Category: Announcements
Some AWS SDKs Security Features You Should Know About
The AWS SDK team recently added and documented some security-related features that we think you shouldn’t miss. Check these out!
Updates for managing access keys in the .NET and Java SDKs. In Referencing Credentials using Profiles, blogger Norm Johanson describes how you can now put a credentials file in your user folder. This great security enhancement makes it easier to keep access keys in a safe and secure location when you use the SDKs, as we recommend in our best practices for managing access keys. You can also keep multiple configuration profiles (as you can for the AWS CLI), which makes it very easy to test code using the credentials for different users. These features are available in both the .NET SDK and the Java SDK.
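The credentials file the post refers to is an INI-style file with one `[profile]` section per set of keys. As an added example (not code from the SDK team or from the linked post), the following Ruby parses such a file and performs two checks a practitioner would want before trusting it: every profile names both halves of the key pair, and the file is not readable by other users on the machine. The sample file content is constructed here with placeholder keys; the permission mask and the `audit_credentials_file` name are this example's own choices.

```ruby
require "tempfile"

# Parse an AWS shared-credentials file (INI style: [profile] headers followed by
# key = value lines) into { "profile" => { "aws_access_key_id" => ..., ... } }.
def parse_credentials(text)
  profiles = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#", ";")
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1].strip
      profiles[current] = {}
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      profiles[current][m[1].strip.downcase] = m[2].strip
    end
  end
  profiles
end

# Names of profiles that are missing either the access key ID or the secret key.
def incomplete_profiles(profiles)
  profiles.reject do |_, kv|
    kv.key?("aws_access_key_id") && kv.key?("aws_secret_access_key")
  end.keys
end

# True when group or others can read the file (any of the 0o044 mode bits set).
# A credentials file should be readable by its owner only (mode 0600).
def group_or_world_readable?(path)
  (File.stat(path).mode & 0o044) != 0
end

def audit_credentials_file(path)
  profiles = parse_credentials(File.read(path))
  {
    profiles: profiles.keys,
    incomplete: incomplete_profiles(profiles),
    permissive: group_or_world_readable?(path),
  }
end

# Constructed sample file: two profiles, the second one incomplete. Not real keys.
SAMPLE_CREDENTIALS = <<~INI
  [default]
  aws_access_key_id = AKIAEXAMPLEDEFAULT00
  aws_secret_access_key = exampleSecretKeyForTheDefaultProfile0000
  ; second profile used for testing as a different user
  [tester]
  aws_access_key_id = AKIAEXAMPLETESTER000
INI

# Write the sample to a temporary file with the given mode and audit it.
def demo_audit(mode)
  Tempfile.create("credentials") do |f|
    f.write(SAMPLE_CREDENTIALS)
    f.flush
    File.chmod(mode, f.path)
    audit_credentials_file(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo_audit(0o600)
  p demo_audit(0o644)
end
```

Running the audit against the same content at mode 0600 and 0644 shows the difference: the parsed profiles and the incomplete `tester` profile are reported in both cases, but only the 0644 copy is flagged as permissive.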
Encryption features for Amazon S3. In Using AmazonS3EncryptionClient to Send Secure Data Between Two Parties, blogger Hanson Char describes a little-known feature—how to securely share proprietary data on S3 using a public/private key pair. This feature is available in the .NET, Java, and Ruby SDKs. And in Amazon S3 Client-Side Authenticated Encryption, Hanson alerts us to a new Java SDK feature that not only keeps S3 data encrypted at rest, but also adds an integrity check for both the data and the envelope key, so tampering with either is detected at decryption time.
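The two posts above rest on the same envelope pattern: the object is encrypted under a fresh random data key, and only that data key is encrypted with the recipient's public key, so the holder of the matching private key is the only party who can unwrap it. The following Ruby is an added illustration of that pattern and of the authenticated variant, using OpenSSL from the standard library; it is not the SDK's code and does not reproduce the SDK's on-the-wire format or metadata layout. The data key is wrapped with RSA-OAEP, the data is encrypted with AES-256-GCM, and the wrapped key plus an algorithm label are bound into the GCM tag as associated data, so a modified object, a modified wrapped key, or a swapped algorithm label all fail to decrypt. The key pair is generated inline for the example.

```ruby
require "openssl"
require "securerandom"

ALG_LABEL = "aes-256-gcm/rsa-oaep".freeze  # label bound into the GCM tag (example's own)

# Recipient's key pair. In practice the public half is shared with the sender
# and the private half stays with the recipient; generated here for the example.
def generate_recipient_key
  OpenSSL::PKey::RSA.new(2048)
end

# Encrypt plaintext for the holder of public_key. Returns the envelope pieces
# that would travel with the object.
def envelope_encrypt(public_key, plaintext)
  data_key = SecureRandom.random_bytes(32)                       # one-time AES-256 key
  wrapped_key = public_key.public_encrypt(data_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = data_key
  iv = cipher.random_iv                                           # 12-byte GCM nonce
  cipher.auth_data = ALG_LABEL + wrapped_key                      # bind envelope key to tag
  ciphertext = cipher.update(plaintext) + cipher.final
  { wrapped_key: wrapped_key, iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Unwrap the data key with the private key, then decrypt and verify the tag.
# Raises on any tampering with the ciphertext, tag, IV, wrapped key or label.
def envelope_decrypt(private_key, env)
  data_key = private_key.private_decrypt(env[:wrapped_key], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = data_key
  cipher.iv = env[:iv]
  cipher.auth_tag = env[:tag]                                     # must precede auth_data=
  cipher.auth_data = ALG_LABEL + env[:wrapped_key]
  cipher.update(env[:ciphertext]) + cipher.final                  # final verifies the tag
end

# True when decryption refuses the envelope (RSA unwrap or GCM tag failure).
def tamper_detected?(private_key, env)
  envelope_decrypt(private_key, env)
  false
rescue OpenSSL::Cipher::CipherError, OpenSSL::PKey::PKeyError
  true
end

# Flip one bit in the last byte of a binary string (a minimal corruption).
def flip_last_byte(bytes)
  out = bytes.dup
  out.setbyte(out.bytesize - 1, out.getbyte(out.bytesize - 1) ^ 0x01)
  out
end

# Round-trip one message and show that corrupting either the data or the
# envelope key is caught, not silently decrypted to garbage.
def demo_envelope
  key = generate_recipient_key
  env = envelope_encrypt(key.public_key, "proprietary data shared via S3")
  {
    roundtrip: envelope_decrypt(key, env),
    data_tamper_detected: tamper_detected?(key, env.merge(ciphertext: flip_last_byte(env[:ciphertext]))),
    key_tamper_detected: tamper_detected?(key, env.merge(wrapped_key: flip_last_byte(env[:wrapped_key]))),
    tag_tamper_detected: tamper_detected?(key, env.merge(tag: flip_last_byte(env[:tag]))),
  }
end

if __FILE__ == $PROGRAM_NAME
  p demo_envelope
end
```

The point of the authenticated mode is the last three results: with an unauthenticated mode such as CBC, a flipped ciphertext byte would decrypt to silently corrupted plaintext, whereas GCM rejects it, and binding the wrapped key into the tag means the envelope metadata is covered by the same check.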
To keep up with the fast-moving AWS SDK team, be sure to subscribe to their blogs—you can find their blogs under AWS Blogs on the side of this page.
– Mike
A Convenient New Hardware MFA Form Factor
Is your key chain too full for yet another key fob? Ever find yourself locked out of AWS because you didn’t have your key chain on hand? Gemalto, a third-party provider, has just released a new multi-factor authentication (MFA) device in a convenient “credit card” form factor that fits comfortably into a wallet. It works like a traditional MFA one-time password (OTP) device—you follow the same easy setup steps, and you simply tap the button on the card to display the authentication code.

If you haven’t yet activated AWS MFA, now is a great time to do so. It’s one of the simplest ways to significantly improve the security of your AWS account. With AWS MFA enabled for a user, when the user signs in to an AWS website, they are prompted not only for a username and password (the first factor – what they know), but also for an authentication code from their AWS MFA device (the second factor – what they have).
Encryption for EBS Volumes Can Help You with Security and Compliance
On May 21, AWS launched encryption for EBS volumes, a frequently requested feature, which can help you meet stricter security and encryption compliance requirements. You can now create an encrypted EBS volume and attach it to an EC2 instance. Data on the volume, disk I/O, and snapshots created from the volume are all encrypted. The encryption occurs on the servers that host the EC2 instances, providing encryption for data as it moves between EC2 instances and EBS storage.
Over on the AWS blog, Jeff Barr has a writeup with more details, and you can read more about EBS encryption in the EC2 documentation. Check it out!
– Ken
Come Join Our May Webinars as AWS, Partners, and Customers Discuss Security
May is the month of security oriented webinars at AWS. We’re presenting three webinars that touch on different identity and access management (IAM) technologies and use cases.
The first webinar highlights AWS CloudTrail, APN (AWS Partner Network) partner Splunk, and FINRA. The webinar begins with an overview of CloudTrail, followed by a discussion of how Splunk uses CloudTrail logs in its Security Information and Event Management (SIEM) solution. FINRA, a customer that uses the Splunk SIEM solution, will provide a real-world example. This webinar is scheduled for May 20, 2014. Register here.
The second webinar describes how AWS partners can take advantage of cross-account access and other delegation capabilities to safely access AWS resources in their customers’ AWS accounts. This webinar is scheduled for May 28, 2014. Register here if your organization is in the AWS Partner Network.
The third webinar focuses on how to grant federated users in your organization access to AWS by using third-party identity management solutions. We’ll begin with an overview of IAM and identity federation. Then APN partner Ping Identity will talk about Ping Federation, a solution that integrates with AWS IAM. The date of this webinar is May 28, 2014. Register here.
We look forward to your participation!
– Ben
Important Change to How You Manage Your AWS Account’s Access Keys
As part of our ongoing efforts to help keep your resources secure, on April 21, 2014, AWS removed the ability to retrieve existing secret access keys for your AWS (root) account. See the updated blog post Where’s My Secret Access Key? for more information about access keys and secret access keys.
– Kai
AWS Security and CVE-2014-0160 (“Heartbleed”)
We have reviewed all AWS services for impact by CVE-2014-0160 (also known as the Heartbleed bug) and have either determined that the services were unaffected or we’ve applied mitigations that do not require customer action. In a few cases, we are recommending that customers rotate SSL certificates or secret keys. For additional detail see AWS Services Updated to Address OpenSSL Vulnerability.
Update (23 Apr 2014): The AWS premium support site has added an FAQ page for questions about the CVE-2014-0160 issue.
For information about managing private keys and certificates, see the following topics.
If you have questions, please visit the IAM forums.
– Jim
IAM User Sign-in Page Changes
Today, AWS updated the sign-in experience for IAM users accessing AWS websites such as the AWS Management Console, Support, or Forums. As previously announced, the new sign-in experience provides the same functionality as the previous one, but it gives IAM users a more consistent experience when signing in to an AWS account, whether on a PC, tablet, or mobile phone.
Redshift – FedRAMP AWS Security Blog Announcement

AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP assessment and authorization process and has been added to our list of services covered under our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S. Department of Health and Human Services (HHS). This is the first new service we’ve added to our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May 2013.
With the addition of Redshift we now have six FedRAMP covered services in our US East/West FedRAMP package, including: EC2, VPC, S3, EBS, IAM and now Redshift. The US East/West FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region.
AWS Secures DoD Provisional Authorization
I’m very excited to share that AWS has received a DISA Provisional Authorization under the DoD Cloud Security Model’s impact levels 1-2 for all four of AWS’s Infrastructure Regions in the U.S., including AWS GovCloud (US). With this distinction, AWS has shown it can meet the DoD’s stringent security and compliance requirements; and as a result, even more DoD agencies can now use AWS’s secure, compliant infrastructure. To learn more about the AWS DoD Provisional Authorization, please visit https://aws.amazon.com/compliance/dod-csm-faqs.
Built on the foundation of the FedRAMP Program, the DoD CSM includes additional security controls specific to the DoD. The Defense Information Systems Agency (DISA) assessed our compliance with those additional security controls and granted the authorization which will reduce the time necessary for DoD agencies to evaluate and authorize the use of the AWS Cloud.
With today’s announcement, our services are listed in the DoD Enterprise Cloud Service Broker (ECSB) catalog, and DoD agencies can immediately request AWS DoD Provisional Authorization compliance support by submitting a Compliance Support Request to the AWS public sector sales and business development team. For more information on AWS security and compliance, please visit the AWS Security Center, https://aws.amazon.com/security, and the AWS Compliance Center, https://aws.amazon.com/compliance.
Chad Woolf
Director, AWS Risk & Compliance
Use AWS CloudFormation to Configure Web Identity Federation
Web identity federation in AWS STS enables you to create apps where users can sign in using a web-based identity provider like Login with Amazon, Facebook, or Google. Your app can then trade identity information from the provider for temporary security credentials that the app can use to access AWS.
The AWS mobile development team created an S3PersonalFileStore sample app for iOS and Android that shows you how to use web identity federation to let users store information in individual S3 folders. And now they’ve posted a blog entry that shows you how to use AWS CloudFormation to simplify the configuration of the sample app:
Simplify Web Identity Federation Setup with AWS CloudFormation
Check it out!
– Jeff