Category: Announcements
Easier Role Selection for SAML-Based Single Sign-On
At the end of 2013, we introduced single sign-on to the AWS Management Console using the Security Assertion Markup Language (SAML) 2.0. This enables you to use your organization’s existing identity system to sign in to the console without having to provide AWS credentials.
Today we’re happy to announce that, in response to your feedback, we’ve made a number of improvements to the sign-in page. Here’s what it looks like now:

As you can see, there are three improvements. First, we’ve organized the roles by account, which makes it much easier to zero in on a role in a specific account. Second, we’re now displaying account aliases if you have configured them. This means that your users don’t have to know the account ID if they’re used to seeing the account alias. And finally, we’re displaying roles using only their names and not full Amazon Resource Names (ARNs), making it easier to focus on the actual role. (If you have only one role configured, users go directly to the console without seeing this page.)
Upcoming Security Sessions at re:Invent 2014
AWS re:Invent is only one month away! Several members of the AWS Security and AWS Identity and Access Management (IAM) teams will be presenting on security topics and answering your questions in the AWS Security Booth. We have 21 sessions covering security this year. In this blog post, I want to highlight six essential sessions to attend.
In Case You Missed Them: Some Recent Security Enhancements in AWS
With the steady cadence of updates and enhancements for AWS services, it can sometimes be easy to miss announcements about features that relate to security. Here are some recent security-related updates in AWS services that we’re excited about and that you might not have heard about.
AWS Trusted Advisor inspects your AWS environment and finds opportunities to save money, improve system performance and reliability, and help close security gaps. Trusted Advisor recently made available four of its most popular checks to all AWS users. Three of those checks pertain specifically to security:
- The Specific Ports Unrestricted check alerts you to overly permissive access to Amazon Elastic Compute Cloud (Amazon EC2) instances and helps you avoid malicious activities such as hacking, denial-of-service attacks, and loss of data.
- The IAM Use check determines whether you’ve followed the recommended practice of creating IAM users, groups, and roles to control access to your account instead of using your account credentials.
- The MFA on Root Account check determines whether you’ve enabled MFA for access to the AWS Management Console when you use your account (root) password.
AWS GovCloud Earns DoD CSM Level 3-5 Provisional Authorization
I’m very excited to share that AWS has received the first ever U.S. Department of Defense (DoD) level 3-5 Provisional Authorization for the AWS GovCloud (US) region under the Defense Information Systems Agency’s (DISA) Cloud Security Model (CSM). AWS has been authorized for CSM levels 1-2 workloads for all US regions since March of this year. This new authorization allows DoD customers to conduct development and integration activities that are required to secure controlled unclassified information in AWS GovCloud at levels 3-5 of the CSM. Simply put, DoD agencies can now use AWS GovCloud’s compliant infrastructure for all but level 6 (classified) workloads.
Built on the foundation of the FedRAMP Program, the DoD CSM includes additional security controls specific to the DoD. The authorization sponsored by DISA will reduce the time necessary for DoD agencies to evaluate and authorize the use of AWS GovCloud. To learn more about the AWS DoD Authorizations, please visit the AWS DoD CSM FAQs page.
Our services are listed in the DoD Enterprise Cloud Service Broker (ECSB) catalog. DoD agencies can immediately request AWS DoD Provisional Authorization compliance support by submitting a Compliance Support Request to the AWS public sector sales and business development team. For more information on AWS security and compliance, please visit the AWS Security Center and the AWS Compliance Center.
– Chad Woolf, Director, AWS Risk & Compliance
Amazon CloudSearch: Now with More Granular Access Control for Domains
Yesterday, Amazon CloudSearch released a new version that is fully integrated with AWS Identity and Access Management (IAM) and enables you to control access to a domain’s document and search services. Jon Handler, an AWS Solutions Architect who specializes in search, describes the new features.
