AWS Security Blog
Category: AWS Identity and Access Management (IAM)
AWS IAM introduces updated policy defaults for IAM user passwords
November 2, 2020: This post has been updated to reflect the change in date for the default password policy from October 28 to November 18. October 20, 2020: This post has been updated to reflect the change in date for the default password policy from October 2 to October 21 to October 28. July 27, […]
How to define least-privileged permissions for actions called by AWS services
August 31, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info. February 21, 2020: We fixed a missing comma in a policy example. March 3, 2020: […]
How to improve LDAP security in AWS Directory Service with client-side LDAPS
You can now better protect your organization’s identity data by encrypting Lightweight Directory Access Protocol (LDAP) communications between AWS Directory Service products (AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector) and self-managed Active Directory. Client-side secure LDAP (LDAPS) support enables applications that integrate with AWS Directory […]
How to use KMS and IAM to enable independent security controls for encrypted data in S3
August 31, 2021:AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info. Typically, when you protect data in Amazon Simple Storage Service (Amazon S3), you use a combination […]
Rely on employee attributes from your corporate directory to create fine-grained permissions in AWS
In my earlier post Simplify granting access to your AWS resources by using tags on AWS IAM users and roles, I explained how to implement attribute-based access control (ABAC) in AWS to simplify permissions management at scale. In that scenario, I talked about relying on attributes on your IAM users and roles for access control […]
Use attribute-based access control with AD FS to simplify IAM permissions management
June 19, 2020: The Prerequisites section of this post has been updated to include the prerequisite to enable Sts:tagSession to the role trust policy. AWS Identity and Access Management (IAM) allows customers to provide granular access control to resources in AWS. One approach to granting access to resources is to use attribute-based access control (ABAC) […]
How to use CI/CD to deploy and configure AWS security services with Terraform
Like the infrastructure your applications are built on, security infrastructure can be handled using infrastructure as code (IAC) and continuous integration/continuous deployment (CI/CD). In this post, I’ll show you how to build a CI/CD pipeline using AWS Developer Tools and HashiCorp’s Terraform platform as an IAC tool for AWS Web Application Firewall (WAF) deployments. AWS […]
Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations
September 19, 2023: This post has been update to correct an explanation of multivalued condition keys. You can now reference Organizational Units (OUs), which are groups of AWS accounts in AWS Organizations, in AWS Identity and Access Management (IAM) policies, making it easier to define access for your IAM principals (users and roles) to the […]
Continuously monitor unused IAM roles with AWS Config
February 19, 2024: You can now use IAM Access Analyzer to easily identify unused roles. Read this blog post to learn more. January 6, 2021: We updated this post to fix a bug related to allow listing noncompliant roles. January 6, 2020: We updated this post to reflect a valid STS session duration if configured […]
Identify unused IAM roles and remove them confidently with the last used timestamp
February 19, 2024: You can now use IAM Access Analyzer to easily identify unused roles. Read this blog post to learn more. November 25, 2019: We’ve corrected a documentation link. As you build on AWS, you create AWS Identity and Access Management (IAM) roles to enable teams and applications to use AWS services. As those […]