When you use Amazon Web Services (AWS) services, AWS Identity and Access Management (IAM) stays busy behind the scenes.
At AWS’s annual re:Inforce conference, AWS CISO Amy Herzog revealed IAM now handles 1.2 billion API calls per second worldwide. For reference, IAM handled around 400 million API calls per second in 2021.
“This is like foundational glue to make AWS work,” Karen Haberkorn, AWS director of product management for identity, told IT Brew.
Something old, something new. Haberkorn broke down capabilities currently available in IAM Access Analyzer. One of the tool’s main features is an external access analyzer, which allows customers to see which AWS resources can be accessed outside of their organization.
“The customer knows what’s important [and] what access is intended, but the tool lets them see where those paths exist,” Haberkorn said.
Another capability in its toolset is its unused access analyzer which, as the name implies, identifies unused permissions, roles, and keys within an organization.
Last week, AWS announced an internal access analyzer capability in IAM Access Analyzer that uses automated reasoning to analyze policy types—including service control policies and resource control policies—and identify which roles or users have access to S3 buckets, Amazon DynamoDB tables, or Amazon Relational Database Service snapshots.
Haberkorn said that AWS’s recent expansion to IAM is significant because most tools in the industry tend to focus on the access users already have rather than the access they could potentially have.
“We’re able to answer that harder question of who could access it because we use this capability that we like to call provable security. It uses a mathematical science called automated reasoning to literally construct a proof… about whether that access path is possible to traverse,” Haberkorn said.
Haberkorn said the combination of the three capabilities is a “powerful combo.”
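As an added illustration (not AWS’s or IT Brew’s code) of how a team might act on findings from the three analyzers described above, this Python snippet ranks constructed sample findings so that publicly reachable resources are reviewed first, then resources reachable by specific external accounts, then identities idle longer than a chosen threshold. The finding field names are assumptions modelled on the shape of Access Analyzer finding records, and the ARNs, account numbers and key ID are made up.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 20, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

# Constructed sample findings; field names are assumptions modelled on Access
# Analyzer finding records with the per-type detail block merged in.
SAMPLE_FINDINGS = [
    {"id": "f-1", "findingType": "ExternalAccess", "status": "ACTIVE",
     "resource": "arn:aws:s3:::example-assets",
     "externalAccessDetails": {"isPublic": True, "principal": {"AWS": "*"}, "action": ["s3:GetObject"]}},
    {"id": "f-2", "findingType": "ExternalAccess", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:role/vendor-audit",
     "externalAccessDetails": {"isPublic": False, "principal": {"AWS": "222222222222"}, "action": ["sts:AssumeRole"]}},
    {"id": "f-3", "findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:user/ci-bot",
     "unusedIamUserAccessKeyDetails": {"accessKeyId": "AKIAEXAMPLE0000001", "lastAccessed": NOW - timedelta(days=140)}},
    {"id": "f-4", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:role/reporting",
     "unusedIamRoleDetails": {"lastAccessed": NOW - timedelta(days=30)}},  # used recently
    {"id": "f-5", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:role/old-migration",
     "unusedIamRoleDetails": {}},  # never used: no lastAccessed at all
    {"id": "f-6", "findingType": "ExternalAccess", "status": "ARCHIVED",  # already reviewed
     "resource": "arn:aws:s3:::example-shared-with-partner",
     "externalAccessDetails": {"isPublic": False, "principal": {"AWS": "333333333333"}, "action": ["s3:ListBucket"]}},
]

UNUSED_TYPES = ("UnusedIAMRole", "UnusedIAMUserAccessKey", "UnusedIAMUserPassword")

def triage(findings, unused_threshold_days=90, now=NOW):
    """Rank ACTIVE findings: 0 = public, 1 = specific external principal,
    2 = identity idle longer than the threshold (or never used).
    Archived findings and recently used identities are dropped."""
    cutoff = now - timedelta(days=unused_threshold_days)
    ranked = []
    for f in findings:
        if f["status"] != "ACTIVE":
            continue
        if f["findingType"] == "ExternalAccess":
            d = f["externalAccessDetails"]
            who = "anyone" if d["isPublic"] else d["principal"]["AWS"]
            ranked.append((0 if d["isPublic"] else 1, f["id"], f"{who} can {','.join(d['action'])} on {f['resource']}"))
        elif f["findingType"] in UNUSED_TYPES:
            details = next(v for k, v in f.items() if k.startswith("unusedIam"))
            last = details.get("lastAccessed")  # absent when the identity was never used
            if last is None or last <= cutoff:
                when = "never used" if last is None else f"idle since {last.date()}"
                ranked.append((2, f["id"], f"{f['findingType']} {when}: {f['resource']}"))
    ranked.sort()  # by priority, then finding id
    return [(fid, reason) for _, fid, reason in ranked]
```

Lowering the threshold pulls recently idle identities into the queue without changing the order of the external-access findings.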
Keep it 100. AWS also announced that IAM now has comprehensive multi-factor authentication enforcement for root users across all AWS account types, which Haberkorn said is exciting because of the login process’s ability to mitigate attacks.
“Stopping that up front, long before someone’s deep in the stack, is a really powerful security principle I would say, and one that AWS has taken seriously from the very beginning,” Haberkorn said.
Up next. AWS IAM’s next focus will be on GenAI, specifically around how it works with agents, Haberkorn said.
“We already have identified the features we already have that are applicable to building an AI agent and we’re looking at how [we can] make it just easier for an AI agent builder to bring this stuff together for them so they don’t have to go hunting around for all the separate features in AWS,” Haberkorn said.