Showing only posts tagged Advanced (300). Show all posts.

Automatically detect and block low-volume network floods

Source

In this blog post, I show you how to deploy a solution that uses AWS Lambda to automatically manage the lifecycle of Amazon VPC Network Access Control List (ACL) rules to mitigate network floods detected using Amazon CloudWatch Logs Insights and Amazon Timestream. Application teams should consider the impact …

Validate IAM policies by using IAM Policy Validator for AWS CloudFormation and GitHub Actions

Source

In this blog post, I’ll show you how to automate the validation of AWS Identity and Access Management (IAM) policies by using a combination of the IAM Policy Validator for AWS CloudFormation (cfn-policy-validator) and GitHub Actions. Policy validation is an approach that is designed to minimize the deployment …

Generate machine learning insights for Amazon Security Lake data using Amazon SageMaker

Source

Amazon Security Lake automatically centralizes the collection of security-related logs and events from integrated AWS and third-party services. With the increasing amount of security data available, it can be challenging knowing what data to focus on and which tools to use. You can use native AWS services such as …

How we designed Cedar to be intuitive to use, fast, and safe

Source

This post is a deep dive into the design of Cedar, an open source language for writing and evaluating authorization policies. Using Cedar, you can control access to your application’s resources in a modular and reusable way. You write Cedar policies that express your application’s permissions, and …

How to Connect Your On-Premises Active Directory to AWS Using AD Connector

Source

August 17, 2023: We updated the instructions and screenshots in this post to align with changes to the AWS Management Console. April 25, 2023: We’ve updated this blog post to include more security learning resources. AD Connector is designed to give you an easy way to establish a …

How to automate the review and validation of permissions for users and groups in AWS IAM Identity Center

Source

AWS IAM Identity Center (successor to AWS Single Sign-On) is widely used by organizations to centrally manage federated access to their Amazon Web Services (AWS) environment. As organizations grow, it’s crucial that they maintain control of access to their environment and conduct regular reviews of existing granted permissions …

Cost considerations and common options for AWS Network Firewall log management

Source

When you’re designing a security strategy for your organization, firewalls provide the first line of defense against threats. Amazon Web Services (AWS) offers AWS Network Firewall, a stateful, managed network firewall that includes intrusion detection and prevention (IDP) for your Amazon Virtual Private Cloud (VPC). Logging plays a …

Migrating your secrets to AWS Secrets Manager, Part 2: Implementation

Source

In Part 1 of this series, we provided guidance on how to discover and classify secrets and design a migration solution for customers who plan to migrate secrets to AWS Secrets Manager. We also mentioned steps that you can take to enable preventative and detective controls for Secrets Manager …

Migrating your secrets to AWS Secrets Manager, Part I: Discovery and design

Source

“An ounce of prevention is worth a pound of cure.” – Benjamin Franklin A secret can be defined as sensitive information that is not intended to be known or disclosed to unauthorized individuals, entities, or processes. Secrets like API keys, passwords, and SSH keys provide access to confidential systems and …

How Amazon CodeGuru Security helps you effectively balance security and velocity

Source

Software development is a well-established process—developers write code, review it, build artifacts, and deploy the application. They then monitor the application using data to improve the code. This process is often repeated many times over. As Amazon Web Services (AWS) customers embrace modern software development practices, they sometimes …

Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture

Source

AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates security findings from Amazon Web Services (AWS) and third-party security services, and enables automated remediation. Most of the checks Security Hub performs on AWS resources happen as soon as there is a …

Temporary elevated access management with IAM Identity Center

Source

AWS recommends using automation where possible to keep people away from systems—yet not every action can be automated in practice, and some operations might require access by human users. Depending on their scope and potential impact, some human operations might require special treatment. One such treatment is temporary …

Detect threats to your data stored in RDS databases by using GuardDuty

Source

With Amazon Relational Database Service (Amazon RDS), you can set up, operate, and scale a relational database in the AWS Cloud. Amazon RDS provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks. If you use Amazon RDS for your workloads, you can now …

