
AWS IAM Access Analyzer and Other Compliance Features

These three new features and products from AWS’ Security, Identity, and Compliance product line unveiled at re:Invent 2019 didn’t make a splash, but they’re actually exciting.

re:Invent managed to be bigger than last year in terms of the number of attendees (60,000 vs. 50,000) and sponsors (400 vs. 200), and product announcements. A lot of pixels were created in the past week to cover (and re-cover) ground on AWS keynotes and major product announcements (a quick Google search will show you what you need to know), so we’re going to focus instead on these three new features and products.

What is AWS IAM Access Analyzer?

IAM Access Analyzer gives admins and security teams visibility into the resource-based policies across an AWS environment: it analyzes the policies attached to your resources and reports which of them grant access to principals outside your account or organization, so you can see who can reach a given resource and what they are allowed to do with it. It reports and recommends; it does not rewrite the policies for you.


AWS IAM Access Analyzer Pricing

There is no additional cost for using IAM Access Analyzer. You create an analyzer for a zone of trust, which is either your account or your AWS Organization, and the findings it generates are included at no charge.

IAM Access Analyzer features:

  • Over 100 policy checks
  • Errors and warnings reported for each analyzed policy
  • Suggestions and actionable recommendations
  • Continuous monitoring

IAM Access Analyzer: Continuously Monitor Access to Your Environment

One of the immediate benefits of IAM Access Analyzer is that it continuously monitors for new or updated resource-based policies and analyzes the permissions those policies grant on your IAM roles (through their trust policies), S3 buckets, Lambda functions, KMS keys, and SQS queues. You get detailed findings in the IAM and S3 consoles, in Security Hub, and through the Access Analyzer API, showing which resources allow public or cross-account access from outside your zone of trust. And, as a cherry on top of this security sundae, the findings can be exported as a report for any and all of your audits.
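As an added example (not code from this page or from AWS), the Python script below approximates locally the question Access Analyzer asks of every resource-based policy: which Allow statements reach principals outside the zone of trust? The account id 111111111111, the organization id o-exampleorg and the four sample policies are constructed for the example. Access Analyzer's own engine reasons over the full policy language; this one only looks at the Principal element and the aws:PrincipalOrgID condition, which is enough to separate public, cross-account and in-zone access on typical bucket, queue and role-trust policies.

```python
"""
Simplified local approximation of an Access Analyzer finding: for each Allow
statement in a resource-based policy, does it grant access to a principal
outside the zone of trust (your account or organization)?  Illustration only;
it handles Principal and the aws:PrincipalOrgID condition, nothing else.
"""
import json
import re

# Constructed zone of trust for the example; both ids are placeholders.
ZONE_OF_TRUST = {"account": "111111111111", "org_id": "o-exampleorg"}

_ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(aws_principal):
    """Reduce an 'AWS' principal to its account id, or '*' for anonymous."""
    if aws_principal == "*":
        return "*"
    if _ACCOUNT_ID.match(aws_principal):
        return aws_principal
    match = _ACCOUNT_IN_ARN.match(aws_principal)
    return match.group(1) if match else aws_principal  # unknown form kept as-is


def _restricted_to_org(statement, org_id):
    """True when a condition pins the caller to the trusted organization."""
    condition = statement.get("Condition", {})
    for operator in ("StringEquals", "ForAnyValue:StringEquals"):
        orgs = _as_list(condition.get(operator, {}).get("aws:PrincipalOrgID", []))
        if org_id in orgs:
            return True
    return False


def classify_statement(statement, zone=ZONE_OF_TRUST):
    """Return 'public', 'cross-account', or None when access stays in the zone."""
    if statement.get("Effect") != "Allow" or "Principal" not in statement:
        return None  # Deny statements and NotPrincipal are out of scope here
    principal = statement["Principal"]
    if principal == "*":
        principal = {"AWS": "*"}
    external = set()
    for kind, values in principal.items():
        if kind == "Service":
            continue  # AWS service principals are not treated as external accounts
        for value in _as_list(values):
            who = _account_of(value) if kind == "AWS" else value  # Federated etc.
            if who != zone["account"]:
                external.add(who)
    if not external:
        return None
    if "*" in external:
        # Anonymous access is public unless a condition limits it to the org.
        return None if _restricted_to_org(statement, zone["org_id"]) else "public"
    return "cross-account"


def analyze_policy(policy, zone=ZONE_OF_TRUST):
    """Produce one finding per Allow statement that reaches outside the zone."""
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        access = classify_statement(statement, zone)
        if access:
            findings.append({
                "sid": statement.get("Sid", "<no Sid>"),
                "access": access,
                "principal": statement["Principal"],
                "actions": _as_list(statement.get("Action", [])),
            })
    return findings


# Constructed sample policies covering the cases that matter.
SAMPLE_POLICIES = {
    "public-bucket": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "org-scoped-bucket": {"Version": "2012-10-17", "Statement": [{
        "Sid": "OrgCanRead", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}}]},
    "cross-account-role-trust": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PartnerAssumes", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole"}]},
    "same-account-queue": {"Version": "2012-10-17", "Statement": [{
        "Sid": "OwnerSends", "Effect": "Allow",
        "Principal": {"AWS": "111111111111"}, "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111111111111:example-queue"}]},
}


def demo():
    """Run the analysis over every sample policy, keyed by policy name."""
    return {name: analyze_policy(policy) for name, policy in SAMPLE_POLICIES.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, json.dumps(findings) if findings else "no external access")
```

Running it reports the public bucket and the partner role trust and stays quiet on the org-scoped bucket and the same-account queue, which is the distinction Access Analyzer draws: a wildcard principal behind an aws:PrincipalOrgID condition is not public when the organization is your zone of trust.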

Security Hub + IAM Access Analyzer = More Visibility Into Compliance Status and Security Alerts

This isn’t exactly a new feature, but Security Hub now integrates with IAM Access Analyzer to give you a single view of your compliance status and security alerts, and lets you act on findings by routing them through CloudWatch Events rules to your SIEM or other incident management tools.
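An added example of that routing step, not code from this page or from AWS: the rule pattern a CloudWatch Events (EventBridge) rule would use to pick out new, high-severity Security Hub findings, plus a small matcher so the pattern can be tried offline against a constructed event. The event and its two findings are made up for the example; the ProductArn prefix for Access Analyzer follows the format Security Hub uses for AWS-native integrations and is stated here as an assumption. The matcher is intentionally a subset of the real pattern language (exact-value lists, prefix matching, nested keys, any-element matching inside arrays), and it is slightly stricter than EventBridge, which matches each leaf path against array elements independently.

```python
"""
Routing Security Hub findings to a SIEM with a CloudWatch Events rule.
EVENT_PATTERN is what you would pass to `aws events put-rule --event-pattern`;
matches() reimplements the subset of the pattern language it relies on so the
rule can be exercised against a sample event without an AWS account.
"""
import json

# Only ACTIVE, un-triaged, HIGH/CRITICAL findings.  Assumption: Access
# Analyzer's Security Hub product ARN starts with the prefix below.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "ProductArn": [{"prefix": "arn:aws:securityhub:us-east-1::product/aws/access-analyzer"}],
            "RecordState": ["ACTIVE"],
            "Workflow": {"Status": ["NEW"]},
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
        }
    },
}


def _leaf_matches(allowed, value):
    """A leaf pattern is a list; the event value must match one of its entries."""
    for candidate in allowed:
        if isinstance(candidate, dict) and "prefix" in candidate:
            if isinstance(value, str) and value.startswith(candidate["prefix"]):
                return True
        elif candidate == value:
            return True
    return False


def matches(pattern, event):
    """Every pattern key must be present and match; arrays match on any element.

    Simplification: when the event value is an array of objects, one element
    must satisfy the whole sub-pattern (EventBridge matches leaf paths
    independently, so it is a little more permissive than this).
    """
    for key, sub in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(sub, dict):
            items = value if isinstance(value, list) else [value]
            if not any(isinstance(item, dict) and matches(sub, item) for item in items):
                return False
        else:
            items = value if isinstance(value, list) else [value]
            if not any(_leaf_matches(sub, item) for item in items):
                return False
    return True


def select_findings(event, pattern=EVENT_PATTERN):
    """Findings from a matching event that individually satisfy the rule."""
    if not matches(pattern, event):
        return []
    per_finding = pattern["detail"]["findings"]
    return [f for f in event["detail"]["findings"] if matches(per_finding, f)]


def to_siem_record(finding):
    """Flatten the ASFF fields a SIEM correlation rule would key on."""
    return {
        "id": finding["Id"],
        "product": finding["ProductArn"].rsplit("/", 1)[-1],
        "severity": finding["Severity"]["Label"],
        "title": finding["Title"],
        "account": finding["AwsAccountId"],
        "resources": [r["Id"] for r in finding.get("Resources", [])],
    }


# Constructed sample event: one finding the rule should forward, one it should not.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "finding-public-bucket", "AwsAccountId": "111111111111",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/access-analyzer",
         "Title": "S3 bucket allows public access", "RecordState": "ACTIVE",
         "Workflow": {"Status": "NEW"}, "Severity": {"Label": "HIGH"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
        {"Id": "finding-already-triaged", "AwsAccountId": "111111111111",
         "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/access-analyzer",
         "Title": "KMS key shared with partner account", "RecordState": "ACTIVE",
         "Workflow": {"Status": "NOTIFIED"}, "Severity": {"Label": "MEDIUM"},
         "Resources": [{"Type": "AwsKmsKey", "Id": "arn:aws:kms:us-east-1:111111111111:key/example"}]},
    ]},
}


def forward(event=SAMPLE_EVENT):
    """What the rule's target (e.g. a Lambda feeding the SIEM) would receive."""
    return [to_siem_record(f) for f in select_findings(event)]


if __name__ == "__main__":
    print(json.dumps(forward(), indent=2))
```

The rule deliberately keys on Workflow.Status and RecordState as well as severity: Security Hub re-imports findings on every update, so without those filters every status change would land in the SIEM as a fresh alert.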

On the subject of alerts, Security Hub not only aggregates and prioritizes them for you, but also continuously monitors your AWS environment via automated compliance checks (note these are based on published security standards such as the CIS AWS Foundations Benchmark and on AWS’ own best practices).


What is Amazon Detective?

Amazon Detective appears to be a continuation of AWS’ efforts to make further inroads into the crowded SIEM and log management space. It ingests VPC Flow Logs, CloudTrail logs, and GuardDuty findings, and claims, like almost every log management and SIEM vendor in the market, to “[make] it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.”

And if the buzzword-filled description of Detective held water (“uses machine learning, statistical analysis, and graph theory to build a linked set of data”), then we’re looking at what could very well be a serious SIEM tool that will get a lot of usage among AWS’ many, many customers.

Final Thoughts: AWS IAM Access Analyzer

There’s a reason why AWS is still the leader compared to Azure and Google Cloud Platform (GCP): how do you catch up to a team that’s always innovating and making deeper inroads into every part of the DevSecOps tool ecosystem?

These three new security and compliance features didn’t get as much airtime and attention as their more glamorous product brethren did, but they seem promising and especially helpful for security teams and engineers wearing too many hats with so little time. However, it remains to be seen if IAM Access Analyzer, Security Hub’s new capabilities, and Amazon Detective are up to snuff.