Category: Announcements


In Case You Missed Them: Some Recent Security Enhancements in AWS

With the steady cadence of updates and enhancements for AWS services, it can sometimes be easy to miss announcements about features that relate to security. Here are some recent security-related updates in AWS services that we’re excited about and that you might not have heard about.

AWS Trusted Advisor inspects your AWS environment and finds opportunities to save money, improve system performance and reliability, and help close security gaps. Trusted Advisor recently made available four of its most popular checks to all AWS users. Three of those checks pertain specifically to security:

  • The Specific Ports Unrestricted check alerts you to overly permissive access to Amazon Elastic Compute Cloud (Amazon EC2) instances and helps you avoid malicious activities such as hacking, denial-of-service attacks, and loss of data.
  • The IAM Use check determines whether you’ve followed the recommended practice of creating IAM users, groups, and roles to control access to your account instead of using your account credentials.
  • The MFA on Root Account check determines whether you’ve enabled MFA for access to the AWS Management Console when you use your account (root) password.


AWS GovCloud Earns DoD CSM Level 3-5 Provisional Authorization

I’m very excited to share that AWS has received the first ever U.S. Department of Defense (DoD) level 3-5 Provisional Authorization for the AWS GovCloud (US) region under the Defense Information Systems Agency’s (DISA) Cloud Security Model (CSM). AWS has been authorized for CSM levels 1-2 workloads for all US regions since March of this year. This new authorization allows DoD customers to conduct development and integration activities that are required to secure controlled unclassified information in AWS GovCloud at levels 3-5 of the CSM. Simply put, DoD agencies can now use AWS GovCloud’s compliant infrastructure for all but level 6 (classified) workloads.

Built on the foundation of the FedRAMP Program, the DoD CSM includes additional security controls specific to the DoD. The authorization sponsored by DISA will reduce the time necessary for DoD agencies to evaluate and authorize the use of AWS GovCloud. To learn more about the AWS DoD Authorizations, please visit the AWS DoD CSM FAQs page.

Our services are listed in the DoD Enterprise Cloud Service Broker (ECSB) catalog. DoD agencies can immediately request AWS DoD Provisional Authorization compliance support by submitting a Compliance Support Request to the AWS public sector sales and business development team. For more information on AWS security and compliance, please visit the AWS Security Center and the AWS Compliance Center.

– Chad Woolf, Director, AWS Risk & Compliance

Amazon CloudSearch: Now with More Granular Access Control for Domains

Yesterday, Amazon CloudSearch released a new version that is fully integrated with AWS Identity and Access Management (IAM) and enables you to control access to a domain’s document and search services. Jon Handler, an AWS Solutions Architect who specializes in search, describes the new features.

In March, we released a new Amazon CloudSearch API that supports 34 languages as well as popular search features such as highlighting, autocomplete, and geospatial search. From a security perspective, one of the most exciting things about the Amazon CloudSearch 2013-01-01 API is that it provides better integration with IAM for the CloudSearch configuration API. Instead of granting users all-or-nothing access to the CloudSearch configuration service, you can grant more granular permissions so you can control access to specific configuration actions, such as creating and managing domains, managing domain resources, setting indexing options, and configuring domain services.

Now, we’ve further enhanced CloudSearch to support full IAM integration for all CloudSearch actions. You can use IAM to control access not just to the CloudSearch configuration service, but also to a domain’s document, search, and suggest services. You have control over which users are allowed to upload documents, submit search requests, and get suggestions.

In this post, I’ll discuss some use cases for granting access to Amazon CloudSearch using IAM.

Introducing the Redesigned IAM Console

We are excited to announce the redesigned IAM console, now with a streamlined look and feel that makes it even easier to manage your IAM settings. We’ve made it more convenient to manage large resource lists (for example, hundreds of users, groups, or roles), eliminated tab switching, and optimized the console to offer a better experience on mobile devices by restructuring resource detail pages and task workflows. Let’s take a look at the new features.

Security Checklist

We’ve made it easier to adopt the recommendations listed in our IAM best practices. The IAM console dashboard now shows you which recommended security measures are complete and how to take action on those that aren’t.

AWS CloudTrail Now Logs AWS Management Console Sign-In Events

We’ve heard from many of you that you want greater visibility into when users sign in to the AWS Management Console. We are excited to announce that AWS CloudTrail now captures console sign-in events whenever an account owner, a federated user, or an IAM user signs in to the console.

