AWS is built for scale and speed, but for security teams that can mean complexity. Role- and resource-based policies make it easy for entities to gain access, but as quickly as entities assume new roles, old ACLs get left behind or Public Access Blocks get left off.
To understand and mitigate the risk of this complexity in the cloud, security teams need to be able to both visualize and fix these risks at scale.
That’s why Varonis is excited to add the AWS Access Graph to our cloud-native Data Security Platform.
With the AWS Access Graph, security teams can easily visualize how users, roles, groups, and policies map to data. They can also use Varonis’ built-in remediation capabilities to block access paths and reduce exposure automatically.
Read on to learn more about these new cloud security capabilities for AWS.
Visualize effective data access.
AWS offers a lot of flexibility when it comes to granting access: so much so that, between access keys, identities, inline policies, and resource policies, there are over 17,000 possible IAM permissions to manage.
With Varonis’ new access graph, security teams can easily analyze complex AWS access policies, identify overexposed sensitive data, and proactively block data pathways.
The access graph builds on Varonis’ existing in-depth view of AWS effective permissions, which normalizes permissions into an easy-to-understand CRUDS model. The AWS access graph gives security teams a visual map of effective access for every user, account, and role.
Visualize all identities with access to data and what policies affect their permissions.
With the AWS Access Graph, security teams can:
- Analyze effective access – quickly understand which access keys, groups, identity policies, inline policies, and resource policies affect access
- Prevent data exposure – see which policies expose sensitive data publicly
- Limit external access – surface trust roles that grant external access to internal resources
- Clean up stale policies – tighten access policies by identifying and removing stale or unused policies
The access graph updates dynamically when permissions change and allows security teams to analyze access bidirectionally—seeing both which entities can access a resource and what resources an entity can access.
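As an added illustration (not Varonis code and not the product's own logic), the following Python script applies two of the checks listed above to a constructed inventory of three roles: it flags trust policies that admit principals outside the account (external access), and it builds a bidirectional access map that answers both "which roles can reach this resource" and "which resources can this role reach". Policy evaluation is deliberately simplified: statements are assumed to be already flattened out of their policy documents, and an explicit Deny only cancels an Allow with the same action and resource string.

```python
# Constructed sample inventory (not from the post): one account, three roles, with the
# trust-policy and identity-policy statements already flattened into lists of dicts.
OWN_ACCOUNT = "111111111111"
FIN, HR = "arn:aws:s3:::finance-data/*", "arn:aws:s3:::hr-data/*"
ROLES = {
    "AppRole": {
        "trust": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"}}],
        "policies": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": FIN},
                     {"Effect": "Allow", "Action": "s3:GetObject", "Resource": HR},
                     {"Effect": "Deny", "Action": "s3:GetObject", "Resource": HR}]},
    "VendorRole": {  # trusts a principal in another account
        "trust": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}],
        "policies": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": FIN}]},
    "LegacyRole": {  # wildcard principal: any AWS principal may attempt to assume it
        "trust": [{"Effect": "Allow", "Principal": "*"}], "policies": []},
}

_as_list = lambda value: value if isinstance(value, list) else [value]

def trust_principals(statements):
    """AWS principals that Allow trust statements let assume the role ('*' kept as-is)."""
    out = set()
    for st in statements:
        if st.get("Effect") == "Allow":
            principal = st.get("Principal", {})
            out.update(["*"] if principal == "*" else _as_list(principal.get("AWS", [])))
    return out
def external_trusts(roles, own_account):
    """Roles whose trust policy admits a principal outside own_account (or everyone)."""
    flagged = {}
    for name, role in roles.items():
        ext = {p for p in trust_principals(role["trust"])
               if p == "*" or f":{own_account}:" not in p}
        if ext:
            flagged[name] = sorted(ext)
    return flagged
def access_edges(roles):
    """Effective (role, action, resource) edges: Allow statements minus exact-match Deny."""
    allowed, denied = set(), set()
    for name, role in roles.items():
        for st in role["policies"]:
            for action in _as_list(st["Action"]):
                for res in _as_list(st["Resource"]):
                    (allowed if st["Effect"] == "Allow" else denied).add((name, action, res))
    return allowed - denied
def who_can_access(edges, resource):  # resource -> roles holding any effective permission
    return {role for role, _, res in edges if res == resource}
def what_can_access(edges, role):  # role -> every resource it holds a permission on
    return {res for r, _, res in edges if r == role}
```

Running the checks over this inventory flags VendorRole and LegacyRole as externally assumable, and the edge set shows finance-data reachable from both AppRole and VendorRole while the hr-data grant is cancelled by its explicit Deny.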
Identify every resource that a single user has access to and map their pathways to sensitive data.
Cut off pathways to data automatically.
Being able to see access paths gives security teams a head start in protecting data. Importantly, however, a cloud security solution also needs to be able to remove risky access to effectively limit access to sensitive data and the potential blast radius of an attack.
Varonis builds scalable remediation directly into our platform, allowing security teams to secure AWS continuously and automatically.
With this release, we’re adding new policies specific to AWS to our already robust library of remediation policies. New remediation capabilities allow security teams to proactively block pathways to data and reduce exposure with the ability to:
- Remove stale policy assignments from users and roles
- Remove stale group memberships from users
- Restrict external access to roles (trust relationships)
- Delete unused customer-managed policies
Automatically and continuously revoke stale policy assignments.
Improve security posture.
Maintaining least privilege is a security best practice for good reason. It’s a big part of why using roles and resource-based policies is the recommended access method in AWS.
Direct permissions, such as those granted through ACLs, Public Access Block settings, or CloudFront access, are easily forgotten and left unmanaged, leaving a larger blast radius for attackers to exploit.
The AWS access graph gives security teams a dashboard view of their security posture, showing where they are using best practices and where they may have risks like direct permissions, overexposed sensitive objects, or stale objects.
The AWS access graph provides a full view of the security posture and where sensitive data is exposed to risk.
Try Varonis for free.
Varonis’ cloud-native Data Security Platform is a force multiplier for security teams, helping them achieve outcomes with minimal manual effort.
With Varonis for AWS, organizations gain complete, contextual, and continuous visibility of their critical AWS data risk and achieve real security outcomes with the ability to automatically:
- Discover and classify critical data at scale, including shadow data
- Identify and remediate data exposure
- Detect configuration drift and fix critical misconfigurations
- Monitor activity to detect, investigate, and stop threats in real time
Want to try Varonis in your environment? Request a demo today.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.