All news with #aws iam tag

Tue, December 9, 2025

AWS: Tagging for RDS and Aurora Automated Backups Released

🔖 Amazon Web Services now supports resource tagging for automated backups and cluster automated backups in Amazon RDS and Aurora. You can tag automated backups independently from the parent DB instance or DB cluster using the AWS Management Console, API, or SDK. Use these tags with IAM policies to implement attribute-based access control and to organize, manage, and track backup costs. This capability is available in all AWS Regions, including AWS GovCloud (US).

Mon, December 8, 2025

AWS unveils AI-driven security enhancements at re:Invent

🔒 AWS announced a suite of AI- and automation-driven security features at re:Invent 2025 designed to shift cloud protection from reactive response to proactive prevention. AWS Security Agent and agentic incident response add continuous code review and automated investigations, while ML enhancements in GuardDuty and near real-time analytics in Security Hub improve multi-stage threat detection. Agent-centric IAM tools, including policy autopilot and private sign-in routes, streamline permissions and enforce granular, zero-trust access for agents and workloads.

Sun, November 30, 2025

AWS Partner Central Added to AWS Management Console

🔔 AWS has integrated AWS Partner Central directly into the AWS Management Console, giving Partners streamlined access to Partner Central and the AWS Marketplace Management Portal. The release includes expanded APIs to automate co-sell workflows and Marketplace operations, plus enhanced security and user management built on AWS Identity and Access Management with granular permissions and SSO. The console experience is available in all Regions and migration guidance is provided in the existing portal.

Wed, November 26, 2025

AWS Secrets Store CSI Driver Add-on for Amazon EKS

🔐 This post introduces the AWS provider for the Secrets Store CSI Driver and the new Amazon EKS add-on that mounts Secrets Manager secrets and Systems Manager parameters as files in Kubernetes pods. The add-on simplifies installation compared with Helm or kubectl, supports EC2 and hybrid nodes, and includes security patches and FIPS endpoint options. The walkthrough covers prerequisites, creating a test secret, installing the add-on, configuring an IAM role and EKS Pod Identity association, deploying an example pod that mounts the secret at /mnt/secrets-store, validating retrieval, and cleaning up resources.

Mon, November 24, 2025

Amazon Redshift Adds Federated Permissions for Warehouses

🔐 Amazon Redshift now supports federated permissions to centralize and enforce data access policies across multiple Redshift warehouses, reducing governance overhead for multi-warehouse deployments. Registered warehouses are auto-mounted account-wide and can be queried using existing workforce identities via AWS IAM Identity Center or IAM roles. Row-level, column-level, and masking controls are applied automatically, ensuring consistent fine-grained access control regardless of query location.

Fri, November 21, 2025

AWS Security Incident Response: AI Investigative Agent

🔎 The new AI-powered investigative agent in AWS Security Incident Response automates evidence collection, correlation, and timeline building to speed incident investigations from hours to minutes. It interactively asks clarifying questions, queries CloudTrail, IAM, EC2, and cost data, and summarizes critical findings and timelines. The capability is available now across commercial AWS Regions and is included with the service’s metered pricing.

Fri, November 21, 2025

AWS Security Incident Response Adds Agentic AI Investigator

🔍 AWS Security Incident Response now offers an agentic AI investigative capability that automatically gathers, correlates, and summarizes evidence across AWS data sources. The investigative agent assesses new cases, asks submitters clarifying questions for missing indicators or timeframes, and collects logs from AWS CloudTrail, AWS Identity and Access Management (IAM), Amazon EC2, and AWS Cost Explorer. Findings are presented as clear, actionable summaries, and the feature is enabled automatically at no extra cost in supported Regions.

Fri, November 21, 2025

Amazon SageMaker One-Click Onboarding for Existing Data

✨ Amazon SageMaker now offers one-click onboarding of existing AWS datasets into Amazon SageMaker Unified Studio, letting customers begin data work in minutes while retaining their current IAM roles and permissions. The feature provisions a pre-configured serverless notebook with a built-in AI agent that supports SQL, Python, Spark, and natural language. Users can start from SageMaker, Amazon Athena, Amazon Redshift, or Amazon S3 Tables consoles and the setup imports permissions from AWS Glue Data Catalog, Lake Formation, and S3 to accelerate first use.

Fri, November 21, 2025

AWS STS now supports dual‑stack IPv6 endpoints globally

🌐 AWS Security Token Service (STS) now supports IPv6 via new dual‑stack endpoints, allowing connections over IPv6, IPv4, or both. Dual‑stack access is supported over the public internet and privately from Amazon VPCs using AWS PrivateLink, so STS APIs can be invoked without traversing the public internet. This capability is available in all Commercial, GovCloud (US), and China Regions. Configure STS clients using the IAM user guide to enable dual‑stack endpoints.

Thu, November 20, 2025

SageMaker Studio: Long‑Running Sessions with Corporate IDs

⏳ Amazon SageMaker Unified Studio now supports long-running background sessions using corporate identities via AWS IAM Identity Center's trusted identity propagation (TIP). Users can launch interactive notebooks and data processing on SageMaker, Amazon EMR, and AWS Glue that persist when they log off or experience network or credential interruptions. Sessions retain corporate permissions and can run up to 90 days (default 7 days), reducing the need for continuous monitoring and improving productivity for multi-hour or multi-day workloads.

