News

With Macie Launch, AWS Tackles S3 Security Holes

• By Gladys Rama
• 08/14/2017

Amazon Web Services (AWS) on Monday rolled out several enhancements designed to mitigate potential security weaknesses in its cloud.

"Protecting our customers is our top priority," said Adrian Cockcroft, vice president of cloud architecture and strategy at AWS, during his keynote presentation at the AWS Summit event in New York City.

Cockcroft's comment, and the string of security announcements he made at AWS Summit, come in the wake of multiple instances of unsecured or misconfigured Amazon Simple Storage Service (S3) buckets leading to users' data being leaked or potentially exposed. The spate of security exposures prompted AWS to directly remind its users late last month to lock down their S3 buckets.

Perhaps as a tacit follow-up to that directive, AWS has taken the wraps off Macie, a brand-new security service that uses machine learning to identify, categorize and secure sensitive data stored on S3.

Now generally available, Macie is designed to identify and locate data in AWS that's considered personally identifiable or sensitive. It also notes the level of access that's currently applied to that data, as well as typical user behaviors related to it, such as when and where users normally log in to access that data.

Using those patterns as its baseline, Macie continuously checks for irregular events and warns users when it detects anomalies.

It's also useful for maintaining regulatory compliance, particularly with the EU's upcoming General Protection Data Regulation (GDPR), which will take effect next year.

"As Amazon Macie recognizes personally identifiable information (PII) and provides customers with dashboards and alerts, it will enable customers to comply with GDPR regulations around encryption and pseudonymization of data," wrote AWS technical evangelist Tara Walker in a blog post. "When combined with Lambda queries, Macie becomes a powerful tool to help remediate GDPR concerns."

While Macie currently only works with S3, AWS said it will expand support to its other data stores later this year.

Other AWS Security Improvements
In addition to the Macie rollout, Cockcroft announced a handful of other security enhancements at the Summit event on Monday:

• The AWS Config service, which gives users a window into their AWS resource configurations, can now automatically identify S3 buckets that allow global read and write access.
• AWS CloudTrail, a service that tracks AWS account activity, is now enabled by default for all AWS users.
• Amazon Elastic File System now supports encryption of at-rest data.
• AWS is revamping its CloudHSM key management service, making it a fully managed, pay-as-you go solution. The original version of the product will still be available as "CloudHSM Classic."