Introducing the AWS Access Graph to Find and Fix Cloud Security Issues

AWS is built for scale and speed, but for security teams, that can mean complexity. Role- and resource-based policies allow entities to assume access easily, but as quickly as entities assume new roles, old ACLs get left behind or Public Access Blocks get left off. To understand and mitigate the risk of this complexity in the cloud, security teams need to be able to both visualize and fix these risks at scale.

That’s why Varonis is excited to add the AWS Access Graph to our cloud-native Data Security Platform.

With the AWS Access Graph, security teams can easily visualize how users, roles, groups, and policies map to data. They can also use Varonis’ built-in remediation capabilities to block access paths and reduce exposure automatically.

Read on to learn more about these new cloud security capabilities for AWS.

Visualize effective data access.

AWS offers lots of flexibility when it comes to granting access; so much so that between access keys, identities, inline policies, and resource policies in AWS, there are over 17,000 possible IAM permissions to manage.

With Varonis’ new access graph, security teams can easily analyze complex AWS access policies, identify overexposed sensitive data, and proactively block data pathways. The access graph builds on Varonis’ existing in-depth view of AWS effective permissions, which normalizes permissions into an easy-to-understand CRUDS model. The AWS access graph gives security teams a visual map of effective access for every user, account, and role.

With the AWS Access Graph, security teams can:

Analyze effective access – quickly understand which access keys, groups, identity policies, inline policies, and resource policies affect access
Prevent data exposure – see which policies expose sensitive data publicly
Limit external access – surface trust roles that grant external access to internal resources
Clean up stale policies – tighten access policies by identifying and removing stale or unused policies

The access graph updates dynamically when permissions change and allows security teams to analyze access bidirectionally—seeing both which entities can access a resource and what resources an entity can access.

Cut off pathways to data automatically.

Being able to see access paths gives security teams a head start in protecting data. Importantly, however, a cloud security solution also needs to be able to remove risky access to effectively limit access to sensitive data and the potential blast radius of an attack.

Varonis builds scalable remediation directly into our platform, allowing security teams to secure AWS continuously and automatically.

With this release, we’re adding new policies specific to AWS to our already robust library of remediation policies. New remediation capabilities allow security teams to proactively block pathways to data and reduce exposure with the ability to:

Remove stale policy assignments from users and roles
Remove stale group memberships from users
Restrict external access to roles (trust relationships)
Delete unused customer-managed policies

Improve security posture.

Maintaining least privilege is a security best practice for good reason. It’s a big part of why using roles and resource-based policies is the recommended access method in AWS. Direct permissions like those through ACLs, Public Access Blocks, or CloudFront Access can be easily forgotten and left unmanaged, leaving a larger blast radius for attackers to exploit.

The AWS access graph gives security teams a dashboard view of their security posture, showing where they are using best practices and where they may have risks like direct permissions, overexposed sensitive objects, or stale objects.

Try Varonis for free.

Varonis’ cloud-native Data Security Platform is a force multiplier for security teams, helping them achieve outcomes with minimal manual effort.

With Varonis for AWS, organizations gain complete, contextual, and continuous visibility of their critical AWS data risk and achieve real security outcomes with the ability to automatically:

Discover and classify critical data at scale, including shadow data
Identify and remediate data exposure
Detect configuration drift and fix critical misconfigurations
Monitor activity to detect, investigate, and stop threats in real time

Want to try Varonis in your environment? Request a demo today.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Nathan Coppinger Nathan has always loved learning about cutting-edge technology but didn’t have the patience for coding. So, he found his niche as a microphone for the talented individuals behind the code.