New Services from AWS to Benefit All Customers
All organizations using AWS are using AWS Identity and Access Management (IAM) to govern access to AWS and many of them are also using Amazon EC2 (Elastic Compute Cloud) for compute resources. Recently at its annual re:Invent conference, AWS announced a few features for both IAM and EC2 that can allow organizations to better analyze and optimize their access security and compute provisioning.
AWS IAM Access Analyzer
AWS Identity and Access Management is the service that enables you to manage access to various services and resources in AWS. An administrator would follow best practices to create users, roles and policies to offer least privilege access to resources in the cloud. However, not every policy has considered least privilege before granting access, nor is every policy intended to provide external or public access to resources. AWS IAM Access Analyzer was launched to fix exactly that. IAM Access Analyzer analyzes access control policies to determine which resources can be accessed by other accounts or which resources are publicly accessible.
IAM Access Analyzer is very simple to start using. Simply navigate to AWS IAM and from within the service, create an analyzer with two clicks. Once the analyzer is created, IAM Access Analyzer will start analyzing the various roles in your account. After a few minutes, depending on the size of your environment, IAM Access Analyzer will generate findings.
By enabling IAM Access Analyzer in your account, you create an analyzer for your zone of trust (AWS account.) This analyzer will monitor all the resources within the zone of trust in the region it was enabled and will generate findings which include details about the resource, the external entity that has access and the permissions to take action on. Using the findings that IAM Access Analyzer provides, the administrators can make changes based on whether the access was intentional or a potential gap in security. IAM Access Analyzer is generally available, free to use and can integrate with AWS Security Hub and Amazon CloudWatch Events, making it easy to monitor and respond to compliance and security concerns.
AWS Compute Optimizer
Another announcement from AWS re:Invent was the AWS Compute Optimizer service. This service is designed to help organizations optimize their compute resources for their workloads. As we all know, there are dozens upon dozens of compute options available to choose from to run your workloads on– from general-purpose to memory-optimized to storage optimized, the options are aplenty. From both a cost and performance perspective It can be really costly to your organization if workloads are overprovisioned or under-provisioned. AWS Compute Optimizer uses a machine learning-powered algorithm to analyze your workload’s consumption and will make recommendations based on your usage.
AWS Compute Optimizer is very simple to begin using as well and can be found as a stand-alone service in the AWS management console. All that is needed to enable AWS Compute Optimizer is to click “opt-in.” AWS Compute Optimizer will automatically start analyzing your AWS resources and will deliver recommendations within 12 hours depending on the size of your environment.
AWS Compute Optimizer uses specific metrics from Amazon CloudWatch, like CPU Utilization, disk IO and network IO to recommend new resources for rightsizing. Additionally, you can add more metrics such as Memory Utilization if you install the Amazon CloudWatch Agent onto your EC2 instances. AWS Compute Optimizer is free to use and is currently available in five regions: N. Virginia, Oregon, Ohio and internationally in Ireland and Sao Paulo, with more to come in the future.
I’ve enabled AWS Compute Optimizer in a proof-of-concept AWS account to see how the service works. In the screenshot below, I can see that if I switch the instance type for this workload from a t2.micro to a t3.micro, I can get a lower CPU utilization at a lower cost. Amazon has made it visually easy to compare instance types and to see the benefits of rightsizing.
Benefits to All Customers
There were many more announcements from re:Invent that can be viewed here, but AWS IAM Access Analyzer and AWS Compute Optimizer were a couple of the new services we thought every AWS customer could benefit from.