Thu, November 20, 2025

Amazon S3 Adds Attribute-Based Access Control (ABAC)

🏷️ Amazon S3 now supports attribute-based access control (ABAC) for general purpose buckets, allowing organizations to use bucket tags to automatically manage permissions. Instead of constantly editing IAM or bucket policies, administrators can create policies that reference bucket tags and grant access by adding or modifying tags. Enable ABAC with the S3 PutBucketAbac API and manage tags via TagResource/UntagResource; you can also require tags at bucket creation to enforce standards. The feature is available in all AWS Regions at no additional cost via the Console, REST API, CLI, SDK, and CloudFormation.

Wed, November 19, 2025

AWS IAM Adds Outbound Identity Federation with JWTs

🔐 AWS Identity and Access Management (IAM) now supports outbound identity federation, enabling customers to exchange AWS credentials for short‑lived, cryptographically signed JSON Web Tokens (JWTs) to authenticate workloads with third‑party clouds, SaaS providers, and self‑hosted applications. Tokens include workload context so external services can enforce fine‑grained access control. Administrators can restrict who can generate tokens and configure token properties such as lifetime, audience, and signing algorithm via IAM policies, and audit issuance and usage through CloudTrail. The capability is available in all AWS commercial Regions, AWS GovCloud (US) Regions, and China Regions.

Wed, November 19, 2025

AWS IAM Adds aws:SourceVpcArn for Region Controls Support

🔒 AWS Identity and Access Management (IAM) introduces the global condition key aws:SourceVpcArn, which returns the ARN of the VPC where a VPC endpoint is attached. Administrators can apply this key in IAM policies to enforce region-based controls for resources accessed via AWS PrivateLink, restricting access to VPC endpoints in specified regions. The new condition key helps meet data residency and compliance requirements and is available in all commercial AWS Regions.

Wed, November 19, 2025

AWS enables console sign-in credentials for CLI and SDK

🔐 AWS now permits developers to use their existing AWS Management Console sign-in credentials for programmatic access via the AWS CLI, AWS Tools for PowerShell, and AWS SDKs after a brief browser-based authentication flow. The aws login command in AWS CLI v2.32.0 and later obtains automatically rotated, short-lived credentials to reduce reliance on long-term access keys. This capability is available in all commercial AWS regions and aims to streamline local development setup while improving security posture.

Wed, November 19, 2025

AWS IAM Temporary Delegation for Partner Product Integration

🔐 AWS Identity and Access Management (IAM) introduces temporary delegation, enabling time-limited, delegated access to Amazon and AWS Partner products for tasks like initial deployments, ad-hoc maintenance, and feature upgrades. The capability eliminates the need for persistent IAM roles, improves auditability, and reduces setup and operational burden. It is available in all AWS commercial Regions and is being adopted by partners such as Archera, Aviatrix, Databricks, HashiCorp, Qumulo, Rapid7 and others.

Tue, November 18, 2025

Automating Session Manager Preferences with CloudFormation

🔐 This post explains how to centrally manage AWS Systems Manager Session Manager preferences across multiple accounts and Regions using CloudFormation StackSets and an AWS Lambda function. The solution automates updates to the SSM-SessionManagerRunShell document, provisions optional logging destinations (Amazon S3 or CloudWatch Logs), and can create KMS keys for session and log encryption. It aims to reduce manual configuration errors and ensure consistent security and compliance at scale.

Mon, November 17, 2025

AWS Adds ML-DSA Post-Quantum Code Signing to Private CA

🔐 AWS announced support for post-quantum ML-DSA code signing in AWS Private CA, integrated with AWS KMS. The integration lets customers create ML-DSA X.509 certificate chains and generate KMS-held ML-DSA key pairs to sign binaries, enabling quantum-resistant code-signing, device authentication, and private-PKI workflows such as mTLS or IKEv2/IPsec. A provided Java Runner demonstrates CA creation, CSR issuance, CMS detached signing with SHAKE256, and signature verification against customer-managed roots.

Mon, November 17, 2025

AWS Backup Adds Delegated Admin Support in 17 Regions

🔔 AWS Backup now supports delegated administrators in 17 additional AWS Regions, allowing designated accounts to manage backup operations and administrative tasks across member accounts. The expansion includes regions in Africa, Asia Pacific, Canada, Europe, Israel, Mexico, and the Middle East. AWS Backup Audit Manager also supports cross-Region and cross-account delegated admin reports for jobs and backup plan compliance. Visit the AWS Backup console to get started.

Fri, November 14, 2025

AWS re:Invent 2025 — Security Sessions & Themes Overview

🔒 AWS re:Invent 2025 highlights an expanded Security and Identity track featuring more than 80 sessions across breakouts, workshops, chalk talks, and hands-on builders’ sessions. The program groups content into four practical themes — Securing and Leveraging AI, Architecting Security and Identity at scale, Building and scaling a Culture of Security, and Innovations in AWS Security — with real-world guidance and demos. Attendees can meet experts at the Security and AI Security kiosks in the expo hall and are encouraged to reserve limited-capacity hands-on sessions early to secure seats.

Fri, November 7, 2025

AWS Advanced .NET Data Provider Driver Now GA for RDS

🔔 The Amazon Web Services Advanced .NET Data Provider Driver is now generally available for Amazon RDS and Amazon Aurora PostgreSQL and MySQL-compatible databases. The driver reduces RDS Blue/Green switchover and database failover times to improve application availability and supports multiple authentication mechanisms including Federated Authentication, AWS Secrets Manager, and IAM token-based authentication. Built on top of Npgsql, native MySql.Data and MySqlConnector, it integrates with NHibernate and supports Entity Framework for MySQL, and is released under the Apache 2.0 license.
