AWS Security Blog

Tag: AWS IAM

Use attribute-based access control with AD FS to simplify IAM permissions management

June 19, 2020: The Prerequisites section of this post has been updated to include the prerequisite to enable Sts:tagSession to the role trust policy. AWS Identity and Access Management (IAM) allows customers to provide granular access control to resources in AWS. One approach to granting access to resources is to use attribute-based access control (ABAC) […]

Read More

Continuously monitor unused IAM roles with AWS Config

January 6, 2020: Made an update to reflect a valid STS session duration if configured to assume a role into other accounts. Developing in the cloud encourages you to iterate frequently as your applications and resources evolve. You should also apply this iterative approach to the AWS Identity and Access Management (IAM) roles you create. […]

Read More

Identify unused IAM roles and remove them confidently with the last used timestamp

November 25, 2019: We’ve corrected a documentation link. As you build on AWS, you create AWS Identity and Access Management (IAM) roles to enable teams and applications to use AWS services. As those teams and applications evolve, you might only rely on a sub-set of your original roles to meet your needs. This can leave […]

Read More

New! Set permission guardrails confidently by using IAM access advisor to analyze service-last-accessed information for accounts in your AWS organization

You can use AWS Organizations to centrally govern and manage multiple accounts as you scale your AWS workloads. With AWS Organizations, central security administrators can use service control policies (SCPs) to establish permission guardrails that all IAM users and roles in the organization’s accounts adhere to. When teams and projects are just getting started, administrators […]

Read More

Working backward: From IAM policies and principal tags to standardized names and tags for your AWS resources

Note from July 5, 2019: Added information about attribute-based access control (ABAC) to the “AWS features used in this approach” section. When organizations first adopt AWS, they have to make many decisions that will lay the foundation for their future footprint in the cloud. Part of this includes making decisions about the number of AWS […]

Read More

How to rotate Amazon DocumentDB and Amazon Redshift credentials in AWS Secrets Manager

Using temporary credentials is an AWS Identity and Access Management (IAM) best practice. Even Dilbert is learning to set up temporary credentials. Today, AWS Secrets Manager made it easier to follow this best practice by launching support for rotating credentials for Amazon DocumentDB and Amazon Redshift automatically. Now, with a few clicks, you can configure […]

Read More

How to centralize and automate IAM policy creation in sandbox, development, and test environments

To keep pace with AWS innovation, many customers allow their application teams to experiment with AWS services in sandbox environments as they move toward production-ready architecture. These teams need timely access to various sets of AWS services and resources, which means they also need a mechanism to help ensure least privilege is granted. In other […]

Read More

How to create and manage users within AWS Single Sign-On

AWS Single Sign-On (AWS SSO) is a cloud service that allows you to grant your users access to AWS resources, such as Amazon EC2 instances, across multiple AWS accounts. By default, AWS SSO now provides a directory that you can use to create users, organize them in groups, and set permissions across those groups. You […]

Read More

Use YubiKey security key to sign into AWS Management Console with YubiKey for multi-factor authentication

Update on October 8, 2018: After we launched support for security devices manufactured by Yubico on September 25, 2018, we received feedback from customers to support other U2F security key providers, as well. Starting October 8, 2018, you can now enable other U2F security keys as an MFA device for your root and IAM users. […]

Read More