AWS Security Blog

Tag: Identity

How to relate IAM role activity to corporate identity

September 8, 2021: The post was updated to correct a typo about the CloudTrail log snippet. April 14, 2021: In the section “Use the SourceIdentity attribute with identity federation,” we updated “AWS SSO” to “sign-in endpoint” for clarity. AWS Security Token Service (AWS STS) now offers customers the ability to specify a unique identity attribute […]

Highlights from the latest AWS Identity launches

August 10, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here. Here is the latest from AWS Identity from November 2020 through February 2021. The features highlighted in this blog post can help you manage […]

How AWS IAM Identity Center Active Directory sync enhances AWS application experiences

September 12, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here. IAM Identity CenterIdentity management is easiest when you can manage identities in a centralized location and use these identities across various accounts and applications. […]

re:Invent – New security sessions launching soon

Where did the last month go? Were you able to catch all of the sessions in the Security, Identity, and Compliance track you hoped to see at AWS re:Invent? If you missed any, don’t worry—you can stream all the sessions released in 2020 via the AWS re:Invent website. Additionally, we’re starting 2021 with all new […]

re:Invent 2020 – Your guide to AWS Identity and Data Protection sessions

August 16, 2021: We’ve updated this post to include links to recordings of the sessions. AWS re:Invent will certainly be different in 2020! Instead of seeing you all in Las Vegas, this year re:Invent will be a free, three-week virtual conference. One thing that will remain the same is the variety of sessions, including many […]

Aligning IAM policies to user personas for AWS Security Hub

October 3, 2021: In the section “Step 3: Create the role for the sysadmin persona,” we’ve corrected step 1 to indicate that sign in occurs through the administrator account, rather than the member account. AWS Security Hub provides you with a comprehensive view of your security posture across your accounts in Amazon Web Services (AWS) […]

How to implement password-less authentication with Amazon Cognito and WebAuthn

In this blog post, I show you how to offer a password-less authentication experience to your customers. To do this, you’ll allow physical security keys or platform authenticators (like finger-print scanners) to be used as the authentication factor to your web or mobile applications that use Amazon Cognito user pools for authentication. An Amazon Cognito […]

How to configure Duo multi-factor authentication with Amazon Cognito

October 23: This post has been updated to utilize Duo Web v4 SDK and OIDC approach for integration with Duo two-factor authentication. Adding multi-factor authentication (MFA) reduces the risk of user account take-over, phishing, and password theft. Adding MFA while providing a frictionless sign-in experience requires you to offer a variety of MFA options that […]

Rely on employee attributes from your corporate directory to create fine-grained permissions in AWS

In my earlier post Simplify granting access to your AWS resources by using tags on AWS IAM users and roles, I explained how to implement attribute-based access control (ABAC) in AWS to simplify permissions management at scale. In that scenario, I talked about relying on attributes on your IAM users and roles for access control […]

Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations

September 19, 2023: This post has been update to correct an explanation of multivalued condition keys. You can now reference Organizational Units (OUs), which are groups of AWS accounts in AWS Organizations, in AWS Identity and Access Management (IAM) policies, making it easier to define access for your IAM principals (users and roles) to the […]