For those of you who aren’t familiar with CloudTrail, it’s a service that enables you to record AWS API calls made from within your account and store the results in an Amazon S3 bucket. We recommend that you enable CloudTrail as part of a general security best practice.

In this blog post, I give an overview of the benefits of logging console sign-in events and describe how to read the log files.

New IAM Features: Enhanced Password Management and Credential Reports

The AWS IAM team recently released new credential lifecycle management features that enable AWS account administrators to define and enforce security best practices for IAM users.

We’ve expanded IAM password policies to enable self-service password rotation, on top of existing options to enforce password complexity. Furthermore, you can download reports for better visibility into the status of your IAM users’ AWS security credentials. These enhancements are designed to help you comply with security standards such as PCI DSS v2.0, ISO 27001, and FedRAMP.

In this blog post, I’ll discuss a number of use cases enabled by this release.

How Does Amazon Cognito Relate to Existing Web Identity Federation?

As you might have seen, AWS recently released Amazon Cognito, a user identity and data synchronization service that helps you securely manage and synchronize app data for your users across their mobile devices. If you develop mobile apps that call AWS services, you definitely want to check out Amazon Cognito.

What is Amazon Cognito?

Amazon Cognito simplifies the task of authorizing your users to access resources in your AWS account without the need to embed long-term AWS credentials in your app. It works with the AWS Security Token Service to uniquely identify a user and to give the user a consistent identity throughout the lifetime of an app. In addition, Amazon Cognito offers a synchronization service that enables you to save app data locally on users’ devices. This allows your app to work even when the device is offline or when the same user accesses the app on a different device.

Enhanced IAM Capabilities for the AWS Billing Console

In this post, Graham Evans, a developer on the AWS Billing team, describes new security features that expand how you can secure access to billing information in your AWS account.


My team—AWS Billing— recently released the new and improved Billing and Cost Management Console.  We’re now happy to introduce an improvement to the access and capabilities of users, which includes both IAM users and federated users. Building on our existing IAM capabilities that let you grant users read-only access, we’ve released new actions to grant additional read/write access to billing information.

You can now manage the access your users have to the following pages in the Billing console:

  • Dashboard
  • Bills
  • Cost Explorer
  • Advance Payment
  • Payment Methods
  • Payment History
  • Consolidated Billing
  • Account Settings
  • Reports
  • Preferences
  • Credits


New in Amazon EMR: Support for Federated Users

AWS announced yesterday that Amazon Elastic MapReduce (EMR) added support for federated users. If you use Amazon EMR, you can now let users who are signed in to your corporate network with their corporate credentials administer Amazon EMR clusters—you no longer need to create IAM users for access to EMR.

Up to now, federated users who’ve signed in to the console—for example, using an identity provider that supports SAML (Security Assertion Markup Language) or a custom proxy service—have seen the Amazon EMR console disabled. But no more! Federated users now have the same console-based access to Amazon EMR that IAM users do.

The new support extends the ways in which you can take advantage of federated access to AWS. If you haven’t investigated federation, we encourage you to try it. If you already use SAML, have a look at the list of solution providers who make it easy to enable federation with AWS. Or check out some of the other federation scenarios that are available.

For more information about the new release, see the Amazon EMR documentation.

– Mike

With New ELB Permissions, Support for IAM in AWS Is Going Strong

The Elastic Load Balancing team announced on May 13, 2014 that they’ve added support for resource-level permissions. Not only can you specify which ELB actions a user can perform, you can specify which resources the user can perform those actions on. For more information about the new ELB permissions, see Controlling Access to Your Load Balancer.

This is another step forward in enabling you to place greater control over your AWS resources. Nearly every AWS service now supports IAM to allow you to control access to actions. With most services you can also use temporary security credentials, meaning that you can take advantage of cross-account access and identity federation. And in the last year, many existing services have added support for resource-level permissions, including Amazon EC2, Amazon RDS, and AWS OpsWorks. Meanwhile, new services like Amazon Kinesis and AWS CloudTrail launched with the ability to set resource-level permissions.

You can always find an up-to-date list of services that support IAM in the IAM documentation. To learn more about resource-level permissions, check out the following AWS Security Blog entries:

– Mike