How AWS secures its infrastructure with Sonaris (2024)

With Sonaris, an internally developed tool, AWS continuously monitors its systems to pre-empt attacks on customer data.

Credit: Michael Vi / Shutterstock

AWS is using its public cloud infrastructure as a globe-spanning threat detection tool to protect customers from trillions of malicious attempts to access its resources each year.

The cloud giant revealed the existence of the detector at its security-focused event, AWS re:Inforce, last week. It has been using it for some years, and between May 2023 and April 2024 it blocked over 24 billion attempts to scan customer data stored in Amazon Simple Storage Service (Amazon S3) and nearly 2.6 trillion attempts to discover vulnerable services running on customers’ virtual servers in Amazon Elastic Compute Cloud (EC2).

It calls this detector Sonaris, a name apparently borrowed from IT-themed TV series Halt and Catch Fire, which featured a computer network exploration tool with the same name.

“Sonaris is an internal, AWS-developed capability, designed to detect and neutralize certain unauthorized and potentially abusive attempts to access AWS resources,” said Chris Betz, the company’s chief information security officer. “AWS’s infrastructure acts as a sensor, providing a wide and deep view of potential threats. This capability enables AWS to respond swiftly and effectively to malicious attempts, protecting its customers and enhancing the overall security of the internet.”

A glorified TDR?

While the scale of the capabilities claimed for Sonaris in defending business critical resources across the AWS infrastructure is staggering, it’s hard to see how it differs from a conventional threat detection and response (TDR) solutions such as CWPP, NDR and EDR, especially because of the way it works.

Betz said the primary function of Sonaris is to process service logs in order to detect threats and publish contextualised mitigation recommendations for alerting and response. This is a routine approach that most threat scanners function on. Why, then, is Sonaris so successful?

David Vance, a senior analyst from ESG Global, offers an explanation, and it has to do with MadPot, the network of honeypots AWS has built into the system.

“Since Sonaris leverages a tremendous amount of threat intelligence gathered from AWS’ threat sensor framework, called MadPot, I believe it can be an effective front-line tool to defend against many different types of AWS attacks going forward,” he said.

This makes sense considering the first-hand threat intelligence AWS commands from its vast infrastructure and how that, coupled with some external telemetry, can be factoring into Sonaris’ ability to sniff out unauthorized attempts at access.

“Once unauthorized traffic is detected, Sonaris connects to AWS services like Amazon GuardDuty, AWS WAF and AWS Shield to automatically and preemptively block malicious access to customer resources and data hosted on AWS,” Vance added, furthering AWS’ case for a fully rounded capability. “It can also detect and alert if customer accounts are accessed by unauthorized users using compromised IAM access keys.”

A new revenue stream?

Despite a strong commercial potential, interestingly, Sonaris has not been packaged into a public facing offering.

Betz said AWS has no plans to turn Sonaris into a commercial offering, though.

“This is a unique capability that uses AWS’ infrastructure at scale to identify attacks and attackers, and seamlessly feeds into our products,” said Betz.“We don’t sell Sonaris, rather, we use it to protect our customers.”

Commenting on AWS’ reluctance to offer the capability on subscription, ESG’s Vance said, “I believe AWS could charge for Sonaris, but I suspect Sonaris was unveiled as an inclusive security capability as opposed to additional for cost offering because AWS believes this level of security should be “table stakes” for their customers. Also, by providing Sonaris for free, it gives AWS a pricing advantage over their competitors.”

While competing cloud giants like Google Cloud and Microsoft Azure have commercial counterpart offerings, Google Cloud Armour and Azure DDoS protection respectively, AWS’ Sonaris is strictly internal, for the moment at least, intended only for overall protection of AWS hosted workloads.

“We feel it is important to discuss this capability now — especially as the threat landscape continues to evolve and increase in complexity — in order to help our customers better understand the measures we take to protect against malicious threats,” Betz added on the timing of revealing Sonaris. “Additionally, industry collaboration and communication is critical to creating stronger security principles for all stakeholders and minimizing an attacker’s anonymity.”

The tool, if the numbers shared by AWS check out, is sure to play a pivotal role in strengthening AWS’ security infrastructure. While AWS refused to share exactly when Sonaris became operational, it is important to note the cloud leader continues to face high scale attacks, including a few within the time frame Sonaris was supposedly in full swing.

“Sonaris uses a variety of sensors and threat intelligence to find enumeration of AWS resources, which has different patterns than normal activity,” Betz added. “We’re continually experimenting with new patterns to further protect AWS customers.”