a new security service that makes it easy for customers to conduct faster and more efficient investigations into security issues across their workloads (available in preview).
- AWS IAM Access Analyzer is a new AWS Identity and Access Management (IAM) capability that makes it simple for security teams and administrators to audit resource policies for unintended access.
- AWS Nitro Enclaves is a new Amazon EC2 capability that makes it easy for customers to process highly sensitive data by partitioning compute and memory resources within an instance to create an isolated compute environment (available in preview early next year).
AWS is architected to be the world’s most secure and flexible cloud computing environment. Many of today’s most security-minded organizations trust AWS with their sensitive workloads, which in turn means that all AWS customers benefit from rapidly evolving infrastructure and services designed to meet the most exacting standards for security and compliance.
AWS has taken away much of the undifferentiated heavy lifting associated with enterprise computing, and customers have asked for similar efficiencies in how they go about building and operating securely in the cloud.
AWS has continuously introduced new capabilities that help customers achieve greater security, including services like Amazon GuardDuty (which continuously monitors for threats to a customer’s accounts and workloads), Amazon Inspector (which assesses application hosts for vulnerabilities and deviations from best practices), Amazon Macie (which uses machine learning to discover, classify, and protect sensitive data), and AWS Security Hub (a unified security and compliance center).
AWS has also delivered a slew of native features like Amazon S3 Block Public Access that help customers use core services more securely, and technological innovations like the AWS Nitro System that enhance the inherent security of customer instances by moving virtualization and security functions to dedicated hardware and software.
Amazon Detective, IAM Access Analyzer, and AWS Nitro Enclaves reduce the amount of custom engineering required to meet security and compliance needs, allow security teams to be more efficient and confident when responding to issues, and make it easier for customers to effectively manage access to AWS resources.
Amazon Detective makes security investigations faster and easier
When customers face a security issue like compromised user credentials or unauthorized access to a resource, security teams must conduct an investigation to understand the cause, assess the impact, and determine remediation steps.
Before an investigation can even begin, customers must first collect and combine terabytes of potentially relevant data from network, application, and security monitoring systems and make it available in a way that allows their security analysts to infer related anomalies.
In order to explore the data, analysts rely on data scientists and engineers to turn seemingly simple questions like ‘is this normal?’ into mathematical models and queries that can help produce answers. Customers then typically build custom dashboards that analysts use to validate, compare, and correlate the data to reach their conclusions.
Security teams must continually re-establish baselines of normal behavior, understand new patterns of activity, and revisit application configurations as resources, accounts, and applications are added or updated in an environment. These complex and time-consuming tasks impede security teams’ ability to quickly investigate and respond to security issues.
Amazon Detective helps security teams conduct faster and more effective investigations. Once enabled with a few clicks in the AWS Management Console, Amazon Detective automatically begins distilling and organizing data from AWS CloudTrail and Amazon Virtual Private Cloud (VPC) Flow Logs (with support for DNS logs coming soon) into a graph model that summarizes resource behaviors and interactions observed across a customer’s AWS environment.
Using machine learning, statistical analysis, and graph theory, Amazon Detective produces tailored visualizations to help customers answer questions like ‘is this an unusual API call?’ or ‘is this spike in traffic from this instance expected?’ without having to organize any data or develop, configure, or tune their own queries and algorithms.
Amazon Detective’s visualizations provide the details, context, and guidance to help analysts quickly determine the nature and extent of issues identified by AWS security services like Amazon GuardDuty, Amazon Inspector, Amazon Macie, and AWS Security Hub.
Amazon Detective’s graph model and analytics are continuously updated as new telemetry becomes available from a customer’s AWS resources, allowing security teams to spend less time tending to constantly changing data sources. By letting the Amazon Detective service perform the necessary data sifting, security teams can more quickly move on to remediation.
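The passage above describes Amazon Detective building a behaviour graph from CloudTrail so analysts can ask "is this an unusual API call?". The following is an added illustration of that idea, not Amazon Detective's own code or model: it builds a minimal per-principal baseline (which APIs each principal has called, and from which source addresses) from constructed CloudTrail-style records, then flags new events that deviate from it. The records, ARNs and addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed CloudTrail-style records trimmed to the fields used here (not real events).
BASELINE = [
    {"userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-reader"},
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "10.0.1.15"},
    {"userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-reader"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListObjects", "sourceIPAddress": "10.0.1.15"},
    {"userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "sourceIPAddress": "10.0.2.7"},
]
NEW_EVENTS = [
    {"userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-reader"},
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "10.0.1.15"},
    {"userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-reader"},
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.9"},
]


def build_behaviour_graph(events):
    """Edges observed per principal: the API calls it made and the source addresses it used."""
    graph = defaultdict(lambda: {"apis": set(), "sources": set()})
    for e in events:
        node = graph[e["userIdentity"]["arn"]]
        node["apis"].add((e["eventSource"], e["eventName"]))
        node["sources"].add(e["sourceIPAddress"])
    return graph


def unusual(graph, event):
    """Return the reasons an event deviates from its principal's baseline ([] if none)."""
    arn = event["userIdentity"]["arn"]
    if arn not in graph:
        return ["principal never seen before"]
    node = graph[arn]
    reasons = []
    if (event["eventSource"], event["eventName"]) not in node["apis"]:
        reasons.append(f"first {event['eventName']} on {event['eventSource']} by this principal")
    if event["sourceIPAddress"] not in node["sources"]:
        reasons.append(f"new source address {event['sourceIPAddress']}")
    return reasons


def triage(baseline, new_events):
    """Build the baseline graph and return (eventName, reasons) for every deviating new event."""
    graph = build_behaviour_graph(baseline)
    flagged = [(e["eventName"], unusual(graph, e)) for e in new_events]
    return [f for f in flagged if f[1]]
```

A baseline built from a handful of records will flag almost everything; in practice the baseline window must be long enough to capture a principal's normal activity before deviations are meaningful.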
AWS IAM Access Analyzer makes it easier for customers to audit resource policies
In the cloud, the term ‘resources’ is used to refer to building blocks like compute instances and storage buckets, and access to these resources is governed by policies. Resource policies allow customers to granularly control who is able to access a specific resource and how they are able to use it across the entire cloud environment.
In order to protect against unintended access, customers have traditionally performed periodic audits in which they analyze a subset of their policies to confirm that they are configured correctly and operating as intended.
These manual audits are time consuming, costly, and prone to human error, while also making it difficult for customers to track all the policy changes being made within their constantly evolving environments.
AWS offers a range of preventative controls, such as Amazon S3 Block Public Access, which help protect against risks to specific resource types that could stem from policy misconfiguration.
However, customers also wanted more centralized visibility across their different resource policies in order to more easily determine whether any have been misconfigured to allow unintended public or cross-account access.
AWS IAM Access Analyzer makes it simple for security teams and administrators to validate that their policies provide only the intended access to resources.
With one click in the IAM Console, customers can enable AWS IAM Access Analyzer across their account to analyze policies associated with their Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, IAM roles, and AWS Lambda functions.
Once enabled, IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy.
This means that AWS IAM Access Analyzer can analyze hundreds or even thousands of policies across a customer’s environment in seconds, and deliver detailed findings about resources that are accessible from outside the account. Customers can then review these findings in the IAM console, taking action on any that allow broader-than-intended access.
AWS IAM Access Analyzer continuously monitors policies for changes, meaning customers no longer need to rely on intermittent manual checks in order to catch issues as policies are added or updated.
AWS IAM Access Analyzer findings are accessible through the IAM, Amazon S3, and AWS Security Hub consoles and APIs, and can be exported as a report for auditing purposes.
Using AWS IAM Access Analyzer, customers can proactively address any resource policies that violate their security and governance best practices around resource sharing and protect their resources from unintended access.
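To make concrete what a finding about "resources accessible from outside the account" looks like, here is an added, deliberately simplified checker that is not IAM Access Analyzer's own automated-reasoning engine: it walks the Allow statements of a constructed S3 bucket policy and reports any principal that is public (`*`) or belongs to another account, noting whether a Condition narrows the grant. It examines only the Principal element and does not evaluate Conditions; the policy, bucket name and account ids are constructed sample values.

```python
import json
import re

# Constructed sample S3 bucket policy (not a real policy); the bucket owner is 111111111111.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerList", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def aws_principals(statement):
    """Flatten the Principal element into a list of strings: '*', IAM ARNs, or bare account ids."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    value = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [value] if isinstance(value, str) else list(value)


def find_external_access(policy_json, owner_account):
    """One finding per Allow statement whose principal is public or from another account.
    Simplified: only Principal is examined; a Condition is reported but not evaluated."""
    findings = []
    for statement in json.loads(policy_json)["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        for principal in aws_principals(statement):
            match = ACCOUNT_IN_ARN.match(principal)
            account = match.group(1) if match else principal  # bare 12-digit account id form
            if principal == "*":
                access = "public"
            elif account != owner_account:
                access = f"cross-account:{account}"
            else:
                continue  # same-account principal: intended access, not reported
            findings.append({"sid": statement.get("Sid"), "access": access,
                             "actions": statement["Action"],
                             "conditional": "Condition" in statement})
    return findings
```

Because the checker ignores Conditions, a grant scoped to an organisation (as in `PartnerList`) is still reported; the `conditional` flag tells the reviewer to read the statement rather than assume it is open.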
AWS Nitro Enclaves: Easier protection and processing of highly sensitive data
Many customers in healthcare, financial services, energy, media and entertainment, and other data-intensive industries have asked for help further protecting highly sensitive data like personally identifiable information and intellectual property on their compute instances, particularly from internal threats within their own accounts.
Today, customers can protect their data using encryption while it is at rest and in transit, but encryption does not address the risk of insider access to sensitive data as it is being processed by an application (such as patient data that must be served to a healthcare dashboard for treatment decisions).
One approach would be to remove much of the functionality that an instance provides for general-purpose computing (e.g. networking, the ability to log into an instance, the capability to store and retrieve data, etc.), but doing so would render the entire instance unusable.
Customers sometimes create an entirely separate cluster of instances for processing sensitive data, protected by complicated permissions, highly restrictive networking, and other isolations.
However, these complex permissions, systems, and policies can break down through simple human error, and managing them can be an operational burden, an organizational bottleneck, and costly.
AWS Nitro Enclaves makes it easy for customers to create a completely isolated compute environment to process highly sensitive data. Each enclave is an isolated virtual machine with its own kernel, memory, and processor.
Customers simply select an instance type and decide how much CPU and memory they want to designate to the enclave. There is no persistent storage, no ability to log in to the enclave, and no networking connectivity beyond a secure local channel.
AWS Nitro Enclaves provides the flexibility to partition varying combinations of CPU cores and memory from the parent instance when creating an enclave, enabling customers to match resources to the size and performance demands of their workloads.
Customers can develop enclave applications using the AWS Nitro Enclaves SDK’s set of open-source libraries. The AWS Nitro Enclaves SDK also integrates with AWS Key Management Service (KMS), allowing customers to generate data keys and to decrypt them inside the enclave.
AWS Nitro Enclaves supports a wide range of workloads and is available on a range of Nitro-based Amazon EC2 instance types, including M5, C5, R5 and I3en.
“Security leaders often tell us that one of the things that excites them most about the cloud is the potential to drastically reduce the amount of time and resources their teams dedicate to chores that aren’t central to the goal of building and operating a secure environment,” said Steve Schmidt, CISO, AWS.
“Each of the offerings we introduced today represents a different approach to helping customers be more secure, but they’re all designed to decrease the amount of time security teams spend on tasks like checking configurations, aggregating data, and devising custom solutions to remove needless churn from crucial security processes.
“This will help customers move sensitive workloads to the cloud more easily, protect their resources more efficiently, and unburden their security teams to focus on the high-judgement work that makes them indispensable.”
Zillow is a leading real estate and rental marketplace dedicated to empowering consumers with data, inspiration, and knowledge around the place they call home, and connecting them with the best local professionals who can help.
“Zillow relies on AWS for serving its website and running key business applications such as our Zestimate home-valuation tool,” said Jason Popp, Principal Cloud Security Engineer at Zillow.
“Protecting our customers’ and partners’ personal and financial data is extremely important to us. Amazon Detective gives our information security team immediate insight into potential issues. This allows our team to efficiently protect our expansive information technology infrastructure.”
Zalando is Europe’s leading online fashion platform that delivers to customers in 17 countries. “Data protection and ensuring that our employees, customers, and partners have trust in us is a top priority,” said Tobias Sarnowski, Principal Security Architect, Zalando.
“We go to great lengths to protect this data, not just at rest or in transit, but also while it is being processed. Today achieving this level of application and data isolation requires a number of policy and access configurations, and maintaining these configurations with regular audits, alarming, and other measures requires considerable time and resources to manage.
“We are excited that with Nitro Enclaves, we will be able to easily and confidently ensure the security and isolation posture of this data without all of the additional legwork.”