AWS Security Blog
Tag: How-to guides
How to Use Service Control Policies in AWS Organizations
With AWS Organizations, you can centrally manage policies across multiple AWS accounts without having to use custom scripts and manual processes. For example, you can apply service control policies (SCPs) across multiple AWS accounts that are members of an organization. SCPs allow you to define which AWS service APIs can and cannot be executed by […]
How to Delegate Administration of Your AWS Managed Microsoft AD Directory to Your On-Premises Active Directory Users
You can now enable your on-premises users to administer your AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD. Using an Active Directory (AD) trust and the new AWS delegated AD security groups, you can grant administrative permissions to your on-premises users by managing group membership in your on-premises AD directory. […]
IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)
In previous posts we’ve explained how to write S3 policies for the console and how to use policy variables to grant access to user-specific S3 folders. This week we’ll discuss another frequently asked-about topic: the distinction between IAM policies, S3 bucket policies, S3 ACLs, and when to use each. They’re all part of the AWS […]
Announcing New IAM Policy Simulator
Check out the new IAM policy simulator, a tool that enables you to test the effects of IAM access control policies before committing them into production, making it easier to verify and troubleshoot permissions. Learn more at the AWS Blog. – Kai
Guidelines for When to Use Accounts, Users, and Groups
I often get asked when to use different AWS accounts to enforce separation of duties versus using IAM users and groups within a single account. While the complete answer depends on what AWS services you use, the general guidelines in this post will point you in the right direction. As context for the guidelines, consider […]
How to Rotate Access Keys for IAM Users
Changing access keys (which consist of an access key ID and a secret access key) on a regular schedule is a well-known security best practice because it shortens the period an access key is active and therefore reduces the business impact if they are compromised. Having an established process that is run regularly also ensures […]
Using IAM Roles to Distribute Non-AWS Credentials to Your EC2 Instances
Last week’s blog post explained how to distribute AWS credentials to EC2 instances using IAM roles. Will Kruse, Security Engineer on the AWS Identity and Access Management (IAM) team, is back again this week to discuss how roles can also be used to distribute arbitrary secrets to EC2 instances. As we discussed last week, Amazon EC2 Roles for Instances […]
A Safer Way to Distribute AWS Credentials to EC2
If you have applications running on EC2 that also access other AWS services like Amazon S3 or Amazon DynamoDB, then these applications require credentials out on the EC2 instance. You can hard-code AWS access keys into your application, but you’re faced with the added responsibility of distributing them to the instance securely and then the […]
Important Notification About Your AWS Virtual MFA Device
** Update: the Google Authenticator application for iOS has been updated and is now available from Apple’s App Store. It no longer has the issue of potentially losing existing AWS MFA tokens reported in this post. Do you use Google Authenticator for iOS for AWS MFA? If so, then read this! If you use Google […]
A Primer on RDS Resource-Level Permissions
Previously, we blogged about how to use resource-level permissions for Amazon EC2 to control access to specific EC2 instances. Resource-level permissions can now also be applied to Amazon Relational Database Service (Amazon RDS). This week’s guest blogger, Chris Checkwitch, Software Development Manager on the RDS team, will explain how to tackle the commonly requested use case of controlling access to […]