
All news with #aws iam tag

40 articles

SageMaker domain management for Identity Center

🔒 Amazon SageMaker Unified Studio now supports domain management for both Identity Center and IAM-based domains outside the AWS Console. Administrators and data management teams can create and manage projects, configure workforce identity, administer users and permissions, and set networking properties. VPC configuration and account associations are consistent across domain types and available in all Regions where Unified Studio is offered.

AWS Security Hub Adds Unused Identity Access Detection

🔐 AWS Security Hub now brings identity risk into the same unified console where central security teams manage threats, exposures, and posture findings. It detects unused IAM permissions, roles, and credentials across an AWS organization and correlates those identity findings with exposure context. When enabled, Security Hub automatically creates a service‑linked IAM Access Analyzer in each member account and evaluates 90 days of actual access activity. It also offers on‑demand recommended least‑privilege policies and is included in Security Hub Essentials at no additional cost.

AWS Transfer Family Adds Cross-Region Federated Permissions

🔒 AWS Transfer Family web apps now support federated permissions with AWS IAM Identity Center across multiple Regions. Previously, Transfer web apps could only be created in the Region of the IAM Identity Center instance. With IAM Identity Center multi-Region replication, administrators can replicate workforce identities and create Transfer web apps in additional Regions, reducing latency and improving availability. Users sign in with existing credentials.

SageMaker Data Agent Supports IAM Identity Center Now

🧭 Amazon SageMaker Data Agent is now available in SageMaker Unified Studio domains configured with IAM Identity Center. The agent enables data analysts and engineers to describe analysis goals in plain English and receive working Python or SQL code for connected sources such as Amazon Athena, Amazon Redshift, Amazon S3, and AWS Glue Data Catalog. It preserves conversational context across notebook cells, selected tables, and query history, proposes step-by-step plans, and includes a Fix with AI feature to help debug execution errors. The capability is available in all commercial AWS Regions where Unified Studio is supported.

AWS IAM raises quotas for common identity resources

🛡️ AWS Identity and Access Management (IAM) has raised maximum quotas for six resource types to help customers scale. Updated limits include customer managed policies, instance profiles, managed policies per role, role trust policy length, roles per account, and OpenID Connect providers. These changes give teams more flexibility to design IAM controls and support growing workloads. To request increases, use Service Quotas or AWS Support per region.

Understanding the AWS Service Authorization Reference

🔒 This AWS Security Blog post explains how to use the AWS Service Authorization Reference to determine what IAM policies can and cannot control. It introduces the PARC (Principal, Action, Resource, Condition) authorization context and shows how condition keys drive policy decisions. Through practical examples (S3 server-side encryption, EC2 instance-type restrictions, and DynamoDB leading keys), the article explains when to rely on policies and when to layer detective or policy-as-code controls.

AWS IAM Identity Center Now in EU Sovereign Cloud (DE)

🔒 AWS has made IAM Identity Center available in the AWS European Sovereign Cloud (Germany) Region, an independent cloud fully located within the EU to address evolving sovereignty requirements. The service offers centralized workforce access management, single sign-on across AWS applications, and user-aware access controls for auditing and data governance. It supports centralized management of multiple AWS accounts and is available at no additional cost.

AWS simplifies IAM role creation in service workflows

🔐 AWS Identity and Access Management (IAM) now lets you create and configure IAM roles directly within many service console workflows, so you no longer need to switch to the IAM console. A new in-context permissions panel appears during relevant tasks and supports default policies or a simplified statement builder for custom permissions, while retaining full IAM role-management capabilities. Initially available in the US East (N. Virginia) Region, the feature will roll out to additional services and regions. This streamlines role setup for services such as EC2, Lambda, EKS and more.

AWS adds denying policy ARNs to access denied errors

🔐 AWS now includes the ARN of the policy that caused an AccessDenied error for same-account and same-organization requests. This enhancement adds only the policy ARN (not policy content) for SCPs, RCPs, permissions boundaries, session policies, and identity-based policies, and does not change authorization logic. The rollout begins early 2026 across all Regions, improving troubleshooting and cross-team communication.

AWS IAM Identity Center Adds IPv6 in Taipei and GovCloud

🌐 AWS IAM Identity Center now supports IPv6 through dual‑stack endpoints in the AWS Asia Pacific (Taipei) and AWS GovCloud (US) Regions, completing global availability wherever IAM Identity Center is offered. Clients and browsers will resolve either IPv4 or IPv6 addresses based on network and client protocol. Administrators can find the dual-stack portal URL in the IAM Identity Center console under Settings and share it with their workforce; GovCloud deployments should consult region-specific documentation.

