< ciso
brief />
Tag Banner

All news with #aws iam tag

50 articles

Amazon RDS IAM Database Authentication Scales Dynamically

πŸ”’ Amazon RDS now supports dynamic connection rate scaling for IAM database authentication, so authentication throughput scales with instance resources. This allows enterprise workloads to use IAM authentication for high-volume connection patterns while depending on available CPU and memory. AWS recommends reusing IAM principals or authentication tokens to optimize performance. The feature is available in all Regions, including AWS GovCloud (US), for Aurora, PostgreSQL, MySQL, and MariaDB.
read more β†’

IAM Identity Center: Customer Managed App Account Access

πŸ” IAM Identity Center now lets customer managed applications programmatically discover user-assigned AWS accounts and roles and retrieve temporary credentials for account access. If your application authenticates users via an external identity provider (IdP), you can configure that IdP as a trusted token issuer and enable AWS account access so users who already signed in through the IdP can obtain credentials without re-authenticating. Administrators must explicitly enable this for each customer managed application, and only management account or delegated administrators can grant the capability, ensuring centralized governance. The feature is available across all commercial, GovCloud (US), and China Regions.
read more β†’

Shai Hulud CI/CD to Redshift breach analysis

πŸ” This FortiGuard Labs analysis examines the Shai Hulud supply chain worm that poisoned CI/CD dependencies to harvest Jenkins credentials and pivot into AWS. The report outlines a mid‑May 2026 incident where FortiCNAPP traced external use of a Jenkins instance role, IAM escalation to a cloudops-monitor identity, and subsequent Redshift data extraction. It highlights detection signals, MITRE mappings, and recommended containment actions.
read more β†’

Restrict AWS Console Access Using Sign-In Policies

πŸ”’ This post explains how AWS Sign-In now supports resource-based policies and resource control policies (RCPs) to restrict AWS Management Console and AWS CLI sign-in to expected networks such as corporate IP ranges, on-premises data center networks, and Amazon VPCs. It walks through a financial services use case that enforces console sign-in from a corporate network, shows how to create and enable a sign-in resource permission statement, and describes verification via AWS CloudTrail. The article also contrasts single-account resource-based policies with organization-wide RCPs and explains integration with AWS Management Console Private Access and the broader data perimeter framework.
read more β†’

IAM Identity Center adds separate account and app quotas

πŸ”” AWS IAM Identity Center now supports separate quotas for AWS accounts and applications. By default, administrators can configure up to 7,000 AWS accounts and 7,000 applications independently, so use of one does not reduce capacity for the other. Existing customers with higher limits retain those limits automatically. Quota increases remain available via the AWS Service Quotas console.
read more β†’

Accelerating AWS security investigations with Kiro CLI

πŸ” This post shows how Kiro CLI, an AI-powered command line assistant, speeds AWS security investigations by proposing, explaining, and optionally executing AWS CLI commands while documenting each step. It demonstrates a GuardDuty-driven investigation following the AWS Security Incident Response Guide: triage, EC2 and IAM assessment, CloudTrail analysis, containment, and remediation. The walkthrough highlights benefits like faster triage, automated CloudTrail queries, and guided remediation, while advising human validation and forensic preservation.
read more β†’

AWS Management Console Private Access Launch

πŸ”’ AWS Management Console Private Access now lets customers reach the AWS Console from VPCs without any internet connectivity, enabling management of AWS infrastructure in air-gapped and strictly controlled networks. The feature routes console traffic through VPC endpoints using AWS PrivateLink, letting customers enforce VPC endpoint policies and existing IAM, Service Control, and Resource Control policies. Available in all AWS commercial regions, customers pay only for the underlying VPC endpoint usage and data processing.
read more β†’

Amazon S3 Access Grants Arrive in Germany Region

πŸ›ˆ Amazon S3 Access Grants are now available in the AWS European Sovereign Cloud (Germany) Region. The feature maps identities from directories like Microsoft Entra ID and AWS IAM principals to S3 datasets, enabling automated, scalable data permission management. This simplifies granting S3 access to end users based on corporate identities. Check the AWS Region Table for full regional availability and refer to the product page for details.
read more β†’

Simplified S3 Tables and Iceberg permissions in GovCloud

πŸ”’ AWS Glue Data Catalog now supports IAM-based authorization for Amazon S3 Tables and Apache Iceberg materialized views in AWS GovCloud (US) Regions. This change lets you consolidate required permissions for storage, catalog, and query engines into a single IAM policy. The capability eases integration with analytics services such as Amazon Athena, Amazon EMR, Amazon Redshift, and AWS Glue. You can still opt in to AWS Lake Formation for fine-grained access controls.
read more β†’

AWS VPC IPAM adds tagging for allocations

πŸ›ˆ Amazon VPC IP Address Manager (IPAM) now supports tags on IPAM pool allocations, letting customers organize, govern, and control access to individual IP address allocations using existing tagging workflows. Tags can be applied at creation or added to existing allocations and referenced in AWS Identity and Access Management and Service Control Policies for centralized governance. Administrators can enforce environment-based allocation controls and teams can search and filter allocations by tag across accounts. The feature is available in all AWS Regions where IPAM is supported at no additional cost.
read more β†’

