AWS unveils AI monitoring for Amazon S3

Amazon Macie discovers and classifies sensitive data in S3 and automatically alerts to unusual activity and exposures

AWS unveils AI monitoring for Amazon S3, other improvements

AWS launched Amazon Macie today, a service that leverages machine learning to help customers prevent inadvertent exposure of sensitive data and unauthorized access to data in Amazon S3. The company said Amazon Macie will support additional AWS storage services later this year. 

Inside the company’s S3 (Simple Cloud Storage Service) platform, Amazon Macie will use natural language processing to discover and classify sensitive data, looking at factors such as personally identifiable information, private keys, and credit card information. The Macie service will also continuously monitor data access for unusual activity. Anomalies will trigger alerts to a customer’s security team, Matt Wood, general manager of artificial intelligence at AWS, said.

Macie will help users understand other risks associated with data as well, providing automatic alerts when customers may have accidentally made sensitive data externally accessible or stored credentials in an unsecure manner. In addition to analyzing data to understand historical patterns of user authentications, access locations, and times of access, and discovering and classifying sensitive data, Amazon Macie provides a dashboard for tracking user activity and monitoring data security.

The Macie console also allows you to define automated remediation actions such as resetting access control lists or requiring password resets.

Amazon Web Services today also revealed a number of improvements to other services:

  • The launch of AWS Migration Hub, to track migrations of applications from data centers to AWS. A collection of AWS and partner migration tools is featured.
  • Encryption of data at rest in AWS in Amazon Elastic File system, with users able to select a key to encrypt content of files. This feature is available now in regions where EFS is supported.
  • A complete rewrite of CloudHSM (hardware security module), for meeting security and compliance requirements for sensitive data. CloudHSM is now a scalable, managed service with provisioning, patching, high availability, and backups now built-in. The service also is now offered on a pay-as-you-go basis with no upfront fees. Support for FIPS 142-2 Level 3 is featured, with security mechanisms designed to detect and respond to physical attempts to access or modify the HSM.
  • Rules are being added to the AWS Config service for evaluating AWS configurations. The new rules help with securing S3 buckets. These include rules for identifying buckets that allow global read and/or write access. 
  • AWS CloudTrail, a governance, compliance, and auditing service for AWS accounts, is now enabled by default for all customers, providing visibility into the last seven days of account activity. Users do not need to configure the service.
  • AWS Glue, an extract, transformation, and load (ETL) service in the Amazon cloud, is now generally available. The “serverless” service saves users from having to provision or manage resources; they pay only for resources used when Glue is running.

Copyright © 2017 IDG Communications, Inc.

How to choose a low-code development platform