Category: AWS Identity and Access Management (IAM)

April 25, 2023: We’ve updated this blog post to include more security learning resources. August 31, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info. Multi-tenant […]

September 8, 2023: It’s important to know that if you activate user sign-up in your user pool, anyone on the internet can sign up for an account and sign in to your apps. Don’t enable self-registration in your user pool unless you want to open your app to allow users to sign up. June 5, […]

November 24, 2023: This post has been updated to show the differences between accessing data by way of an AWS service over public endpoints and over AWS PrivateLink (data access pattern 2). July 7, 2023: This post had been updated to use Amazon S3 Replication as an example in Data access pattern 3b section. Amazon […]

September 28, 2023: IAM is incrementally adding support for actions from more services. For a list of services that report action last accessed information, see IAM action last accessed information services and actions. AWS Identity and Access Management (IAM) helps customers analyze access and achieve least privilege. When you are working on new permissions for […]

September 8, 2021: The post was updated to correct a typo about the CloudTrail log snippet. April 14, 2021: In the section “Use the SourceIdentity attribute with identity federation,” we updated “AWS SSO” to “sign-in endpoint” for clarity. AWS Security Token Service (AWS STS) now offers customers the ability to specify a unique identity attribute […]

August 31, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info. May 26, 2021: In the section “Secure your tags using an AWS Organizations service control […]

August 10, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here. Here is the latest from AWS Identity from November 2020 through February 2021. The features highlighted in this blog post can help you manage […]

In this blog post, we’ll demonstrate how you can use Amazon Detective’s new role session analysis feature to investigate security findings that are tied to the usage of an AWS Identity and Access Management (IAM) role. You’ll learn about how you can use this new role session analysis feature to determine which Amazon Web Services […]

AWS Identity and Access Management (IAM) now enables Amazon Web Services (AWS) administrators to use tags to manage and secure access to more types of IAM resources, such as customer managed IAM policies, Security Assertion Markup Language (SAML) providers, and virtual multi-factor authentication (MFA) devices. A tag is an attribute that consists of a key […]

December 4, 2020: We’ve updated this post to use s3:CreateBucket to simplify the intro example, replaced figure 8 removing the IfExists reference, and clarified qualifier information in the example. In this post, I’m going to share two techniques I’ve used to write least privilege AWS Identity and Access Management (IAM) policies. If you’re not familiar […]