SageMaker domain management for Identity Center

πŸ”’ Amazon SageMaker Unified Studio now supports domain management for both Identity Center and IAM-based domains outside the AWS Console. Administrators and data management teams can create and manage projects, configure workforce identity, administer users and permissions, and set networking properties. VPC configuration and account associations are consistent across domain types and available in all Regions where Unified Studio is offered.
read more β†’

AWS Security Hub Adds Unused Identity Access Detection

πŸ” AWS Security Hub now brings identity risk into the same unified console where central security teams manage threats, exposures, and posture findings. It detects unused IAM permissions, roles, and credentials across an AWS organization and correlates those identity findings with exposure context. When enabled, Security Hub automatically creates a service‑linked IAM Access Analyzer in each member account and evaluates 90 days of actual access activity. It also offers on‑demand recommended least‑privilege policies and is included in Security Hub Essentials at no additional cost.
read more β†’

AWS Transfer Family Adds Cross-Region Federated Permissions

πŸ”’ AWS Transfer Family web apps now support federated permissions with AWS IAM Identity Center across multiple Regions. Previously, Transfer web apps could only be created in the Region of the IAM Identity Center instance. With IAM Identity Center multi-Region replication, administrators can replicate workforce identities and create Transfer web apps in additional Regions, reducing latency and improving availability. Users sign in with existing credentials.
read more β†’

SageMaker Data Agent Supports IAM Identity Center Now

🧭 Amazon SageMaker Data Agent is now available in SageMaker Unified Studio domains configured with IAM Identity Center. The agent enables data analysts and engineers to describe analysis goals in plain English and receive working Python or SQL code for connected sources such as Amazon Athena, Amazon Redshift, Amazon S3, and AWS Glue Data Catalog. It preserves conversational context across notebook cells, selected tables, and query history, proposes step-by-step plans, and includes a Fix with AI feature to help debug execution errors. The capability is available in all commercial AWS Regions where Unified Studio is supported.
read more β†’

AWS IAM raises quotas for common identity resources

πŸ›‘οΈ AWS Identity and Access Management (IAM) has raised maximum quotas for six resource types to help customers scale. Updated limits include customer managed policies, instance profiles, managed policies per role, role trust policy length, roles per account, and OpenID Connect providers. These changes give teams more flexibility to design IAM controls and support growing workloads. To request increases, use Service Quotas or AWS Support per region.
read more β†’

Understanding the AWS Service Authorization Reference

πŸ”’This AWS Security Blog post explains how to use the AWS Service Authorization Reference to determine what IAM policies can and cannot control. It introduces the PARC (Principal, Action, Resource, Condition) authorization context and shows how condition keys drive policy decisions. Through practical examples β€” S3 server-side encryption, EC2 instance-type restrictions, and DynamoDB leading keys β€” the article explains when to rely on policies and when to layer detective or policy-as-code controls.
read more β†’

AWS IAM Identity Center Now in EU Sovereign Cloud (DE)

πŸ”’ AWS has made IAM Identity Center available in the AWS European Sovereign Cloud (Germany) Region, an independent cloud fully located within the EU to address evolving sovereignty requirements. The service offers centralized workforce access management, single sign-on across AWS applications, and user-aware access controls for auditing and data governance. It supports centralized management of multiple AWS accounts and is available at no additional cost.
read more β†’

AWS simplifies IAM role creation in service workflows

πŸ” AWS Identity and Access Management (IAM) now lets you create and configure IAM roles directly within many service console workflows, so you no longer need to switch to the IAM console. A new in-context permissions panel appears during relevant tasks and supports default policies or a simplified statement builder for custom permissions, while retaining full IAM role-management capabilities. Initially available in the US East (N. Virginia) Region, the feature will roll out to additional services and regions. This streamlines role setup for services such as EC2, Lambda, EKS and more.
read more β†’

AWS adds denying policy ARNs to access denied errors

πŸ” AWS now includes the ARN of the policy that caused an AccessDenied error for same-account and same-organization requests. This enhancement adds only the policy ARN (not policy content) for SCPs, RCPs, permissions boundaries, session policies, and identity-based policies, and does not change authorization logic. The rollout begins early 2026 across all Regions, improving troubleshooting and cross-team communication.
read more β†’

AWS IAM Identity Center Adds IPv6 in Taipei and GovCloud

🌐 AWS IAM Identity Center now supports IPv6 through dual‑stack endpoints in the AWS Asia Pacific (Taipei) and AWS GovCloud (US) Regions, completing global availability wherever IAM Identity Center is offered. Clients and browsers will resolve either IPv4 or IPv6 addresses based on network and client protocol. Administrators can find the dual-stack portal URL in the IAM Identity Center console under Settings and share it with their workforce; GovCloud deployments should consult region-specific documentation.
read more β†’