Introducing the AWS Access Graph to Find and Fix Cloud Security Issues

Tighten your cloud security posture with the ability to automatically visualize the AWS blast radius and cut off access paths to data.
Nathan Coppinger
3 min read
Last updated November 7, 2024

AWS is built for scale and speed, but for security teams, that can mean complexity. Role- and resource-based policies allow entities to assume access easily, but as quickly as entities assume new roles, old ACLs get left behind or Public Access Blocks get left off.

To understand and mitigate the risk of this complexity in the cloud, security teams need to be able to both visualize and fix these risks at scale.

That’s why Varonis is excited to add the AWS Access Graph to our cloud-native Data Security Platform.

With the AWS Access Graph, security teams can easily visualize how users, roles, groups, and policies map to data. They can also use Varonis’ built-in remediation capabilities to block access paths and reduce exposure automatically.

Read on to learn more about these new cloud security capabilities for AWS.

Visualize effective data access.

AWS offers lots of flexibility when it comes to granting access; so much so that between access keys, identities, inline policies, and resource policies in AWS, there are over 17,000 possible IAM permissions to manage.

With Varonis’ new access graph, security teams can easily analyze complex AWS access policies, identify overexposed sensitive data, and proactively block data pathways.

The access graph builds on Varonis’ existing in-depth view of AWS effective permissions, which normalizes permissions into an easy-to-understand CRUDS model. The AWS access graph gives security teams a visual map of effective access for every user, account, and role.

Visualize all identities with access to data and what policies affect their permissions. 

With the AWS Access Graph, security teams can:

  • Analyze effective access – quickly understand which access keys, groups, identity policies, inline policies, and resource policies affect access
  • Prevent data exposure – see which policies expose sensitive data publicly
  • Limit external access – surface trust roles that grant external access to internal resources
  • Clean up stale policies – tighten access policies by identifying and removing stale or unused policies

The access graph updates dynamically when permissions change and allows security teams to analyze access bidirectionally—seeing both which entities can access a resource and what resources an entity can access.

Identify every resource that a single user has access to and map their pathways to sensitive data.

Cut off pathways to data automatically.

Being able to see access paths gives security teams a head start in protecting data. Importantly, however, a cloud security solution also needs to be able to remove risky access to effectively limit access to sensitive data and the potential blast radius of an attack.

Varonis builds scalable remediation directly into our platform, allowing security teams to secure AWS continuously and automatically.

With this release, we’re adding new policies specific to AWS to our already robust library of remediation policies. New remediation capabilities allow security teams to proactively block pathways to data and reduce exposure with the ability to:  

  • Remove stale policy assignments from users and roles
  • Remove stale group memberships from users
  • Restrict external access to roles (trust relationships)
  • Delete unused customer-managed policies
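The "limit external access" and "restrict external access to roles (trust relationships)" items above both come down to inspecting each role's trust policy for principals outside your own accounts. The following is an added example, not Varonis code: it scans constructed sample trust policies against an assumed set of organization account IDs and reports which roles can be assumed from outside (the account IDs, role names and policies are all made up for the example).

```python
# Added example (not Varonis code): flag role trust policies letting outside principals AssumeRole.
# Constructed assumption: the organization's own AWS account IDs.
OWN_ACCOUNTS = {"111111111111", "222222222222"}
# Constructed sample trust policies for three roles.
TRUST_POLICIES = {
    "internal-only": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"}]},
    "vendor-access": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:role/ops",
                                                  "arn:aws:iam::999999999999:root"]},
         "Action": ["sts:AssumeRole"]}]},
    "wide-open": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]},
}

def _principals(principal):
    """Normalize the Principal element to (kind, value) pairs."""
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, v) for kind, vals in principal.items()
            for v in ([vals] if isinstance(vals, str) else vals)]

def _account_id(principal):
    """Account ID from an ARN or bare account ID; None if not parseable."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 and parts[4].isdigit() else None

def external_trust_findings(role_name, policy, own_accounts=OWN_ACCOUNTS):
    """Return [(role, reason)] for Allow statements granting AssumeRole to principals
    outside own_accounts. Service principals (AWS services) are not flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        limited = " (limited by Condition, review it)" if stmt.get("Condition") else ""
        for kind, value in _principals(stmt.get("Principal", {})):
            if kind == "AWS" and value == "*":
                findings.append((role_name, "any AWS principal" + limited))
            elif kind == "AWS" and _account_id(value) not in own_accounts:
                findings.append((role_name, f"external principal {value}"))
            elif kind == "Federated":
                findings.append((role_name, f"federated provider {value}"))
    return findings
```

Running `external_trust_findings` over each entry in `TRUST_POLICIES` yields nothing for the internal-only role, one external-account finding for the vendor role, and a wildcard-principal finding for the wide-open role; a real scan would feed it the trust documents returned by the IAM API instead of the constructed samples.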

Automatically and continuously revoke stale policy assignments.

Improve security posture.

Maintaining least privilege is a security best practice for good reason. It’s a big part of why using roles and resource-based policies is the recommended access method in AWS.

Direct permissions like those through ACLs, Public Access Blocks, or CloudFront Access can be easily forgotten and left unmanaged, leaving a larger blast radius for attackers to exploit.

The AWS access graph gives security teams a dashboard view of their security posture, showing where they are using best practices and where they may have risks like direct permissions, overexposed sensitive objects, or stale objects.

The AWS access graph provides a full view of the security posture and where sensitive data is exposed to risk.

Try Varonis for free.

Varonis’ cloud-native Data Security Platform is a force multiplier for security teams, helping them achieve outcomes with minimal manual effort.

With Varonis for AWS, organizations gain complete, contextual, and continuous visibility of their critical AWS data risk and achieve real security outcomes with the ability to automatically:

  • Discover and classify critical data at scale, including shadow data
  • Identify and remediate data exposure
  • Detect configuration drift and fix critical misconfigurations
  • Monitor activity to detect, investigate, and stop threats in real time

Want to try Varonis in your environment? Request a demo today.
