Category: Security
Amazon CloudSearch: Now with More Granular Access Control for Domains
Yesterday, Amazon CloudSearch released a new version that is fully integrated with AWS Identity and Access Management (IAM) and lets you control access to a domain's document and search services. Jon Handler, an AWS Solutions Architect who specializes in search, describes the new features.
In March, we released a new Amazon CloudSearch API that supports 34 languages as well as popular search features such as highlighting, autocomplete, and geospatial search. From a security perspective, one of the most exciting things about the Amazon CloudSearch 2013-01-01 API is that it provides better integration with IAM for the CloudSearch configuration API. Instead of granting users all-or-nothing access to the CloudSearch configuration service, you can grant more granular permissions so you can control access to specific configuration actions, such as creating and managing domains, managing domain resources, setting indexing options, and configuring domain services.
Now, we’ve further enhanced CloudSearch to support full IAM integration for all CloudSearch actions. You can use IAM to control access not just to the CloudSearch configuration service, but also to a domain’s document, search, and suggest services. You have control over which users are allowed to upload documents, submit search requests, and get suggestions.
In this post, I’ll discuss some use cases for granting access to Amazon CloudSearch using IAM. (more…)
Introducing the Redesigned IAM Console
We are excited to announce the redesigned IAM console, now with a streamlined look and feel that makes it even easier to manage your IAM settings. We’ve made it more convenient to manage large resource lists (for example, hundreds of users, groups, or roles), eliminated tab switching, and optimized the console to offer a better experience on mobile devices by restructuring resource detail pages and task workflows. Let’s take a look at the new features.
Security Checklist
We’ve made it easier to adopt the recommendations listed in our IAM best practices. The IAM console dashboard now shows you which recommended security measures are complete and how to take action on those that aren’t. (more…)
AWS CloudTrail Now Logs AWS Management Console Sign-In Events
We’ve heard from many of you that you want greater visibility into when users sign in to the AWS Management Console. We are excited to announce that AWS CloudTrail now captures console sign-in events whenever an account owner, a federated user, or an IAM user signs into the console.
For those of you who aren't familiar with CloudTrail, it's a service that records the AWS API calls made in your account and delivers the log files to an Amazon S3 bucket that you specify. We recommend that you enable CloudTrail as a general security best practice.
In this blog post I give an overview of the benefits of logging console sign-in events and describe how to read log files. (more…)
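The following is an added example, not code from the original post, showing what a practitioner does with these events once they land in S3: read a delivered CloudTrail log file, keep only the ConsoleLogin records, and flag root sign-ins, sign-ins without MFA, and repeated failures from one address. The record fields follow CloudTrail's ConsoleLogin event layout (eventName, userIdentity, sourceIPAddress, responseElements.ConsoleLogin, additionalEventData.MFAUsed); the sample records are constructed and every account ID, user name and IP address is made up.

```python
"""Triage console sign-in events from an AWS CloudTrail log file.

Added example (not from the original post). A delivered CloudTrail log file is a
JSON object with a "Records" array; the sample below is constructed in that
shape with made-up identifiers.
"""
import gzip
import json
from collections import Counter


def _event(time, identity, ip, outcome, mfa=None):
    # Build one constructed ConsoleLogin record in CloudTrail's shape.
    ev = {
        "eventVersion": "1.02",
        "eventTime": time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": identity,
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
    }
    if mfa is not None:
        ev["additionalEventData"] = {"MFAUsed": mfa}
    if outcome == "Failure":
        ev["errorMessage"] = "Failed authentication"
    return ev


ALICE = {"type": "IAMUser", "userName": "alice",
         "arn": "arn:aws:iam::123456789012:user/alice"}
BOB = {"type": "IAMUser", "userName": "bob",
       "arn": "arn:aws:iam::123456789012:user/bob"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}

# Constructed sample log file: a clean sign-in, a root sign-in without MFA,
# three failures for one user, and an unrelated API call the triage must ignore.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    _event("2014-07-08T17:02:31Z", ALICE, "198.51.100.7", "Success", "Yes"),
    _event("2014-07-08T17:05:10Z", ROOT, "203.0.113.44", "Success", "No"),
    _event("2014-07-08T17:06:01Z", BOB, "192.0.2.9", "Failure"),
    _event("2014-07-08T17:06:14Z", BOB, "192.0.2.9", "Failure"),
    _event("2014-07-08T17:06:40Z", BOB, "192.0.2.9", "Failure"),
    {"eventVersion": "1.02", "eventTime": "2014-07-08T17:10:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": ALICE, "sourceIPAddress": "198.51.100.7"},
]})


def load_log_file(path):
    """Read a CloudTrail log file as delivered to S3 (plain JSON or gzipped)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return fh.read()


def console_logins(log_text):
    """Return only the ConsoleLogin records from a log file's Records array."""
    return [r for r in json.loads(log_text)["Records"]
            if r.get("eventName") == "ConsoleLogin"]


def principal(identity):
    """Short label for the signing-in identity: 'root' or '<type>:<name>'."""
    if identity.get("type") == "Root":
        return "root"
    name = identity.get("userName") or identity.get("arn", "?")
    return f"{identity.get('type')}:{name}"


def triage(log_text, failure_threshold=3):
    """Return (severity, message) findings for the sign-ins in one log file."""
    findings = []
    failures = Counter()
    for ev in console_logins(log_text):
        who = principal(ev.get("userIdentity", {}))
        ip = ev.get("sourceIPAddress", "?")
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        mfa_used = ev.get("additionalEventData", {}).get("MFAUsed")
        if outcome != "Success":
            # Failed attempts are counted per (principal, source address)
            # and reported only once they reach the threshold.
            failures[(who, ip)] += 1
            continue
        if who == "root":
            findings.append(("HIGH", f"root console sign-in from {ip} at {ev['eventTime']}"))
        if mfa_used != "Yes":
            findings.append(("MEDIUM", f"{who} signed in from {ip} without MFA"))
    for (who, ip), n in failures.items():
        if n >= failure_threshold:
            findings.append(("MEDIUM", f"{n} failed console sign-ins for {who} from {ip}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG_FILE):
        print(severity, message)
```

Run against real files, point `load_log_file` at the objects CloudTrail delivers to your bucket; they are gzipped, and one file holds the records for a short delivery window, so run the triage over every file in the period you care about. Note that for a failed sign-in with a user name that does not exist, CloudTrail replaces the user name with HIDDEN_DUE_TO_SECURITY_REASONS, so failures group by that label rather than by the attempted name.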
New IAM Features: Enhanced Password Management and Credential Reports
The AWS IAM team recently released new credential lifecycle management features that enable AWS account administrators to define and enforce security best practices for IAM users.
We’ve expanded IAM password policies to enable self-service password rotation, on top of existing options to enforce password complexity. Furthermore, you can download reports for better visibility into the status of your IAM users’ AWS security credentials. These enhancements are designed to help you comply with security standards such as PCI DSS v2.0, ISO 27001, and FedRAMP.
In this blog post, I’ll discuss a number of use cases enabled by this release. (more…)
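The credential report mentioned above is a CSV with one row per IAM user plus a row for the root account. As an added example, not code from the original post, the script below parses such a report and checks the baseline the post is about: root with no MFA device, root with an active access key, console users whose password is enabled but who have no MFA, and active access keys older than a rotation limit. The column names are those of the credential report (the sample uses a subset of them); the rows are constructed and every identifier is made up.

```python
"""Audit an IAM credential report for the baseline this post describes.

Added example (not from the original post). The column names are the credential
report's; the rows are constructed. Date columns are ISO 8601 timestamps or one
of N/A, no_information, not_supported where no value applies.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2013-01-15T10:00:00+00:00,not_supported,2014-07-01T08:12:00+00:00,not_supported,not_supported,false,true,2013-01-15T10:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2014-02-03T12:00:00+00:00,true,2014-07-07T09:30:00+00:00,2014-06-20T11:00:00+00:00,2014-09-18T11:00:00+00:00,true,true,2014-06-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2013-11-20T08:00:00+00:00,true,no_information,2013-11-20T08:00:00+00:00,N/A,false,true,2013-11-20T08:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2014-01-10T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2014-05-01T00:00:00+00:00,true,2014-07-05T00:00:00+00:00
"""

AS_OF = datetime(2014, 7, 8, tzinfo=timezone.utc)  # "now" for the constructed sample


def parse_time(value):
    """Parse a report timestamp; None for N/A, no_information, not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, as_of=None, max_key_age_days=90):
    """Return (user, finding) pairs for rows that violate the baseline."""
    as_of = as_of or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account has no MFA device"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled but MFA not active"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                # Root keys cannot be constrained by IAM policy; they should not exist.
                findings.append((user, f"root account has an active access key {n}"))
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is not None:
                age = (as_of - rotated).days
                if age > max_key_age_days:
                    findings.append((user, f"access key {n} last rotated {age} days ago"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, AS_OF):
        print(f"{user}: {finding}")
```

The report is generated at most once every few hours, so schedule the audit rather than running it on every change, and treat `password_last_used` of `no_information` as "never recorded" rather than "never used" when deciding whether a user is dormant.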
How Does Amazon Cognito Relate to Existing Web Identity Federation?
As you might have seen, AWS recently released Amazon Cognito, a user identity and data synchronization service that helps you securely manage and synchronize app data for your users across their mobile devices. If you develop mobile apps that call AWS services, you definitely want to check out Amazon Cognito.
What is Amazon Cognito?
Amazon Cognito simplifies the task of authorizing your users to access resources in your AWS account without embedding long-term AWS credentials in your app. It works with the AWS Security Token Service to uniquely identify a user, hand the app temporary, limited-privilege credentials, and give the user a consistent identity throughout the lifetime of the app. In addition, Amazon Cognito offers a synchronization service that stores app data locally on the user's device and synchronizes it to the cloud, so your app works when the device is offline and the same user sees the same data when using the app on a different device. (more…)
Enhanced IAM Capabilities for the AWS Billing Console
In this post, Graham Evans, a developer on the AWS Billing team, describes new security features that expand how you can secure access to billing information in your AWS account.
My team, AWS Billing, recently released the new and improved Billing and Cost Management Console. We're now happy to introduce finer-grained access for users, including both IAM users and federated users. Building on our existing IAM capabilities that let you grant users read-only access, we've released new actions that grant read/write access to billing information.
You can now manage the access your users have to the following pages in the Billing console:
- Dashboard
- Bills
- Cost Explorer
- Advance Payment
- Payment Methods
- Payment History
- Consolidated Billing
- Account Settings
- Reports
- Preferences
- Credits
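The two excerpts above about granular access, the CloudSearch domain services and the Billing console, both come down to writing a least-privilege IAM policy and checking what it actually permits. The following is an added example, not code from either original post: it builds a policy that lets a principal query one CloudSearch domain but not upload documents, builds a read-only Billing console policy that still hides payment methods, and checks both with a minimal policy evaluator. The action names are the CloudSearch domain-service actions (`cloudsearch:search`, `cloudsearch:suggest`, `cloudsearch:document`) and the `aws-portal:*` actions used by the Billing console; confirm both against the current IAM documentation before relying on them. The account ID and domain name are made up, and the evaluator implements only what the example needs: explicit Deny beats Allow, Allow beats the implicit deny, and `*` / `?` wildcards, with actions compared case-insensitively and resources case-sensitively.

```python
"""Least-privilege IAM policies for CloudSearch domain services and the Billing
console, checked with a minimal policy evaluator.

Added example (not from the original posts). The evaluator is a teaching
simplification of IAM evaluation: no conditions, no resource policies, no
permission boundaries.
"""
import json
import re

DOMAIN_ARN = "arn:aws:cloudsearch:us-east-1:123456789012:domain/movies"  # made up


def cloudsearch_search_only_policy(domain_arn):
    """Query and suggest against one domain; no document uploads, no config API."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudsearch:search", "cloudsearch:suggest"],
        "Resource": domain_arn,
    }]}


def billing_viewer_policy():
    """Read-only Billing console access that still hides payment methods."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["aws-portal:View*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["aws-portal:*PaymentMethods"], "Resource": "*"},
    ]}


def _matches(pattern, value, ignore_case=False):
    """IAM-style glob: * matches any run of characters, ? matches exactly one."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Evaluate one action/resource pair against a single identity policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny wins over every Allow
        allowed = True
    return allowed  # no matching statement at all is an implicit deny


if __name__ == "__main__":
    print(json.dumps(cloudsearch_search_only_policy(DOMAIN_ARN), indent=2))
    print(json.dumps(billing_viewer_policy(), indent=2))
```

Two caveats when applying these for real. IAM users and roles can only reach the Billing console after the account owner activates IAM access to billing information in the account settings; without that, even `aws-portal:ViewBilling` has no effect. And a CloudSearch domain also carries its own access policy, so a request to the document or search endpoint has to be permitted by both that policy and the caller's IAM policy.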
A New and Standardized Way to Manage Credentials in the AWS SDKs
One of the advantages of using the AWS SDKs for programmatic access to AWS is that the SDKs handle the task of signing requests. All you have to do is provide AWS credentials (an access key ID and a secret access key), and when you invoke a method that makes a call to AWS, the SDK turns the method call into a signed request.
The AWS SDK team has recently made changes that make specifying credentials for the SDKs more convenient, more consistent across SDKs, and more secure. In this post, we'll review the changes. (more…)
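As an added example, not the SDK team's own code, the script below resolves credentials the way the standardized provider chain does for the two sources that can be shown offline: the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` environment variables first, then the profile named by `AWS_PROFILE` (or `default`) in the shared credentials file at `~/.aws/credentials`, whose INI layout is shown in the sample. It also warns when that file is readable by other users, which is the check most people forget. The third source in the chain, an EC2 instance profile reached through the instance metadata service, needs network access and is only referenced, not implemented. The sample file is constructed; its key values are the placeholder keys used throughout AWS documentation, not real credentials.

```python
"""Resolve AWS credentials in the order of the standardized SDK provider chain.

Added example (not the SDK's own code): environment variables, then a profile in
the shared credentials file. An EC2 instance profile would come next in a real
chain and is deliberately not implemented here.
"""
import configparser
import os
import stat
from collections import namedtuple

Credentials = namedtuple("Credentials", "access_key_id secret_access_key session_token source")

DEFAULT_PATH = os.path.expanduser("~/.aws/credentials")

# Constructed sample of the shared credentials file (documentation placeholder keys).
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[deploy]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
"""


def parse_shared_credentials(text):
    """Map profile name -> {aws_access_key_id, aws_secret_access_key, ...}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def from_environment(env):
    """First source in the chain: both variables must be present."""
    key, secret = env.get("AWS_ACCESS_KEY_ID"), env.get("AWS_SECRET_ACCESS_KEY")
    if key and secret:
        return Credentials(key, secret, env.get("AWS_SESSION_TOKEN"), "environment")
    return None


def from_shared_file(env, text):
    """Second source: the AWS_PROFILE section (or [default]) of the shared file."""
    profile = env.get("AWS_PROFILE", "default")
    section = parse_shared_credentials(text).get(profile)
    if not section or "aws_access_key_id" not in section or "aws_secret_access_key" not in section:
        return None
    return Credentials(section["aws_access_key_id"], section["aws_secret_access_key"],
                       section.get("aws_session_token"), f"shared file, profile {profile}")


def resolve(env, credentials_text=None):
    """First matching source wins; None means fall through to the instance profile."""
    creds = from_environment(env)
    if creds is None and credentials_text is not None:
        creds = from_shared_file(env, credentials_text)
    return creds


def mode_warning(mode):
    """Warn when the credentials file is readable by group or others (POSIX modes)."""
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return f"credentials file is readable by others (mode {stat.S_IMODE(mode):04o}); chmod 600 it"
    return None


def resolve_from_disk(env=os.environ, path=DEFAULT_PATH):
    """Real-world entry point: read the shared file from disk and check its mode."""
    text = None
    if os.path.exists(path):
        warning = mode_warning(os.stat(path).st_mode)
        if warning:
            print("warning:", warning)
        with open(path) as fh:
            text = fh.read()
    return resolve(env, text)


if __name__ == "__main__":
    print(resolve_from_disk())
```

The point of the file-based source is that credentials live in one place outside the code tree, so they cannot be committed by accident and every SDK on the machine reads the same profiles; the mode check matters because the file is plaintext, and on Windows the equivalent is the file's ACL rather than a POSIX mode.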
Want Help with Securing Your AWS Account? Here Are Some Resources
Some customers have asked how they should be using AWS Identity and Access Management (IAM) to help limit their exposure to problems like those that have recently been in the news. In general, AWS recommends that you enable multi-factor authentication (MFA) for your AWS account and for IAM users who are allowed to perform sensitive operations in your account. We also recommend that you use constrained, role-based access whenever practical, and that you do not use root credentials for everyday access to your account.
The list below provides links to best practices and how-to guides that show you how to help safeguard against the types of problems that people have asked about, and against many more.
- IAM Best Practices. A list of recommendations in the IAM documentation for managing your AWS access keys and passwords, using IAM users and groups, using roles and delegation, and turning on logging.
- Securing access to AWS Using MFA (Part 2, Part 3). A multi-part series that shows you how to use MFA to add security to your account. For a quick video, try Improve the security of your AWS account in less than 5 minutes.
- A safer way to distribute AWS credentials to EC2. A post that walks you through the process of making access keys available in a secure and convenient way to applications that are running on EC2 instances.
If you have any questions about these recommendations, or about how to help secure your AWS account, please post them to the AWS Forum.
– Jim
New in Amazon EMR: Support for Federated Users
AWS announced yesterday that Amazon Elastic MapReduce (EMR) added support for federated users. If you use Amazon EMR, you can now let users who are signed in with their corporate credentials administer Amazon EMR clusters; you no longer need to create IAM users to grant access to EMR.
Up to now, federated users who’ve signed into the console—for example, using an identity provider that supports SAML (Security Assertion Markup Language) or a custom proxy service—have seen the Amazon EMR console disabled. But no more! Federated users now have the same console-based access to Amazon EMR that IAM users do.
The new support extends the ways in which you can take advantage of federated access to AWS. If you haven’t investigated federation, we encourage you to try it. If you already use SAML, have a look at the list of solution providers who make it easy to enable federation with AWS. Or check out some of the other federation scenarios that are available.
For more information about the new release, see the Amazon EMR documentation.
– Mike
Federating Identity Management at Netflix with OneLogin
Netflix, one of our most active customers, has hundreds of administrators who need access to AWS daily. By using identity federation to eliminate separate IAM user credentials for those administrators, they saved time, money, and administrative effort almost immediately. They used SAML and OneLogin, their existing identity management provider, to federate users with AWS. Now users need to manage only their corporate credentials to access AWS services and resources.
The OneLogin team has written a fascinating blog post that describes how they worked with Netflix and with the IAM team to design and implement SAML-based federation at enterprise scale. To read how they did it, check out the post on the OneLogin blog.
And for information about how to configure OneLogin to achieve SSO with AWS, see the OneLogin documentation.
-Ben
