Amazon’s cloud computing division has announced new security products and features that it hopes will simplify and enhance security for its customers of any scale.
In his keynote at AWS re:Inforce 2023, Amazon Web Services CISO CJ Moses outlined the problems many businesses face with cloud security, as the threat landscape expands thanks to shifting tactics of criminals and the meteoric rise of generative AI.
Some of the new launches are in preview, whilst others are now generally available. The overall thrust is the centralization of security tooling and identity and access management (IAM) controls, so that cloud users can maintain and strengthen their security posture from fewer places.
Moses began by stating the need for strong security both of the cloud itself and within it.
He also outlined an attribution methodology used by AWS: if you can determine how cyberattacks are carried out and the motivations behind them, you can then work out who carried them out, an approach Moses carried over from his days as an Assistant Section Chief at the FBI.
He also believes that the vast amount of data AWS has collected over the years on security incidents affecting its customers serves as intelligence the company can use to develop better security solutions. As he put it, scale breeds intelligence, which leads to better security.
He claimed that AWS analyzes 3TB of data every minute, and that it shares the resulting intelligence with hosting providers and domain registrars in an effort to make the internet as a whole a safer place.
The company’s recently released Amazon Security Lake is one of the core components available to its customers. It centralizes and normalizes security data so that detection and analysis can be done in one place rather than by hand across separate sources.
Of course, no keynote today is complete without a reference to the emerging generative AI revolution. To that end, Moses talked about AWS’ commitment to investing in Large Language Models to harness their crime-fighting powers.
Moses did not go into the technical details of the models used, but he did say that while threat actors have been using generative AI tools to launch more effective attacks, the same capabilities can be turned against them.
One of the new AI tools now in public preview is Amazon CodeGuru Security, a static application security testing (SAST) tool that uses machine learning (ML) to find vulnerabilities and flaws in developers’ code. It is claimed to have a low false positive rate, and to find issues ranging from log injection to resource leaks.
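To make those two flaw classes concrete, here is an added example (written for this article, not CodeGuru’s own code or output) of a log-injection bug and a resource leak of the kind a SAST tool looks for, each beside a corrected form. The forged username and the Resource stand-in are constructed inputs; the function names are illustrative.

```python
import io
import logging

# Constructed attacker input: a newline followed by a forged record, so a naive
# logger emits two lines for one event and the fake "success" looks genuine.
FORGED_USERNAME = "bob\nINFO login succeeded user=admin"


def _buffer_logger(name):
    """Logger that writes 'LEVEL message' lines into an in-memory buffer."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_failed_login_vulnerable(username):
    """Log injection: untrusted input is written to the log unmodified."""
    logger, buf = _buffer_logger("vulnerable")
    logger.info("login failed user=%s", username)
    return buf.getvalue()


def sanitize_for_log(value):
    """Escape CR, LF and other non-printable characters so one event stays one line."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in value)


def log_failed_login_hardened(username):
    """Hardened form: the same record with the untrusted field neutralised."""
    logger, buf = _buffer_logger("hardened")
    logger.info("login failed user=%s", sanitize_for_log(username))
    return buf.getvalue()


class Resource:
    """Constructed stand-in for a file or socket handle that records close()."""

    def __init__(self, fail_on_read=False):
        self.fail_on_read = fail_on_read
        self.closed = False

    def read(self):
        if self.fail_on_read:
            raise OSError("read error")
        return "data"

    def close(self):
        self.closed = True

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        self.close()
        return False  # do not swallow the exception


def read_leaky(res):
    """Resource leak: if read() raises, close() is never reached."""
    data = res.read()
    res.close()
    return data


def read_fixed(res):
    """Fixed form: the context manager closes the handle on every path."""
    with res:
        return res.read()


if __name__ == "__main__":
    print(log_failed_login_vulnerable(FORGED_USERNAME))
    print(log_failed_login_hardened(FORGED_USERNAME))
```

The vulnerable logger writes the forged "login succeeded" line as a record of its own, which is exactly what an analyst grepping the log would later trust; the hardened form keeps the attacker’s bytes but renders the newline as a visible `\x0a` so the event stays on one line. The leak is the same shape in any language: a close call that only runs on the happy path.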
Becky Weiss also took the stage to discuss new features addressing the challenges associated with authorization. One of these is Cedar, a new open-source language for writing and enforcing authorization policies.
Also new is Amazon Verified Permissions, which is now generally available and can centrally manage permissions. It is scalable and allows for fine-grained authorization, with policy-based access controls that can be implemented using the aforementioned Cedar.
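As an added illustration of what such a policy set looks like (written for this article, not code from the keynote or from AWS), here is a small Cedar policy set for a hypothetical photo-sharing application. The entity types User, Action, Album and Photo, and the attributes owner and tags, are assumptions for the example.

```cedar
// Added example for a hypothetical photo-sharing app (not AWS's code).
// Assumed entity types: User, Action, Album, Photo. Assumed attributes:
// Photo.owner (a User) and Photo.tags (a set of strings).

// 1. A specific grant: alice may view any photo in the "vacation" album.
permit(
    principal == User::"alice",
    action == Action::"viewPhoto",
    resource in Album::"vacation"
);

// 2. A general rule: anyone may view photos they own.
permit(
    principal,
    action == Action::"viewPhoto",
    resource
)
when { resource.owner == principal };

// 3. A guard rail: photos tagged "private" are off-limits to everyone
//    except their owner, regardless of what the permits above say.
forbid(
    principal,
    action,
    resource
)
when { resource.tags.contains("private") }
unless { principal == resource.owner };
```

Cedar evaluates every policy against a request and allows it only if at least one permit matches and no forbid does, so the third policy overrides the first two for private photos the requester does not own, and any request no permit matches is denied by default. That is what makes the policies safe to manage centrally: a guard rail added in one place cannot be undone by a permit written elsewhere.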
Amazon GuardDuty also has three new coverage expansions: threat detection for Amazon Aurora databases, EKS runtime monitoring, and protection for Lambda functions. Code scanning for Lambda functions is now generally available too, giving developers the ability to scan their own function code for flaws, which Weiss claimed has a high true positive rate.