
Zelkova: Cloud Security on Mathematical Basis

2025.12.10.
tc2

Imagine a world where we can state with mathematical certainty: “None of our data stored in the cloud is public or accessible without authorisation.”

AWS’s technology called Zelkova promises exactly this. This automated reasoning tool analyses cloud access policies with formal mathematical methods and proves, for a given property (for example “not public”), that no request can violate it, or else produces the request that does. For leaders this is crucial, as even the smallest configuration error in cloud security can lead to a serious data protection incident. With Zelkova we get a high level of assurance that our infrastructure’s access rules work as intended. Below we introduce what Zelkova is and how it works, the security benefits it provides, how it surfaces in AWS services such as IAM Access Analyzer, and how it can be integrated into SecOps (Security Operations) automation.

Mathematical Guarantee of Security
Zelkova uses formal mathematical reasoning to verify access policies, proving that the intended security properties hold instead of relying on sampling or error-prone manual review.


Instant Automated Alerts
Tools built on Zelkova raise a finding the moment a policy change would violate a property such as “not public”, so unintended access is caught before anyone can exploit it.


Integrate Into SecOps Workflows
Zelkova-based findings plug into enterprise SecOps workflows for automatic incident management, notifications, and even self-healing scripts that close security gaps immediately.

What is Zelkova and How Does It Work? 

Zelkova is a technology developed by AWS’s Automated Reasoning Group that applies formal verification (mathematical logic) to analyse cloud access policies. While traditional methods (manual code review, audits, or simulating a handful of requests) can only check a limited number of cases, Zelkova reasons about every possible access request at once to determine whether any of them could violate our security expectations. In simple terms: instead of guessing which requests to test, we state the property we care about and Zelkova checks it against all requests.

What does this mean in practice? Suppose we have an S3 bucket and want to know whether anyone could access it without authorisation. Zelkova converts the bucket’s access policy into a logical formula and then tries to prove the opposite of what we hope: is there any request in which a public (or otherwise untrusted) principal is granted access? If it finds one, our policy is too permissive, and the counterexample shows exactly how. If it finds none, the bucket is proven not public. The engines Zelkova uses (SMT solvers) decide such logical problems very quickly, fast enough to run at AWS scale across hundreds of millions of policy checks. As a result, Zelkova can make broad statements such as: “The XYZ bucket is not public, i.e., no public request will be granted access.” This is a qualitatively higher level of assurance than testing can provide. One caveat belongs here: the proof covers the policy as written and the IAM semantics Zelkova models; it says nothing about stolen credentials of a trusted principal or an application that has legitimate access and leaks data.

What makes this special? With Zelkova, AWS’s approach of “provable security” is realised, providing the highest level of assurance available for critical cloud security configurations. Previously, security teams could only gain “reasonable assurance” that there were no errors (e.g., by sampling configurations or running partial tests). With Zelkova we can be certain, for every policy it has analysed, that a statement such as “none of our S3 buckets is publicly accessible” holds, and that certainty is backed by a mathematical proof rather than by the absence of a failed test.
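To make the “prove the opposite” step concrete, here is an added example of my own (not AWS code and not code from this page) that applies the same refutation idea to a constructed bucket policy. An exhaustive search over a deliberately tiny request domain stands in for Zelkova’s SMT solver; the account ids, VPC ids and bucket name are constructed, and the model supports only the StringEquals and StringNotEquals operators on two condition keys. Besides a permissive and a hardened policy it includes one that restricts by VPC only, which still has a counterexample from another account, and one that relies on an explicit Deny, which IAM evaluates before any Allow.

```python
"""Proof by refutation over a tiny abstract request space (added example).

Zelkova turns a policy into a logical formula and asks an SMT solver for a
request that is both allowed and untrusted; if none exists, the bucket is
proven not public. Below, the solver is replaced by exhaustive enumeration of
a small, constructed request domain. That is only sound because the domain is
finite: Zelkova reasons over unbounded domains (any principal ARN, IP range or
string) and every IAM condition operator; this model knows only
StringEquals and StringNotEquals on two condition keys.
"""
from itertools import product

OUR_ACCOUNT = "111122223333"  # constructed account id (the zone of trust)

# Abstract request space: which account the caller belongs to ("anonymous" for
# unauthenticated requests) and which VPC, if any, the request arrives from.
PRINCIPAL_ACCOUNTS = [OUR_ACCOUNT, "999988887777", "anonymous"]
SOURCE_VPCS = ["vpc-0abc", "vpc-other", None]

QUERIED_ACTION = "s3:GetObject"  # the question asked: can anyone read objects?


def principal_matches(principal, request):
    """'*' matches everyone, anonymous included; account ARNs match that account."""
    if principal == "*" or principal == {"AWS": "*"}:
        return True
    if request["account"] == "anonymous":
        return False
    arns = principal.get("AWS", [])
    arns = [arns] if isinstance(arns, str) else arns
    return any(arn.split(":")[4] == request["account"] for arn in arns)


def action_matches(action):
    actions = [action] if isinstance(action, str) else action
    return any(a in ("*", "s3:*", QUERIED_ACTION) for a in actions)


def condition_matches(condition, request):
    """IAM semantics: StringEquals fails when the key is absent,
    StringNotEquals succeeds when it is absent."""
    ctx = {"aws:PrincipalAccount": request["account"], "aws:SourceVpc": request["vpc"]}
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"toy model does not support {operator}")
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            hit = ctx.get(key) in expected
            if (operator == "StringEquals") != hit:
                return False
    return True


def statement_applies(stmt, request):
    return (action_matches(stmt["Action"])
            and principal_matches(stmt["Principal"], request)
            and condition_matches(stmt.get("Condition", {}), request))


def is_allowed(policy, request):
    """Explicit Deny beats any Allow; no applicable Allow means implicit deny."""
    applicable = [s for s in policy["Statement"] if statement_applies(s, request)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False
    return any(s["Effect"] == "Allow" for s in applicable)


def find_public_counterexample(policy):
    """Look for a request that is allowed AND comes from outside our account.
    A hit is a concrete counterexample; None means 'not public' holds for
    every request in the model."""
    for account, vpc in product(PRINCIPAL_ACCOUNTS, SOURCE_VPCS):
        request = {"account": account, "vpc": vpc}
        if account != OUR_ACCOUNT and is_allowed(policy, request):
            return request
    return None


OBJECTS = "arn:aws:s3:::example-bucket/*"  # constructed bucket
ALLOW_ALL = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJECTS}


def bucket_policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


PERMISSIVE = bucket_policy(ALLOW_ALL)
# Same grant, restricted to callers from our own account.
HARDENED = bucket_policy(dict(ALLOW_ALL, Condition={"StringEquals": {"aws:PrincipalAccount": OUR_ACCOUNT}}))
# Common mistake: a VPC condition restricts the network path, not the account.
VPC_ONLY = bucket_policy(dict(ALLOW_ALL, Condition={"StringEquals": {"aws:SourceVpc": "vpc-0abc"}}))
# Allow everyone, then explicitly deny everyone who is not us: the Deny wins.
LOCKED_DOWN = bucket_policy(ALLOW_ALL, {
    "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": OBJECTS,
    "Condition": {"StringNotEquals": {"aws:PrincipalAccount": OUR_ACCOUNT}}})

if __name__ == "__main__":
    for name, pol in [("PERMISSIVE", PERMISSIVE), ("HARDENED", HARDENED),
                      ("VPC_ONLY", VPC_ONLY), ("LOCKED_DOWN", LOCKED_DOWN)]:
        print(f"{name}: counterexample = {find_public_counterexample(pol)}")
```

The counterexample is the useful output: a solver-based tool returns not just “public” but the concrete request that proves it, which is what an Access Analyzer finding shows you. Enumeration cannot scale to real condition keys such as aws:SourceIp (a 32-bit or 128-bit range) or arbitrary principal strings; that is exactly where an SMT solver replaces the loop.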

Why Is This Important for Security?

A significant portion of cloud data security incidents can be traced back to configuration errors or excessive permissions. A common example is an S3 bucket that is misconfigured so that sensitive data falls into the wrong hands. The business risk of such incidents is enormous: loss of reputation, decreased customer trust, compliance sanctions, and financial damage. Zelkova drastically reduces these hidden risks. Since it reviews every possible request against our policies, it alerts us immediately if a policy would allow even a single unauthorised access.

Security benefits summarised:

  • Proactive protection: Instead of waiting for an attacker to exploit a mistake or for the security team to notice a misconfiguration, Zelkova-supported tools signal problems at the moment of creation.
  • Scalability without human resources: Cloud environments can be vast, with thousands of resource policies. It’s impossible to manually audit every change. Zelkova provides automated, continuous monitoring without human intervention, 24/7, so security keeps pace with development.
  • Mathematical certainty: Zelkova provides mathematical proof for specific security statements (e.g., “There is no public access to resource X.”). This is a qualitative leap compared to traditional checks based on sampling and spot tests. Provability is especially valuable during audits: leaders and auditors gain higher confidence that critical controls really hold.
  • Enforcing best practices: Zelkova can compare a policy against a reference policy that expresses the desired baseline (e.g., “accessible only from our account”). If the policy is more permissive than the baseline, the service built on Zelkova signals it immediately. This enforces best security practices and helps implement the “least privilege” principle everywhere.

Where Can We See Zelkova’s Power? – AWS Services and Integrations

While Zelkova itself is an invisible “engine” under the AWS cloud, several specific AWS services leverage its capabilities, providing direct functionality for leaders and engineers. These tools build on Zelkova’s logic to offer service-level features with easy usability. Here are some key examples:

  • IAM Access Analyzer: Part of AWS Identity and Access Management, and one of the most important Zelkova-based services. Access Analyzer continuously checks resource policies (S3 buckets, KMS keys, IAM roles, Lambda functions, SQS queues, Secrets Manager secrets, etc.) to see whether they allow access from outside the “zone of trust”, i.e., your account or organisation. For example, if an S3 bucket policy grants access to a principal from another AWS account, or to everyone, Access Analyzer generates a finding and marks public ones as such. Zelkova does this in the background: it mathematically determines whether the policy allows any request that does not originate inside the zone of trust. It is not log-based and not retrospective (it does not wait for someone to actually access the resource) but evaluates the policy at the moment it is configured, predicting whether a setting could be dangerous. Access Analyzer is available in the AWS Management Console and via API and CLI; findings carry a status (Active, Archived, Resolved) and can be forwarded to AWS Security Hub for centralised handling.
  • Amazon S3 Block Public Access: The “Block Public Access” feature in S3 is very simple but effective. When enabled, S3 rejects new bucket policies or ACLs that would grant public access and ignores existing public ACLs and policies. Zelkova’s logic is behind the policy part: for every policy put on a bucket it asks “Would this policy grant public access?”, and if the answer is yes the policy is rejected. This acts as a built-in safety belt against configuration errors, and it can be enforced at account level for all buckets.
  • AWS Config – Zelkova-powered rules: AWS Config is a cloud configuration monitoring service that continuously checks resource settings against expectations or rules. Some built-in rules now run with Zelkova under the hood. For example, rules like s3-bucket-public-read-prohibited or lambda-function-public-access-prohibited use formal analysis to determine whether all unwanted access is truly prohibited. If a rule is violated, Config marks the resource non-compliant, and you can trigger automatic remediation.
  • AWS Trusted Advisor (Security checks): Trusted Advisor provides recommendations for optimising and securing your cloud environment. Some security checks—such as searching for open S3 buckets or excessive permissions—also benefit from Zelkova’s capabilities. Trusted Advisor can review resource policies and warn if it finds public access or other risks, supporting security teams as an external “auditor.”

SecOps Automations Based on Zelkova and Access Analyzer

For a CISO or any security leader, it’s not just important to have tools that signal problems—but also that these can be integrated into the company’s security operations, preferably in an automated way. Fortunately, Zelkova-based services (like IAM Access Analyzer) are designed to easily connect with other cloud components, building notification and intervention chains.

  1. Event-driven alerts and interventions: IAM Access Analyzer publishes an event to Amazon EventBridge whenever it creates or updates a finding, for example after a new or modified resource policy is found to allow external access. You can set up rules to catch these events automatically. For example, you can create an EventBridge rule for every active finding on an S3 bucket that is marked public. Such a rule can trigger a series of automatic actions:
  • Send a notification to an Amazon SNS topic, which then emails the security team or integrates a message into the company Slack.
  • Directly trigger an AWS Lambda function that takes specific steps, e.g., reverts the change (removes the public policy or enables Block Public Access on the affected bucket), or flags the resource for human review.
  • Log the alert in an incident management system, opening a ticket for the responsible team to investigate.

The advantage of this mechanism is that it all happens within seconds or minutes. If someone accidentally makes a resource public, the SecOps team is notified almost immediately—not just at the next scheduled audit. If the reaction is well automated, the system may have already fixed the dangerous setting before the developer even notices, minimising the window of vulnerability.
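As an added example (my own code, not AWS sample code and not from the page), here is a Lambda target for the EventBridge rule described above. It closes active public S3 bucket findings by enabling all four Block Public Access settings, flags cross-account findings for human review (a partner account may be legitimate), and keeps a constructed allow-list for buckets that are public on purpose so that a static website is not locked by mistake. The EventBridge pattern and the detail field names follow Access Analyzer’s finding schema as I know it and should be confirmed against a real event in your account; the S3 client is injected so the logic runs locally with a fake client and constructed events.

```python
"""Auto-remediation of IAM Access Analyzer public-bucket findings (added example)."""

# EventBridge rule pattern, kept here for reference; deploy it with your IaC tool.
# Field names assume the "Access Analyzer Finding" detail type; verify against a
# real event in your account.
EVENT_PATTERN = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
    "detail": {"status": ["ACTIVE"], "resourceType": ["AWS::S3::Bucket"]},
}

# All four S3 Block Public Access switches.
BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Constructed allow-list: buckets that are public on purpose (e.g., a static
# site) must never be auto-locked; they are flagged for a human instead.
INTENTIONALLY_PUBLIC = {"example-static-website"}


def bucket_name_from_arn(arn):
    """S3 bucket ARNs have no region/account fields: arn:aws:s3:::bucket-name."""
    prefix = "arn:aws:s3:::"
    name = arn[len(prefix):]
    if not arn.startswith(prefix) or not name or "/" in name:
        raise ValueError(f"not an S3 bucket ARN: {arn}")
    return name


def remediate(detail, s3):
    """Decide what to do with one finding and do it. Returns a record for
    logging or ticketing (the SNS/ticket steps are left to the caller)."""
    if detail.get("status") != "ACTIVE" or detail.get("resourceType") != "AWS::S3::Bucket":
        return {"action": "ignored", "reason": "not an active S3 bucket finding"}
    bucket = bucket_name_from_arn(detail["resource"])
    if not detail.get("isPublic"):
        # Cross-account access may be legitimate (a partner account); humans decide.
        return {"action": "flag_for_review", "bucket": bucket, "finding": detail.get("id"),
                "reason": "cross-account access, not public"}
    if bucket in INTENTIONALLY_PUBLIC:
        return {"action": "flag_for_review", "bucket": bucket, "finding": detail.get("id"),
                "reason": "bucket is on the intentionally-public allow-list"}
    # Public and not allow-listed: close the hole now. RestrictPublicBuckets makes
    # S3 ignore the public policy immediately, before anyone has to edit it.
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    return {"action": "blocked_public_access", "bucket": bucket, "finding": detail.get("id")}


def handler(event, context=None, s3=None):
    """Lambda entry point. `s3` is injectable for local runs."""
    if s3 is None:
        import boto3  # imported only inside Lambda, where it is always available
        s3 = boto3.client("s3")
    return remediate(event["detail"], s3)


class FakeS3:
    """Constructed stand-in that records calls instead of touching AWS."""

    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


# Constructed events, shaped like EventBridge deliveries of two findings.
PUBLIC_BUCKET_EVENT = {
    "source": "aws.access-analyzer",
    "detail-type": "Access Analyzer Finding",
    "detail": {
        "id": "00000000-0000-0000-0000-000000000001",  # constructed finding id
        "status": "ACTIVE",
        "resourceType": "AWS::S3::Bucket",
        "resource": "arn:aws:s3:::example-bucket",
        "isPublic": True,
        "principal": {"AWS": "*"},
        "action": ["s3:GetObject"],
    },
}
CROSS_ACCOUNT_EVENT = {
    "source": "aws.access-analyzer",
    "detail-type": "Access Analyzer Finding",
    "detail": {
        "id": "00000000-0000-0000-0000-000000000002",
        "status": "ACTIVE",
        "resourceType": "AWS::S3::Bucket",
        "resource": "arn:aws:s3:::example-bucket",
        "isPublic": False,
        "principal": {"AWS": "999988887777"},  # constructed partner account
        "action": ["s3:GetObject"],
    },
}

if __name__ == "__main__":
    fake = FakeS3()
    print(handler(PUBLIC_BUCKET_EVENT, s3=fake), fake.calls)
    print(handler(CROSS_ACCOUNT_EVENT, s3=fake))
```

The Lambda’s execution role needs only s3:PutBucketPublicAccessBlock on the buckets it may lock; keep the allow-list in configuration (a parameter or tag) rather than in code, and have the rule also forward every finding to an SNS topic so that automated remediation never replaces the notification.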

  2. Integration into CI/CD processes: In the spirit of DevSecOps, it’s worth building security checks into the development process from the very beginning. Since Access Analyzer functionality is available via the AWS API, a company can integrate it into its pipelines. For example:
  • Infrastructure as Code (IaC) checks: Before applying a Terraform or CloudFormation stack, you can run a pre-check with Access Analyzer. Its access preview feature (the CreateAccessPreview API, which supports S3 buckets, KMS keys, IAM roles and several other resource types) tells you which findings a proposed resource policy would generate before it goes live. If it would grant external or public access, the pipeline can be interrupted or require an approval.
  • Pull request checks: If developers modify an IAM policy in code, a pipeline step can call Access Analyzer’s ValidatePolicy API on the changed document. It returns findings classified as errors, security warnings, warnings and suggestions (e.g., a wildcard resource on an iam:PassRole statement is flagged as a security warning), each with the location in the policy it refers to. The results can be fed back to the developer before the code is merged.
  • Continuous compliance checks: Although Access Analyzer is mainly event-driven, you can combine it with scheduled checks. For example, a daily or weekly Jenkins job can call the ListFindings API with a filter on status Active, compare the result with the previous run, and escalate any finding that stays open for too long.
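As an added example covering the pull request check and the scheduled compliance check above (my own code, not the page’s and not AWS sample code): a pre-merge gate that fails on ValidatePolicy findings of type ERROR or SECURITY_WARNING while only reporting WARNING and SUGGESTION, and a scheduled job that pages through ACTIVE findings and escalates those open longer than a threshold. The calls go through a boto3-style client argument; the FakeAccessAnalyzer, the finding ids, the sample policy and the analyzer ARN are constructed so that the logic runs offline, and the response shapes are those I know from boto3.

```python
"""Pipeline checks on top of IAM Access Analyzer's API (added example)."""
import json
from datetime import datetime, timedelta, timezone

BLOCKING_TYPES = {"ERROR", "SECURITY_WARNING"}


def gate_policy(policy, client, policy_type="IDENTITY_POLICY"):
    """Pre-merge gate. Returns {"pass": bool, "blocking": [...], "advisory": [...]}.
    policy_type is IDENTITY_POLICY, RESOURCE_POLICY or SERVICE_CONTROL_POLICY."""
    resp = client.validate_policy(policyDocument=json.dumps(policy), policyType=policy_type)
    blocking = [f for f in resp["findings"] if f["findingType"] in BLOCKING_TYPES]
    advisory = [f for f in resp["findings"] if f["findingType"] not in BLOCKING_TYPES]
    return {"pass": not blocking, "blocking": blocking, "advisory": advisory}


def stale_findings(analyzer_arn, client, now=None, max_age=timedelta(days=7)):
    """Scheduled check. Lists ACTIVE findings (following nextToken) and returns
    those open longer than max_age, oldest first, for escalation."""
    now = now or datetime.now(timezone.utc)
    stale, token = [], None
    while True:
        kwargs = {"analyzerArn": analyzer_arn, "filter": {"status": {"eq": ["ACTIVE"]}}}
        if token:
            kwargs["nextToken"] = token
        resp = client.list_findings(**kwargs)
        for f in resp["findings"]:
            age = now - f["createdAt"]  # boto3 returns tz-aware datetimes
            if age >= max_age:
                stale.append({"id": f["id"], "resource": f["resource"],
                              "isPublic": f.get("isPublic", False), "open_days": age.days})
        token = resp.get("nextToken")
        if not token:
            return sorted(stale, key=lambda s: -s["open_days"])


class FakeAccessAnalyzer:
    """Constructed stand-in returning canned responses in boto3's shape."""

    def __init__(self, validate_findings, pages):
        self._validate, self._pages = validate_findings, pages

    def validate_policy(self, **kwargs):
        return {"findings": self._validate}

    def list_findings(self, **kwargs):
        i = int(kwargs.get("nextToken", 0))
        resp = {"findings": self._pages[i]}
        if i + 1 < len(self._pages):
            resp["nextToken"] = str(i + 1)
        return resp


NOW = datetime(2025, 12, 10, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed policy: iam:PassRole on any role is the classic over-broad grant.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}

# Constructed ValidatePolicy findings (issue codes illustrate the finding types).
VALIDATE_FINDINGS = [
    {"findingType": "SECURITY_WARNING", "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
     "findingDetails": "Using the iam:PassRole action with wildcards in the resource can be overly permissive."},
    {"findingType": "SUGGESTION", "issueCode": "EMPTY_SID_VALUE",
     "findingDetails": "Add a value to the empty string in the Sid element."},
]

# Constructed ListFindings pages: one public bucket, one fresh KMS finding,
# one cross-account role open for a month.
FINDING_PAGES = [
    [{"id": "f-1", "status": "ACTIVE", "resource": "arn:aws:s3:::example-bucket",
      "isPublic": True, "createdAt": NOW - timedelta(days=12)}],
    [{"id": "f-2", "status": "ACTIVE", "resource": "arn:aws:kms:eu-west-1:111122223333:key/constructed",
      "isPublic": False, "createdAt": NOW - timedelta(days=1)},
     {"id": "f-3", "status": "ACTIVE", "resource": "arn:aws:iam::111122223333:role/partner-access",
      "isPublic": False, "createdAt": NOW - timedelta(days=30)}],
]

ANALYZER_ARN = "arn:aws:access-analyzer:eu-west-1:111122223333:analyzer/org"  # constructed

if __name__ == "__main__":
    client = FakeAccessAnalyzer(VALIDATE_FINDINGS, FINDING_PAGES)
    print(gate_policy(SAMPLE_POLICY, client))
    print(stale_findings(ANALYZER_ARN, client, now=NOW))
```

In a real pipeline pass `boto3.client("accessanalyzer")` instead of the fake, fail the job when `pass` is False, and post the advisory findings as review comments; the stale-findings output is what the weekly job turns into tickets, with public findings escalated first regardless of age.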
  3. Visibility and reporting for C-level: Finally, it’s important that C-level leaders also receive transparent information about these security automations. Access Analyzer and related SecOps processes can be integrated with reporting tools. For example:
  • With Security Hub or a custom dashboard, you can show how many potential incidents were prevented by Zelkova-based sentinels (e.g., “last month we blocked X public access attempts”).
  • Trends can be displayed: is the number of misconfigurations decreasing over time? Which business units regularly trigger warnings? This helps prioritise further security training or resources.
  • Leadership reports can highlight what modern, automated tools the company uses to protect customer data. This is a trust factor for clients and partners, and internally demonstrates security maturity.

What have the Romans ever done for us? The Strategic Big Picture

Why is it important for a senior leader—CIO, CTO, CISO, or even CEO—to understand Zelkova’s significance and application?

  • Innovation in security: Zelkova is one of those pioneering technologies that take cloud security to a new level. Its use signals that the company keeps up with the latest security solutions. A C-level leader supporting such innovations is a forward-thinking strategist who ensures the foundations for secure growth in the long term.
  • Risk reduction and peace of mind: Having systems that are proven to be protected against common configuration errors means direct business risk reduction. There’s less chance of a data protection scandal or fine. This provides peace of mind for senior management. Insurers and auditors also appreciate mathematics-based checks—as residual risk is minimised.
  • Efficiency and cost savings: Preventing security incidents is always cheaper than dealing with them after the fact. With Zelkova, the number and burden of manual checks can be reduced. The security team, thanks to automated alerts, can focus on the few truly problematic cases, rather than reviewing thousands of “hopefully good” settings. This frees up resources for other strategic tasks.
  • Trust and compliance: In business partner or client negotiations, the question may arise: “How secure is your system? What guarantees that our data isn’t exposed?” Here, you can play a strong card: an AWS Zelkova-based security architecture. Explaining that the company uses technology that proves its access policies grant only the intended access can be a serious competitive advantage in building trust. Regulatory compliance (e.g., GDPR, SOC 2, ISO 27001) is also easier to demonstrate when critical controls are supported by formal verification; what is proven is a strong argument in audit documentation.
  • Laying the groundwork for the future: As cloud infrastructure grows and becomes more complex, traditional security approaches (manual checks, random audits) become less sustainable. Using Zelkova and automated reasoning future-proofs the security strategy. AWS is already working on similar projects, e.g., expanding automatic compliance checks to more areas. Those who adopt provable security principles today will find it much easier to adapt to new tools tomorrow. This kind of progress is a strategic advantage in the era of digital transformation.

In summary: Zelkova is not just a technical curiosity for engineers, but a business-critical security innovation that provides an invisible safety net for valuable data. As a C-level leader, it’s worth putting such solutions on the agenda and supporting their adoption—because data security ultimately creates trust, business stability, and long-term opportunities for success.