Macie Launch: AWS Tackles the S3 Security Holes

Amazon Web Services (AWS) on Monday introduced several enhancements to its cloud that are intended to address potential security flaws. “Protecting customers is our top priority,” Adrian Cockcroft, vice-president of cloud architecture strategy at AWS, stated during his keynote presentation at AWS Summit in New York City.

Cockcroft’s comments and the string of security announcements he made at AWS Summit come in the wake of multiple instances of users’ data being exposed or leaked through unsecured or misconfigured Amazon Simple Storage Service (S3) buckets. AWS reacted to those breaches by reminding users to secure their S3 buckets late last month.

AWS has now launched Macie, a new security service that uses machine learning to identify, categorize, and secure sensitive data on S3. Macie, which is now generally available, can locate sensitive or personally identifiable data in AWS. It also records the current level of access to that data and typical user behavior related to it, for example when and where users log in to access that data. Macie uses these patterns as its baseline, continuously monitors for irregularities, and warns users if it finds them.

It is also useful in maintaining regulatory compliance, especially with the EU’s forthcoming General Data Protection Regulation (GDPR), which will be in effect next year. “Amazon Macie recognizes personally identifiable data (PII) and provides customers dashboards and alerts, which will enable customers to comply with GDPR regulations around encryption or pseudonymization,” Tara Walker, AWS technical evangelist, wrote in a blog post. Macie can be combined with Lambda queries to make it a powerful tool for addressing GDPR concerns. Macie is currently only compatible with S3, but AWS stated that it will soon expand support to other data stores.
Other AWS Security Enhancements

Cockcroft announced several other security enhancements at Monday’s Summit event.

  • The AWS Config service gives users a view into their AWS resource configurations. It can now automatically identify S3 buckets which allow global read-write access.
  • AWS CloudTrail, which tracks AWS account activity, has been enabled by default for all AWS customers.
  • Amazon Elastic File System now supports encryption for at-rest data.
  • AWS is updating its CloudHSM key management service to make it fully managed and pay-as-you-go. The original product will be available as “CloudHSM Classic”.
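To illustrate the kind of check the AWS Config item above describes, here is an added example (written for this page, not AWS's own tooling): it evaluates a bucket ACL in the shape returned by S3's GetBucketAcl call and a bucket policy document, flagging grants to the global AllUsers/AuthenticatedUsers groups or to a wildcard principal as public read or public write. The sample ACL is constructed; the grantee URIs and permission names are the ones S3 actually uses.

```python
import json

# Group URIs S3 uses for anonymous and any-authenticated-AWS-user grantees.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMS = {"READ", "FULL_CONTROL"}
WRITE_PERMS = {"WRITE", "FULL_CONTROL"}

def acl_exposure(acl: dict) -> dict:
    """Report global read/write granted by an ACL in GetBucketAcl shape."""
    flags = {"public_read": False, "public_write": False}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in GLOBAL_GROUPS:
            continue
        perm = grant.get("Permission")
        flags["public_read"] |= perm in READ_PERMS
        flags["public_write"] |= perm in WRITE_PERMS
    return flags

def wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def policy_exposure(policy_json: str) -> dict:
    """Report global read/write granted by a bucket policy (JSON string).
    Conservative: statements that carry a Condition are still counted."""
    flags = {"public_read": False, "public_write": False}
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        for act in [actions] if isinstance(actions, str) else actions:
            everything = act in ("*", "s3:*")
            flags["public_read"] |= everything or act.startswith(("s3:Get", "s3:List"))
            flags["public_write"] |= everything or act.startswith(("s3:Put", "s3:Delete"))
    return flags

# Constructed sample: a bucket whose ACL grants anonymous (AllUsers) write access.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}
```

Running `acl_exposure(SAMPLE_ACL)` reports public write but not public read; a bucket that passes both checks can still be exposed by object-level ACLs, which this example does not inspect.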
Author: Victoria