AWS Security Blog

Category: How-To*

Demystifying EC2 Resource-Level Permissions

Note: As of March 28, 2017,  Amazon EC2 supports tagging on creation, enforced tag usage, AWS Identity and Access Management (IAM) resource-level permissions, and enforced volume encryption. See New – Tag EC2 Instances & EBS Volumes on Creation on the AWS Blog for more information. AWS announced initial support for Amazon EC2 resource-level permissions in July of […]

Read More

An In-Depth Look at the IAM Policy Simulator

This week’s guest blogger, Ajith Ranabahu, Software Development Engineer on the AWS Identity and Access Management (IAM) team, presents an in-depth look at the IAM policy simulator. Many of you have asked about how to author and troubleshoot access control policies. To help with this task, last year we launched the policy simulator, which makes it easier […]

Read More

Coming Soon! An Important Change to How You Manage Your AWS Account’s Access Keys

As part of our ongoing efforts to help keep your resources secure, on April 21, 2014, AWS removed the ability to retrieve existing secret access keys for your AWS (root) account. See the updated blog post Where’s My Secret Access Key? for more information about access keys and secret access keys. -Kai

Read More

High-Availability IAM Design Patterns

Today Will Kruse, Senior Security Engineer on the AWS Identity and Access Management (IAM) team, provides a tutorial on how to enable resiliency against authentication and authorization failures in an application deployed on Amazon EC2 using a high availability design pattern based on IAM roles. Background Many of you invest significant effort to ensure that a […]

Read More

Analyzing OS-Related Security Events on EC2 with SplunkStorm

An important objective of analyzing OS-generated data is to detect, correlate, and report on potential security events. Several partner solutions available in AWS Marketplace provide this functionality, including Splunk.  Splunk is also used for many other use cases relevant to AWS, including devops, where developers and operations use Splunk to analyze logs for better performance and availability […]

Read More

Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0

At this year’s re:Invent I had the opportunity to present on the topic of delegating access to your AWS environment. One use case I demonstrated was enterprise federation to AWS using Windows Active Directory (AD), Active Directory Federation Services (ADFS) 2.0, and SAML (Security Assertion Markup Language) 2.0. The presentation must have struck a nerve, because a […]

Read More

How to Rotate Access Keys for IAM Users

Changing access keys (which consist of an access key ID and a secret access key) on a regular schedule is a well-known security best practice because it shortens the period an access key is active and therefore reduces the business impact if they are compromised. Having an established process that is run regularly also ensures […]

Read More

Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket

In this post, we’ll address a common question about how to write an AWS Identity and Access Management (IAM) policy to grant read-write access to an Amazon S3 bucket.  Doing so helps you control who can access your data stored in S3. You can grant either programmatic access or AWS Management Console access to S3 […]

Read More