Category: Announcements


CloudBerry Active Directory Bridge for Authenticating non-AWS AD Users to S3

One of the benefits of AWS is the highly available, durable, and practically unlimited cloud-based storage you can get with Amazon Simple Storage Service (Amazon S3).  Over two trillion objects are already stored in S3, and customers are always finding more creative uses for it.  One of the more commonly requested use cases is making S3 available to end users.  Do you use the AWS Management Console to access S3 buckets?  Do you build a custom application to do so instead?  Most customers want their users to access S3 buckets the same way those users interact with local file folders.

A number of third parties offer solutions that help customers provision access to AWS services.  For example, CloudBerry Lab has a solution, CloudBerry Explorer, that allows mapping a Windows drive to an S3 bucket.  Historically this solution required that an AWS administrator create an IAM user for each Windows user.  While this works well with a small number of users, if you have tens of thousands of users, you need to keep track of that many long-term access keys.  (more…)

Announcement: Resource Permissions for additional EC2 API actions

Yesterday AWS announced that it now supports resource-level permissions for the following seven additional EC2 API actions:

  • DeleteNetworkAcl
  • DeleteNetworkAclEntry
  • DeleteRoute
  • DeleteRouteTable
  • DeleteDhcpOptions
  • DeleteInternetGateway
  • DeleteCustomerGateway

As with other EC2 API actions that support resource-level permissions, you can also construct policies based on the tags associated with the resources.  To learn more, go to either our recent post on resource-level permissions or the Amazon EC2 User Guide.

– Ben

Enable Single Sign-On to the AWS Management Console via Shibboleth

<Repost from AWS Blog, here in its entirety>

One of the most powerful features of AWS Identity and Access Management (IAM) is its ability to issue temporary security credentials and grant controlled access to people in a network without having to define individual identities for each user (i.e., identity federation). This enables customers to extend their existing authentication systems and give users single sign-on (SSO) access to the AWS Management Console.

Last November, we released sample code that allows customers to create a federation proxy server. The proxy uses IAM roles to create temporary security credentials, which Windows Active Directory users can then use for single sign-on (SSO) to the AWS Management Console. Thousands of universities and government institutions currently use Shibboleth as their SSO authentication system across many disparate systems. We’ve received feedback from these customers who want a sample demonstrating how to leverage existing Shibboleth systems to easily enable SSO to the AWS Management Console.

Today, we are excited to release additional sample code that extends the functionality of the federation proxy to support Shibboleth using the Security Assertion Markup Language (SAML). The sample code empowers system architects and admins to configure Shibboleth and IAM so users can leverage AWS services while still managing the user’s credentials in their local directory. The sample allows federated users to log into the AWS Management Console without having to create individual IAM users. This approach of federating the use of AWS is a great way to expand and extend your organization’s ability to securely access AWS resources.  (more…)

Important Notification About Your AWS Virtual MFA Device

** Update:  the Google Authenticator application for iOS has been updated and is now available from Apple’s App Store.  It no longer has the issue of potentially losing existing AWS MFA tokens reported in this post.

Do you use Google Authenticator for iOS for AWS MFA? If so, then read this!

If you use Google Authenticator for iOS for AWS MFA to secure your AWS account, please read on. Google recently released an update to the Google Authenticator app in the Apple App Store. We’ve received reports indicating that this update deletes all MFA tokens from the smartphone. This could prevent you from authenticating to your AWS account.  Google has since pulled the Google Authenticator application from the App Store and is presumably working on a fix for this issue.

We wanted to give AWS customers guidance on how to best proceed until a fix is provided. How you proceed depends on whether you’ve upgraded and whether you can access AWS.  (more…)

Jeff Barr Talks with Symplified About Identity Federation and SSO

Jeff Barr, AWS’s chief evangelist, recently did an AWS Report interview with Symplified’s CTO and co-founder Darren Plat covering identity federation and single sign-on to cloud-based apps.  The interview goes into depth about the need for identity federation services in the cloud and how Symplified implemented their offering for AWS services. You can watch the interview.

