Amazon Web Services is the world's biggest cloud provider. As a result, its security directly influences that of countless websites and online services. And those concerns aren't just theoretical; dangerous lapses happen all the time[1]. Customers store all sorts of datasets and raw information in AWS repositories, which then become part of their own infrastructure. If a customer makes a mistake in how they set something up, or they don't understand the full implications of an AWS feature, it can expose them to the risk of unauthorized access and data exfiltration.

AWS account misconfigurations have exposed everything from voter registrations[2] to FedEx customer data[3], insurance information[4], and even the systems of the massive accounting and consulting firm Accenture[5].

Two new tools might help alleviate the problem, though. Known as Zelkova and Tiros, the offerings from the AWS Automated Reasoning Group analyze crucial AWS security configurations, evaluating access control schemes and mapping possible paths to the open internet from an S3 bucket. They also offer automated feedback on the practical ramifications of different setups, helping administrators avoid dangerous errors.

"What we’re hoping to achieve is to get a kind of provable security out of our systems," said Greg Frascadore, security architect at the hedge fund Bridgewater Associates, which has been testing Zelkova and Tiros, at an AWS conference in New York City Tuesday. "By provable security I don’t mean that what we get out is infallible security. Instead what we’re trying to get is a formal analysis, and a methodical way that we have gone about verifying that the security controls we put into place are working the way we think they’re working. Our security objective here is to stop data exfiltration from AWS."

The

Read more from our friends at Wired.com