AWS Directory Service Now Supports API Access and Logging Via AWS CloudTrail

Developers can now programmatically create and configure Simple AD and AD Connector directories in AWS Directory Service via the AWS SDKs or CLI. You can also now use Cloud Trail to log API actions performed via an SDK, the CLI, or AWS Directory Service console. Permissions for performing these actions can be controlled via an AWS IAM policy, and  the APIs can be used in all AWS regions in which Directory Service is available.

To get started, download the latest AWS SDK or CLI, or learn more about the new APIs in our developer guide.

If you have questions, please post them on the Directory Service forum.

– Rob

Some AWS SDKs Security Features You Should Know About

The AWS SDK team recently added and documented some security-related features that we think you shouldn’t miss. Check these out!

Updates for managing access keys in the .NET and Java SDKs. In Referencing Credentials using Profiles, blogger Norm Johanson describes how you can now put a credentials file in your user folder. This great security enhancement makes it easier to keep access keys in a safe and secure location when you use the SDKs, as we recommend in our best practices for managing access keys. You can also keep multiple configuration profiles (as you can  for the AWS CLI), which makes it very easy to test code using the credentials for different users. These features are available in both the .NET SDK and the Java SDK.

Encryption features for Amazon S3. In Using AmazonS3EncryptionClient to Send Secure Data Between Two Parties, blogger Hanson Char describes a little-known feature—how to securely share proprietary data on S3 using a public/private key pair. This feature is available in the .NET, Java, and Ruby SDKs. And in Amazon S3 Client-Side Authenticated Encryption, Hanson alerts us to a new feature of the Java SDK that enables you not only to keep S3 data encrypted at rest, but to enhance the security of the data with a new feature that adds an integrity check for both the data and the envelope key.

To keep up with the fast-moving AWS SDK team, be sure to subscribe to their blogs—you can find their blogs under AWS Blogs on the side of this page.

– Mike

How to Rotate Access Keys for IAM Users

Changing access keys (which consist of an access key ID and a secret access key) on a regular schedule is a well-known security best practice because it shortens the period an access key is active and therefore reduces the business impact if they are compromised. Having an established process that is run regularly also ensures the operational steps around key rotation are verified, so changing a key is never a scary step.

In an earlier post, we described Identity and Access Management (IAM) roles for Amazon EC2. If you run applications on EC2 that need access to AWS services, we strongly recommend using this feature. Roles use temporary security credentials that auto-expire and auto-renew, so you don’t have to worry about access key rotation – AWS does it for you. However, if you are running applications somewhere other than on EC2, you should add access key rotation to your application management process. In this post, Cristian Ilac, software development manager on the IAM team, will walk you through the steps to rotate access keys for an IAM user.  (more…)