AWS Security Blog

Category: AWS Identity and Access Management (IAM)

Managing temporary elevated access to your AWS environment

In this post you’ll learn about temporary elevated access and how it can mitigate risks relating to human access to your AWS environment. You’ll also be able to download a minimal reference implementation and use it as a starting point to build a temporary elevated access solution tailored for your organization. Introduction While many modern […]

Read More

Validate IAM policies in CloudFormation templates using IAM Access Analyzer

In this blog post, I introduce IAM Policy Validator for AWS CloudFormation (cfn-policy-validator), an open source tool that extracts AWS Identity and Access Management (IAM) policies from an AWS CloudFormation template, and allows you to run existing IAM Access Analyzer policy validation APIs against the template. I also show you how to run the tool […]

Read More

AWS introduces changes to access denied errors for easier permissions troubleshooting

To help you more easily troubleshoot your permissions in Amazon Web Services (AWS), we’re introducing additional context in the access denied error messages. We’ll start to introduce this change in September 2021, and gradually make it available in all AWS services over the next few months. If you’re currently relying on the exact text of […]

Read More

Strengthen the security of sensitive data stored in Amazon S3 by using additional AWS services

October 13, 2021: We’ve added a section on redacting and transforming personally identifiable information with Amazon S3 Object Lambda. In this post, we describe the AWS services that you can use to both detect and protect your data stored in Amazon Simple Storage Service (Amazon S3). When you analyze security in depth for your Amazon […]

Read More

How to restrict IAM roles to access AWS resources from specific geolocations using AWS Client VPN

You can improve your organization’s security posture by enforcing access to Amazon Web Services (AWS) resources based on IP address and geolocation. For example, users in your organization might bring their own devices, which might require additional security authorization checks and posture assessment in order to comply with corporate security requirements. Enforcing access to AWS […]

Read More

How to implement SaaS tenant isolation with ABAC and AWS IAM

August 31, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info. Multi-tenant applications must be architected so that the resources of each tenant are isolated and […]

Read More

Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM

June 5, 2021: We’ve updated Figure 1: User request flow. Authorizing functionality of an application based on group membership is a best practice. If you’re building APIs with Amazon API Gateway and you need fine-grained access control for your users, you can use Amazon Cognito. Amazon Cognito allows you to use groups to create a […]

Read More

IAM makes it easier for you to manage permissions for AWS services accessing your resources

Amazon Web Services (AWS) customers are storing an unprecedented amount of data on AWS for a range of use cases, including data lakes and analytics, machine learning, and enterprise applications. Customers secure their data by implementing data security controls including identity and access management, network security, and encryption. For non-public, sensitive data, customers want to […]

Read More

Review last accessed information to identify unused EC2, IAM, and Lambda permissions and tighten access for your IAM roles

AWS Identity and Access Management (IAM) helps customers analyze access and achieve least privilege. When you are working on new permissions for your team, you can use IAM Access Analyzer policy generation to create a policy based on your access activity and set fine-grained permissions. To analyze and refine existing permissions, you can use last […]

Read More

How to relate IAM role activity to corporate identity

September 8, 2021: The post was updated to correct a typo about the CloudTrail log snippet. April 14, 2021: In the section “Use the SourceIdentity attribute with identity federation,” we updated “AWS SSO” to “sign-in endpoint” for clarity. AWS Security Token Service (AWS STS) now offers customers the ability to specify a unique identity attribute […]

Read More