AWS Security Blog
Tag: Best Practices
A Safer Way to Distribute AWS Credentials to EC2
If you have applications running on EC2 that also access other AWS services like Amazon S3 or Amazon DynamoDB, then these applications require credentials out on the EC2 instance. You can hard-code AWS access keys into your application, but you’re faced with the added responsibility of distributing them to the instance securely and then the […]
A Primer on RDS Resource-Level Permissions
Previously, we blogged about how to use resource-level permissions for Amazon EC2 to control access to specific EC2 instances. Resource-level permissions can now also be applied to Amazon Relational Database Service (Amazon RDS). This week’s guest blogger, Chris Checkwitch, Software Development Manager on the RDS team, will explain how to tackle the commonly requested use case of controlling access to […]
Where’s My Secret Access Key?
Update on March 12, 2019: You can now find and update your access keys from a single, central location in the AWS Management Console. Learn how in this post. In this blog post, I’ll discuss what you should do in case you’ve lost your secret access key or need a new one. This post assumes that […]
2013 PCI Compliance Package Available Now
We’re happy to announce the availability of the 2013 PCI Compliance Package. Along with the AWS PCI Attestation of Compliance, this package includes our independent assessor’s revised and expanded PCI Customer Responsibility Matrix, which describes the customer and AWS shared responsibility for each of the 200+ PCI Data Security Standard controls. This document will help […]
Improve the Security of Your AWS Account in Less Than 5 Minutes
If you’re a frequent reader of this blog, you probably know that AWS recommends as a security best practice that you set up one or more AWS Identity and Access Management (IAM) users for interaction with AWS services, rather than use your root account. Why? The credentials for your AWS root account provide full access […]
Controlling Network Access to EC2 Instances Using a Bastion Server
As the number of EC2 instances in your AWS environment grows, so too does the number of administrative access points to those instances. Depending on where your administrators connect to your instances from, you may consider enforcing stronger network-based access controls. A best practice in this area is to use a bastion. A bastion is […]
Securing Access to AWS Using MFA – Part 3
In Part 1 (configuring MFA for sign-in) and Part 2 (MFA-protected API access) of this series, we discussed various ways in which AWS Multi-Factor Authentication (MFA) can improve the security of your account. This week’s topic will be a brief overview of how you can use MFA in conjunction with Amazon S3 Versioning. What is […]
Resource-Level Permissions for EC2–Controlling Management Access on Specific Instances
Note: As of March 28, 2017, Amazon EC2 supports tagging on creation, enforced tag usage, AWS Identity and Access Management (IAM) resource-level permissions, and enforced volume encryption. See New – Tag EC2 Instances & EBS Volumes on Creation on the AWS Blog for more information. We are happy to announce that we launched resource-level permissions […]
Generating IAM Policies in Code
If you’ve worked with AWS Identity and Access Management (IAM) policies, you know that they’re expressed as JSON documents. For example, here’s a policy that grants permission to perform some actions in our Amazon Glacier storage service: { “Version”: “2012-10-17”, “Statement”: [ { “Action”: [ “glacier:ListVaults”, “glacier:DescribeVault”, “glacier:GetVaultNotifications” ], “Effect”: “Allow”, “Resource”: “*” } ] } […]
Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket
Many of you have asked how to construct an AWS Identity and Access Management (IAM) policy with folder-level permissions for Amazon S3 buckets. This week’s guest blogger Elliot Yamaguchi, Technical Writer on the IAM team, will explain the basics of writing that type of policy. To show you how to create a policy with folder-level […]