AWS Security Blog

Tag: Permissions

Build an end-to-end attribute-based access control strategy with AWS SSO and Okta

This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and also describes how to use ABAC with AWS Single Sign-On (AWS SSO) when you’re using Okta as an identity provider (IdP). Over the past two years, Amazon Web Services (AWS) has invested heavily in making ABAC available across the majority […]

Read More

How to delegate management of identity in AWS Single Sign-On

In this blog post, I show how you can use AWS Single Sign-On (AWS SSO) to delegate administration of user identities. Delegation is the process of providing your teams permissions to manage accounts and identities associated with their teams. You can achieve this by using the existing integration that AWS SSO has with AWS Organizations, […]

Read More

How to use resource-based policies in the AWS Secrets Manager console to securely access secrets across AWS accounts

AWS Secrets Manager now enables you to create and manage your resource-based policies using the Secrets Manager console. With this launch, we are also improving your security posture by both identifying and preventing creation of resource policies that grant overly broad access to your secrets across your Amazon Web Services (AWS) accounts. To achieve this, […]

Read More

Tighten S3 permissions for your IAM users and roles using access history of S3 actions

Customers tell us that when their teams and projects are just getting started, administrators may grant broad access to inspire innovation and agility. Over time administrators need to restrict access to only the permissions required and achieve least privilege. Some customers have told us they need information to help them determine the permissions an application […]

Read More

Use attribute-based access control with AD FS to simplify IAM permissions management

June 19, 2020: The Prerequisites section of this post has been updated to include the prerequisite to enable Sts:tagSession to the role trust policy. AWS Identity and Access Management (IAM) allows customers to provide granular access control to resources in AWS. One approach to granting access to resources is to use attribute-based access control (ABAC) […]

Read More

Identify unused IAM roles and remove them confidently with the last used timestamp

November 25, 2019: We’ve corrected a documentation link. As you build on AWS, you create AWS Identity and Access Management (IAM) roles to enable teams and applications to use AWS services. As those teams and applications evolve, you might only rely on a sub-set of your original roles to meet your needs. This can leave […]

Read More

New! Set permission guardrails confidently by using IAM access advisor to analyze service-last-accessed information for accounts in your AWS organization

You can use AWS Organizations to centrally govern and manage multiple accounts as you scale your AWS workloads. With AWS Organizations, central security administrators can use service control policies (SCPs) to establish permission guardrails that all IAM users and roles in the organization’s accounts adhere to. When teams and projects are just getting started, administrators […]

Read More

Create fine-grained session permissions using IAM managed policies

As a security best practice, AWS Identity and Access Management (IAM) recommends that you use temporary security credentials from AWS Security Token Service (STS) when you access your AWS resources. Temporary credentials are short-term credentials generated dynamically and provided to the user upon request. Today, one of the most widely used mechanisms for requesting temporary […]

Read More

Automate analyzing your permissions using IAM access advisor APIs

As an administrator that grants access to AWS, you might want to enable your developers to get started with AWS quickly by granting them broad access. However, as your developers gain experience and your applications stabilize, you want to limit permissions to only what they need. To do this, access advisor will determine the permissions […]

Read More