Amazon Web Services Inc. today announced a variety of new security tools as well as expansions to existing services for its cloud computing customers.

The goals, as described by Becky Weiss (pictured), an AWS cloud engineer presenting at AWS’ annual re:Inforce conference in Anaheim, California, are to bring more zero-trust features further across its cloud infrastructure and to make it easier for its customers to screen the more than 1 billion API calls per second for potential bad actors, evidence of malware, and vulnerabilities. The company mitigates 700,000 distributed denial-of-service attacks annually.

Central to this mission is the general availability of Security Lake, which was previewed at last year’s re:Invent conference. This centralizes security data from across AWS and non-AWS environments, both for cloud and on-premises workloads, so that security analysts can investigate and respond to security events. Google has an equivalent tool for its cloud called Chronicle, for example. The service is now being used by more than 50 different partners to provide security analytics, the company stated at the conference.

A key zero-trust component is Verified Access, which was announced earlier this year and is used to validate every application request in real time. This obviates the need for a virtual private network.

Earlier this year, CrowdStrike Holdings Inc. announced it was integrating its Falcon threat inspection software with this service. Falcon can assess the endpoint posture (such as whether or not it is patched to current levels and doesn’t contain any malware) as part of this validation process.

A companion service was also introduced today called Verified Permissions, which add fine-grained authorization and permissions management using a specialized open-source programming language called Cedar. Access controls and policies are written in Cedar, which are then used by Verified Permissions to grant or deny access to applications.

Another series of announcements is aimed at helping developers write more secure code using a variety of new AWS tools. Inspector, the company’s vulnerability management service, has expanded its features to scan Lambda code for things such as code injection or weak cryptography.

Inspector also now offers the ability to export a software bill of materials to be used in automated tools to understand the depth of your software supply chains. Weiss demonstrated how this is accomplished by a single click. The company also announced a preview release of CodeGuru Security, a static application testing tool that leverages machine learning to find coding issues.

This isn’t the sole machine learning-based service that AWS has. Chief Information Officer CJ Moses mentioned during his presentation that there are several other efforts underway that have been previously announced, including Bedrock, which can be used to build private ML-based apps and CodeWhisperer, an AI-based coding companion similar to Microsoft’s Co-pilot than can be used to build apps.

Finally, its proactive threat detection service GuardDuty has been expanded with new features that can scan Aurora databases, EKS Runtime containers and Lambda-based threats. “Our customers want identity preventative controls so they can define a data perimeter more easily, and be able to operate at scale,” said Weiss.

Amazon also announced its Global Partner Security Initiative that will aid system integrators in collaborating on innovative compliance products and managed services for multicloud environments.

Photo: Amazon