AWS Security Blog

In Case You Missed These: Recent AWS Security Blog Posts

Just in case you missed any of the AWS Security Blog posts from the last month or so, we have summarized and linked to them in this blog post. The linked posts are shown in reverse chronological order (most recent first), and the subject matter ranges from privacy and data security at Amazon to AWS re:Invent 2015.

June 12:  Privacy and Data Security

Amazon knows customers care deeply about privacy and data security, and we optimize our work to get these issues right for customers. With this post I’d like to provide a number of observations on our policies and positions.

June 8: FERPA Compliance in the AWS Cloud

The security of personally identifiable information (PII) continues to be an important topic among all sectors, and education is no exception. Covered entities subject to FERPA are turning to cloud computing as a highly efficient way to manage and secure vast amounts of educational records and student data. To bring clarity to securing student data and privacy, we recently published a FERPA Compliance on AWS whitepaper.

June 2: How to Delegate Management of Multi-Factor Authentication to AWS IAM Users

AWS Identity and Access Management (IAM) has a list of best practices that you are encouraged to use. One of those best practices is to enable multi-factor authentication (MFA) for your AWS root account. MFA verifies your identity through something you know (user name and password) and something you have (MFA hardware or software token). Enabling MFA for one account is a simple process, and setup on the root account typically only takes a few minutes. But what about large-scale administration of MFA? Centralized provisioning and management can be tedious and scales poorly. Even so, the value of MFA-secured access demands a workable approach for securing your AWS assets.

This post will show you how to grant your users access to provision and manage their own MFA devices while not allowing them access to any AWS resources until they authenticate via their newly provisioned MFA device. The following diagram shows the workflow that this blog post follows.

May 28: How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS

AWS supports identity federation using SAML (Security Assertion Markup Language) 2.0. Using SAML, you can configure your AWS accounts to integrate with your identity provider (IdP). Once configured, your federated users are authenticated and authorized by your organization’s IdP, and then can use single sign-on (SSO) to sign in to the AWS Management Console. This not only obviates the need for your users to remember yet another user name and password, but it also streamlines identity management for your administrators. This is great if your federated users want to access the AWS Management Console, but what if they want to use the AWS CLI or programmatically call AWS APIs?

In this blog post, I will show you how you can implement federated API and CLI access for your users. The examples provided use the AWS Python SDK and some additional client-side integration code. If you have federated users that require this type of access, implementing this solution should earn you more than one high five on your next trip to the water cooler.

May 22: AWS Key Management Service Adds Support for Updating Key Aliases

In November 2014, AWS launched Key Management Service (KMS), a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data managed by AWS services and within your own applications. One of the features KMS offers is the key alias, an arbitrary string that can be associated with a cryptographic key in a region.

In this blog post, Anders Joergensen, a KMS developer, explains the ways in which you can use key aliases and describes the new UpdateAlias API we’ve launched to allow you to update the association of a key alias from one key to another within a region.

May 21: Test Your Roles’ Access Policies Using the AWS Identity and Access Management Policy Simulator

You can now use the AWS Identity and Access Management (IAM) policy simulator to test and validate your roles’ access control policies. The policy simulator is a tool to help you author and validate the policies that set permissions on your AWS resources. This tool provides a “playground” where you can iteratively author least privilege policies on your AWS resources and test the effects of your policy updates before actually applying the changes to your users, groups, and roles. Also, you may have attached multiple policies to a role and want to know which final permissions are granted across all these policies—the simulator is a great tool for this! To help you get started using the policy simulator for roles, this blog post will walk through an example.

May 20: New SOC 1, 2, and 3 Reports Available — Including a New Region and Service In-Scope

Over the last few months, we’ve added a number of new capabilities that make authoring and managing policies easier. We launched the policy validator that notifies you of noncompliant policies in the IAM console and guides you to a validation tool you can use to help correct your policies. In February, we released managed policies, which enable you to attach a single policy to multiple IAM users, groups, and roles. And last week, we made it easier to author policies in the IAM console with improved error messaging and policy autoformatting. Now, we are upgrading IAM policy validation to help you ensure that you author compliant policies.

May 15:  How to Receive Alerts When Specific APIs Are Called by Using AWS CloudTrail, Amazon SNS, and AWS Lambda

Let’s face it—not all APIs were created equal. For example, you may be really interested in knowing when any of your Amazon EC2 instances are terminated (ec2:TerminateInstance), but less interested when an object is put in an Amazon S3 bucket (s3:PutObject). In this example, you can delete an object, but you can’t bring back that terminated instance. So this begs the question, “Is there a way to be notified when certain APIs are called using my AWS account?” The answer is yes! But how, though, can you be notified if unexpected API calls are made to supported services in your AWS account?

This blog post will show you how to receive email notifications by using AWS CloudTrail, Amazon Simple Notification Service (SNS), and AWS Lambda when specific APIs that you are interested in monitoring are called in your AWS account. Specifically, this post includes step-by-step configuration instructions for implementing a solution, which combines:

  • CloudTrail – As the source of log files for analysis.
  • Lambda – To implement the parsing and filtering logic.
  • SNS – To send notifications.

May 14: AWS Directory Service Now Supports API Access and Logging Via AWS CloudTrail

Developers can now programmatically create and configure Simple AD and AD Connector directories in AWS Directory Service via the AWS SDKs or CLI. You can also now use Cloud Trail to log API actions performed via an SDK, the CLI, or AWS Directory Service console. Permissions for performing these actions can be controlled via an AWS IAM policy, and  the APIs can be used in all AWS regions in which Directory Service is available.

May 13: Staying Ahead of the Curve–Customer Enabler AWS OCIE Cybersecurity Initiative Workbook

We focus on enabling our customers to scale their security and compliance capabilities on AWS, and we enhance our customers’ ability to meet a wide variety of security and regulatory requirements. With a continued focus on our customers’ regulatory needs in the financial services sector, we created another customer facing workbook, which aligns the new US Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative requirements with the existing AWS compliance reports and certifications. This AWS OCIE Cybersecurity Initiative Workbook will directly support our financial services customers in meeting their obligations related to these new requirements and in establishing and operating a risk alert program compliant with the OCIE Cybersecurity Initiative.

May 12: AWS re:Invent 2015 Registration Is Now Open

Registration is now open for the fourth annual AWS re:Invent conference—the largest gathering of the global cloud computing community. Join us for more than 250 technical sessions, hands-on bootcamps, certification exams, self-paced labs, hackathons, and exciting after-hours events.

Date: October 6–9, 2015
Location: The Venetian, Las Vegas
Full conference pass: $1,299

Register now: https://reinvent.awsevents.com/
May 11: Amazon Redshift and Amazon RDS Now Support Encryption via AWS Key Management Service in the AWS GovCloud (US) Region

Today, Amazon Redshift and Amazon RDS for MySQL, PostgreSQL, Oracle, and SQL Server DB released support for encryption using AWS Key Management Service (KMS) in the AWS GovCloud (US) region. Using keys under your control, you can now encrypt RDS instances, including MySQL, PostgreSQL, Oracle, and SQL Server DB instance types, and Amazon Redshift clusters in AWS GovCloud (US).

If you have questions, post them on the AWS Forum.

– Craig