AWS IAM Policy Autopilot Now Available as Kiro Power

🤖 AWS IAM Policy Autopilot, the open-source static analysis tool introduced at re:Invent 2025, is now available as a Kiro power. The integration enables one-click installation from the Kiro IDE and web interface, removing the need for manual MCP server configuration and speeding baseline IAM policy creation. Developers can generate and refine policies inside their coding workflow to support rapid prototyping and ongoing application evolution.

AWS IAM Identity Center Adds Multi-Region Replication

🔁 AWS announced multi-Region replication for IAM Identity Center, enabling automatic copying of identities, entitlements, and configuration from a primary Region to customer-selected additional Regions. The feature preserves access during primary-Region disruptions and allows application deployment in Regions that support data residency or proximity requirements. Available in 17 enabled-by-default commercial Regions for organization instances connected to external IdPs, it requires a multi-Region customer-managed KMS key and incurs standard KMS charges; IAM Identity Center is provided at no extra cost.

AWS Adds Cognito and CloudWatch Logs to RCPs Across Regions

🔒 AWS has expanded Resource Control Policies (RCPs) to include support for Amazon Cognito and Amazon CloudWatch Logs. RCPs let organizations centrally set the maximum permissions available to resources, enabling consistent baseline controls and a stronger data perimeter. Administrators can now create policies to prevent identities outside their organization from accessing Cognito resources or log groups. This update is available in all AWS commercial Regions and AWS GovCloud (US) Regions.

AWS adds policy ARN to Access Denied error messages

🔍 AWS now includes the policy Amazon Resource Name (ARN) from AWS Identity and Access Management (IAM) and AWS Organizations in Access Denied error messages for same-account and same-organization scenarios. This change surfaces the exact policy causing the denial—covering Service Control Policies (SCPs), Resource Control Policies (RCPs), identity-based policies, session policies, and permission boundaries—so you can identify and remediate explicit denies more quickly. The update will be rolled out across services and regions; consult IAM documentation for details.

AWS Transfer Family Terraform Module Enables Web Apps

🔧 The AWS Transfer Family Terraform module now supports provisioning Transfer Family web apps, offering a branded, managed web portal for users to browse, upload, and download data in Amazon S3. The module centralizes deployment with federated authentication via AWS IAM Identity Center and fine-grained permissions using S3 Access Grants. An included end-to-end example covers Identity Center user and group assignment, Access Grants setup, web app configuration, and CloudTrail auditing.

AWS VPC IPAM Enforces IP Allocation Policies for RDS, ALBs

🔒 Amazon VPC IPAM now supports centrally managed IP allocation policies for RDS instances and ALB resources, enabling administrators to enforce public IP assignment rules. The policies cover RDS, Application Load Balancers, NAT Gateways in regional mode, and Elastic IPs and cannot be overridden by application teams, improving compliance. Available in all AWS commercial and GovCloud (US) Regions, the capability is offered in both IPAM Free and Advanced tiers; the Advanced tier supports cross-account and cross-region policy application.

AWS IAM Identity Center Adds IPv6 Dual-Stack Endpoints

🌐 AWS now enables IPv6 connectivity to IAM Identity Center via newly introduced dual‑stack endpoints. Clients can connect using IPv6, IPv4, or dual‑stack, while existing IPv4-only endpoints remain available for backward compatibility. Dual‑stack endpoints resolve to an IPv4 or IPv6 address based on the client and network, helping organizations meet IPv6 compliance and reduce NAT complexity. Support is available in all Regions where the service operates, except AWS GovCloud (US) and Taipei.

Amazon warns of cryptomining campaign abusing AWS IAM

⚠️ Amazon's GuardDuty team is tracking an ongoing cryptomining campaign that uses compromised Identity and Access Management (IAM) credentials to abuse EC2 and ECS resources. The attacker deployed a yenik65958/secret Docker Hub image containing the SBRMiner-MULTI miner and configured large ECS tasks and auto-scaling EC2 groups to maximize mining. The actor also enabled instance termination protection to hinder remediation; Amazon has removed the malicious image, alerted affected customers, and recommends rotating compromised IAM credentials while following GuardDuty mitigation guidance.

AWS IAM Identity Center Now Available in Taipei Region

🔔 AWS has expanded IAM Identity Center to 37 AWS Regions with official availability in Asia Pacific (Taipei). The service is the recommended way to manage workforce access, offering single sign-on, centralized multi-account access, and integration with existing identity sources. It powers personalized experiences in AWS applications such as Amazon Q and supports user-aware data access controls for services like Amazon Redshift. IAM Identity Center is available at no additional cost in supported regions.

AWS Partner Central Added to AWS Management Console

🔔 AWS has integrated AWS Partner Central directly into the AWS Management Console, giving Partners streamlined access to Partner Central and the AWS Marketplace Management Portal. The release includes expanded APIs to automate co-sell workflows and Marketplace operations, plus enhanced security and user management built on AWS Identity and Access Management with granular permissions and SSO. The console experience is available in all Regions and migration guidance is provided in the existing portal.