AWS Security Blog

Category: Advanced (300)

Easily control the naming of individual IAM role sessions

AWS Identity and Access Management (IAM) now has a new sts:RoleSessionName condition element for the AWS Security Token Service (AWS STS), that makes it easy for AWS account administrators to control the naming of individual IAM role sessions. IAM roles help you grant access to AWS services and resources by using dynamically generated short-term credentials. […]

Read More

Round 2 Hybrid Post-Quantum TLS Benchmarks

AWS Cryptography has completed benchmarks of Round 2 Versions of the Bit Flipping Key Encapsulation (BIKE) and Supersingular Isogeny Key Encapsulation (SIKE) hybrid post-quantum Transport Layer Security (TLS) Algorithms. Both of these algorithms have been submitted to the National Institute of Standards and Technology (NIST) as part of NIST’s Post-Quantum Cryptography standardization process. In the […]

Read More

Use AWS Lambda authorizers with a third-party identity provider to secure Amazon API Gateway REST APIs

February 24, 2021: We updated this post to fix a typo in the IAM policy in the “Building a Lambda authorizer” section. Note: This post focuses on Amazon API Gateway REST APIs used with OAuth 2.0 and custom AWS Lambda authorizers. API Gateway also offers HTTP APIs, which provide native OAuth 2.0 features. For more […]

Read More

Continuous compliance monitoring with Chef InSpec and AWS Security Hub

In this post, I will show you how to run a Chef InSpec scan with AWS Systems Manager and Systems Manager Run Command across your managed instances. InSpec is an open-source runtime framework that lets you create human-readable profiles to define security, compliance, and policy requirements and then test your Amazon Elastic Compute Cloud (Amazon […]

Read More

How to create certificates with custom extensions using AWS Certificate Manager Private CA

Digital certificates, also known as X.509 or TLS/SSL certificates, are used to prove the identity of entities like web servers or VPN users and to establish secure communication channels between them. In this blog post, I’ll discuss certificate extensions. You can use certificate extensions for applications beyond the common use case of identifying TLS server […]

Read More

Automated Response and Remediation with AWS Security Hub

November 19, 2020: AWS has an updated solution for implementing the automated response and remediation across multiple accounts. Please refer to the updated post on How to deploy the AWS Solution for Security Hub Automated Response and Remediation. AWS Security Hub is a service that gives you aggregated visibility into your security and compliance status […]

Read More

How to import AWS Config rules evaluations as findings in Security Hub

In June at re:Inforce 2019, AWS announced the general availability of AWS Security Hub, a security service that enables customers to centrally view and manage compliance checks and security findings across their AWS accounts. AWS Security Hub imports security findings from AWS Guard Duty, Amazon Inspector, Amazon Macie, and over 30 AWS partner security solutions. […]

Read More

Use AWS Fargate and Prowler to send security configuration findings about AWS services to Security Hub

In this blog post, I’ll show you how to integrate Prowler, an open-source security tool, with AWS Security Hub. Prowler provides dozens of security configuration checks related to services such as Amazon Redshift, Amazon ElasticCache, Amazon API Gateway and Amazon CloudFront. Integrating Prowler with Security Hub will provide posture information about resources not currently covered […]

Read More

How to get started with security response automation on AWS

December 2, 2019: We’ve updated this post to include some additional information about Security Hub. At AWS, we encourage you to use automation to help quickly detect and respond to security events within your AWS environments. In addition to increasing the speed of detection and response, automation also helps you scale your security operations as […]

Read More

Digital signing with the new asymmetric keys feature of AWS KMS

AWS Key Management Service (AWS KMS) now supports asymmetric keys. You can create, manage, and use public/private key pairs to protect your application data using the new APIs via the AWS SDK. Similar to the symmetric key features we’ve been offering, asymmetric keys can be generated as customer master keys (CMKs) where the private portion […]

Read More