AWS Security Blog

Category: Security, Identity, & Compliance*

Remove Unnecessary Permissions in Your IAM Policies by Using Service Last Accessed Data

As a security best practice, AWS recommends writing AWS Identity and Access Management (IAM) policies that adhere to the principle of least privilege, which means granting only the permissions required to perform a specific task. However, verifying which permissions an application or user actually needs can be a challenge. To help you determine which permissions […]

Read More

Announcing Managed Microsoft Active Directory in the AWS Cloud

AWS Directory Service now offers an additional directory type. Now you can launch and run a Microsoft Active Directory (AD) as a managed service in the AWS cloud. AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD, is powered by Windows Server 2012 R2. When you select and launch […]

Read More

What’s New in AWS Key Management Service: AWS CloudFormation Support and Integration with More AWS Services

We’re happy to make two announcements about what’s new in AWS Key Management Service (KMS). First, AWS CloudFormation has added a template for KMS that lets you quickly create KMS customer master keys (CMK) and set their properties. Starting today, you can use the AWS::KMS::Key resource to create a CMK in KMS. To get started, […]

Read More

How to Set Up Federated API Access to AWS by Using Windows PowerShell

When accessing AWS resources in an organization, we recommend that you have a standard and repeatable authentication method for purposes of security, auditability, compliance, and the capability to support role and account separation. As part of my AWS Professional Services engagements, I have helped AWS customers establish such an authentication mechanism via federated access to […]

Read More

AWS Certification Update – ISO 27017

I am happy to announce that AWS has achieved ISO 27017 certification. This new criterion builds upon the ISO 27002 standard, with additional controls specifically applicable to cloud service providers. AWS is the first cloud provider to obtain this certification, which is available now for download on our AWS Cloud Compliance site. Additionally, we’ve posted an FAQ […]

Read More

How to Use a Single IAM User to Easily Access All Your Accounts by Using the AWS CLI

Many AWS customers keep their environments separated from each other: development resources do not interact with production, and vice versa. One way to achieve this separation is by using multiple AWS accounts. Though this approach does help with resource isolation, it can increase your user management because each AWS account can have its own AWS […]

Read More

s2n and Lucky 13

Great security research combines extremely high levels of creativity, paranoia, and attention to detail. All of these qualities are in evidence in two new research papers about how s2n, our Open Source implementation of the SSL/TLS protocols, handles the Lucky 13 attack from 2013. The research found issues with how s2n mitigates Lucky 13 and improvements that […]

Read More

AWS Announces Successful SOC Assessment with 3 New Services in Scope

Today, I’m happy to announce the completion of another successful Service Organization Controls (SOC) assessment. The AWS SOC program is an intense, period-in-time audit performed every six months. We have been releasing SOC Reports (or their SAS 70 predecessors) regularly since 2009, and we have, over the years, gradually built in more controls and added […]

Read More

AWS Releases Preview of SMS MFA for IAM Users

Today, AWS introduced the preview of Short Message Service (SMS) support for multi-factor authentication (MFA), making it easier for you to implement a security best practice. Until now, you could enable MFA for AWS Identity and Access Management (IAM) users only with hardware or virtual MFA tokens, but this new feature enables you to use […]

Read More

AWS Security Token Service (STS) Is Now Active by Default in All AWS Regions

My previous blog post on November 11, 2015, reported that we were preparing to activate AWS Security Token Service (STS) by default in all AWS regions. As of today, AWS STS is active by default in all AWS regions, for all customers. This means that your applications and services can immediately take advantage of reduced […]

Read More