Macie slay: AWS touts S3 patrol bots to kill data-slurping hackers
Plus: Database Glue guns, more encryption, hardware key management, and config tools
AWS kicked off its New York City summit with a handful of announcements on Monday.
Among the new stuff available from Amazon's cloud is a tool that tries to stop leaks of sensitive information – such as people's personal records – along with a file migration and indexing utility, and a configuration and key management system. Here's a rundown of what has been promised by the web giant.
Macie 'machine learning' for data screening
AWS has torn the wraps off Macie: this is, we're told, a system that patrols S3 buckets, classifies your data to identify which bits involve personal information or intellectual property, and flags up weird accesses that may be the result of hackers leaking data from your cloud instances.
Not a bad move seeing as quite a lot of sensitive data manages to leak from poorly configured S3 silos – such as records on 14 million Verizon subscribers – so maybe this will help organizations shore up their security. According to AWS, Macie has four parts, each of which...
Analyzes, classifies, and processes data to understand the historical patterns, user authentications to data, data access locations, and times of access.
Actively monitors usage log data for anomalies detected along with automatic resolution of reported issues through CloudWatch Events and Lambda.
Provides management visibility into details of storage data while providing immediate protection without the need for manual customer input.
Allows administrative configuration for reporting and alert management requirements
Macie shows an overview of 'risk level' in stored files
We're told administrators can set rules and controls on how stuff in the S3 buckets are accessed and stored, so that alerts are fired off when that information is accessed or moved without authorization, or contrary to typical usual patterns. Customers will pay for this protection based on the amount of S3 Macie processes and how many CloudTrail events it analyzes.
Glue sticks metadata onto storage buckets
The Glue service, now generally available, can link up S3, Redshift, and RDS data stores with EC2's query and analysis tools in an automated way, according to AWS. This will help developers write code to perform extract, transform, and load (ETL) tasks such as assigning metadata tags and organizing info for analysis, it is claimed.
"Data integration – extracting data from various sources, normalizing it, and loading it into data stores – often represents as much as 75 percent of the time required to implement an analytics project," AWS says of Glue.
"Customers can spend months hand coding and editing ETL scripts, which frequently become more complex and error prone as data volumes grow, and new data sources are added."
Amazon says customers can use Glue through the AWS Management Console by selecting the stored data they want analyzed. From there, Glue crawls the data and creates tags and tables that can be processed by scripts.
AWS will charge based on the compute time and resources used by Glue to analyze and load the data.
Migration Hub for moving data
The Migration Hub service, as its name suggests, lets administrators and developers track the steps taken when data is moved from on-premises storage to Amazon's cloud.
The hub shows the progress of a migration from the initial discovery of the on-prem servers through the actual activation of the migration tools and the tracking of data as it moves from the local servers into AWS.
The various steps of moving your servers to the cloud
The Migration Hub service can be used on data held in any of AWS's regions (the service itself is hosted in Oregon, USA) and is free of charge, which makes sense as the whole idea of the tool is to get companies into the cloud and paying for AWS services faster.
EFS data gets at-rest encryption
One year after its formal launch, the AWS Elastic File System (EFS) has been given the ability to encrypt data when it is at rest.
The encryption uses either AWS keys or local keys made with the AWS Key Management Service and the AES-256 algorithm. The cryptography kicks in when a new EFS system is created.
AWS Config rules for S3
As the name suggests, AWS config rules allow for either pre-written or custom rules to be placed on AWS instances. The rules will then be automatically applied to allow or prevent things like public read/write access.
Now, AWS is adding the ability to apply those rules to S3 buckets. The rules each cost $2 per month to implement and monitor.
The CloudHSM service allows customers to generate and manage their own security keys for their AWS data.
Thanks to its latest update, the CloudHSM is now fully managed, allowing admins to back up their encryption keys to an S3 bucket on a scheduled basis. Amazon is also adding the option for a pay-as-you-go pricing plan for HSM and adding the ability to generate more complex FIPS 140-2 Level 3 keys.
The service can now also be managed through either the AWS Management Console or Command Line Interface. ®
Sponsored: Becoming a Pragmatic Security Leader