In March, we released a new Amazon CloudSearch API that supports 34 languages as well as popular search features such as highlighting, autocomplete, and geospatial search. From a security perspective, one of the most exciting things about the Amazon CloudSearch 2013-01-01 API is that it provides better integration with IAM for the CloudSearch configuration API. Instead of granting users all-or-nothing access to the CloudSearch configuration service, you can grant more granular permissions so you can control access to specific configuration actions, such as creating and managing domains, managing domain resources, setting indexing options, and configuring domain services.
Now, we’ve further enhanced CloudSearch to support full IAM integration for all CloudSearch actions. You can use IAM to control access not just to the CloudSearch configuration service, but also to a domain’s document, search, and suggest services. You have control over which users are allowed to upload documents, submit search requests, and get suggestions.
In this post, I’ll discuss some use cases for granting access to Amazon CloudSearch using IAM.
Introducing the Redesigned IAM Console
We are excited to announce the redesigned IAM console, now with a streamlined look and feel that makes it even easier to manage your IAM settings. We’ve made it more convenient to manage large resource lists (for example, hundreds of users, groups, or roles), eliminated tab switching, and optimized the console to offer a better experience on mobile devices by restructuring resource detail pages and task workflows. Let’s take a look at the new features.
Security Checklist
We’ve made it easier to adopt the recommendations listed in our IAM best practices. The IAM console dashboard now shows you which recommended security measures are complete and how to take action on those that aren’t.
AWS CloudTrail Now Logs AWS Management Console Sign-In Events
We’ve heard from many of you that you want greater visibility into when users sign in to the AWS Management Console. We are excited to announce that AWS CloudTrail now captures console sign-in events whenever an account owner, a federated user, or an IAM user signs into the console.
For those of you who aren’t familiar with CloudTrail, it’s a service that enables you to record AWS API calls made from within your account and store the results in an Amazon S3 bucket. We recommend that you enable CloudTrail as part of a general security best practice.
In this blog post I give an overview of the benefits of logging console sign-in events and describe how to read log files.
New IAM Features: Enhanced Password Management and Credential Reports
The AWS IAM team recently released new credential lifecycle management features that enable AWS account administrators to define and enforce security best practices for IAM users.
We’ve expanded IAM password policies to enable self-service password rotation, on top of existing options to enforce password complexity. Furthermore, you can download reports for better visibility into the status of your IAM users’ AWS security credentials. These enhancements are designed to help you comply with security standards such as PCI DSS v2.0, ISO 27001, and FedRAMP.
In this blog post, I’ll discuss a number of use cases enabled by this release.
How Does Amazon Cognito Relate to Existing Web Identity Federation?
As you might have seen, AWS recently released Amazon Cognito, a user identity and data synchronization service that helps you securely manage and synchronize app data for your users across their mobile devices. If you develop mobile apps that call AWS services, you definitely want to check out Amazon Cognito.
What is Amazon Cognito?
Amazon Cognito simplifies the task of authorizing your users to access resources in your AWS account without the need to embed long-term AWS credentials in your app. It works with the AWS Security Token Service to uniquely identify a user and to give the user a consistent identity throughout the lifetime of an app. In addition, Amazon Cognito offers a synchronization service that enables you to save app data locally on users’ devices. This allows your app to work even when the device is offline or when the same user accesses the app on a different device.
Enhanced IAM Capabilities for the AWS Billing Console
In this post, Graham Evans, a developer on the AWS Billing team, describes new security features that expand how you can secure access to billing information in your AWS account.
My team, AWS Billing, recently released the new and improved Billing and Cost Management Console. We’re now happy to introduce an improvement to the access and capabilities of users, which includes both IAM users and federated users. Building on our existing IAM capabilities that let you grant users read-only access, we’ve released new actions to grant additional read/write access to billing information.
You can now manage the access your users have to the following pages in the Billing console:
- Dashboard
- Bills
- Cost Explorer
- Advance Payment
- Payment Methods
- Payment History
- Consolidated Billing
- Account Settings
- Reports
- Preferences
- Credits