Amazon developers unveiled Access Analyzer, a new cloud container control solution. The system uses mathematical logic to identify public repositories, allowing administrators quickly blocking access to baskets opened by mistake.The service began to work in all regions where Amazon is available, with the exception of two Chinese counties. There is no extra charge for using this system.
The new mechanism is based on Zelkova technology, which translates access control policies into logical expressions. After that, it is possible to carry out mathematical operations with them, checking compliance with certain rules at an abstract level.
“Zelkova uses automated reasoning to analyze policies and the future consequences of policies. This includes AWS Identity and Access Management (IAM) policies, Amazon Simple Storage Service (S3) policies, and other resource policies. These policies dictate who can (or can’t) do what to which resources. Because Zelkova uses automated reasoning, you no longer need to think about what questions you need to ask about your policies”, — explain Zelkova technology in Amazon.
Access Analyzer system repeatedly applies Zelkova to access policies, gradually increasing the accuracy of requests. In a few seconds, the system performs thousands of iterations to identify all user groups that potentially have access to the cloud basket.
“This method does not use event logs, behavior patterns or mechanical selection. Using abstract constructs extends Access Analyzer’s ability to predict situations while protecting the privacy of storage administrators and visitors”, – the developers emphasized.
Access Analyzer extends to Amazon S3 cloud container policies, user role allocation, AWS key control, Lambda features, and Amazon Simple Queue Service requests. Administrators can see which accounts and IP addresses are allowed to open certain repositories, track conflicting and ineffective access rules, and block the possibility of unauthorized key manipulations.
To use Access Analyzer, users need to enable it through the access control console. After that, the service will analyze the storages in this region and create a list of findings – this is how Amazon engineers call the discovered paths to access cloud baskets.
The administrator can immediately lock containers or set individual rules for them. In cases when the basket should remain open, the find can be archived. It will continue to hang in the Access Analyzer window, so the administrator will not forget to close access when the need for publicity disappears.
The new solution aims to increase the reliability of tuning Amazon cloud storage, which in recent years has become the source of many major leaks. Researchers found on the Internet the data of European taxpayers, American voters, Facebook users. In 2017, hacking a cloud container led to the resignation of Uber’s security chief.
User Review( votes)