Simplify web app authentication: A guide to AD FS federation with Amazon Cognito user pools

Source

August 13, 2018: Date this post was first published, on the Front-End Web and Mobile Blog. We updated the CloudFormation template, provided additional clarification on implementation steps, and revised to account for the new Amazon Cognito UI. User authentication and authorization can be challenging when you’re building web …

How to use Amazon GuardDuty and AWS WAF v2 to automatically block suspicious hosts

Source

In this post, we’ll share an automation pattern that you can use to automatically detect and block suspicious hosts that are attempting to access your Amazon Web Services (AWS) resources. The automation will rely on Amazon GuardDuty to generate findings about the suspicious hosts, and then you can …

Automate the deployment of an NGINX web service using Amazon ECS with TLS offload in CloudHSM

Source

Customers who require private keys for their TLS certificates to be stored in FIPS 140-2 Level 3 certified hardware security modules (HSMs) can use AWS CloudHSM to store their keys for websites hosted in the cloud. In this blog post, we will show you how to automate the deployment …

Simplify management of Network Firewall rule groups with VPC managed prefix lists

Source

In this blog post, we will show you how to use managed prefix lists to simplify management of your AWS Network Firewall rules and policies across your Amazon Virtual Private Cloud (Amazon VPC) in the same AWS Region. AWS Network Firewall is a stateful, managed, network firewall and intrusion …

How to use policies to restrict where EC2 instance credentials can be used from

Source

Today AWS launched two new global condition context keys that make it simpler for you to write policies in which Amazon Elastic Compute Cloud (Amazon EC2) instance credentials work only when used on the instance to which they are issued. These new condition keys are available today in all …

How to visualize IAM Access Analyzer policy validation findings with QuickSight

Source

In this blog post, we show you how to create an Amazon QuickSight dashboard to visualize the policy validation findings from AWS Identity and Access Management (IAM) Access Analyzer. You can use this dashboard to better understand your policies and how to achieve least privilege by periodically validating your …

How to set up ongoing replication from your third-party secrets manager to AWS Secrets Manager

Source

Secrets managers are a great tool to securely store your secrets and provide access to secret material to a set of individuals, applications, or systems that you trust. Across your environments, you might have multiple secrets managers hosted on different providers, which can increase the complexity of maintaining a …

Reduce risk by implementing HttpOnly cookie authentication in Amazon API Gateway

Source

Some web applications need to protect their authentication tokens or session IDs from cross-site scripting (XSS). It’s an Open Web Application Security Project (OWASP) best practice for session management to store secrets in the browsers’ cookie store with the HttpOnly attribute enabled. When cookies have the HttpOnly attribute …

How to revoke federated users’ active AWS sessions

Source

When you use a centralized identity provider (IdP) for human user access, changes that an identity administrator makes to a user within the IdP won’t invalidate the user’s existing active Amazon Web Services (AWS) sessions. This is due to the nature of session durations that are configured …

How to use Amazon Macie to preview sensitive data in S3 buckets

Source

Security teams use Amazon Macie to discover and protect sensitive data, such as names, payment card data, and AWS credentials, in Amazon Simple Storage Service (Amazon S3). When Macie discovers sensitive data, these teams will want to see examples of the actual sensitive data found. Reviewing a sampling of …

How to use trust policies with IAM roles

Source

November 3, 2022: We updated this post to fix some syntax errors in the policy statements and to add additional use cases. August 30, 2021: This post is currently being updated. We will post another note when it’s complete. AWS Identity and Access Management (IAM) roles are a …

How to control non-HTTP and non-HTTPS traffic to a DNS domain with AWS Network Firewall and AWS Lambda

Source

Security and network administrators can control outbound access from a virtual private cloud (VPC) to specific destinations by using a service like AWS Network Firewall. You can use stateful rule groups to control outbound access to domains for HTTP and HTTPS by default in Network Firewall. In this post …

« newer articles | page 4 | older articles »