Category: Security


Securing Access to AWS Using MFA–Part 2

In part I of our series on multi-factor authentication (MFA), we mentioned that the next topic would be securing access to AWS APIs with MFA. This week’s guest blogger Kai Zhao, Product Manager on our AWS Identity and Access Management (IAM) team, will give a brief overview of AWS MFA-protected API access.


Introduction

MFA-protected API access extends AWS MFA protection to AWS service APIs. You can enforce MFA authentication for AWS service APIs via AWS Identity and Access Management (IAM) policies. This provides an extra layer of security over powerful operations that you designate, such as terminating Amazon EC2 instances or reading sensitive data stored in Amazon S3.

New AWS Web Identity Federation Supports Amazon.com, Facebook, and Google identities

Log into Facebook or Google, then access AWS resources? Impossible (well, perhaps difficult…) you say – until now. On 5/28 the AWS Identity and Access Management (IAM) team launched web identity federation. This new feature expands existing AWS identity federation capabilities to include support for public identity providers such as Facebook, Google, or the newly launched Login with Amazon service.  Wait, you’ve never heard of Login with Amazon?  It’s a new service you can use to securely connect your websites and apps with millions of Amazon.com customers!

A number of folks have already written about our web identity federation functionality so I won’t repeat everything here. If you want to learn the basics, head over and read this post in the AWS blog. If you’re looking for some sample code, the AWS mobile team has you covered – see what Bob Kinney said here. Want more you say? Get started by digging into the web identity federation documentation.

Jeff Wierer
Principal Product Manager, AWS Identity and Access Management

Understanding the API Options for Securely Delegating Access to Your AWS Account

Thinking about building a secure delegation solution to grant temporary access to your AWS account?  This week’s guest blogger Kai Zhao, Product Manager on our AWS Identity and Access Management (IAM) team, will discuss some considerations when deciding on an approach:


Introduction

Using temporary security credentials (“sessions”) enables you to securely delegate access to your AWS environment to one or more users or applications, without having to share your long-term credentials (i.e. password or secret access key).  Use cases include cross-account access (enabling users from one AWS account to access resources in another) and single sign-on to AWS (enabling users authenticated within your enterprise to access AWS without re-authentication).

Many customers have asked for guidance on how to build delegation solutions that grant temporary access to their AWS environment.  This blog post will cover two AWS APIs that you can use for this purpose (sts:GetFederationToken and sts:AssumeRole), how to call each API, and the benefits of using one versus the other.

Please be aware that this blog post will dive deep into some technical details. It’s helpful to first have a basic understanding of IAM and how to make programmatic AWS API calls with IAM users. You may want to brush up first by reviewing the Using IAM and Temporary Security Credentials documentation.

AWS Achieves First FedRAMP(SM) Agency ATOs

I’m very excited to share that AWS is now a FedRAMP-compliant cloud service provider. See the Amazon press release. This is game-changing news for our U.S. government customers and systems integrators and other companies that provide products and services to the U.S. government because:

  1. It provides agencies a standardized approach to security assessment, authorization, and continuous monitoring for AWS products and services. Prior to the FedRAMP process, government security assessments of cloud providers were not standardized; each varied greatly in scope and depth and was an inefficient use of time and resources. Through FedRAMP, agencies now have a mechanism to obtain comprehensive AWS security assessment documentation and to perform an evaluation of our environment. Agencies can immediately request access to the AWS FedRAMP package by submitting a FedRAMP Package Access Request Form and begin moving through the process to evaluate our platform and authorize AWS for sensitive government workloads.
  2. It demonstrates the AWS environment meets the high bar of the FedRAMP security and control requirements. This means U.S. government customers can immediately start leveraging the Authority to Operate (ATO) provided by the Department of Health and Human Services (HHS) to use the AWS cloud. Kevin Charest, HHS Chief Information Security Officer, shared that by using AWS, all of the HHS Operating Divisions can now “reduce duplicative efforts, inconsistencies, and cost inefficiencies associated with current security authorization processes.”
  3. It provides agencies with the immediate ability to comply with the Office of Management and Budget’s (OMB) mandate to “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB).

Two Big Announcements from AWS Compliance: SOC 3 Report Now Available and All SOC Reports Include New Services and New Region in Scope

AWS is pleased to announce the immediate availability of the AWS Service Organization Control (SOC) 3 report, which you can freely distribute. This report on AWS security practices enables you and your stakeholders to validate that AWS has obtained independent auditor assurance, which attests to our alignment with the American Institute of Certified Public Accountants (AICPA) Security Trust Principles.

Moreover, we’re happy to announce that the following are now in scope for all our SOC reports:

The expanding list of services and regions incorporated into our compliance program allows our customers to use a wider range of AWS services for sensitive and/or regulated workloads.

Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket

In this post, we’ll address a common question about how to write an AWS Identity and Access Management (IAM) policy to grant read-write access to an Amazon S3 bucket.  Doing so helps you control who can access your data stored in S3.

You can grant either programmatic access or AWS Management Console access to S3 resources. For example, you might grant programmatic access to an application that reads and writes data gathered from a website to an S3 bucket. With console access, users who interact with S3 to download and upload files can use a web-based GUI instead of constructing API calls. Let’s walk through two different policies: one that grants programmatic access and another that grants console access.

Securing Access to AWS Using MFA–Part 1

In this series of blog posts, we’ll walk through different ways to keep your AWS resources secure using AWS Multi-Factor Authentication (MFA).

As a best practice, we strongly recommend that you secure access to your account with AWS MFA.  It’s a simple way to add an extra layer of protection on top of your username and password.

With AWS MFA enabled, when a user signs in to an AWS website, they’ll be prompted for their username and password (the first factor – what they know), as well as for an authentication code from their AWS MFA device (the second factor – what they have). Taken together, these multiple factors provide increased security by preventing access to your AWS environment unless a valid MFA code is supplied.

Welcome to the AWS Security Blog!

This blog will feature information for customers interested in AWS security and compliance.  You’ll see content from many AWS team members covering a range of topics, including:

  • Security best practices for AWS services, including Amazon EC2, Amazon S3, AWS IAM, and others
  • How-to guides
  • Compliance milestones
  • Customer and partner stories
  • And more!

To get future updates, please check back often or subscribe to our blog using the RSS feed button at the top of the page.

If you have requests to cover specific topics, please let us know in the comments.

Steve Schmidt
Chief Information Security Officer, AWS