Amazon Web Services Inc. today announced the immediate availability of two potentially transformative tools: the AWS DevOps Agent and the AWS Security Agent.

They’re designed to act as “always-on” teammates that can be paired with DevOps and security teams, so that humans can focus less on reactive problem solving and more on proactive optimization, the company said. Both of the new agents have a security focus.

The AWS DevOps Agent is an intelligent operations assistant that’s programmed to investigate, resolve and hopefully also prevent incidents from crippling applications running in cloud and on-premises environments. Whereas traditional application monitoring tools are only able to alert humans to problems that occur, the DevOps Agent is designed to act more like an experienced site reliability engineer, said AWS Senior Specialist Solutions Architect Madhu Balaji.

The DevOp Agent’s primary role is to just sit there monitoring applications in deployment 24/7, ready and waiting for any signs of a discrepancy that could indicate problems. Should it trigger an alert, it will automatically begin investigating what has happened by correlating the telemetry, code and deployment data to get to the bottom of it.

The agent also enables “proactive prevention,” by analyzing historical incident patterns to provide targeted recommendations that can strengthen system resilience and stop outages from repeating. Previously available in preview for AWS environments, it has now added support for Microsoft Azure and on-premises systems through the Model Context Protocol, giving teams a unified view of their applications wherever they live.

As always, AWS rolled out a litany of early adopters to illustrate the effectiveness of the new offering. They include the restaurant technology platform Zenchef SAS, which said it used the AWS DevOps Agent during a hackathon to identify an identity access management misconfiguration in less than 30 minutes. It dealt with the problem itself so that Zenchef’s engineers could stay focused on what they were building.

Automated penetration testing

The AWS Security Agent is more proactive, enabling companies to adopt continuous penetration testing across their entire application portfolios. Pentesting, as it’s known, involves simulating cyberattacks on systems to try and identify where they might be vulnerable. Traditionally, it has always been done by human experts, at a prohibitively high cost. As a result, even the largest enterprises have historically been able to pentest only maybe 10% of their most critical applications, doing so maybe once a year.

AWS wants companies to be able to pen test all of their applications, all of the time, and that’s exactly what the AWS Security Agent is designed to do. Unlike traditional vulnerability scanners, it doesn’t just look for potential vulnerabilities: it tries to validate those threats by trying multiple complex attacks to see if it can break into the system and cause damage.

In a blog post, AWS Product Manager Ayush Singh explained that the agent works by indexing the source code and application programming interface specifications of each app in order to understand the business logic flaws that other tools might miss. Once it finds a vulnerability and works out how to exploit it, it will automatically create a pull request in the app’s git repository, where it will suggest a code fix to remediate the problem. With this, it can reduce the vulnerability remediation workflow from weeks to just a few hours, Singh said.

Balaji said the new agents are not meant to replace DevOps teams and site reliability engineers, but simply to make their lives easier. He explained that security incidents put human engineers under immense pressure to figure out what went wrong and how to fix it in the shortest possible time, because every second of downtime means the company is losing thousands of dollars in revenue.

In the case of companies that provide essential services to the public, having software go down simply isn’t an option. The agents are meant to reduce the possibility of such incidents from occurring, making it more manageable for human teams to operate and secure software at scale, he said.

Both agents are available starting today in AWS’ US East, US West, Europe (Frankfurt/Ireland) and Asia Pacific (Sydney/Tokyo) regions. Initially, they’re free for every customer, although that probably won’t last long. AWS said it will begin charging for the AWS DevOps Agent on April 10, but it hasn’t said anything about when it plans to do so for the Security Agent.

Image: SiliconANGLE/Gemini