AWS Security Blog

Category: Advanced (300)

AWS Identity and Access Management

How to use the PassRole permission with IAM roles

iam:PassRole is an AWS Identity and Access Management (IAM) permission that allows an IAM principal to delegate or pass permissions to an AWS service by configuring a resource such as an Amazon Elastic Compute Cloud (Amazon EC2) instance or AWS Lambda function with an IAM role. The service then uses that role to interact with […]

Establishing a data perimeter on AWS: Require services to be created only within expected networks

November 13, 2024: This post has been updated to reflect the usage of resource control policies (RCPs) to establish your organization’s data perimeter. Welcome to the fifth post in the Establishing a data perimeter on AWS series. Throughout this series, we’ve discussed how a set of preventative access controls can create an always-on boundary to help ensure […]

Solution overview

Building sensitive data remediation workflows in multi-account AWS environments

The rapid growth of data has empowered organizations to develop better products, more personalized services, and deliver transformational outcomes for their customers. As organizations use Amazon Web Services (AWS) to modernize their data capabilities, they can sometimes find themselves with data spread across several AWS accounts, each aligned to distinct use cases and business units. […]

Set up AWS Private Certificate Authority to issue certificates for use with IAM Roles Anywhere

Traditionally, applications or systems—defined as pieces of autonomous logic functioning without direct user interaction—have faced challenges associated with long-lived credentials such as access keys. In certain circumstances, long-lived credentials can increase operational overhead and the scope of impact in the event of an inadvertent disclosure. To help mitigate these risks and follow the best practice […]

avp arch

Build an entitlement service for business applications using Amazon Verified Permissions

Amazon Verified Permissions is designed to simplify the process of managing permissions within an application. In this blog post, we aim to help customers understand how this service can be applied to several business use cases. Companies typically use custom entitlement logic embedded in their business applications. This is the most common approach, and it […]

architecture diagram horizontal

How to create an AMI hardening pipeline and automate updates to your ECS instance fleet

Amazon Elastic Container Service (Amazon ECS) is a comprehensive managed container orchestrator that simplifies the deployment, maintenance, and scalability of container-based applications. With Amazon ECS, you can deploy your containerized application as a standalone task, or run a task as part of a service in your cluster. The Amazon ECS infrastructure for tasks includes Amazon […]

ChaosKitty_Gamifying

How to use chaos engineering in incident response

Simulations, tests, and game days are critical parts of preparing and verifying incident response processes. Customers often face challenges getting started and building their incident response function as the applications they build become increasingly complex. In this post, we will introduce the concept of chaos engineering and how you can use it to accelerate your […]

Approaches for migrating users to Amazon Cognito user pools

Update: An earlier version of this post was published on September 14, 2017, on the Front-End Web and Mobile Blog. Amazon Cognito user pools offer a fully managed OpenID Connect (OIDC) identity provider so you can quickly add authentication and control access to your mobile app or web application. User pools scale to millions of […]

How to share security telemetry per OU using Amazon Security Lake and AWS Lake Formation

Part 3 of a 3-part series Part 1 – Aggregating, searching, and visualizing log data from distributed sources with Amazon Athena and Amazon QuickSight Part 2 – How to visualize Amazon Security Lake findings with Amazon QuickSight This is the final part of a three-part series on visualizing security data using Amazon Security Lake and […]

A phased approach towards a complex HITRUST r2 validated assessment

Health Information Trust Alliance (HITRUST) offers healthcare organizations a comprehensive and standardized approach to information security, privacy, and compliance. HITRUST Common Security Framework (HITRUST CSF) can be used by organizations to establish a robust security program, ensure patient data privacy, and assist with compliance with industry regulations. HITRUST CSF enhances security, streamlines compliance efforts, reduces […]