Amazon Web Services (AWS) has expanded its portfolio with three new services and capabilities meant to help organizations build and operate securely in the cloud.
With the new Amazon Detective, customers can increase efficiency when investigating incidents across workloads. Currently available in preview, the service leverages machine learning, statistical analysis, and graph theory.
Once enabled in the AWS Management Console, Amazon Detective taps into data from AWS CloudTrail and Amazon Virtual Private Cloud (VPC) Flow Logs to summarize resource behaviors and interactions across the customer’s AWS environment.
Via tailored visualizations, Amazon Detective aims to provide the details, context, and guidance needed to determine the nature and extent of issues identified by security services such as Amazon GuardDuty, Inspector, Macie, and AWS Security Hub.
AWS also announced the Identity and Access Management (IAM) Access Analyzer, which is designed to help customers audit and understand the policies that protect their resources, so that administrators can easily check whether their policies grant only the intended access.
The new AWS IAM capability, which is immediately available, analyzes policies associated with Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, IAM roles, and AWS Lambda functions to determine all possible access paths. The findings are listed in the IAM console, enabling customers to take action when needed.
The Access Analyzer also monitors policies for changes, and makes findings accessible through the IAM, Amazon S3, and AWS Security Hub consoles and APIs. Furthermore, the data can be exported as a report for auditing purposes.
Access Analyzer for S3 can help organizations ensure that their S3 buckets are not made public by mistake. Publicly accessible S3 buckets have been the cause of many data security incidents in the past years.
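To make the kind of check described above concrete, here is a simplified illustration of reasoning about who a bucket policy lets in. It is an added example written for this page, not Access Analyzer's own logic or any AWS code: it walks the Allow statements of a policy and labels each principal as anonymous ("public"), narrowed by a condition, from a trusted account, or from an outside account. The policies, the account IDs and the role name are constructed sample values.

```python
import json
import re

# Constructed sample policies for illustration (not from the article or from AWS).
# A bucket policy that lets anyone on the internet read objects.
PUBLIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Same intent, corrected: only one role in a known account may read.
ROLE_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReaderRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Wildcard principal narrowed by a condition: not anonymous, but still worth a look.
CONDITIONED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
}

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """Policy fields may be a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*", {"AWS": ...}, {"Service": ...}) to strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def _account_of(principal):
    """Extract the 12-digit account ID from a bare ID or an IAM ARN, else None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = ACCOUNT_IN_ARN.match(principal)
    return match.group(1) if match else None


def classify_principal(principal, has_condition, trusted_accounts):
    """Label a principal relative to the set of accounts we consider our own."""
    if principal == "*":
        return "conditional" if has_condition else "public"
    account = _account_of(principal)
    if account is None:
        return "unknown"  # e.g. a Service or Federated principal: review by hand
    return "trusted" if account in trusted_accounts else "external"


def find_exposures(policy, trusted_accounts):
    """Return one finding per Allow-statement principal that is not a trusted account."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        has_condition = bool(stmt.get("Condition"))
        for principal in _principals(stmt):
            kind = classify_principal(principal, has_condition, trusted_accounts)
            if kind != "trusted":
                findings.append({
                    "sid": stmt.get("Sid", ""),
                    "principal": principal,
                    "kind": kind,
                    "actions": _as_list(stmt.get("Action", [])),
                })
    return findings


if __name__ == "__main__":
    own_accounts = {"111122223333"}
    for name, policy in [("PUBLIC_READ", PUBLIC_READ), ("ROLE_SCOPED", ROLE_SCOPED),
                         ("CONDITIONED", CONDITIONED)]:
        print(name, json.dumps(find_exposures(policy, own_accounts)))
```

Running the script reports the first policy as public, the role-scoped one as clean, and the organization-conditioned one as conditional; a real analyzer must also account for Deny statements, bucket ACLs, account-level public access blocks and other principal forms, which is the work the managed service does for you.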
AWS also launched Nitro Enclaves, a new Amazon EC2 capability that aims to make it easier for customers to protect and process highly sensitive data by partitioning compute and memory resources. Nitro Enclaves is set to become available in preview early next year.
“Each enclave is an isolated virtual machine with its own kernel, memory, and processor. Customers simply select an instance type and decide how much CPU and memory they want to designate to the enclave. There is no persistent storage, no ability to log in to the enclave, and no networking connectivity beyond a secure local channel,” AWS explains.
Customers can also select different combinations of CPU cores and memory when creating an enclave, depending on the size and performance demands of workloads.
Furthermore, the AWS Nitro Enclaves SDK’s set of open-source libraries allows customers to build enclave applications. The SDK integrates with AWS Key Management Service (KMS), so that customers can generate data keys and decrypt them inside the enclave.