Category: Technical How-to

April 3, 2023: This post had been edited to get Figure 3 updated. Amazon Macie is a fully managed data security service that uses machine learning and pattern matching to discover and help protect your sensitive data, such as personally identifiable information (PII), payment card data, and Amazon Web Services (AWS) credentials. Analyzing large volumes […]

January 25, 2024: This post is no longer current. Please see this tutorial for the updated info. March 21, 2023: We modified the description of a permission set in the Introduction. March 8, 2023: We updated the post to reflect some name changes (G Suite is now Google Workspace; AWS Single Sign-On is now AWS […]

September 19, 2025: This post was updated to reflect that AWS Organizations now offers full IAM policy language support for service control policies (SCPs). Details of this new feature are outlined in this post. Companies that store and process data using Amazon Web Services (AWS) want to prevent transfers of that data to or from locations outside […]

January 13, 2025: This post was updated to state the limitations of AWS service permissions with VPC endpoints. April 5, 2023: A fix has been added to the Service Control Policy examples to allow EC2 instances to mount encrypted EBS volumes. March 7, 2023: We’ve added language clarifying the requirement around using VPC Endpoints, and […]

Amazon Simple Queue Service (Amazon SQS) is a fully-managed message queueing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. Amazon SQS provides authentication mechanisms so that you can control who has access to the queue. It also provides encryption in transit with HTTP over SSL or TLS, and it […]

April 11, 2023: This post had been updated to provide clarifications: The recommendation to use SES or WorkMail as part of this solution is for receiving TLS reports sent via email from mail receiving organizations. It is unrelated to the BIMI and MTA-STS aspects or any core functionality of the solution.. If you own a […]

Welcome back. If you’re joining this series for the first time, we recommend that you read the first blog post in this series, Considerations for security operations in the cloud, for some context on what we will discuss and deploy in this blog post. In the earlier post, we talked through the different operating models […]

In November 2022, AWS introduced support for granular geographic (geo) match conditions in AWS WAF. This blog post demonstrates how you can use this new feature to customize your AWS WAF implementation and improve the security posture of your protected application. AWS WAF provides inline inspection of inbound traffic at the application layer. You can […]

In this post, we continue with our recommendations for using AWS Identity and Access Management (IAM) APIs. In part 1 of this two-part series, we described how you could create IAM resources and use them soon after for authorization decisions. We also described options for monitoring and responding to IAM resource changes for entire accounts. […]

March 7, 2023: We’ve fixed a typo in the blog post. In this two-part blog post, we’ll provide recommendations for using AWS Identity and Access Management (IAM) APIs, and we’ll share useful details on how IAM works so that you can use it more effectively. For example, you might be creating new IAM resources such as roles […]