AWS Security Blog

High-Availability IAM Design Patterns

Today Will Kruse, Senior Security Engineer on the AWS Identity and Access Management (IAM) team, provides a tutorial on how to enable resiliency against authentication and authorization failures in an application deployed on Amazon EC2 using a high availability design pattern based on IAM roles. Background Many of you invest significant effort to ensure that a […]

Read More

How Do I Protect Cross-Account Access Using MFA?

Today AWS announced support for adding multi-factor authentication (MFA) for cross-account access. In this blog post, I will walk you through a common use case, including a code sample, which demonstrates how to create policies that enforce MFA when IAM users from one AWS account make programmatic requests for resources in a different account. Many […]

Read More

New Whitepaper: Security at Scale: Logging in AWS

The newly released Security at Scale: Logging in AWS whitepaper is designed to illustrate how AWS CloudTrail can help you meet compliance and security requirements through the logging of API calls. The API call history can be used to track changes to resources, perform security analysis, operational troubleshooting and as an aid in meeting compliance […]

Read More

Dilbert Learns to Set Up Temporary Credentials

It seems that the topic of using temporary security credentials has been coming up at lot recently. Several weeks ago Rich Mogull expressed his chagrin for not using temporary credentials in his post titled, “My $500 Cloud Security Screw-up”. And over the weekend Scott Adams published a Dilbert comic poking fun of Dilbert not understanding […]

Read More

An Instructive Tale About Using IAM Best Practices

An interesting blog post came to our attention recently—My $500 Cloud Security Screw-up by Rich Mogull. He describes how he learned to adhere to several important AWS security principles through several unfortunate events.   Mike Pope, senior technical writer for AWS Identity, paraphrases the post here. Rich had inadvertently leaked his AWS access keys, allowing some […]

Read More

Tracking Federated User Access to Amazon S3 and Best Practices for Protecting Log Data

Auditing by using logs is an important capability of any cloud platform.  There are several third party solution providers that provide auditing and analysis using AWS logs.  Last November AWS announced its own logging and analysis service, called AWS CloudTrail.  While logging is important, understanding how to interpret logs and alerts is crucial.  In this blog […]

Read More

A Retrospective of 2013

We established the Security Blog in April 2013 to provide you with guidance, best practices, and technical walk-throughs to help increase the security of your AWS account and better achieve compliance. Hopefully you have been able to read all of the posts published in 2013, but in case you’ve missed a few, here is an […]

Read More

Make a New Year Resolution

Make a New Year Resolution for 2014 to adhere to best practices put forth by AWS Security and Identity.  There are two great pieces of work published in 2013 that are filled with guidance and are highly actionable.  AWS published the Security Best Practices whitepaper, providing a landscape of various security oriented technologies, including IAM, […]

Read More

Analyzing OS-Related Security Events on EC2 with SplunkStorm

An important objective of analyzing OS-generated data is to detect, correlate, and report on potential security events. Several partner solutions available in AWS Marketplace provide this functionality, including Splunk.  Splunk is also used for many other use cases relevant to AWS, including devops, where developers and operations use Splunk to analyze logs for better performance and availability […]

Read More

Delegating API Access to AWS Services Using IAM Roles

Suppose you run a research lab and you dump a terabyte or so of data into Amazon DynamoDB for easy processing and analysis. Your colleagues at other labs and in the commercial sphere have become aware of your research and would like to reproduce your results and perform further analysis on their own. AWS supports this very important […]

Read More