– Ben

2013 PCI Compliance Package Available Now

We’re happy to announce the availability of the 2013 PCI Compliance Package. Along with the AWS PCI Attestation of Compliance, this package includes our independent assessor’s revised and expanded PCI Customer Responsibility Matrix, which describes the shared responsibility of the customer and AWS for each of the 200+ PCI Data Security Standard controls. This document helps not only those who need to manage a PCI cardholder environment on AWS; it can also help any customer better understand their responsibility for operating controls, so you can develop and operate a highly secure environment on AWS and prepare your organization for various audits. The PCI Data Security Standard is a globally accepted security standard that customers use to support a wide range of sensitive workloads, including, of course, processing and storing sensitive payment card data.

What are customers saying about becoming PCI compliant with AWS?

“The underlying AWS infrastructure was PCI compliant out of the box and our QSA was happy with the AWS PCI Package and Responsibility Matrix.  This freed us to think about our system and software architecture as opposed to the capital expenditure costs normally involved in finding a suitable hosting facility, equipment, and sundries, not to mention building, assessing and running the infrastructure.” (more…)

New Playground App to Explore Web Identity Federation with Amazon, Facebook, and Google

In May 2013, we announced support for federation using identities from Amazon, Facebook, and Google (a.k.a. web identity federation), which allows your apps to authenticate users via Amazon, Facebook, or Google and then access AWS resources managed under your account.

To help you understand how web identity federation works, today we’re releasing the Web Identity Federation Playground. This is an interactive web page that lets you explore the three key steps of web identity federation.  First, you sign in with Amazon, Facebook, or Google.  Next, you make an AWS request to obtain temporary security credentials.  Lastly, you use those temporary security credentials to access an AWS resource (Amazon S3 in this case). In addition, the Playground is entirely self-contained (no need to use the AWS CLI, SDKs, or Management Console), so you can try it out without writing any code!

In this blog post, we’ll walk through the steps of using the Web Identity Federation Playground. (more…)

Resource-Level Permissions for EC2: Controlling Management Access on Specific Instances

Note: As of March 28, 2017, Amazon EC2 supports tagging on creation, enforced tag usage, AWS Identity and Access Management (IAM) resource-level permissions, and enforced volume encryption. See New – Tag EC2 Instances & EBS Volumes on Creation on the AWS Blog for more information.

We are happy to announce that we launched resource-level permissions for EC2 today. The official announcement can be found here. To help you take advantage of these new features for securing your EC2 environment, we will be publishing a series of posts covering common scenarios and best practices. This week’s guest blogger, Derek Lyon, Product Manager on the EC2 team, will explain how we address one of our most commonly-requested use cases: managing access to specific EC2 instances.

Customers have been able to use IAM policies to control which of their users or groups could start, stop, reboot, and terminate instances across all EC2 instances under an account. With this release of EC2 resource-level permissions, customers can now strictly control which IAM users or groups can start, stop, reboot, and terminate specific EC2 instances. This ability to assign control of an individual instance to a specific user or group helps organizations implement important security principles like separation of duties (preventing critical functions from being in the hands of one user) and least privilege (providing each user access only to the minimum resources they need to do their job). For example, you probably don’t want to give everyone in your organization permission to terminate business-critical production instances, so now you can assign that privilege to only a few trusted administrators. Below is a four-step process that shows you how to use our new resource-level permissions feature along with IAM policies to help protect specific instances. (more…)

Looking for Feedback from Our Readers

Dear readers,

We hope you’ve found our posts over the past couple of months both informative and useful. While we’ve posted a variety of topics to appeal to a broad audience, we’d like to hear directly from you about what we could do better. What additional topics would you like us to write about related to security and AWS? Please use the Comments link below to tell us what you’d like to see.

Thanks,
Jim

Auditing Security Checklist for AWS Now Available

Based on feedback from our customers, AWS has published an Auditing Security Checklist to help you and your auditors assess the security of your AWS environment in accordance with industry or regulatory standards. The checklist builds on the recently revised Operational Checklists for AWS, which help you evaluate your applications against a list of best practices before deployment.

Image showing AWS Operations and Auditing Checklists

The Auditing Security Checklist for AWS can help you:

  • Evaluate the ability of AWS services to meet information security objectives and ensure future deployments within the AWS cloud are done in a secure and compliant way
  • Assess your existing organizational use of AWS and ensure it meets security best practices
  • Develop AWS usage policies or validate that existing policies are being followed

(more…)