Category: Announcements


New in Amazon EMR: Support for Federated Users

AWS announced yesterday that Amazon Elastic MapReduce (EMR) added support for federated users. If you use Amazon EMR, you can now let users who are signed in to your corporate network with their corporate credentials administer Amazon EMR clusters—you no longer need to create IAM users for access to EMR.

Up to now, federated users who’ve signed into the console—for example, using an identity provider that supports SAML (Security Assertion Markup Language) or a custom proxy service—have seen the Amazon EMR console disabled. But no more! Federated users now have the same console-based access to Amazon EMR that IAM users do.

The new support extends the ways in which you can take advantage of federated access to AWS. If you haven’t investigated federation, we encourage you to try it. If you already use SAML, have a look at the list of solution providers who make it easy to enable federation with AWS. Or check out some of the other federation scenarios that are available.

For more information about the new release, see the Amazon EMR documentation.

– Mike

With New ELB Permissions, Support for IAM in AWS Is Going Strong

The Elastic Load Balancing team announced on May 13, 2014 that they’ve added support for resource-level permissions. Not only can you specify which ELB actions a user can perform, you can specify which resources the user can perform those actions on. For more information about the new ELB permissions, see Controlling Access to Your Load Balancer.

This is another step forward in enabling you to place greater control over your AWS resources. Nearly every AWS service now supports IAM to allow you to control access to actions. With most services you can also use temporary security credentials, meaning that you can take advantage of cross-account access and identity federation. And in the last year, many existing services have added support for resource-level permissions, including Amazon EC2, Amazon RDS, and AWS OpsWorks. Meanwhile, new services like Amazon Kinesis and AWS CloudTrail launched with the ability to set resource-level permissions.

You can always find an up-to-date list of services that support IAM in the IAM documentation. To learn more about resource-level permissions, check out the following AWS Security Blog entries:

– Mike

Some AWS SDKs Security Features You Should Know About

The AWS SDK team recently added and documented some security-related features that we think you shouldn’t miss. Check these out!

Updates for managing access keys in the .NET and Java SDKs. In Referencing Credentials using Profiles, blogger Norm Johanson describes how you can now put a credentials file in your user folder. This great security enhancement makes it easier to keep access keys in a safe and secure location when you use the SDKs, as we recommend in our best practices for managing access keys. You can also keep multiple configuration profiles (as you can for the AWS CLI), which makes it very easy to test code using the credentials for different users. These features are available in both the .NET SDK and the Java SDK.

Encryption features for Amazon S3. In Using AmazonS3EncryptionClient to Send Secure Data Between Two Parties, blogger Hanson Char describes a little-known feature—how to securely share proprietary data on S3 using a public/private key pair. This feature is available in the .NET, Java, and Ruby SDKs. And in Amazon S3 Client-Side Authenticated Encryption, Hanson alerts us to a new feature of the Java SDK that enables you not only to keep S3 data encrypted at rest, but to enhance the security of the data with a new feature that adds an integrity check for both the data and the envelope key.

To keep up with the fast-moving AWS SDK team, be sure to subscribe to their blogs—you can find their blogs under AWS Blogs on the side of this page.

– Mike

A Convenient New Hardware MFA Form Factor

Is your key chain too full for yet another key fob? Ever find yourself locked out of AWS because you didn’t have your key chain on hand? Gemalto, a third-party provider, has just released a new multi-factor authentication (MFA) device in a convenient “credit card” form factor that fits comfortably into a wallet. It works like a traditional MFA one-time password (OTP) device—you follow the same easy setup steps, and you simply tap the button on the card to display the authentication code.

Image of the MFA "credit card"

If you haven’t yet activated AWS MFA, now is a great time to do so. It’s one of the simplest ways to help significantly improve the security of your AWS account. With AWS MFA enabled for a user, when the user signs in to an AWS website, he or she will be prompted not only for a username and password (the first factor – what they know), but also for an authentication code from their AWS MFA device (the second factor – what they have).

Encryption for EBS Volumes Can Help You with Security and Compliance

On May 21, AWS launched encryption for EBS volumes, a frequently requested feature, which can help you meet stricter security and encryption compliance requirements. You can now create an encrypted EBS volume and attach it to an EC2 instance. Data on the volume, disk I/O, and snapshots created from the volume are all encrypted. The encryption occurs on the servers that host the EC2 instances, providing encryption for data as it moves between EC2 instances and EBS storage.

Over on the AWS blog, Jeff Barr has a writeup with more details, and you can read more about EBS encryption in the EC2 documentation. Check it out!

– Ken

Come Join Our May Webinars as AWS, Partners, and Customers Discuss Security

May is the month of security-oriented webinars at AWS. We’re presenting three webinars that touch on different identity and access management (IAM) technologies and use cases.

The first webinar highlights AWS CloudTrail, APN (AWS Partner Network) partner Splunk, and FINRA. The webinar begins with an overview of CloudTrail, followed by a discussion of how Splunk uses CloudTrail logs in its Security Information and Event Management (SIEM) solution. FINRA, a customer who uses the Splunk SIEM solution, will provide a real-world example. This webinar is scheduled for May 20, 2014. Register here.

The second webinar describes how AWS partners can take advantage of cross-account access and other delegation capabilities to safely access AWS resources in their customers’ AWS accounts. This webinar is scheduled for May 28, 2014. Register here if your organization is in the AWS Partner Network.

The third webinar focuses on how to grant federated users in your organization access to AWS by using third-party identity management solutions. We’ll begin with an overview of IAM and identity federation. Then APN partner Ping Identity will talk about Ping Federation, a solution that integrates with AWS IAM. The date of this webinar is May 28, 2014. Register here.

We look forward to your participation!

– Ben

Important Change to How You Manage Your AWS Account’s Access Keys

As part of our ongoing efforts to help keep your resources secure, on April 21, 2014, AWS removed the ability to retrieve existing secret access keys for your AWS (root) account. See the updated blog post Where’s My Secret Access Key? for more information about access keys and secret access keys.

– Kai

AWS Security and CVE-2014-0160 (“Heartbleed”)

We have reviewed all AWS services for impact from CVE-2014-0160 (also known as the Heartbleed bug) and have either determined that the services were unaffected or applied mitigations that do not require customer action. In a few cases, we are recommending that customers rotate SSL certificates or secret keys. For additional detail, see AWS Services Updated to Address OpenSSL Vulnerability.

Update (23 Apr 2014): The AWS premium support site has added an FAQ page for questions about the CVE-2014-0160 issue.

For information about managing private keys and certificates, see the following topics.

If you have questions, please visit the IAM forums.

– Jim

IAM User Sign-in Page Changes

Today, AWS updated the sign-in experience for IAM users accessing AWS websites such as the AWS Management Console, Support, or Forums. As previously announced, the new sign-in experience continues to provide the same functionality as the previous one, but it provides a more consistent experience for IAM users when signing in to an AWS account, whether on a PC, tablet, or mobile phone.

Redshift – FedRAMP AWS Security Blog Announcement

FedRAMP logo

AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP assessment and authorization process and has been added to our list of services covered under our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S. Department of Health and Human Services (HHS). This is the first new service we’ve added to our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May 2013.

With the addition of Redshift we now have six FedRAMP covered services in our US East/West FedRAMP package, including: EC2, VPC, S3, EBS, IAM and now Redshift. The US East/West FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region.
