AWS Security Blog

Tag: AWS IAM

Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM

June 5, 2021: We’ve updated Figure 1: User request flow. Authorizing functionality of an application based on group membership is a best practice. If you’re building APIs with Amazon API Gateway and you need fine-grained access control for your users, you can use Amazon Cognito. Amazon Cognito allows you to use groups to create a […]

Read More

IAM makes it easier for you to manage permissions for AWS services accessing your resources

Amazon Web Services (AWS) customers are storing an unprecedented amount of data on AWS for a range of use cases, including data lakes and analytics, machine learning, and enterprise applications. Customers secure their data by implementing data security controls including identity and access management, network security, and encryption. For non-public, sensitive data, customers want to […]

Read More

Review last accessed information to identify unused EC2, IAM, and Lambda permissions and tighten access for your IAM roles

AWS Identity and Access Management (IAM) helps customers analyze access and achieve least privilege. When you are working on new permissions for your team, you can use IAM Access Analyzer policy generation to create a policy based on your access activity and set fine-grained permissions. To analyze and refine existing permissions, you can use last […]

Read More

IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity

In 2019, AWS Identity and Access Management (IAM) Access Analyzer was launched to help you remove unintended public and cross account access by analyzing your existing permissions. In March 2021, IAM Access Analyzer added policy validation to help you set secure and functional permissions during policy authoring. Now, IAM Access Analyzer takes that a step […]

Read More

Highlights from the latest AWS Identity launches

Here is the latest from AWS Identity from November 2020 through February 2021. The features highlighted in this blog post can help you manage and secure your Amazon Web Services (AWS) environment. Identity services answer the question of who has access to what. They enable you to securely manage identities, resources, and permissions at scale and […]

Read More

Validate access to your S3 buckets before deploying permissions changes with IAM Access Analyzer

AWS Identity and Access Management (IAM) Access Analyzer helps you monitor and reduce access by using automated reasoning to generate comprehensive findings for resource access. Now, you can preview and validate public and cross-account access before deploying permission changes. For example, you can validate whether your S3 bucket would allow public access before deploying your […]

Read More

How to delegate management of identity in AWS Single Sign-On

In this blog post, I show how you can use AWS Single Sign-On (AWS SSO) to delegate administration of user identities. Delegation is the process of providing your teams permissions to manage accounts and identities associated with their teams. You can achieve this by using the existing integration that AWS SSO has with AWS Organizations, […]

Read More

Analyze and understand IAM role usage with Amazon Detective

In this blog post, we’ll demonstrate how you can use Amazon Detective’s new role session analysis feature to investigate security findings that are tied to the usage of an AWS Identity and Access Management (IAM) role. You’ll learn about how you can use this new role session analysis feature to determine which Amazon Web Services […]

Read More

Use tags to manage and secure access to additional types of IAM resources

AWS Identity and Access Management (IAM) now enables Amazon Web Services (AWS) administrators to use tags to manage and secure access to more types of IAM resources, such as customer managed IAM policies, Security Assertion Markup Language (SAML) providers, and virtual multi-factor authentication (MFA) devices. A tag is an attribute that consists of a key […]

Read More

Use new account assignment APIs for AWS SSO to automate multi-account access

February 18, 2021: We updated the name of the organization management account used in the example. The new name is ExampleOrgManagement. February 10, 2021: We updated the commands in the Cleanup section of this post. In this blog post, we’ll show how you can programmatically assign and audit access to multiple AWS accounts for your […]

Read More