Category: Announcements
Come Join Our May Webinars as AWS, Partners, and Customers Discuss Security
May is the month of security oriented webinars at AWS. We’re presenting three webinars that touch on different identity and access management (IAM) technologies and use cases.
The first webinar highlights AWS CloudTrail, APN (AWS Partner Network) partner Splunk, and FINRA. The webinar begins with an overview of CloudTrail, followed by a discussion of how Splunk uses CloudTrail logs in its Security Information and Event Management (SIEM) solution. FINRA, a customer who uses the Splunk SIEM solution, will provide a real-world example. This webinar is scheduled for May 20, 2014. Register here.
The second webinar describes how AWS partners can take advantage of cross-account access and other delegation capabilities to safely access AWS resources in their customers’ AWS accounts. This webinar is scheduled for May 28, 2014. Register here if your organization is in the AWS Partner Network.
The third webinar focuses on how to grant federated users in your organization access to AWS by using 3rd-party identity management solutions. We’ll begin with an overview of IAM and identity federation. Then APN partner Ping Identity will talk about Ping Federation, a solution that integrates with AWS IAM. The date of this webinar is May 28, 2014. Register here.
We look forward to your participation!
– Ben
Important Change to How You Manage Your AWS Account’s Access Keys
As part of our ongoing efforts to help keep your resources secure, on April 21, 2014, AWS removed the ability to retrieve existing secret access keys for your AWS (root) account. See the updated blog post Where’s My Secret Access Key? for more information about access keys and secret access keys.
-Kai
AWS Security and CVE-2014-0160 (“Heartbleed”)
We have reviewed all AWS services for impact by CVE-2014-0160 (also known as the Heartbleed bug) and have either determined that the services were unaffected or applied mitigations that do not require customer action. In a few cases, we are recommending that customers rotate SSL certificates or secret keys. For additional detail, see AWS Services Updated to Address OpenSSL Vulnerability.
Update (23 Apr 2014): The AWS premium support site has added an FAQ page for questions about the CVE-2014-0160 issue.
For information about managing private keys and certificates, see the following topics.
If you have questions, please visit the IAM forums.
– Jim
IAM User Sign-in Page Changes
Today, AWS updated the sign-in experience for IAM users accessing AWS websites such as the AWS Management Console, Support, or Forums. As previously announced, the new sign-in experience continues to provide the same functionality as the previous one, but it provides a more consistent experience for IAM users when signing in to an AWS account, whether on a PC, tablet, or mobile phone. (more…)
Redshift – FedRAMP AWS Security Blog Announcement
AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP assessment and authorization process and has been added to our list of services covered under our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S. Department of Health and Human Services (HHS). This is the first new service we’ve added to our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May 2013.
With the addition of Redshift we now have six FedRAMP covered services in our US East/West FedRAMP package, including: EC2, VPC, S3, EBS, IAM and now Redshift. The US East/West FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region.
AWS Secures DoD Provisional Authorization
I’m very excited to share that AWS has received a DISA Provisional Authorization under the DoD Cloud Security Model’s impact levels 1-2 for all four of AWS’s Infrastructure Regions in the U.S., including AWS GovCloud (US). With this distinction, AWS has shown it can meet the DoD’s stringent security and compliance requirements, and as a result even more DoD agencies can now use AWS’s secure, compliant infrastructure. To learn more about the AWS DoD Provisional Authorization, please visit https://aws.amazon.com/compliance/dod-csm-faqs.
Built on the foundation of the FedRAMP Program, the DoD CSM includes additional security controls specific to the DoD. The Defense Information Systems Agency (DISA) assessed our compliance with those additional security controls and granted the authorization, which will reduce the time necessary for DoD agencies to evaluate and authorize the use of the AWS Cloud.
With today’s announcement, our services are listed in the DoD Enterprise Cloud Service Broker (ECSB) catalog, and DoD agencies can immediately request AWS DoD Provisional Authorization compliance support by submitting a Compliance Support Request to the AWS public sector sales and business development team. For more information on AWS security and compliance, please visit the AWS Security Center, https://aws.amazon.com/security, and the AWS Compliance Center, https://aws.amazon.com/compliance.
Chad Woolf
Director, AWS Risk & Compliance
Use AWS CloudFormation to Configure Web Identity Federation
Web identity federation in AWS STS enables you to create apps where users can sign in using a web-based identity provider like Login with Amazon, Facebook, or Google. Your app can then trade identity information from the provider for temporary security credentials that the app can use to access AWS.
The AWS mobile development team created an S3PersonalFileStore sample app for iOS and Android that shows you how to use web identity federation to let users store information in individual S3 folders. And now they’ve posted a blog entry that shows you how to use AWS CloudFormation to simplify the configuration of the sample app:
Simplify Web Identity Federation Setup with AWS CloudFormation
Check it out!
– Jeff
Read What Others Recommend for IAM Best Practices
Here on the AWS Security Blog we’ve published several posts that recommend IAM best practices. We’re pleased to find that third-party bloggers are adding their own voices. Codeship, a company that provides a continuous code deployment and testing service, just published a great post about how to secure your AWS account using Identity and Access Management (IAM) features. Some of the recommendations include using IAM users, MFA, and roles for EC2. There’s plenty more in the blog post—check it out!
– Ben
How Do I Protect Cross-Account Access Using MFA?
Today AWS announced support for adding multi-factor authentication (MFA) for cross-account access. In this blog post, I will walk you through a common use case, including a code sample, which demonstrates how to create policies that enforce MFA when IAM users from one AWS account make programmatic requests for resources in a different account.
Many of you maintain multiple AWS accounts, so I am frequently asked how to simplify access management across those accounts. IAM roles provide a secure and controllable mechanism to enable cross-account access. Roles allow you to accomplish cross-account access without any credential sharing and without the need to create duplicate IAM users. With today’s announcement, you can add another layer of protection for cross-account access by requiring the users to authenticate using an MFA device before assuming a role.
Imagine your company maintains multiple AWS accounts: Development, Staging, and Production. Let’s assume you want to centralize the access management of all these “child” accounts using a single “parent” account that contains your IAM users. (more…)
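The control the post describes can be expressed as the trust policy on a role in a child account. The following is an added example, not the post’s own code sample: 111122223333 stands in for the parent account that holds the IAM users, and the role carrying this policy lives in the child account (Development, Staging, or Production). The Bool condition on aws:MultiFactorAuthPresent means that a caller whose credentials carry no MFA context fails the condition, so sts:AssumeRole is denied even though the principal is otherwise trusted.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowParentAccountUsersOnlyWithMFA",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

The same statement without the Condition block is the unprotected form: any IAM user in the parent account who has been granted sts:AssumeRole on the role’s ARN could assume it with plain access keys. With the condition in place, the parent account still needs an IAM policy granting its users sts:AssumeRole on that ARN; the trust policy alone does not grant access.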