<h1>AWS Security Blog</h1> <p><a href="https://aws.amazon.com/blogs/security/">https://aws.amazon.com/blogs/security/</a>, Tue, 24 Oct 2017 05:13:19 +0000</p> <h2><a href="https://aws.amazon.com/blogs/security/reserved-seating-now-open-for-aws-reinvent-2017/">Reserved Seating Now Open for AWS re:Invent 2017</a></h2> <p>Thu, 19 Oct 2017 23:31:11 +0000</p> <p>Reserved seating for AWS re:Invent 2017 is now open! Some important things you should know about reserved seating:</p> <ol> <li>Reserved seating is a way to get a guaranteed seat in breakout sessions, workshops, chalk talks, and other events.</li> <li>You can reserve seats using both the re:Invent registration app and the re:Invent mobile app.</li> <li>75 percent of each room will be available for reserved seating.</li> <li>25 percent of each room will be saved for walk-up attendees.</li> </ol> <p>You can watch a <a href="https://www.youtube.com/watch?v=AOVIvcQQ0io" target="_blank" rel="noopener noreferrer">24-minute video</a> that explains reserved seating and how to start reserving your seats today. 
You also can review the <a href="https://www.slideshare.net/AmazonWebServices/reserved-seating-and-mobile-app-at-aws-reinvent-2017-aws-online-tech-talks" target="_blank" rel="noopener noreferrer">Reserved Seating &amp; Mobile app slide deck</a>.</p> <p>Or you can <a href="https://www.portal.reinvent.awsevents.com/connect/publicDashboard.ww" target="_blank" rel="noopener noreferrer">log in and start reserving seats now</a>.</p> <p>– Craig</p> <h2><a href="https://aws.amazon.com/blogs/security/want-to-learn-more-about-aws-cloudhsm-and-hardware-key-management-register-for-and-attend-this-october-25-tech-talk-cloudhsm-secure-scalable-key-storage-in-aws/">Want to Learn More About AWS CloudHSM and Hardware Key Management? Register for and Attend this October 25 Tech Talk: “CloudHSM – Secure, Scalable Key Storage in AWS”</a></h2> <p>Tue, 17 Oct 2017 14:36:07 +0000</p> <p>As part of the AWS Online Tech Talks series, AWS will present <a href="https://pages.awscloud.com/registration_102517_CloudHSM-Secure-Scalable-Key-Storage-in-AWS.html" target="_blank" rel="noopener noreferrer">CloudHSM – Secure, Scalable Key Storage in AWS</a> on Wednesday, October 25. This tech talk will start at 9:00 A.M. Pacific Time and end at 9:40 A.M. 
Pacific Time.</p> <p>Applications handling confidential or sensitive data are subject to corporate or regulatory requirements and therefore need validated control of encryption keys and cryptographic operations. <a href="https://aws.amazon.com/cloudhsm/" target="_blank" rel="noopener noreferrer">AWS CloudHSM</a> brings to your AWS resources the security and control of traditional HSMs. This tech talk will show how you can use CloudHSM to build scalable, reliable applications without sacrificing either security or performance. Attend this tech talk to learn how you can use CloudHSM to quickly and easily build secure, compliant, fast, and flexible applications.</p> <p>You also will:</p> <ul> <li>Learn about the challenges CloudHSM can help you address.</li> <li>Understand how CloudHSM can secure your workloads and data.</li> <li>Learn how to transfer and modernize workloads.</li> </ul> <p>This tech talk is free. <a href="https://pages.awscloud.com/registration_102517_CloudHSM-Secure-Scalable-Key-Storage-in-AWS.html" target="_blank" rel="noopener noreferrer">Register today</a>.</p> <p>– Craig</p> <h2><a href="https://aws.amazon.com/blogs/security/how-to-automatically-revert-and-receive-notifications-about-changes-to-your-amazon-vpc-security-groups/">How to Automatically Revert and Receive Notifications About Changes to Your Amazon VPC Security Groups</a></h2> <p>Wed, 11 Oct 2017 13:50:58 +0000</p> <p>In a previous <a href="https://aws.amazon.com/blogs/security/how-to-monitor-aws-account-configuration-changes-and-api-calls-to-amazon-ec2-security-groups/" target="_blank" rel="noopener noreferrer">AWS Security Blog post</a>, Jeff Levine showed how you can monitor changes to your <a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener noreferrer">Amazon EC2</a> security groups. The methods he describes in that post are examples of <em>detective controls</em>, which can help you determine when changes are made to security controls on your AWS resources.</p> <p>In this post, I take that approach a step further by introducing an example of a <em>responsive control</em>, which you can use to automatically respond to a detected security event by applying a chosen security mitigation. I demonstrate a solution that continuously monitors changes made to an <a href="https://aws.amazon.com/vpc/" target="_blank" rel="noopener noreferrer">Amazon VPC</a> <a href="http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html" target="_blank" rel="noopener noreferrer">security group</a>, and if a new ingress rule (the same as an inbound rule) is added to that security group, the solution removes the rule and then sends you a notification after the change has been automatically reverted.</p> <h3>The scenario</h3> <p>Let’s say you want to reduce your infrastructure complexity by <a href="https://aws.amazon.com/blogs/mt/replacing-a-bastion-host-with-amazon-ec2-systems-manager/" target="_blank" rel="noopener noreferrer">replacing your Secure Shell (SSH) bastion hosts</a> with <a href="https://aws.amazon.com/ec2/systems-manager/" target="_blank" rel="noopener noreferrer">Amazon EC2 Systems Manager</a> (SSM). SSM allows you to run commands on your hosts remotely, removing the need to manage bastion hosts or rely on SSH to execute commands. 
To support this objective, you must prevent your staff members from opening SSH ports in your web server’s Amazon VPC security group. If one of your staff members does modify the VPC security group to allow SSH access, you want the change to be reverted automatically and then to receive a notification that the change was reverted. If you are not yet familiar with security groups, see <a href="http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html" target="_blank" rel="noopener noreferrer">Security Groups for Your VPC</a> before reading the rest of this post.</p> <h3>Solution overview</h3> <p>This solution begins with a <em>directive control</em> to mandate that no web server should be accessible using SSH. The directive control is enforced using a <em>preventive control</em>, which is implemented as a security group rule set that allows no ingress on port 22 (the port typically used for SSH). The detective control is a “listener” that identifies any changes made to your security group. Finally, the responsive control reverts changes made to the security group and then sends a notification of this security mitigation.</p> <p>The detective control, in this case, is an <a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener noreferrer">Amazon CloudWatch</a> event that detects changes to your security group and triggers the responsive control, which in this case is an <a href="https://aws.amazon.com/lambda/" target="_blank" rel="noopener noreferrer">AWS Lambda</a> function. I use <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener noreferrer">AWS CloudFormation</a> to simplify the deployment.</p> <p>The following diagram shows the architecture of this solution.</p> <p><img class="alignnone wp-image-5398 size-full" title="Solution architecture diagram" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/10/09/Annotated-Flow-FINAL.png" alt="Solution architecture diagram" width="1028" height="263" /></p> <p>Here is how the process works:</p> <ol> <li>Someone on your staff adds a new ingress rule to your security group.</li> <li>A CloudWatch event rule that continually monitors changes to your security groups detects the new ingress rule and invokes a designated Lambda function (with Lambda, you can run code without provisioning or managing servers).</li> <li>The Lambda function evaluates the event to determine whether the affected security group is one you are monitoring and, if so, reverts the new ingress rule.</li> <li>Finally, the Lambda function sends you an email to let you know what the change was, who made it, and that the change was reverted.</li> </ol> <h3>Deploy the solution by using CloudFormation</h3> <p>In this section, you will click the <strong>Launch Stack</strong> button shown below to launch the CloudFormation stack and deploy the solution.</p> <h4>Prerequisites</h4> <ul> <li>You must have <a href="https://aws.amazon.com/cloudtrail/" target="_blank" rel="noopener noreferrer">AWS CloudTrail</a> already enabled in the AWS Region where you will be deploying the solution. CloudTrail lets you log, continuously monitor, and retain events related to API calls across your AWS infrastructure; the CloudWatch event rule in this solution is driven by those CloudTrail events. See <a href="http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-getting-started.html" target="_blank" rel="noopener noreferrer">Getting Started with CloudTrail</a> for more information.</li> <li>You must have a default VPC in the region in which you will be deploying the solution. AWS accounts have one default VPC per AWS Region. If you’ve deleted your VPC, see <a href="http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html#create-default-vpc" target="_blank" rel="noopener noreferrer">Creating a Default VPC</a> to recreate it.</li> </ul> <h4>Resources that this solution creates</h4> <p>When you launch the CloudFormation stack, it creates the following resources:</p> <ul> <li>A sample VPC security group in your default VPC, which is used as the target for reverting ingress rule changes.</li> <li>A CloudWatch event rule that monitors changes to your AWS infrastructure.</li> <li>A Lambda function that reverts changes to the security group and sends you email notifications.</li> <li>A permission that allows CloudWatch to invoke your Lambda function.</li> <li>An <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener noreferrer">AWS Identity and Access Management</a> (IAM) role with limited privileges that the Lambda function assumes when it is executed.</li> <li>An <a href="http://aws.amazon.com/sns/" target="_blank" rel="noopener noreferrer">Amazon SNS</a> topic to which the Lambda function publishes notifications.</li> </ul> <h4>Launch the CloudFormation stack</h4> <p>The link in this section uses the <code>us-east-1</code> Region (the US East [N. Virginia] Region). Change the region if you want to use this solution in a different region. See <a href="http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html#select-region" target="_blank" rel="noopener noreferrer">Selecting a Region</a> for more information about changing the region.</p> <p>To deploy the solution, click the following <strong>Launch Stack</strong> button to launch the stack. After you click the button, you must sign in to the AWS Management Console if you have not already done so.</p> <p><a href="https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=security-group-change-auto-response&amp;templateURL=https://s3.amazonaws.com/awsiammedia/public/sample/revertsecuritygroupchanges/security-group-change-auto-response.yaml" target="_blank" rel="noopener noreferrer"><img class="alignnone wp-image-5399 size-full" title="Click this &quot;Launch Stack&quot; button" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/10/09/Launch-Stack.png" alt="Click this &quot;Launch Stack&quot; button" width="107" height="20" /></a></p> <p>Then:</p> <ol> <li>Choose <strong>Next</strong> to proceed to the <strong>Specify Details</strong> page.</li> <li>On the <strong>Specify Details</strong> page, type your email address in the <strong>Send notifications to</strong> box. This is the email address to which change notifications will be sent. (After the stack is launched, you will receive a confirmation email that you must accept before you can receive notifications.)</li> <li>Choose <strong>Next</strong> until you get to the <strong>Review</strong> page, and then select the <strong>I acknowledge that AWS CloudFormation might create IAM resources</strong> check box. This confirms that you are aware that the CloudFormation template includes an IAM resource.</li> <li>Choose <strong>Create</strong>. CloudFormation displays the stack status <strong>CREATE_COMPLETE</strong> when the stack has launched completely, which should take less than two minutes.<img class="alignnone wp-image-5460 size-full" title="Screenshot showing that the stack has launched completely" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/10/10/createcomplete_RB101017-a.png" alt="Screenshot showing that the stack has launched completely" width="792" height="156" /></li> </ol> <h3>Testing the solution</h3> <ol> <li>Check your email for the SNS confirmation email. You must confirm this subscription to receive future notification emails. If you don’t confirm the subscription, your security group ingress rules will still be reverted automatically, but you will not receive notification emails.</li> <li>Navigate to the <a href="https://console.aws.amazon.com/ec2/v2/home" target="_blank" rel="noopener noreferrer">EC2 console</a> and choose <strong>Security Groups</strong> in the navigation pane.</li> <li>Choose the security group created by CloudFormation. Its name is <strong>Web Server Security Group</strong>.</li> <li>Choose the <strong>Inbound</strong> tab in the bottom pane of the page. 
Note that there is only one rule, which allows HTTPS ingress on port 443 from <code>0.0.0.0/0</code> (anywhere).<img class="alignnone wp-image-5447 size-full" title="Screenshot showing the &quot;Inbound&quot; tab in the bottom pane of the page" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/10/10/edit-inboundtab_RB101017.png" alt="Screenshot showing the &quot;Inbound&quot; tab in the bottom pane of the page" width="912" height="549" /></li> </ol> <ol start="5"> <li>Choose <strong>Edit</strong> to display the <strong>Edit inbound rules</strong> dialog box (again, an inbound rule and an ingress rule are the same thing).</li> <li>Choose <strong>Add Rule</strong>.</li> <li>Choose <strong>SSH</strong> from the <strong>Type</strong> drop-down list.</li> <li>Choose <strong>My IP</strong> from the <strong>Source</strong> drop-down list. Your IP address is populated for you. By adding this rule, you are simulating one of your staff members violating your organization’s policy (in this blog post’s hypothetical example) against allowing SSH access to your EC2 servers. You are testing the solution created when you launched the CloudFormation stack in the previous section. The solution should remove this newly created SSH rule automatically.<br /> <img class="alignnone wp-image-5456 size-full" title="Screenshot of editing inbound rules" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/10/10/editinboundrules_RB101017-c.png" alt="Screenshot of editing inbound rules" width="1087" height="332" /></li> <li>Choose <strong>Save</strong>.</li> </ol> <p>Adding this rule creates an EC2 <code>AuthorizeSecurityGroupIngress</code> service event, which CloudTrail records and the CloudWatch event rule matches, triggering the Lambda function created in the CloudFormation stack.</p> <p>
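<p>The evaluate-and-revert logic such a Lambda function performs, as an added example written for this post (it is not the CloudFormation stack's own code): it checks that the CloudTrail record is a successful <code>AuthorizeSecurityGroupIngress</code> on the monitored group, translates the request into the <code>IpPermissions</code> shape that <code>revoke_security_group_ingress</code> takes, revokes the rules, and publishes the notification. The environment variable names <code>MONITORED_SG_ID</code> and <code>SNS_TOPIC_ARN</code>, the <code>RecordingClient</code> stand-in, and the sample event are assumptions constructed here, not taken from the post.</p>

```python
"""Responsive control: revert ingress rules added to a monitored VPC security group.
Added example for this post, not the stack's own Lambda code. Assumed (not from the
post): MONITORED_SG_ID and SNS_TOPIC_ARN environment variables, and an incoming
CloudWatch Events wrapper around a CloudTrail AuthorizeSecurityGroupIngress record."""
import json
import os

# Constructed sample event mirroring the post's test: an SSH rule added from "My IP".
SAMPLE_EVENT = {
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventTime": "2017-10-10T18:02:41Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "203.0.113.10/32"}]},
            }]},
        },
    },
}


def is_monitored_change(detail, monitored_sg_id):
    """True only for a successful AuthorizeSecurityGroupIngress on the monitored group.
    CloudTrail also records denied or failed calls (errorCode set); those changed nothing."""
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress" or "errorCode" in detail:
        return False
    params = detail.get("requestParameters") or {}
    return params.get("groupId") == monitored_sg_id


def to_ip_permissions(request_parameters):
    """Translate CloudTrail's camelCase, {"items": [...]}-wrapped ipPermissions into the
    IpPermissions list that ec2.revoke_security_group_ingress expects."""
    permissions = []
    for perm in request_parameters.get("ipPermissions", {}).get("items", []):
        entry = {"IpProtocol": perm["ipProtocol"]}
        for src, dst in (("fromPort", "FromPort"), ("toPort", "ToPort")):
            if src in perm:  # ports are absent for protocol "-1" (all traffic)
                entry[dst] = perm[src]
        sources = (
            ("ipRanges", "IpRanges", "cidrIp", "CidrIp"),
            ("ipv6Ranges", "Ipv6Ranges", "cidrIpv6", "CidrIpv6"),
            ("groups", "UserIdGroupPairs", "groupId", "GroupId"),
            ("prefixListIds", "PrefixListIds", "prefixListId", "PrefixListId"),
        )
        for src_key, dst_key, src_field, dst_field in sources:
            items = perm.get(src_key, {}).get("items", [])
            values = [{dst_field: item[src_field]} for item in items if src_field in item]
            if values:
                entry[dst_key] = values
        permissions.append(entry)
    return permissions


def build_notification(detail, group_id, permissions):
    """Plain-text email body: what changed, who made the change, and that it was reverted."""
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    return "\n".join([
        f"Ingress rules added to security group {group_id} were automatically reverted.",
        f"Changed by: {actor} from {detail.get('sourceIPAddress', 'unknown')}",
        f"Time (UTC): {detail.get('eventTime', 'unknown')}",
        "Reverted rules: " + json.dumps(permissions, sort_keys=True),
    ])


def revert_ingress(event, ec2, sns, monitored_sg_id, topic_arn):
    """Evaluate the event; if it targets the monitored group, revoke the rules and notify."""
    detail = event.get("detail", {})
    if not is_monitored_change(detail, monitored_sg_id):
        return {"reverted": False, "reason": "not a successful change to the monitored group"}
    permissions = to_ip_permissions(detail["requestParameters"])
    if not permissions:  # legacy flat-parameter requests (cidrIp at top level) are not translated here
        return {"reverted": False, "reason": "request carried no ipPermissions entries"}
    ec2.revoke_security_group_ingress(GroupId=monitored_sg_id, IpPermissions=permissions)
    message = build_notification(detail, monitored_sg_id, permissions)
    sns.publish(TopicArn=topic_arn, Subject="Security group change reverted", Message=message)
    return {"reverted": True, "permissions": permissions, "message": message}


def lambda_handler(event, context):
    import boto3  # imported here so the logic above can run without boto3 installed
    return revert_ingress(event, boto3.client("ec2"), boto3.client("sns"),
                          os.environ["MONITORED_SG_ID"], os.environ["SNS_TOPIC_ARN"])


class RecordingClient:
    """Offline stand-in for a boto3 client: records calls instead of reaching AWS."""
    def __init__(self):
        self.calls = []
    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("revoke_security_group_ingress", kwargs))
    def publish(self, **kwargs):
        self.calls.append(("publish", kwargs))
```

<p>A denied call (a CloudTrail record carrying <code>errorCode</code>) changed nothing and is ignored, and a rule on protocol -1 has no port fields; the translation handles both.</p>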
After a few moments, choose the refresh button (<img class="alignnone wp-image-5406" title="The &quot;refresh&quot; icon" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/10/09/refresh.png" alt="The &quot;refresh&quot; icon" width="10" height="10" />) to see that the new SSH ingress rule that you just created has been removed by the solution you deployed earlier with the CloudFormation stack. If the rule is still there, wait a few more moments and choose the refresh button again.</p> <p><img class="alignnone wp-image-5450 size-full" title="Screenshot of refreshing the page to see that the SSH ingress rule has been removed" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/10/10/refreshbutton_RB101017.png" alt="Screenshot of refreshing the page to see that the SSH ingress rule has been removed" width="900" height="404" /></p> <p>You should also receive an email notifying you that the ingress rule was added and subsequently reverted.</p> <p><img class="alignnone wp-image-5455 size-full" title="Screenshot of the notification email" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/10/10/Notification-Email-a.png" alt="Screenshot of the notification email" width="769" height="550" /></p> <h3>Cleaning up</h3> <p>If you want to remove the resources created by this CloudFormation stack, delete the stack:</p> <ol> <li>Navigate to the <a href="https://console.aws.amazon.com/cloudformation/home" target="_blank" rel="noopener noreferrer">CloudFormation console</a>.</li> <li>Choose the stack that you created earlier.</li> <li>Choose the <strong>Actions</strong> drop-down list.</li> <li>Choose <strong>Delete Stack</strong>, and then choose <strong>Yes, Delete</strong>.</li> <li>CloudFormation displays a status of <strong>DELETE_IN_PROGRESS</strong> while it deletes the resources created with the stack. After a few moments, the stack should no longer appear in the list of completed stacks.<br /> <img class="alignnone wp-image-5458 size-full" title="Screenshot of stack &quot;DELETE_IN_PROGRESS&quot;" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/10/10/deleteinprogress_RB101017-a.png" alt="Screenshot of stack &quot;DELETE_IN_PROGRESS&quot;" width="795" height="157" /></li> </ol> <h3>Other applications of this solution</h3> <p>I have shown one way to use multiple AWS services to help continuously ensure that your security controls haven’t deviated from your security baseline. However, you also could use the <a href="https://github.com/awslabs/aws-security-benchmark" target="_blank" rel="noopener noreferrer">CIS Amazon Web Services Foundations Benchmarks</a>, for example, to establish a governance baseline across your AWS accounts and then use the principles in this blog post to automatically mitigate changes to that baseline.</p> <p>To scale this solution, you can create a framework that uses <a href="https://aws.amazon.com/answers/account-management/aws-tagging-strategies/" target="_blank" rel="noopener noreferrer">resource tags</a> to identify particular resources for monitoring. You also can use a consolidated monitoring approach by using cross-account event delivery. See <a href="http://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html" target="_blank" rel="noopener noreferrer">Sending and Receiving Events Between AWS Accounts</a> for more information. You also can extend the principle of automatic mitigation to detect and revert changes to other resources such as IAM policies and <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener noreferrer">Amazon S3</a> bucket policies.</p> <h3>Summary</h3> <p>In this blog post, I demonstrated how you can automatically revert changes to a VPC security group and have a notification sent about the changes. 
You can use this solution in your own AWS accounts to enforce your security requirements continuously.</p> <p>If you have comments about this blog post or other ideas for ways to use this solution, submit a comment in the “Comments” section below. If you have implementation questions, start a new thread in the <a href="https://forums.aws.amazon.com/forum.jspa?forumID=30" target="_blank" rel="noopener noreferrer">EC2 forum</a> or <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener noreferrer">contact AWS Support</a>.</p> <p>– Rob</p> <h2><a href="https://aws.amazon.com/blogs/security/join-us-for-aws-iam-day-on-monday-october-16-in-new-york-city/">Join Us for AWS IAM Day on Monday, October 16, in New York City</a></h2> <p>Tue, 10 Oct 2017 15:01:51 +0000</p> <p>Join us in New York City at the AWS Pop-up Loft for AWS IAM Day on Monday, October 16, from 9:30 A.M.–4:15 P.M. Eastern Time. At this free technical event, you will learn <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener noreferrer">AWS Identity and Access Management</a> (IAM) concepts from IAM product managers, as well as tools and strategies you can use for controlling access to your AWS environment, such as the IAM policy language and IAM best practices. You also will take an IAM policy ninja deep dive into permissions and learn how to use IAM roles to delegate access to your AWS resources. Last, you will learn how to integrate Active Directory with AWS workloads.</p> <p>You can attend one session or stay for the full day.</p> <p>Learn more about the available sessions and <a href="https://pages.awscloud.com/namer_ny-IAMDay_October_2017_RegistrationPage.html" target="_blank" rel="noopener noreferrer">register</a>!</p> <p>– Craig</p> <h2><a href="https://aws.amazon.com/blogs/security/join-us-for-aws-iam-day-on-monday-october-9-in-san-francisco/">Join Us for AWS IAM Day on Monday, October 9, in San Francisco</a></h2> <p>Thu, 05 Oct 2017 15:48:41 +0000</p> <p>Join us in San Francisco at the AWS Pop-up Loft for AWS IAM Day on Monday, October 9, from 9:30 A.M.–4:15 P.M. Pacific Time. 
At this free technical event, you will learn <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener noreferrer">AWS Identity and Access Management</a> (IAM) concepts from IAM product managers, as well as tools and strategies you can use for controlling access to your AWS environment, such as the IAM policy language and IAM best practices. You also will take an IAM policy ninja deep dive into permissions and learn how to use IAM roles to delegate access to your AWS resources. Last, you will learn how to integrate Active Directory with AWS workloads.</p> <p>You can attend one session or stay for the full day.</p> <p>Learn more about the available sessions and <a href="https://pages.awscloud.com/namer_sf-IAMDay_October_2017_RegistrationPage.html" target="_blank" rel="noopener noreferrer">register</a>!</p> <p>– Craig</p> <h2><a href="https://aws.amazon.com/blogs/security/join-aws-security-for-a-night-of-trivia-at-grace-hopper-2017/">Join AWS Security on October 4 for a Night of Trivia at Grace Hopper Celebration 2017</a></h2> <p>Mon, 02 Oct 2017 17:44:12 +0000</p> <p>If you’re attending this year’s <a href="http://ghc.anitaborg.org/" target="_blank" rel="noopener noreferrer">Grace Hopper Celebration</a> in Orlando, AWS is <a href="https://pages.awscloud.com/event_NAMER_Security-Jam-Grace-Hopper.html" target="_blank" rel="noopener noreferrer">inviting all attendees</a> to join us for a free evening of learning and networking. This AWS Security Jam will feature an opportunity to learn more about the AWS Security team (and about AWS security), socialize with peers, and engage in a night of trivia with your fellow conference friends. We will provide light appetizers and drinks. <a href="https://pages.awscloud.com/event_NAMER_Security-Jam-Grace-Hopper.html" target="_blank" rel="noopener noreferrer">RSVP today</a>.</p> <ul> <li><strong>Day:</strong> Wednesday, October 4, 2017</li> <li><strong>Time:</strong> 5:30–8:00 P.M. Eastern Time</li> <li><strong>Location:</strong> Rosen Centre Hotel Executive Ballroom, 9840 International Drive, Orlando, FL 32819 (next to the Orange County Convention Center)</li> </ul> <p>The first 150 attendees will win a door prize, and we will give additional prizes as part of a raffle at the end of the event. Follow us on Twitter <a href="https://twitter.com/awssecurityinfo" target="_blank" rel="noopener noreferrer">@AWSSecurityInfo</a> for more information and updates about all things AWS Security and Compliance.</p> <p>– Sara</p> <h2><a href="https://aws.amazon.com/blogs/security/the-top-20-aws-iam-documentation-pages-so-far-in-2017/">The Top 20 AWS IAM Documentation Pages so Far in 2017</a></h2> <p>Mon, 02 Oct 2017 15:34:25 +0000</p> <p>The following 20 pages have been the most viewed AWS Identity and Access Management (IAM) documentation pages so far this year. I have included a brief description with each link to explain what each page covers. Use this list to see what other AWS customers have been viewing and perhaps to pique your own interest in a topic you’ve been meaning to learn about.</p> <ol> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html" target="_blank" rel="noopener noreferrer">What Is IAM?</a><br /> Learn more about IAM, a web service that helps you securely control access to AWS resources for your users. 
You use IAM to control who can use your AWS resources (authentication) and how they can use resources (authorization).</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html" target="_blank" rel="noopener noreferrer">Creating an IAM User in Your AWS Account</a><br /> You can create one or more IAM users in your AWS account. You might create an IAM user when someone joins your organization, or when you have a new application that needs to make API calls to AWS.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html" target="_blank" rel="noopener noreferrer">IAM Policy Elements Reference</a><br /> Learn more about the elements that you can use when you create a policy. View additional policy examples and learn about conditions, supported data types, and how they are used in various services.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html" target="_blank" rel="noopener noreferrer">Managing Access Keys for IAM Users</a><br /> Users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" target="_blank" rel="noopener noreferrer">IAM Best Practices</a><br /> To help secure your AWS resources, follow these best practices for IAM.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html" target="_blank" rel="noopener noreferrer">Tutorial: Delegate Access to the Billing Console</a><br /> Learn how to delegate access to specific IAM users who need to view or manage AWS Billing and Cost Management data for an AWS account.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/console.html" target="_blank" rel="noopener noreferrer">The IAM Console and the Sign-in Page</a><br /> Learn about the IAM-enabled AWS Management Console sign-in page and how to sign in as an AWS account root user or as an IAM user. To help your users sign in easily, create a unique sign-in URL for your account.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_how-users-sign-in.html" target="_blank" rel="noopener noreferrer">How Users Sign In to Your Account</a><br /> After you create IAM users and passwords for each, your users can sign in to the AWS Management Console for your AWS account using your account ID or alias, or from a special URL that includes your account ID.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html" target="_blank" rel="noopener noreferrer">Using Multi-Factor Authentication (MFA) in AWS</a><br /> For increased security, AWS recommends that you configure MFA to help protect your AWS resources. MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device or SMS text message when they access AWS websites or services.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html" target="_blank" rel="noopener noreferrer">Working with Server Certificates</a><br /> Some AWS services can use server certificates that you manage with IAM or AWS Certificate Manager (ACM). ACM is the preferred tool to provision, manage, and deploy your server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html" target="_blank" rel="noopener noreferrer">Enabling a Virtual MFA Device</a><br /> Learn how to enable and manage virtual MFA devices from the AWS Management Console.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html" target="_blank" rel="noopener noreferrer">Overview of IAM Policies</a><br /> Read an overview of IAM policies, which define permissions.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html" target="_blank" rel="noopener noreferrer">Your AWS Account ID and Its Alias</a><br /> Learn how to find your AWS account ID and its alias.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html" target="_blank" rel="noopener noreferrer">IAM Roles</a><br /> You can delegate access to AWS resources using an IAM role. A role is similar to a user because it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html" target="_blank" rel="noopener noreferrer">Example Policies</a><br /> This collection of policies can help you define permissions for your IAM identities.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html" target="_blank" rel="noopener noreferrer">Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances</a><br /> Use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use a role, you do not have to distribute long-term credentials to an EC2 instance. Instead, the role supplies temporary permissions that applications can use when they make calls to other AWS resources.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html" target="_blank" rel="noopener noreferrer">Tutorial: Delegate Access Across AWS Accounts Using IAM Roles</a><br /> Learn how to use an IAM role to delegate access to resources that are in different AWS accounts that you own.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html" target="_blank" rel="noopener noreferrer">Creating Your First IAM Admin User and Group</a><br /> Learn how to create an IAM group, grant the group full permissions for all AWS services, and then create an administrative IAM user for yourself by adding the user to the IAM group.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html" target="_blank" rel="noopener noreferrer">Using Instance Profiles</a><br /> An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts. 
Use the commands on this page to work with instance profiles in an AWS account.</li> <li><a href="http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html" target="_blank" rel="noopener noreferrer">Temporary Security Credentials</a><br /> You can use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.</li> </ol> <p>In the “Comments” section below, let us know if you would like to see anything on these or other IAM documentation pages expanded or updated to make it more useful to you.</p> <p>–&nbsp;Stephenie</p> AWS EU (London) Region Selected to Provide Services to Support UK Law Enforcement Customers https://aws.amazon.com/blogs/security/aws-eu-london-region-selected-to-provide-services-to-support-uk-law-enforcement-customers/ Mon, 02 Oct 2017 13:37:37 +0000 cea31c21a3584c09713971a0d161cf169d3f2e95 The AWS EU (London) Region has been selected to provide services to support UK law enforcement customers. This decision followed an assessment by Home Office Digital, Data and Technology supported by their colleagues in the National Policing Information Risk Management Team (NPIRMT) to determine the region’s suitability for addressing their specific needs. The security, privacy, […] <p><img class="alignnone wp-image-5343 size-full" title="AWS Compliance image" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/09/30/SecurityDesignAWS1-1.png" alt="AWS Compliance image" width="800" height="200" /></p> <p>The AWS EU (London) Region has been selected to provide services to support UK law enforcement customers. 
This decision followed an assessment by <a href="https://hodigital.blog.gov.uk/" target="_blank" rel="noopener noreferrer">Home Office Digital, Data and Technology</a> supported by their colleagues in the National Policing Information Risk Management Team (NPIRMT) to determine the region’s suitability for addressing their specific needs.</p> <p>The security, privacy, and protection of AWS customers are AWS’s first priority. We are committed to supporting Public Sector, Blue Light, Justice, and Public Safety organizations. We hope that other organizations in these sectors will now be encouraged to consider AWS services when addressing their own requirements, including the challenge of providing modern, scalable technologies that can meet their ever-evolving business demands.</p> <p>– Oliver</p> Register for and Attend this September 28 Tech Talk: “How to Use AWS WAF to Mitigate OWASP Top 10 Attacks” https://aws.amazon.com/blogs/security/register-for-and-attend-this-september-28-tech-talk-how-to-use-aws-waf-to-mitigate-owasp-top-10-attacks/ Wed, 27 Sep 2017 19:03:29 +0000 bdea50d8744f5740f9e5c6b3da1c56554973ceee &nbsp; October 1, 2017, update: This webinar is now available as an on-demand video and slide deck. As part of the AWS Online Tech Talks series, AWS will present&nbsp;How to Use AWS WAF to Mitigate OWASP Top 10 Attacks&nbsp;on Thursday, September 28. This tech talk will start at 9:00 A.M. 
Pacific Time and end at […] <p><img class="alignnone" title="AWS Online Tech Talks banner" src="https://d0.awsstatic.com/Digital%20Marketing/Webinar/webinar_banner.png" alt="AWS Online Tech Talks banner" width="1180" height="200" align="middle" /></p> <p><strong>October 1, 2017, update:</strong> This webinar is now available as an <a href="https://www.youtube.com/watch?v=uIGXYtBWaA0" target="_blank" rel="noopener noreferrer">on-demand video</a> and <a href="https://www.slideshare.net/AmazonWebServices/how-to-use-aws-waf-to-mitigate-owasp-top-10-attacks-aws-online-tech-talks" target="_blank" rel="noopener noreferrer">slide deck</a>.</p> <hr /> <p>As part of the AWS Online Tech Talks series, AWS will present&nbsp;<a href="https://pages.awscloud.com/registration_092817_How-to-use-AWS-WAF-to-Mitigate-OWASP-Top-10-Attacks.html" target="_blank" rel="noopener noreferrer">How to Use AWS WAF to Mitigate OWASP Top 10 Attacks</a>&nbsp;on Thursday, September 28. This tech talk will start at 9:00 A.M. Pacific Time and end at 9:40 A.M. Pacific Time.</p> <p>The <a href="https://www.owasp.org/index.php/Top_10_2017-Top_10" target="_blank" rel="noopener noreferrer">Open Web Application Security Project (OWASP) Top 10</a> identifies the most critical vulnerabilities that web developers must address in their applications. AWS WAF, a web application firewall, helps you address the vulnerabilities identified in the OWASP Top 10. 
In this webinar, you will learn how to use AWS WAF to write rules to match common patterns of exploitation and block malicious requests from reaching your web servers.</p> <p>You also will learn how to:</p> <ul> <li>Secure your web applications.</li> <li>Configure AWS Shield and AWS WAF.</li> <li>Defend against the most common layer 7 attacks.</li> </ul> <p>This tech talk is free.&nbsp;<a href="https://pages.awscloud.com/registration_092817_How-to-use-AWS-WAF-to-Mitigate-OWASP-Top-10-Attacks.html" target="_blank" rel="noopener noreferrer">Register today</a>.</p> <p>–&nbsp;Craig</p> Amazon Cognito User Pools Now Integrates with Amazon Pinpoint to Add Analytics for User Pools https://aws.amazon.com/blogs/security/amazon-cognito-user-pools-now-integrates-with-amazon-pinpoint-to-add-analytics-for-user-pools/ Wed, 27 Sep 2017 18:29:50 +0000 79acc0d06e1573bee37cdceb0e8285b758ab1551 Amazon Cognito User Pools now integrates with Amazon Pinpoint to provide analytics for user pools and to enrich the user data for Amazon Pinpoint campaigns. Amazon Cognito User Pools provides user directories that make&nbsp;it easy to add sign-up and sign-in to your mobile or web application. Amazon Pinpoint provides analytics and targeted campaigns to drive […] <p style="text-align: center"><img class="alignnone wp-image-5309 size-full" title="Amazon Cognito User Pools image" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2017/09/27/Cognito_Overview_4a1.jpg" alt="Amazon Cognito User Pools image" width="1000" height="400" /></p> <p><a href="http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html" target="_blank" rel="noopener noreferrer">Amazon Cognito User Pools</a> now integrates with <a href="https://aws.amazon.com/pinpoint/" target="_blank" rel="noopener noreferrer">Amazon Pinpoint</a> to provide analytics for user pools and to enrich the user data for Amazon Pinpoint campaigns. 
Amazon Cognito User Pools provides user directories that make&nbsp;it easy to add sign-up and sign-in to your mobile or web application. Amazon Pinpoint provides analytics and targeted campaigns to drive user engagement in mobile apps by using push notifications. Using Amazon Pinpoint analytics, you can track user pool sign-ups, sign-ins, failed authentications, daily active users, and monthly active users.</p> <p>To learn more, see the <a href="https://aws.amazon.com/about-aws/whats-new/2017/09/amazon-cognito-integrates-with-amazon-pinpoint-to-add-analytics-for-user-pools-and-enrich-pinpoint-campaigns/" target="_blank" rel="noopener noreferrer">What’s New post</a>, the <a href="http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html" target="_blank" rel="noopener noreferrer">Amazon Cognito Developer Guide</a>, and the <a href="http://docs.aws.amazon.com/pinpoint/latest/developerguide/welcome.html" target="_blank" rel="noopener noreferrer">Amazon Pinpoint Developer Guide</a>.</p> <p>– Craig</p>