
Sonrai Dig for AWS


Sonrai Dig is built on a sophisticated graph that continuously identifies and monitors every possible relationship between identities and data that exists inside your AWS cloud. Dig works in concert with your underlying AWS services and incorporates your security controls to enable audit, visibility, protection, detection, and automation of security controls running on AWS. It additionally monitors and remediates cloud misconfigurations and policy violations allowing customers to achieve continuous security and compliance.

Your AWS workloads require an integrated security approach with 24/7 AWS cloud monitoring to protect and govern your identities and data.


Enterprise companies today have hundreds of applications sitting inside a public cloud such as AWS. Their AWS footprint has exploded with increased usage by many teams: tens of thousands of pieces of compute, thousands of roles, instances of RDS or DynamoDB, and a growing array of interdependencies and inheritances. Improperly set up, this can lead to many security risks such as over-permissioned identities, separation-of-duties risks, and unused access paths to critical data. Sonrai Dig, our enterprise identity and data security platform, de-risks your AWS environment by finding these configuration holes, helping you fix them, and preventing those problems from occurring in the first place. The platform is built natively on AWS and is foundational to companies building secure workloads in the cloud.

From Our Customers
"Sonrai Security provides us with complete visibility of platform, identity, and data risks across our large AWS cloud infrastructure. The platform has become the cornerstone of the RMS public cloud risk management and security program."
Kyle Watson - Security Architect, RMS

"Securing access to our data and tracking identities in the cloud is complex, and Sonrai understood how to simplify that from the beginning."
Andy Makings - Head of DevSecOps

Sonrai Dig & AWS

Identity Risk Monitoring and Access Graphing

Uncover all identity and data relationships between people and non-people identities (admins, roles, compute instances, serverless functions, and containers) across your AWS account, other cloud accounts, and 3rd-party data stores. Sonrai Dig for AWS, our identity and data security platform, graphs all access paths to enforce least privilege, and its workflow enables certification of identities.

  • Separation of duties
  • Privilege escalation
  • Toxic Combinations
  • Dormant identities
  • Who/what has access rights?

Lock Down and Monitor “Crown-Jewel” Data

Discover, classify, lock down, and continuously monitor “crown jewel” data including RDS and DynamoDB. Enforce “least access” to critical stores. Sonrai Dig for AWS relentlessly monitors your critical data sitting inside object stores and database services. Suspicious access activity or undesirable changes in access rights are flagged.

  • What is normal access behavior?
  • What or who can access this resource and from where?
  • What is accessing this resource?
  • What has changed?
  • What is the blast-radius?

Integration and Automation Between Security, Cloud, Audit, IAM, and DevOps

Audit and security teams of large enterprises are scrutinizing cloud expansions more closely. One Fortune 100 company uses Sonrai Dig for AWS as the basis of a cloud security operating model that streamlines workflow and communication between audit, security, cloud, and DevOps teams.

  • Identify issues and manage escalations by assigning actions and issues for remediation to the appropriate teams
  • Increase security and automation of workloads in prod, reduce the number of security incidents, which increases the acceptance of cloud, resulting in faster deployments
  • Automate security findings across different teams to improve time to resolution and increase productivity
  • Give CISOs and enterprise audit teams peace of mind that the cloud team is fully enforcing enterprise identity, data, and platform governance mandates.

Integrate With Existing AWS Cloud Tools

No one solution solves security in public cloud. Modern applications use 3rd party software components that extend the functionality of AWS platforms. These components are not monitored by the cloud provider’s APIs, making it complicated to understand the full set of permissions an identity has and what data is possibly exposed by those permissions.

The continuous monitoring and normalized query language of Sonrai Dig for AWS also apply to 3rd-party sources such as HashiCorp Vault. This allows monitoring for data exposure risk based on a secret stored in these services that grants access to sensitive data.

AWS security tools also provide exceptional value in the way of indicator and threat detection. Sonrai's integration with Amazon GuardDuty collects and analyzes the entire library of findings reported by GuardDuty. When a GuardDuty finding is received by Sonrai Security, the entire finding, as reported by AWS, is saved as “metadata” attached to the corresponding resource node in the Sonrai platform. Additionally, new findings are alerted by Sonrai Dig across all connected accounts in a multi-account AWS deployment, placed into swimlanes, and correlated with all other findings for that application and stage of development, so they are routed to the correct team.


Deep understanding and integration with AWS Services

Sonrai Dig’s unique integration allows us to provide visibility and context across 150+ AWS services. The result is that there are no blind spots.

For example, if you're using AWS IAM and you have approved your trust relationships in AWS, those permissions carry into Sonrai Dig and are used to vet trust relationships on our side. IAM Access Analyzer helps you validate your trust relationships; Sonrai Dig takes that vetting to another level. If identities in that account can be exploited through a trust relationship, Dig can monitor and report how the exploit happened and how it used that particular trust relationship to reach data and resources in AWS. If an identity can chain through multiple assumed roles across many accounts, Dig takes every hop into account in Effective Permissions to prevent that exploit in the future.
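The access-path graphing and chained-role reasoning described above can be illustrated with a small model. The following is an added example, not Sonrai's code and not a description of how Dig is implemented: it treats each IAM role trust policy as a set of edges (principal can assume role), walks those edges transitively, and reports which roles a principal can reach by chaining sts:AssumeRole calls, flagging the ones that land in a different account. All account IDs, role names and policy documents are constructed sample data.

```python
"""Added example (not Sonrai's code): model IAM role trust relationships as a
graph and enumerate chained sts:AssumeRole paths, including cross-account ones.
Every ARN, account ID and policy document below is constructed sample data."""
from collections import deque

# Constructed trust policies, keyed by the ARN of the role that carries them.
TRUST_POLICIES = {
    "arn:aws:iam::111111111111:role/DevRole": {
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:user/alice"},
            "Action": "sts:AssumeRole",
        }],
    },
    "arn:aws:iam::222222222222:role/CrossAccountAudit": {
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/DevRole"},
            "Action": "sts:AssumeRole",
        }],
    },
    "arn:aws:iam::222222222222:role/DataAdmin": {
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::222222222222:role/CrossAccountAudit"]},
            "Action": ["sts:AssumeRole"],
        }],
    },
    "arn:aws:iam::333333333333:role/Isolated": {
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
}


def account_of(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def _as_list(value):
    """IAM JSON allows a scalar or a list for Principal/Action values."""
    return value if isinstance(value, list) else [value]


def build_assume_graph(policies):
    """Return {principal_arn: {role_arn, ...}} for every Allow statement that
    grants sts:AssumeRole to an AWS principal. Service principals are ignored
    because they are not identities that chain further; a bare "*" principal
    is kept as the node "*" so it can be spotted."""
    graph = {}
    for role_arn, doc in policies.items():
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            if "sts:AssumeRole" not in actions and "sts:*" not in actions:
                continue
            principal = stmt.get("Principal", {})
            principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
            for p in principals:
                graph.setdefault(p, set()).add(role_arn)
    return graph


def reachable_roles(graph, start):
    """Breadth-first walk over assume-role edges. Returns {role_arn: path}
    where path is the chain of hops from the starting principal."""
    paths = {}
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt in paths:
                continue
            paths[nxt] = path + [nxt]
            queue.append((nxt, path + [nxt]))
    return paths


def cross_account_paths(graph, start):
    """Subset of reachable roles that live outside the starting principal's
    account: the chains an effective-permissions review must include."""
    home = account_of(start)
    return {r: p for r, p in reachable_roles(graph, start).items()
            if account_of(r) != home}


if __name__ == "__main__":
    g = build_assume_graph(TRUST_POLICIES)
    for role, path in cross_account_paths(g, "arn:aws:iam::111111111111:user/alice").items():
        print(f"{role} via {' -> '.join(path)}")
```

The walk only evaluates trust policies; it ignores the caller's identity-based policies and any Condition blocks, so its output is an upper bound on reachability, which is the right direction for a review: every chain it reports deserves a look, and the hops it finds are exactly the ones that have to be folded into an effective-permissions calculation rather than judged one trust policy at a time.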

Sonrai Dig also has a powerful integration with AWS GuardDuty. Few people are aware that AWS security tools have access to some data that even you as an AWS customer don’t get access to in your environment. For example, you may not have access to your own DNS logs, but AWS GuardDuty does. Dig, through its AWS GuardDuty integration, is able to bring that context into our dashboard so you can see these logs and more.

When it comes to AWS services integrations, we do them all.


Ready to De-Risk Your Public Cloud? See It For Yourself.

Identity and data access complexity are exploding in your public cloud. Tens of thousands of pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances. First-generation security tools miss this as evidenced by so many breaches. Sonrai Dig de-risks your cloud by finding these holes, helping you fix them, and preventing those problems from occurring in the first place. Schedule a conversation to talk with us about how we can help your enterprise.