Category: Announcements


An Instructive Tale About Using IAM Best Practices

An interesting blog post came to our attention recently—My $500 Cloud Security Screw-up by Rich Mogull. He describes how he learned to adhere to several important AWS security principles through a series of unfortunate events. Mike Pope, senior technical writer for AWS Identity, paraphrases the post here.


Rich had inadvertently leaked his AWS access keys, allowing some unauthorized users to launch EC2 instances within his account for their own nefarious purposes. Fortunately, AWS Support alerted him and he was able to disable the keys very quickly. It’s fascinating to read how an innocent error caused the problem, how he mitigated the problem, and about the forensics he used to determine what happened.

This story gives us an opportunity to reiterate some of our AWS best practices:


A Retrospective of 2013

We established the Security Blog in April 2013 to provide you with guidance, best practices, and technical walk-throughs to help increase the security of your AWS account and better achieve compliance. Hopefully you have been able to read all of the posts published in 2013, but in case you’ve missed a few, here is an index of our in-depth posts:

IAM

We posted a mixture of prescriptive guidance and detailed explanations of newly released AWS Identity and Access Management (IAM) features and best practices, geared towards practitioners.


Make a New Year Resolution

Make a New Year Resolution for 2014 to adhere to the best practices put forth by AWS Security and Identity. Two great pieces of work published in 2013 are filled with guidance and are highly actionable. AWS published the Security Best Practices whitepaper, providing a landscape of various security-oriented technologies, including IAM, encryption, and compliance reporting. The Security Blog post that outlined the whitepaper was the second most popular post of the year (behind Writing IAM Policies: How to grant access to an Amazon S3 bucket), illustrating the importance of, and interest in, cloud security topics.

The other piece of work to reference is IAM's Top Ten Best Practices session at re:Invent. I encourage you to view the recorded session, but here's a quick rundown to get you started:

  1. Lock away your AWS account access keys
  2. Create individual IAM users
  3. Use groups to assign permissions to IAM users
  4. Grant least privilege
  5. Configure a strong password policy for your users
  6. Enable MFA for privileged users
  7. Use roles for applications that run on Amazon EC2 instances
  8. Delegate by using roles instead of by sharing credentials
  9. Rotate credentials regularly
  10. Use policy conditions for extra security

Use these security best practices to help make your AWS account as secure as possible. Not only will you find more peace of mind, but hopefully also greater control as you expand your use of AWS.

– Jim

AWS SDK Blog Posts About IAM Roles

The .NET Developers Blog recently published two easy-to-read posts about access key management for .NET applications. The first one covers some of the background of access key management, as well as the use of IAM roles for EC2. The second post goes deeper into creating and using IAM users and groups instead of using root access. The next post will discuss rotating credentials. In the meantime, if you would like a detailed description of rotating access keys, the Security Blog published a post in early October.

– Ben

Credentials Best Practices on the AWS Java Developers Blog

David Murray published a great post about best practices for IAM credentials earlier today (December 9th). He gives a high-level description of IAM, followed by methods for using IAM roles for EC2. To learn more, go to the Java Developers Blog.

– Ben

Announcing Resource-Level Permissions for AWS OpsWorks

We are pleased to announce that AWS OpsWorks now supports resource-level permissions. AWS OpsWorks is an application management service that lets you provision resources, deploy and update software, automate common operational tasks, and monitor the state of your environment. You can optionally use the popular Chef automation platform to extend OpsWorks using your own custom recipes.

With resource-level permissions you can now:

  • Grant users access to specific stacks, making management of multi-user environments easier. For example, you can give a user access to the staging and production stacks but not the secret stack.
  • Set user-specific permissions for actions on each stack, allowing you to decide, for example, who can deploy new application versions or create new resources on a per-stack basis.
  • Delegate management of each OpsWorks stack to a specific user or set of users.
  • Control user-level SSH access to Amazon EC2 instances, allowing you to instantly grant or remove access to instances for individual users.


Recap of re:Invent 2013 Sessions

Amazon Web Services (AWS) held its second annual user conference, re:Invent 2013, in Las Vegas on November 13th-15th. Security was again one of the top tracks of the program, with 22 sessions covering every area of cloud security. re:Invent 2013 was a great success.

Here are links to the videos and presentations for all the security-related sessions (those without links will be updated throughout the next couple of weeks):

Amazon EC2 Resource-Level Permissions for RunInstances

Yesterday the EC2 team announced fine-grained controls for managing RunInstances. This release enables you to set fine-grained controls over the AMIs, snapshots, subnets, and other resources that can be used when creating instances, and over the types of instances and volumes that users can create when using the RunInstances API.

This is a major milestone in the security story around EC2. Prior to this it was not practical to use a single account for a variety of users within a single organization. This one feature not only makes that much more feasible, but also allows for long-requested controls like "only allow my users to launch blessed AMIs" and other such super-useful things.

To learn more, see Derek Lyon’s post on the AWS Blog.

– Ben

Three Data-at-Rest Encryption Announcements

We’re excited to make three announcements around encryption of data at rest in AWS:

  • We’ve published a new whitepaper: Securing Data at Rest with Encryption, which describes the various options for encrypting data at rest in AWS. It describes these options in terms of where encryption keys are stored and how access to those keys is controlled. Both server-side and client-side encryption methods are discussed with examples of how each can be accomplished with specific AWS services.
  • Amazon Redshift now allows you to use an industry-standard hardware security module (HSM) to protect the encryption keys used to encrypt your Redshift cluster. HSMs are designed to provide the highest levels of security for your encryption keys. AWS CloudHSM and on-premises SafeNet Luna SA HSMs are supported. See the Redshift documentation on using HSMs for more information.
  • Amazon RDS for Microsoft SQL Server now supports the use of Transparent Data Encryption (TDE). Once enabled, the database instance encrypts data before it is stored in the database and decrypts it after it is retrieved. You can use this feature in conjunction with our previously announced support for SSL connections to SQL Server to protect data at rest and in transit. See the announcement on the AWS Blog for more details.

If you're at AWS re:Invent 2013 this week, come to session SEC304, Encrypting and Key Management in AWS, to learn more about how to protect your data using encryption.

– Ken

New Whitepaper: AWS Cloud Security Best Practices

We have just published an updated version of our AWS Security Best Practices whitepaper. You asked us for a holistic, familiar approach to managing your organization's overall information security posture, based on periodic risk assessments, when you deploy applications and assets on AWS. Specifically, you asked for:

  • How security responsibilities are shared between AWS and you, the customer
  • How to define and categorize your assets
  • How to manage user access to your data using privileged accounts and groups
  • Best practices for securing your data, operating systems, and network
  • How monitoring and alerting can help you achieve your security objectives
