These three new features and products from AWS’ Security, Identity, and Compliance product line unveiled at re:Invent 2019 didn’t make a splash, but they’re actually exciting.
re:Invent managed to be bigger than last year in terms of the number of attendees (60,000 vs. 50,000) and sponsors (400 vs. 200), and product announcements. A lot of pixels were created in the past week to cover (and re-cover) ground on AWS keynotes and major product announcements (a quick Google search will show you what you need to know), so we’re going to focus instead on these three new features and products:
IAM Access Analyzer: Continuously Monitor Access to Your Environment (and Finally Figure Out Who’s Actually on First)
We’re actually excited about this new feature. IAM Access Analyzer gives granular control and visibility of policies to admins and security teams, i.e., you can now control who has access to specific resources and see how those users are able to use them across your entire AWS environment.
One of the immediate benefits of IAM Access Analyzer is that it continuously monitors for new or updated policies, and analyzes the permissions those policies grant on your IAM roles, S3 buckets, Lambda functions, KMS keys, and SQS queues. You’ll get detailed findings through S3, IAM, and Security Hub and their APIs that show who has public or cross-account access to your AWS resources from outside your account. And as if you needed a cherry on top of this security sundae, the findings can be exported as a report for any and all of your audits.
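To make concrete what "public or cross-account access" means in a finding, here is an added example (not AWS code, and not the logic Access Analyzer itself runs) that performs a simplified version of the same check on a resource policy: every Allow statement is examined, and any AWS principal that is either `*` or an account outside a set of trusted accounts (the equivalent of Access Analyzer's zone of trust) is reported. The bucket name, account IDs and the policy itself are constructed sample values; the helper names `analyze_policy` and `principal_account` are this example's own.

```python
"""Added example (not AWS code): a simplified version of the public /
cross-account check that IAM Access Analyzer performs on a resource
policy. Conditions are not evaluated (Access Analyzer reasons about them;
this example does not), so any statement carrying a Condition block is
flagged as "conditional" for manual review. All account IDs and the
bucket name below are constructed sample values."""
import json
import re
from typing import Iterable, List, Optional

# Matches the account ID inside an IAM ARN such as arn:aws:iam::111111111111:role/app
ACCOUNT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def principal_account(principal: str) -> Optional[str]:
    """Return the 12-digit account ID behind an AWS principal string,
    or None when the principal is public ("*"). Unrecognised forms are
    returned unchanged so they fall outside the trusted set and get flagged."""
    if principal == "*":
        return None
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = ACCOUNT_ARN_RE.match(principal)
    return m.group(1) if m else principal


def _aws_principals(principal) -> List[str]:
    """Normalise the Principal element to a list of AWS principal strings.
    Service and Federated principals are skipped: they are not other
    accounts, so this check does not treat them as external access."""
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def analyze_policy(policy: dict, trusted_accounts: Iterable[str]) -> List[dict]:
    """Return one finding per (statement, principal) pair that grants
    access to a principal outside trusted_accounts."""
    trusted = set(trusted_accounts)
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        for p in _aws_principals(stmt["Principal"]):
            acct = principal_account(p)
            if acct is None:
                access = "public"
            elif acct in trusted:
                continue  # inside the zone of trust: not a finding
            else:
                access = "cross-account"
            findings.append({
                "sid": stmt.get("Sid"),
                "principal": p,
                "access": access,
                "actions": stmt.get("Action"),
                "conditional": "Condition" in stmt,
            })
    return findings


# Constructed sample bucket policy: one in-account role, one partner
# account, one conditional public grant, and one service principal.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "Logs", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
    ],
}

if __name__ == "__main__":
    # Account 111111111111 is the bucket owner, so only Partner and PublicRead are reported.
    for finding in analyze_policy(SAMPLE_BUCKET_POLICY, {"111111111111"}):
        print(json.dumps(finding))
```

Widening the trusted set (for instance to include the partner account) drops the cross-account finding but keeps the public one, which is the same effect you get in the real service by changing the analyzer's zone of trust; the "conditional" flag is the place where this toy check stops and Access Analyzer's reasoning over conditions begins.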
Security Hub + IAM Access Analyzer = More Visibility Into Compliance Status and Security Alerts
This isn’t exactly a new feature per se, but Security Hub now integrates with IAM Access Analyzer to give you a single-source view of your compliance status and security alerts, and lets you act on them via CloudWatch Events rules that send the findings to your SIEM or other incident management tools.
On the subject of alerts, Security Hub not only aggregates and prioritizes them for you, but it also continuously monitors your AWS environment via automated compliance checks (note these are based on AWS’ standards and best practices, e.g., CIS AWS Foundations Benchmark).
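The "send the findings to your SIEM" step above is usually a CloudWatch Events (EventBridge) rule matching Security Hub's imported-findings event, with a Lambda target that filters and reshapes each finding. The following is an added example, not AWS code: it shows the event pattern such a rule uses, plus a handler that keeps only ACTIVE findings in the NEW workflow state at or above a severity threshold and flattens them into a compact record for a SIEM. The event is a constructed sample in the AWS Security Finding Format (ASFF); the IDs, ARNs and resource names in it are made up, and `select_findings`, `to_siem_record` and `lambda_handler` are this example's own names.

```python
"""Added example (not AWS code): filtering and flattening Security Hub
findings delivered by a CloudWatch Events / EventBridge rule before they
are forwarded to a SIEM. The sample event below is constructed."""
import json
from typing import List

# Event pattern for the rule that triggers this handler (constructed, but in
# the shape EventBridge expects): every batch of findings imported into Security Hub.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample event: one MEDIUM compliance finding, one HIGH
# Access Analyzer finding, and one CRITICAL finding already resolved.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "account": "111111111111",
    "region": "us-east-1",
    "detail": {"findings": [
        {"Id": "sample-finding-1",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
         "AwsAccountId": "111111111111",
         "Title": "Sample compliance check failed",
         "Severity": {"Label": "MEDIUM", "Normalized": 40},
         "Resources": [{"Type": "AwsEc2Vpc", "Id": "arn:aws:ec2:us-east-1:111111111111:vpc/vpc-sample"}],
         "Compliance": {"Status": "FAILED"},
         "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
         "UpdatedAt": "2019-12-06T12:00:00Z"},
        {"Id": "sample-finding-2",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/access-analyzer",
         "AwsAccountId": "111111111111",
         "Title": "Sample: S3 bucket allows cross-account access",
         "Severity": {"Label": "HIGH", "Normalized": 70},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
         "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
         "UpdatedAt": "2019-12-06T12:05:00Z"},
        {"Id": "sample-finding-3",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
         "AwsAccountId": "111111111111",
         "Title": "Sample finding that was already handled",
         "Severity": {"Label": "CRITICAL", "Normalized": 90},
         "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::111111111111:user/sample"}],
         "Workflow": {"Status": "RESOLVED"}, "RecordState": "ACTIVE",
         "UpdatedAt": "2019-12-06T12:10:00Z"},
    ]},
}


def to_siem_record(finding: dict) -> dict:
    """Flatten an ASFF finding to the handful of fields a SIEM rule needs."""
    return {
        "finding_id": finding["Id"],
        "product": finding.get("ProductArn", "").rsplit("/", 1)[-1],
        "account": finding.get("AwsAccountId"),
        "title": finding.get("Title"),
        "severity": finding.get("Severity", {}).get("Label", "INFORMATIONAL"),
        "resources": [r.get("Id") for r in finding.get("Resources", [])],
        "compliance": finding.get("Compliance", {}).get("Status"),
        "updated_at": finding.get("UpdatedAt"),
    }


def select_findings(event: dict, min_severity: str = "HIGH") -> List[dict]:
    """Keep ACTIVE findings with workflow status NEW at or above min_severity."""
    if event.get("source") != "aws.securityhub":
        return []  # rule misconfiguration or a different event source: ignore
    threshold = SEVERITY_RANK[min_severity]
    selected = []
    for f in event.get("detail", {}).get("findings", []):
        label = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        if SEVERITY_RANK.get(label, 0) < threshold:
            continue
        if f.get("Workflow", {}).get("Status") != "NEW" or f.get("RecordState") != "ACTIVE":
            continue  # already triaged or archived: do not re-alert
        selected.append(to_siem_record(f))
    return selected


def lambda_handler(event, context=None):
    """Lambda entry point; printing stands in for the SIEM forwarder."""
    records = select_findings(event)
    for record in records:
        print(json.dumps(record))
    return {"forwarded": len(records)}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

The Workflow and RecordState checks matter more than they look: Security Hub re-emits a finding every time it is updated, so without them a SIEM receives a fresh alert each time someone marks a finding resolved or suppressed.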
The “Detective” Honorific: Not Just for Pikachu and Batman
Amazon Detective appears to be a continuation of AWS’ efforts to make further inroads into the crowded SIEM and log management space. Like almost every log management and SIEM vendor in the market, Detective claims to “[make] it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.”
And if the buzzword-filled description of Detective held water (“uses machine learning, statistical analysis, and graph theory to build a linked set of data”), then we’re looking at what could very well be a serious SIEM tool that will get a lot of usage among AWS’ many, many customers.
“A Mile Wide and an Inch Deep”
There’s a reason why AWS is still the leader compared to Azure and Google Cloud Platform (GCP): how do you catch up to a team that’s always innovating and making deeper inroads into every part of the DevSecOps tool ecosystem?
These three new security and compliance features didn’t get as much airtime and attention as their more glamorous product brethren did, but they seem promising and especially helpful for security teams and engineers wearing too many hats with so little time. However, it remains to be seen if IAM Access Analyzer, Security Hub’s new capabilities, and Amazon Detective are up to snuff.