Category: Announcements
Enhanced IAM Capabilities for the AWS Billing Console
In this post, Graham Evans, a developer on the AWS Billing team, describes new security features that expand how you can secure access to billing information in your AWS account.
My team—AWS Billing—recently released the new and improved Billing and Cost Management Console. We’re now happy to introduce finer-grained access control for users, which covers both IAM users and federated users. Building on our existing IAM capabilities that let you grant users read-only access, we’ve released new actions that let you grant additional read/write access to billing information.
You can now manage the access your users have to the following pages in the Billing console:
- Dashboard
- Bills
- Cost Explorer
- Advance Payment
- Payment Methods
- Payment History
- Consolidated Billing
- Account Settings
- Reports
- Preferences
- Credits
New in Amazon EMR: Support for Federated Users
AWS announced yesterday that Amazon Elastic MapReduce (EMR) added support for federated users. If you use Amazon EMR, you can now let users who are signed in to your corporate network with their corporate credentials administer Amazon EMR clusters—you no longer need to create IAM users to grant access to EMR.
Up to now, federated users who’ve signed into the console—for example, using an identity provider that supports SAML (Security Assertion Markup Language) or a custom proxy service—have seen the Amazon EMR console disabled. But no more! Federated users now have the same console-based access to Amazon EMR that IAM users do.
The new support extends the ways in which you can take advantage of federated access to AWS. If you haven’t investigated federation, we encourage you to try it. If you already use SAML, have a look at the list of solution providers who make it easy to enable federation with AWS. Or check out some of the other federation scenarios that are available.
For more information about the new release, see the Amazon EMR documentation.
– Mike
With New ELB Permissions, Support for IAM in AWS Is Going Strong
The Elastic Load Balancing team announced on May 13, 2014 that they’ve added support for resource-level permissions. Not only can you specify which ELB actions a user can perform, you can specify which resources the user can perform those actions on. For more information about the new ELB permissions, see Controlling Access to Your Load Balancer.
This is another step forward in enabling you to exercise greater control over your AWS resources. Nearly every AWS service now supports IAM so that you can control access to actions. With most services you can also use temporary security credentials, which means you can take advantage of cross-account access and identity federation. In the last year, many existing services have added support for resource-level permissions, including Amazon EC2, Amazon RDS, and AWS OpsWorks. Meanwhile, new services like Amazon Kinesis and AWS CloudTrail launched with the ability to set resource-level permissions.
You can always find an up-to-date list of services that support IAM in the IAM documentation. To learn more about resource-level permissions, check out the following AWS Security Blog entries:
- Resource-level Permissions for EC2 – Controlling Management Access on Specific Instances
- Announcement: Resource Permissions for additional EC2 API actions
- Demystifying EC2 Resource-Level Permissions
- A primer on RDS resource-level permissions
- Announcing resource-level permissions for AWS OpsWorks
– Mike
A Convenient New Hardware MFA Form Factor
Is your key chain too full for yet another key fob? Ever find yourself locked out of AWS because you didn’t have your key chain on hand? Gemalto, a third-party provider, has just released a new multi-factor authentication (MFA) device in a convenient “credit card” form factor that fits comfortably into a wallet. It works like a traditional MFA one-time password (OTP) device—you follow the same easy setup steps, and you simply tap the button on the card to display the authentication code.

If you haven’t yet activated AWS MFA, now is a great time to do so. It’s one of the simplest ways to significantly improve the security of your AWS account. With AWS MFA enabled for a user, when the user signs in to an AWS website, they are prompted not only for a username and password (the first factor – what they know) but also for an authentication code from their AWS MFA device (the second factor – what they have).
Come Join Our May Webinars as AWS, Partners, and Customers Discuss Security
May is the month of security oriented webinars at AWS. We’re presenting three webinars that touch on different identity and access management (IAM) technologies and use cases.
