Category: Announcements
Recap of re:Invent 2013 Sessions
Amazon Web Services (AWS) held its second annual user conference, re:Invent 2013, in Las Vegas on November 13th-15th. Security was again one of the top tracks of the program, with 22 sessions covering every area of cloud security. Re:Invent 2013 was a great success.
Here are links to the videos and presentations for all the security-related sessions (those without links will be updated over the next couple of weeks):
Amazon EC2 Resource-Level Permissions for RunInstances
Yesterday the EC2 team announced fine-grained controls for managing RunInstances. This release enables you to set fine-grained controls over the AMIs, snapshots, subnets, and other resources that can be used when creating instances, and over the types of instances and volumes that users can create when using the RunInstances API.
This is a major milestone in the security story around EC2. Prior to this it was not practical to use a single account for a variety of users within a single organization. This one feature not only makes that much more feasible, but also allows for long-requested things like “only allow my users to launch blessed AMIs” and other such super-useful stuff.
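As an added example (not from the original announcement), an IAM policy that lets a user call RunInstances only with one approved AMI, only into one approved subnet, and only for two small instance types. The region, account ID, AMI ID, subnet ID and instance types are constructed placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyBlessedAmiIntoApprovedSubnet",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1::image/ami-1a2b3c4d",
        "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-1a2b3c4d",
        "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
        "arn:aws:ec2:us-east-1:123456789012:volume/*",
        "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
        "arn:aws:ec2:us-east-1:123456789012:security-group/*"
      ]
    },
    {
      "Sid": "OnlySmallInstanceTypes",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": ["t1.micro", "m1.small"]
        }
      }
    }
  ]
}
```

Because RunInstances is authorized against every resource the launch touches, a request naming any other AMI or subnet, or an instance type outside the list, is denied; the instance ARN is deliberately kept out of the first statement so that the type condition in the second statement cannot be bypassed.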
To learn more, see Derek Lyon’s post on the AWS Blog.
– Ben
Three Data-at-Rest Encryption Announcements
We’re excited to make three announcements around encryption of data at rest in AWS:
- We’ve published a new whitepaper: Securing Data at Rest with Encryption, which describes the various options for encrypting data at rest in AWS. It describes these options in terms of where encryption keys are stored and how access to those keys is controlled. Both server-side and client-side encryption methods are discussed with examples of how each can be accomplished with specific AWS services.
- Amazon Redshift now allows you to use an industry-standard hardware security module (HSM) to protect the encryption keys used to encrypt your Redshift cluster. HSMs are designed to provide the highest levels of security for your encryption keys. AWS CloudHSM and on-premises SafeNet Luna SA HSMs are supported. See the Redshift documentation on using HSMs for more information.
- Amazon RDS for Microsoft SQL Server now supports the use of Transparent Data Encryption (TDE). Once enabled, the database instance encrypts data before it is stored in the database and decrypts it after it is retrieved. You can use this feature in conjunction with our previously announced support for SSL connections to SQL Server to protect data at rest and in transit. See the announcement on the AWS Blog for more details.
If you’re at AWS re:Invent 2013 this week, come to session SEC304 Encrypting and Key Management in AWS to learn more about how to protect your data using encryption.
– Ken
New Whitepaper: AWS Cloud Security Best Practices
- How security responsibilities are shared between AWS and you, the customer
- How to define and categorize your assets
- How to manage user access to your data using privileged accounts and groups
- Best practices for securing your data, operating systems, and network
- How monitoring and alerting can help you achieve your security objectives
Introducing the AWS Compliance Forum

We’re happy to announce the launch of the AWS Compliance Forum – a unique community designed for AWS customers interested in achieving compliance while using AWS services.
The AWS Compliance Forum was developed based on discussions with customers who wanted a community to connect with fellow AWS customers, interact with AWS compliance specialists, and access specialized industry enablers and education. This forum can support you in your efforts to achieve and maintain security assurance and compliance with your industry and regulatory standards while using AWS.
There is no additional charge for being a member of the AWS Compliance Forum – the only requirement is to take a brief entrance survey so that forum content and discussions can be catered to your industry, geography, and interests.
Take the survey and join the forum now: AWS Compliance Forum Entrance Survey
– Chad
Announcing New IAM Policy Simulator
Check out the new IAM policy simulator, a tool that enables you to test the effects of IAM access control policies before committing them into production, making it easier to verify and troubleshoot permissions.
Learn more at the AWS Blog.
– Kai
AWS CloudFormation Now Supports Federated Users and Temporary Security Credentials
Today AWS CloudFormation added support for temporary security credentials provided by the AWS Security Token Service. This release enables a number of scenarios, such as federated users being able to use CloudFormation from the AWS Management Console and Amazon EC2 instances with IAM roles being authorized to call CloudFormation APIs. To learn more about this new feature, please read the post on the AWS Blog.
– Ben
Security Sessions at re:Invent 2013
AWS re:Invent 2013, AWS’s second annual conference for developers and technical leaders, is less than a month away. We have some great sessions and activities lined up to ensure that content quality is high and that your questions are answered.
Update (20 May 2014): For links to the session videos and slide presentations from AWS re:Invent 2013, see the blog entry Recap of re:Invent Sessions. We’ve removed links from this post to the AWS re:Invent 2013 site. Be sure to visit the AWS re:Invent 2014 site!
Last year’s inaugural event went so well that AWS has added 50% more sessions. This of course also means more security and compliance sessions! Sessions this year will feature some great technical and business leaders from AWS. We will also showcase some customers and partners who are proven thought leaders in security and compliance.
If you’re planning to go, now is the time to organize your agenda to get the most out of the following 20-plus security and compliance oriented sessions. You can use the “Add to My Favorites” button in the Session Catalog to make it easier to plan while letting us know how many seats to reserve.
CloudBerry Active Directory Bridge for Authenticating non-AWS AD Users to S3
One of the benefits of AWS is the highly available, durable, and practically unlimited cloud-based storage you can get with Amazon Simple Storage Service (Amazon S3). Over two trillion objects are already stored in S3, and customers are always finding more creative uses for it. One of the more commonly requested use cases is how to make S3 available to end users. Do you use the AWS Management Console to access S3 buckets? Do you build a custom application to do so instead? Most customers want their users to access S3 buckets the same way the users interact with local file folders.
A number of third parties offer solutions that can help customers provision access to AWS services. For example, CloudBerry Lab has a solution, CloudBerry Explorer, that allows mapping a Windows drive to an S3 bucket. Historically this solution required that an AWS administrator create an IAM user for each Windows user. While this works well with a small number of users, if you have tens of thousands of users, you need to keep track of that many long-term access keys.
Announcement: Resource Permissions for additional EC2 API actions
Yesterday AWS announced that it now supports resource-level permissions for the following seven additional EC2 API actions:
- DeleteNetworkAcl
- DeleteNetworkAclEntry
- DeleteRoute
- DeleteRouteTable
- DeleteDhcpOptions
- DeleteInternetGateway
- DeleteCustomerGateway
As with other EC2 API actions that support resource-level permissions, you can also construct policies based on the tags associated with the resources. To learn more, go to either our recent post on resource-level permissions or the Amazon EC2 User Guide.
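As an added example (not from the original announcement), a policy that grants these seven Delete actions but uses the resource-tag condition to refuse them on anything tagged Environment=production. The tag key and value are constructed; note that DeleteRoute and DeleteNetworkAclEntry are authorized against the parent route table and network ACL, so the tag must be on those resources:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVpcNetworkingDeletes",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteDhcpOptions",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteCustomerGateway"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDeletesOnProductionTaggedResources",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteNetworkAcl",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteDhcpOptions",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteCustomerGateway"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "production"
        }
      }
    }
  ]
}
```

An explicit Deny always wins over the Allow, so the guard holds even if another attached policy grants the same actions; untagged resources are not protected by it, which is worth verifying with the IAM policy simulator before relying on tagging as a control.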
– Ben