Amazon Web Services Inc. today announced three new security-related products at its annual AWS re:Invent conference today in Las Vegas, all aimed at providing new services and capabilities for its customers to “operate securely.”

Leading the announcements is the long-rumored Amazon Detective. The new service has been designed to make it easier for AWS customers to undertake investigations into security issues across their cloud instances. On launch, the service has already attracted the likes of McAfee LLC, which announced that its MVISION Cloud for AWS would provide support for its customers from day one.

Amazon Detective is said to help security teams conduct faster and more effective investigations. Enabled with a few clicks in the AWS Management Console, the service automatically uses data from AWS CloudTrail and Amazon Virtual Private Cloud Flow Logs to create a graph model that summarizes resource behaviors and interactions observed across the user’s AWS environment. Using machine learning and statistical analysis, Amazon Detective delivers tailored visualizations to assist customers detect unusual behavior of their AWS installs.

Second on the list is AWS IAM Access Analyzer, a new AWS Identity and Access Management service aimed at making it simpler for security teams and administrators to audit resource policies for unintended access. That’s especially important in an age of ongoing security issues alongside legal compliance requirements such as the European Union General Data Protection Regulation and the forthcoming California Consumer Privacy Act.

AWS IAM Access Analyzer is a service that provides users the ability to analyze policies associated with their Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, IAM roles and AWS Lambda functions. Said to be capable of analyzing hundreds or even thousands of policies across a customer’s environment in seconds, the service delivers detailed findings of resources that are accessible from outside the account. In theory, at least, the service may go some way in helping customers avoid exposing their data to all and sundry on misconfigured databases.

Last is AWS Nitro Enclaves, a new Amazon EC2 capability that’s claimed to make it easy for customers to process highly sensitive data by partitioning compute and memory resources within an instance to create an isolated compute environment.

Created to protect highly sensitive data, Nitro Enclaves allows users to create completely isolated compute environments to process highly sensitive data. Each enclave is an isolated virtual machine with its own kernel, memory and processor. Users select an instance type and decide how much processor and memory they want to designate to the enclave.

In addition, users can develop enclave applications using the AWS Nitro Enclaves software development kit set of open-source libraries. The AWS Nitro Enclaves SDK integrates with AWS Key Management Service, allowing customers to generate data keys and to decrypt them inside the enclave.

“Security leaders often tell us that one of the things that excites them most about the cloud is the potential to drastically reduce the amount of time and resources their teams dedicate to chores that aren’t central to the goal of building and operating a secure environment,” Steve Schmidt, chief information security officer of AWS, said in a statement. “Each of the offerings we introduced today represents a different approach to helping customers be more secure, but they’re all designed to decrease the amount of time security teams spend on tasks like checking configurations, aggregating data, and devising custom solutions to remove needless churn from crucial security processes.”

AWS IAM Access Analyzer is available starting today. Amazon Detective and AWS Nitro Enclaves are available in preview starting today with a date yet to be announced for their full availability.

Photo: Robert Hof/SiliconANGLE