Category: Security, Identity, & Compliance

If you’re a frequent reader of this blog, you probably know that AWS recommends as a security best practice that you set up one or more AWS Identity and Access Management (IAM) users for interaction with AWS services, rather than use your root account. Why? The credentials for your AWS root account provide full access […]

As the number of EC2 instances in your AWS environment grows, so too does the number of administrative access points to those instances. Depending on where your administrators connect to your instances from, you may consider enforcing stronger network-based access controls. A best practice in this area is to use a bastion. A bastion is […]

In Part 1 (configuring MFA for sign-in) and Part 2 (MFA-protected API access) of this series, we discussed various ways in which AWS Multi-Factor Authentication (MFA) can improve the security of your account.  This week’s topic will be a brief overview of how you can use MFA in conjunction with Amazon S3 Versioning. What is […]

Note: As of March 28, 2017,  Amazon EC2 supports tagging on creation, enforced tag usage, AWS Identity and Access Management (IAM) resource-level permissions, and enforced volume encryption. See New – Tag EC2 Instances & EBS Volumes on Creation on the AWS Blog for more information. We are happy to announce that we launched resource-level permissions […]

Dear readers, We hope you’ve found our posts over the past couple of months both informative and useful. While we’ve posted a variety of topics to appeal to a broad audience, we’d like to hear directly from you about what we could do better. What additional topics would you like us to write about related […]

July 15, 2020: The whitepaper Operational Checklists for AWS that’s described in this post has been replaced by a Cloud Audit Academy course. August 28, 2019: The whitepaper Operational Checklists for AWS that’s described in this post has been deprecated due to outdated content. View our current compliance resources here: https://aws.amazon.com/compliance/resources/ View our current security […]

If you’ve worked with AWS Identity and Access Management (IAM) policies, you know that they’re expressed as JSON documents. For example, here’s a policy that grants permission to perform some actions in our Amazon Glacier storage service: { “Version”: “2012-10-17”, “Statement”: [ { “Action”: [ “glacier:ListVaults”, “glacier:DescribeVault”, “glacier:GetVaultNotifications” ], “Effect”: “Allow”, “Resource”: “*” } ] } […]

Many of you have asked how to construct an AWS Identity and Access Management (IAM) policy with folder-level permissions for Amazon S3 buckets. This week’s guest blogger Elliot Yamaguchi, Technical Writer on the IAM team, will explain the basics of writing that type of policy. To show you how to create a policy with folder-level […]

In part I of our series on multi-factor authentication (MFA), we mentioned that the next topic would be securing access to AWS APIs with MFA. This week’s guest blogger Kai Zhao, Product Manager on our AWS Identity and Access Management (IAM) team, will give a brief overview of AWS MFA-protected API access. Introduction MFA-protected API […]

Log into Facebook or Google, then access AWS resources? Impossible (well, perhaps difficult…) you say – until now. On 5/28 the AWS Identity and Access Management (IAM) team launched web identity federation. This new feature expands existing AWS identity federation capabilities to include support for public identity providers such as Facebook, Google, or the newly […]