The first webinar highlights AWS CloudTrail, APN (AWS Partner Network) partner Splunk, and FINRA. The webinar begins with an overview of CloudTrail, followed by a discussion of how Splunk uses CloudTrail logs in its Security Information and Event Management (SIEM) solution. FINRA, a customer who uses the Splunk SIEM solution, will provide a real-world example. This webinar is scheduled for May 20, 2014. Register here.
The second webinar describes how AWS partners can take advantage of cross-account access and other delegation capabilities to safely access AWS resources in their customers’ AWS accounts. This webinar is scheduled for May 28th, 2014. Register here if your organization is in the AWS Partner Network.
The third webinar focuses on how to grant federated users in your organization access to AWS by using third-party identity management solutions. We’ll begin with an overview of IAM and identity federation. Then APN partner Ping Identity will talk about Ping Federation, a solution that integrates with AWS IAM. The date of this webinar is May 28, 2014. Register here.
We look forward to your participation!
– Ben
Important Change to How You Manage Your AWS Account’s Access Keys
As part of our ongoing efforts to help keep your resources secure, on April 21, 2014, AWS removed the ability to retrieve existing secret access keys for your AWS (root) account. See the updated blog post Where’s My Secret Access Key? for more information about access keys and secret access keys.
– Kai
AWS Security and CVE-2014-0160 (“Heartbleed”)
We have reviewed all AWS services for impact by CVE-2014-0160 (also known as the Heartbleed bug) and have either determined that the services were unaffected or we’ve applied mitigations that do not require customer action. In a few cases, we are recommending that customers rotate SSL certificates or secret keys. For additional detail see AWS Services Updated to Address OpenSSL Vulnerability.
Update (23 Apr 2014): The AWS premium support site has added an FAQ page for questions about the CVE-2014-0160 issue.
For information about managing private keys and certificates, see the following topics.
If you have questions, please visit the IAM forums.
– Jim
IAM User Sign-in Page Changes
Today, AWS updated the sign-in experience for IAM users accessing AWS websites such as the AWS Management Console, Support, or Forums. As previously announced, the new sign-in experience provides the same functionality as the previous one, but it offers a more consistent experience for IAM users signing in to an AWS account, whether on a PC, tablet, or mobile phone.
Redshift – FedRAMP AWS Security Blog Announcement

AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP assessment and authorization process and has been added to our list of services covered under our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S. Department of Health and Human Services (HHS). This is the first new service we’ve added to our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May 2013.
With the addition of Redshift we now have six FedRAMP covered services in our US East/West FedRAMP package, including: EC2, VPC, S3, EBS, IAM and now Redshift. The US East/West FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region.
AWS Secures DoD Provisional Authorization
I’m very excited to share that AWS has received a DISA Provisional Authorization under the DoD Cloud Security Model’s impact levels 1-2 for all four of AWS’s Infrastructure Regions in the U.S., including AWS GovCloud (US). With this distinction, AWS has shown it can meet the DoD’s stringent security and compliance requirements, and as a result, even more DoD agencies can now use AWS’s secure, compliant infrastructure. To learn more about the AWS DoD Provisional Authorization, please visit https://aws.amazon.com/compliance/dod-csm-faqs.
Built on the foundation of the FedRAMP Program, the DoD CSM includes additional security controls specific to the DoD. The Defense Information Systems Agency (DISA) assessed our compliance with those additional security controls and granted the authorization which will reduce the time necessary for DoD agencies to evaluate and authorize the use of the AWS Cloud.
With today’s announcement, our services are listed in the DoD Enterprise Cloud Service Broker (ECSB) catalog, and DoD agencies can immediately request AWS DoD Provisional Authorization compliance support by submitting a Compliance Support Request to the AWS public sector sales and business development team. For more information on AWS security and compliance, please visit the AWS Security Center, https://aws.amazon.com/security, and the AWS Compliance Center, https://aws.amazon.com/compliance.
Chad Woolf
Director, AWS Risk & Compliance