AWS Security Blog
Category: Security, Identity, & Compliance
How to verify AWS KMS asymmetric key signatures locally with OpenSSL
August 31, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info. In this post, I demonstrate a sample workflow for generating a digital signature within AWS […]
Round 2 Hybrid Post-Quantum TLS Benchmarks
January 25, 2023: AWS KMS, ACM, Secrets Manager TLS endpoints have been updated to only support NIST’s Round 3 picked KEM, Kyber. s2n-tls and s2n-quic have also been updated to only support Kyber. BIKE or other KEMs may still be added as the standardization proceeds. AWS Cryptography has completed benchmarks of Round 2 Versions of […]
2019 C5 attestation is now available
September 9, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details. AWS has completed its 2019 assessment against the Cloud Computing Compliance Controls Catalog (C5) information security and compliance program. Germany’s national cybersecurity authority—Bundesamt für Sicherheit in der Informationstechnik (BSI)—established C5 to define a reference standard for German cloud security requirements. […]
Enable automatic logging of web ACLs by using AWS Config
In this blog post, I will show you how to use AWS Config, with its auto-remediation functionality, to ensure that all web ACLs have logging enabled. The AWS CloudFormation template included in this blog post will facilitate this solution, and will get you started being able to manage web ACL logging at scale. AWS Firewall […]
Selecting and migrating a Facebook API version for Amazon Cognito
September 8, 2023: It’s important to know that if you activate user sign-up in your user pool, anyone on the internet can sign up for an account and sign in to your apps. Don’t enable self-registration in your user pool unless you want to open your app to allow users to sign up. On May […]
TLS 1.2 to become the minimum for all AWS FIPS endpoints
November 10, 2022: This project was successfully completed in March 2021. TLS 1.2 is now the minimum version supported for all connections to AWS FIPS service endpoints. Note we will be implementing the same policy for non-FIPS endpoints by June 2023. If you also use these endpoints see https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/ for details. June 8, 2022: We’ve […]
Use AWS Lambda authorizers with a third-party identity provider to secure Amazon API Gateway REST APIs
February 24, 2021: We updated this post to fix a typo in the IAM policy in the “Building a Lambda authorizer” section. Note: This post focuses on Amazon API Gateway REST APIs used with OAuth 2.0 and custom AWS Lambda authorizers. API Gateway also offers HTTP APIs, which provide native OAuth 2.0 features. For more […]
Top 10 security items to improve in your AWS account
August 10, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here. If you’re looking to improve your cloud security, a good place to start is to follow the top 10 most important cloud security tips […]
15 additional AWS services authorized at DoD Impact Level 6 for the AWS Secret Region
The Defense Information Systems Agency (DISA) has authorized 15 additional AWS services in the AWS Secret Region for production workloads at the Department of Defense (DoD) Impact Level (IL) 6 under the DoD’s Cloud Computing Security Requirements Guide (DoD CC SRG). The authorization at DoD IL 6 allows DoD Mission Owners to process classified and […]
How financial institutions can approve AWS services for highly confidential data
November 19, 2021: We made minor updates to this post, such as updating the number of services in scope for SOC compliance from 124 to 141. January 18, 2021: We made minor updates to this post, such as updating the number of services in scope for SOC compliance from 122 to 124. July 21, 2020: […]