AWS Security Blog

Category: Amazon EC2

Amazon EC2 Resource-Level Permissions for RunInstances

Yesterday the EC2 team announced fine-grained controls for managing RunInstances. This release enables you to set fine-grained controls over the AMIs, Snapshots, Subnets, and other resources that can be used when creating instances and the types of instances and volumes that users can create when using the RunInstances API. This is a major milestone […]

Announcement: Resource Permissions for additional EC2 API actions

Yesterday AWS announced that it now supports resource-level permissions for seven additional EC2 APIs, including: DeleteNetworkAcl, DeleteNetworkAclEntry, DeleteRoute, DeleteRouteTable, DeleteDhcpOptions, DeleteInternetGateway, and DeleteCustomerGateway. As with other EC2 API actions that support resource-level permissions, you can also construct policies based on the tags associated with the resources. To learn more, go to either our recent post on […]

Using IAM Roles to Distribute Non-AWS Credentials to Your EC2 Instances

Last week’s blog post explained how to distribute AWS credentials to EC2 instances using IAM roles. Will Kruse, Security Engineer on the AWS Identity and Access Management (IAM) team, is back again this week to discuss how roles can also be used to distribute arbitrary secrets to EC2 instances. As we discussed last week, Amazon EC2 Roles for Instances […]

A Safer Way to Distribute AWS Credentials to EC2

If you have applications running on EC2 that also access other AWS services like Amazon S3 or Amazon DynamoDB, then these applications require credentials on the EC2 instance. You can hard-code AWS access keys into your application, but you’re faced with the added responsibility of distributing them to the instance securely and then the […]

Controlling Network Access to EC2 Instances Using a Bastion Server

As the number of EC2 instances in your AWS environment grows, so too does the number of administrative access points to those instances. Depending on where your administrators connect to your instances from, you may consider enforcing stronger network-based access controls. A best practice in this area is to use a bastion. A bastion is […]

Resource-Level Permissions for EC2–Controlling Management Access on Specific Instances

Note: As of March 28, 2017, Amazon EC2 supports tagging on creation, enforced tag usage, AWS Identity and Access Management (IAM) resource-level permissions, and enforced volume encryption. See New – Tag EC2 Instances & EBS Volumes on Creation on the AWS Blog for more information. We are happy to announce that we launched resource-level permissions […]
