Category: Announcements
New Playground App to Explore Web Identity Federation with Amazon, Facebook, and Google
In May 2013, we announced support for federation using identities from Amazon, Facebook, and Google (a.k.a. web identity federation), which allows your apps to authenticate users via Amazon, Facebook, or Google and then access AWS resources managed under your account.
To help you understand how web identity federation works, today we’re releasing the Web Identity Federation Playground. This is an interactive web page that lets you explore the three key steps of web identity federation. First, you sign in with Amazon, Facebook, or Google. Next, you make an AWS request to obtain temporary security credentials. Lastly, you use those temporary security credentials to access an AWS resource (Amazon S3 in this case). In addition, the Playground is entirely self-contained (no need to use the AWS CLI, SDKs, or Management Console), so you can try it out without writing any code!
In this blog post, we’ll walk through the steps of using the Web Identity Federation Playground.
Resource-Level Permissions for EC2: Controlling Management Access on Specific Instances
Note: As of March 28, 2017, Amazon EC2 supports tagging on creation, enforced tag usage, AWS Identity and Access Management (IAM) resource-level permissions, and enforced volume encryption. See New – Tag EC2 Instances & EBS Volumes on Creation on the AWS Blog for more information.
We are happy to announce that we launched resource-level permissions for EC2 today. The official announcement can be found here. To help you take advantage of these new features for securing your EC2 environment, we will be publishing a series of posts covering common scenarios and best practices. This week’s guest blogger, Derek Lyon, Product Manager on the EC2 team, will explain how we address one of our most commonly requested use cases: managing access to specific EC2 instances.
Customers have been able to use IAM policies to control which of their users or groups could start, stop, reboot, and terminate instances across all EC2 instances under an account. With this release of EC2 resource-level permissions, customers can now strictly control which IAM users or groups can start, stop, reboot, and terminate specific EC2 instances. This ability to assign control of an individual instance to a specific user or group helps organizations implement important security principles like separation of duties (preventing critical functions from being in the hands of one user) and least privilege (providing each user access only to the minimum resources they need to do their job). For example, you probably don’t want to give everyone in your organization permission to terminate business-critical production instances, so now you can assign that privilege to only a few trusted administrators. Below is a four-step process that will show you how to use our new resource-level permissions feature along with IAM policies to help protect specific instances.
Looking for Feedback from Our Readers
Dear readers,
We hope you’ve found our posts over the past couple of months both informative and useful. While we’ve posted a variety of topics to appeal to a broad audience, we’d like to hear directly from you about what we could do better. What additional topics would you like us to write about related to security and AWS? Please use the Comments link below to tell us what you’d like to see.
Thanks,
Jim
Auditing Security Checklist for AWS Now Available
Based on feedback from our customers, AWS has published an Auditing Security Checklist to help you and your auditors assess the security of your AWS environment in accordance with industry or regulatory standards. The checklist builds on the recently revised Operational Checklists for AWS, which help you evaluate your applications against a list of best practices before deployment.

The Auditing Security Checklist for AWS can help you:
- Evaluate the ability of AWS services to meet information security objectives and ensure that future deployments within the AWS cloud are done in a secure and compliant way
- Assess your existing organizational use of AWS and ensure it meets security best practices
- Develop AWS usage policies or validate that existing policies are being followed
New AWS Web Identity Federation Supports Amazon.com, Facebook, and Google identities
Log into Facebook or Google, then access AWS resources? Impossible (well, perhaps difficult…) you say – until now. On 5/28 the AWS Identity and Access Management (IAM) team launched web identity federation. This new feature expands existing AWS identity federation capabilities to include support for public identity providers such as Facebook, Google, or the newly launched Login with Amazon service. Wait, you’ve never heard of Login with Amazon? It’s a new service you can use to securely connect your websites and apps with millions of Amazon.com customers!
A number of folks have already written about our web identity federation functionality so I won’t repeat everything here. If you want to learn the basics head over and read this post in the AWS blog. If you’re looking for some sample code, the AWS mobile team has you covered – see what Bob Kinney said here. Want more you say? Get started by digging into the web identity federation documentation.
Jeff Wierer
Principal Product Manager, AWS Identity and Access Management
AWS Achieves First FedRAMP(SM) Agency ATOs

I’m very excited to share that AWS is now a FedRAMP-compliant cloud service provider. See the Amazon press release. This is game-changing news for our U.S. government customers, systems integrators, and other companies that provide products and services to the U.S. government because:
- It provides agencies with a standardized approach to security assessment, authorization, and continuous monitoring for AWS products and services. Prior to the FedRAMP process, government security assessments of cloud providers were not standardized; each varied greatly in scope and depth, and they were an inefficient use of time and resources. Through FedRAMP, agencies now have a mechanism to obtain comprehensive AWS security assessment documentation and to perform an evaluation of our environment. Agencies can immediately request access to the AWS FedRAMP package by submitting a FedRAMP Package Access Request Form and begin moving through the process to evaluate our platform and authorize AWS for sensitive government workloads.
- It demonstrates that the AWS environment meets the high bar of the FedRAMP security and control requirements. This means U.S. government customers can immediately start leveraging the Authority to Operate (ATO) provided by the Department of Health and Human Services (HHS) to use the AWS cloud. Kevin Charest, HHS Chief Information Security Officer, shared that by using AWS, all of the HHS Operating Divisions can now “reduce duplicative efforts, inconsistencies, and cost inefficiencies associated with current security authorization processes.”
- It provides agencies with the immediate ability to comply with the Office of Management and Budget’s (OMB) mandate to “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB).
Two Big Announcements from AWS Compliance: SOC 3 Report Now Available and All SOC Reports Include New Services and New Region in Scope
AWS is pleased to announce the immediate availability of the AWS Service Organization Control (SOC) 3 report, which you can freely distribute. This report on AWS security practices enables you and your stakeholders to validate that AWS has obtained independent auditor assurance, which attests to our alignment with the American Institute of Certified Public Accountants (AICPA) Security Trust Principles.
Moreover, we’re happy to announce the following are now in scope for all our SOC reports:
- AWS’s Sydney, Australia region
- Amazon Elastic MapReduce (EMR)
- Amazon Redshift
- AWS Identity & Access Management (IAM)
The expanding list of services and regions incorporated into our compliance program allows our customers to use a wider range of AWS services for sensitive and/or regulated workloads.
Welcome to the AWS Security Blog!
This blog will feature information for customers interested in AWS security and compliance. You’ll see content from many AWS team members covering a range of topics, including:
- Security best practices for AWS services, including Amazon EC2, Amazon S3, AWS IAM, and others
- How-to guides
- Compliance milestones
- Customer and partner stories
- And more!
To get future updates, please check back often or subscribe to our blog using the RSS feed button at the top of the page.
If you have requests to cover specific topics, please let us know in the comments.
Steve Schmidt
Chief Information Security Officer, AWS
