
Introducing our Latest Integration to Protect Identities in AWS

Today marks the official rollout of our new integration with AWS. This is the latest integration this year, hot on the heels of our announcements around GitHub and Salesforce. Our goal remains the same: to offer the most detailed and wide-ranging identity security available.

The Enduring Appeal of AWS to Attackers

Beyond being just a cloud provider, AWS doubles as an identity provider, overseeing user access and designating resource permissions. AWS accounts are a tempting target for attackers who might want to gain unauthorized access, siphon off valuable data, or misuse resources.

Stumbling across an open, misconfigured S3 bucket is one thing, but taking over an account with elevated permissions would provide an attacker with a wide range of options.

Unsurprisingly, attackers have continued to target AWS environments in 2023, and they have continued to innovate. In February, the research team at Sysdig reported on the Scarleteel threat group, highlighting their enhanced capabilities to launch attacks on AWS and Kubernetes environments.

 

If identity security programs are to be successful, cloud providers – including AWS – will have to be included. 

Towards a Unified View of Identities

Enterprises often have a fragmented, siloed approach to managing identity providers. This complicates the consolidation of data and obscures vital insights.

Our integration aims to address this by providing a unified view of all AWS accounts. But we want to go even further and bring all identities into one place, merging the same user wherever possible. This means bringing in all AWS instances, Okta tenants, Microsoft Entra ID, Cisco Duo, Auth0, GitHub accounts, and Slack users. 

The result? A single view of all activities and permissions of each identity.  

 

Now, also consider that each user has accounts in multiple other platforms. AWS users likely have a presence in Okta, Azure AD, and other identity providers. Since users hold numerous accounts across various platforms, tracking every activity and event becomes essential for anomaly detection and threat identification. 

But isn't that what SIEMs are designed for? 

True, if we were only considering activities and events. However, identity security also demands understanding entitlements, group membership, and permissions. It requires you to know if there are discrepancies with what your HR directory says. You need to find the dormant accounts lying around that are poorly secured and waiting to be taken over. 
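The cross-check described above, sketched as an added example (not Oort's code or data model): static data (users, group membership, an HR roster) is joined with login events to flag dormant accounts and accounts with no HR record. All names, field shapes, the 90-day threshold and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names and shapes are assumptions for this example.
USERS = [
    {"user": "alice", "email": "alice@example.com"},
    {"user": "bob", "email": "bob@example.com"},
    {"user": "carol", "email": "carol@example.com"},
    {"user": "dave", "email": "dave@example.com"},
]
GROUPS = {"alice": ["Developers"], "bob": ["Administrators"],
          "carol": ["Administrators"], "dave": []}
HR_ACTIVE = {"alice@example.com", "carol@example.com", "dave@example.com"}
EVENTS = [  # (user, ISO 8601 timestamp, event name)
    ("alice", "2023-09-28T09:12:00+00:00", "ConsoleLogin"),
    ("alice", "2023-09-28T09:15:00+00:00", "ListBuckets"),
    ("bob", "2023-09-30T17:40:00+00:00", "ConsoleLogin"),
    ("carol", "2023-03-01T08:00:00+00:00", "ConsoleLogin"),
]
ADMIN_GROUPS = {"Administrators"}  # assumed name of the privileged group


def last_logins(events):
    """Most recent login per user, taken from the event stream."""
    latest = {}
    for user, ts, name in events:
        if name == "ConsoleLogin":
            seen = datetime.fromisoformat(ts)
            latest[user] = max(seen, latest.get(user, seen))
    return latest


def posture_findings(users, groups, hr_active, events, now,
                     dormant_after=timedelta(days=90)):
    """Join static data (users, groups, HR) with events; return flags per user."""
    latest = last_logins(events)
    findings = {}
    for u in users:
        flags = []
        seen = latest.get(u["user"])
        if seen is None or now - seen > dormant_after:
            flags.append("dormant")        # never logged in, or not recently
        if u["email"] not in hr_active:
            flags.append("not_in_hr")      # account exists, HR record does not
        if flags and ADMIN_GROUPS & set(groups.get(u["user"], [])):
            flags.append("privileged")     # raise priority for admin accounts
        if flags:
            findings[u["user"]] = flags
    return findings


NOW = datetime(2023, 10, 1, tzinfo=timezone.utc)
FINDINGS = posture_findings(USERS, GROUPS, HR_ACTIVE, EVENTS, NOW)
```

In this sample, `bob` logged in the day before and looks unremarkable in the event stream alone; only the join against the HR roster and group membership surfaces him as an administrator with no HR record.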

 

Continuous Monitoring with Complete Identity Context

There are many tools that offer monitoring of AWS, falling mostly under the CNAPP domain. A cloud-native application protection platform (CNAPP) incorporates tools for Infrastructure as Code (IaC) scanning, cloud workload protection (CWPP), cloud infrastructure entitlement management (CIEM), and cloud security posture management (CSPM).

Our AWS integration offers something different by focusing specifically on identity to generate unique insights. We ingest data that includes Users, Groups, User to Group relationships, Permission Sets, and Event Log data types. 

By combining static entitlement data with dynamic, event-centric data, Oort affords unparalleled identity security insights. The Oort data science team has crafted specific "Checks" for the AWS integration, ensuring continuous surveillance of both identity security posture and threats. An example of a user failing the “New Country for Tenant” check is displayed below.

 

 

How to Get Started

Setting up the integration is incredibly easy. With just an API key, customers can quickly start ingesting data from AWS. Once integrated, we ingest and consolidate AWS accounts, making them accessible within the Users Tab alongside users from other identity providers. For ease of navigation, accounts can be filtered on the sidebar, and there's even an option to pinpoint AWS administrators. 



On selecting a user profile, a concise AWS integration summary is displayed. This summary encompasses critical user data such as email, title, user type, and the timestamp of the last successful login. Predictably, the activity tab chronicles every AWS event pertinent to that user and reveals the AWS Groups they're affiliated with. 



With this integration, we aim to arm security analysts with a tool that offers an integrated and comprehensive view of identity activities and permissions across AWS, ensuring a proactive approach to identity security.

Learn more with a demo.

If you’re not an existing customer but curious to learn more about our AWS integration (or our overall approach to identity security), we’d love to hear from you! You can request a live demonstration and speak with our team by following this link: https://oort.io/demo.
