AWS Discloses New Security Services and Capabilities

Amazon Web Services

Amazon Web Services (AWS) has expanded its portfolio with three new services and capabilities that help businesses build and operate securely in the cloud.

Customers can investigate security incidents across their workloads more efficiently with the new Amazon Detective. The service, currently available in preview, uses machine learning, statistical analysis and graph theory.

Once enabled from the AWS console, Amazon Detective ingests AWS CloudTrail data and Amazon Virtual Private Cloud (VPC) flow logs to review the behavior of, and the interactions between, a customer's AWS resources. Amazon Detective aims to provide the context, background and recommendations needed to determine the nature and scope of findings raised by security services such as Amazon GuardDuty, Amazon Inspector, Amazon Macie and AWS Security Hub, presented through visualizations.

AWS has also introduced IAM Access Analyzer, which is designed to help customers review and understand the policies that protect their resources, making it easy for administrators to verify that those policies grant only the intended access.

The new IAM feature analyzes the resource policies attached to Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, IAM roles and AWS Lambda functions in order to identify every path by which a resource can be accessed. Findings are reported in the IAM console, where customers can act on them as appropriate.

Access Analyzer also monitors policy changes and makes its findings available from the consoles and APIs of IAM, Amazon S3 and AWS Security Hub. The findings can also be exported as an audit report.

Access Analyzer for S3 helps businesses ensure that they do not misconfigure their S3 buckets. In recent years, publicly accessible S3 buckets have caused numerous data security incidents.
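What an access-path analysis of a resource policy looks like in miniature, as an added example that is not AWS's own code and not Access Analyzer's actual logic: a small Python analyzer walks each Allow statement of a bucket policy, resolves the principals it grants access to, and flags the ones that are public or belong to another account. The account ids, bucket name, role names and organization id are constructed placeholders; a leaky policy with a public-read statement is shown beside a hardened version of the same policy.

```python
# Added example (not AWS code): a toy resource-policy analyzer in the spirit of
# what IAM Access Analyzer does for S3, KMS, SQS, IAM roles and Lambda.
# It walks each Allow statement, resolves the principals it grants to, and
# reports those that are public or lie outside the owning account.
import json

# Constructed/hypothetical account ids used throughout this example.
OWN_ACCOUNT = "111111111111"
PARTNER_ACCOUNT = "222222222222"


def _as_list(value):
    """Policy grammar lets most fields be a scalar or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Return the IAM ('AWS') principals a statement names, '*' meaning anyone.

    Service and Federated principals are not account identities, so this toy
    skips them; a fuller analyzer would treat Federated principals as external.
    """
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _account_of(principal):
    """Extract the 12-digit account id from an ARN or a bare account principal."""
    if principal.startswith("arn:aws:"):
        return principal.split(":")[4]
    if len(principal) == 12 and principal.isdigit():
        return principal
    return None  # '*' and anything unrecognised


def analyze_policy(policy, own_account=OWN_ACCOUNT):
    """Report every Allow grant to a public or cross-account principal.

    Accepts a policy as a JSON string or an already-parsed dict and returns a
    list of finding dicts. Deny statements and NotPrincipal are out of scope;
    a Condition on the statement is surfaced for review but not evaluated.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt):
            account = _account_of(principal)
            if principal == "*":
                kind = "public"
            elif account is not None and account != own_account:
                kind = "cross-account"
            else:
                continue  # same-account grant: not an external access path
            findings.append({
                "sid": stmt.get("Sid"),
                "kind": kind,
                "principal": principal,
                "principal_account": account,
                "actions": _as_list(stmt.get("Action")),
                "conditioned": bool(stmt.get("Condition")),
            })
    return findings


# Constructed bucket policy: a public-read statement (the classic leaky bucket),
# an unconditioned cross-account partner grant, and an in-account admin grant.
LEAKY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerUpload", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:role/uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
        {"Sid": "InternalAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:role/admin"},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
}
LEAKY_BUCKET_POLICY_JSON = json.dumps(LEAKY_BUCKET_POLICY)

# Hardened version: public read removed, the partner grant scoped with a
# Condition (constructed org id) and a Deny for non-TLS access added.
HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerUpload", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:role/uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/uploads/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        LEAKY_BUCKET_POLICY["Statement"][2],
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("leaky", LEAKY_BUCKET_POLICY), ("hardened", HARDENED_BUCKET_POLICY)):
        for f in analyze_policy(policy):
            flag = " (has Condition)" if f["conditioned"] else ""
            print(f"{name}: {f['sid']}: {f['kind']} grant to {f['principal']} for {f['actions']}{flag}")
```

Run stand-alone, the leaky policy yields two findings (public read, cross-account upload) and the hardened one yields a single cross-account finding whose Condition a reviewer can then confirm is the intended organization restriction.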

AWS has also launched Nitro Enclaves, a new Amazon EC2 capability that helps customers protect and process highly sensitive data by partitioning off CPU and memory resources. Nitro Enclaves will be available in preview early next year.

“Each enclave has its own kernel, memory and processor, like an independent virtual machine. Customers simply select the instance type and decide how much CPU and memory they want to use. There is no continuous processing, no ability to connect to the enclave and no network connectivity beyond a protected local channel.”

When building an enclave, customers can choose from different combinations of CPU cores and memory to match their workload size and performance needs.

In addition, the open-source AWS Nitro Enclaves SDK libraries enable customers to build enclave applications. The SDK integrates with the AWS Key Management Service (KMS), which allows customers to generate and decrypt data keys inside the enclave.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.