AWS Security Blog

Tag: IAM

IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity

In 2019, AWS Identity and Access Management (IAM) Access Analyzer was launched to help you remove unintended public and cross account access by analyzing your existing permissions. In March 2021, IAM Access Analyzer added policy validation to help you set secure and functional permissions during policy authoring. Now, IAM Access Analyzer takes that a step […]

Read More

Guidelines for protecting your AWS account while using programmatic access

One of the most important things you can do as a customer to ensure the security of your resources is to maintain careful control over who has access to them. This is especially true if any of your AWS users have programmatic access. Programmatic access allows you to invoke actions on your AWS resources either […]

Read More

How to quickly find and update your access keys, password, and MFA setting using the AWS Management Console

You can now more quickly view and update all your security credentials from one place using the “My Security Credentials” page in the AWS Management Console. When you grant your developers programmatic access or AWS Management Console access, they receive credentials, such as a password or access keys, to access AWS resources. For example, creating […]

Read More

How to automate SAML federation to multiple AWS accounts from Microsoft Azure Active Directory

December 2, 2019: Since the author wrote this post, AWS Single Sign On (AWS SSO) has launched native features that simplify using Azure Active Directory as an identity provider. Therefore, AWS SSO is now the recommended solution for enabling SAML federation using Azure AD. See this blog post for details. You can use federation to […]

Read More

Automate analyzing your permissions using IAM access advisor APIs

As an administrator that grants access to AWS, you might want to enable your developers to get started with AWS quickly by granting them broad access. However, as your developers gain experience and your applications stabilize, you want to limit permissions to only what they need. To do this, access advisor will determine the permissions […]

Read More

Recovering from a rough Monday morning: An Amazon GuardDuty threat detection and remediation scenario

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. Given the many log types that Amazon GuardDuty analyzes (Amazon Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and DNS logs), you never know what it might discover in your […]

Read More

How to Eliminate the Need for Hardcoded AWS Credentials in Devices by Using the AWS IoT Credentials Provider

August 31, 2021: AWS IoT Core Credential Provider enables customers to request temporary, limited-privilege security tokens that are valid up to 12 hours and use the tokens to sign and authenticate any AWS request. Until now, the AWS IoT Core Credential Provider issued security tokens that were valid up to 1 hour only. Now with […]

Read More

How to Use Service Control Policies in AWS Organizations

January 20, 2020: Based on customer feedback, we rephrased the fourth goal in the “An example structure with nested OUs and SCPs” section to try to improve clarity. With AWS Organizations, you can centrally manage policies across multiple AWS accounts without having to use custom scripts and manual processes. For example, you can apply service […]

Read More

How to Use SAML to Automatically Direct Federated Users to a Specific AWS Management Console Page

Identity federation enables your enterprise users (such as Active Directory users) to access the AWS Management Console via single sign-on (SSO) by using their existing credentials. In Security Assertion Markup Language (SAML) 2.0, RelayState is an optional parameter that identifies a specified destination URL your users will access after signing in with SSO. When using […]

Read More

Now Available: Get Even More Details from Service Last Accessed Data

In December, AWS Identity and Access Management (IAM) released service last accessed data, which shows the time when an IAM entity (a user, group, or role) last accessed an AWS service. This provided a powerful tool to help you grant least privilege permissions. Starting today, it’s easier to identify where you can reduce permissions based […]

Read More