< ciso
brief />
Tag Banner

All news with #aws iam tag

50 articles · page 2 of 3

AWS IAM Policy Autopilot Now Available as Kiro Power

🤖 AWS IAM Policy Autopilot, the open-source static analysis tool introduced at re:Invent 2025, is now available as a Kiro power. The integration enables one-click installation from the Kiro IDE and web interface, removing the need for manual MCP server configuration and speeding baseline IAM policy creation. Developers can generate and refine policies inside their coding workflow to support rapid prototyping and ongoing application evolution.
read more →

AWS IAM Identity Center Adds Multi-Region Replication

🔁 AWS announced multi-Region replication for IAM Identity Center, enabling automatic copying of identities, entitlements, and configuration from a primary Region to customer-selected additional Regions. The feature preserves access during primary-Region disruptions and allows application deployment in Regions that support data residency or proximity requirements. Available in 17 enabled-by-default commercial Regions for organization instances connected to external IdPs, it requires a multi-Region customer-managed KMS key and incurs standard KMS charges; IAM Identity Center is provided at no extra cost.
read more →

AWS Adds Cognito and CloudWatch Logs to RCPs Across Regions

🔒 AWS has expanded Resource Control Policies (RCPs) to include support for Amazon Cognito and Amazon CloudWatch Logs. RCPs let organizations centrally set the maximum permissions available to resources, enabling consistent baseline controls and a stronger data perimeter. Administrators can now create policies to prevent identities outside their organization from accessing Cognito resources or log groups. This update is available in all AWS commercial Regions and AWS GovCloud (US) Regions.
read more →

AWS adds policy ARN to Access Denied error messages

🔍 AWS now includes the policy Amazon Resource Name (ARN) from AWS Identity and Access Management (IAM) and AWS Organizations in Access Denied error messages for same-account and same-organization scenarios. This change surfaces the exact policy causing the denial—covering Service Control Policies (SCPs), Resource Control Policies (RCPs), identity-based policies, session policies, and permission boundaries—so you can identify and remediate explicit denies more quickly. The update will be rolled out across services and regions; consult IAM documentation for details.
read more →

AWS Transfer Family Terraform Module Enables Web Apps

🔧 The AWS Transfer Family Terraform module now supports provisioning Transfer Family web apps, offering a branded, managed web portal for users to browse, upload, and download data in Amazon S3. The module centralizes deployment with federated authentication via AWS IAM Identity Center and fine-grained permissions using S3 Access Grants. An included end-to-end example covers Identity Center user and group assignment, Access Grants setup, web app configuration, and CloudTrail auditing.
read more →

AWS VPC IPAM Enforces IP Allocation Policies for RDS, ALBs

🔒 Amazon VPC IPAM now supports centrally managed IP allocation policies for RDS instances and ALB resources, enabling administrators to enforce public IP assignment rules. The policies cover RDS, Application Load Balancers, NAT Gateways in regional mode, and Elastic IPs and cannot be overridden by application teams, improving compliance. Available in all AWS commercial and GovCloud (US) Regions, the capability is offered in both IPAM Free and Advanced tiers; the Advanced tier supports cross-account and cross-region policy application.
read more →

AWS IAM Identity Center Adds IPv6 Dual-Stack Endpoints

🌐 AWS now enables IPv6 connectivity to IAM Identity Center via newly introduced dual‑stack endpoints. Clients can connect using IPv6, IPv4, or dual‑stack, while existing IPv4-only endpoints remain available for backward compatibility. Dual‑stack endpoints resolve to an IPv4 or IPv6 address based on the client and network, helping organizations meet IPv6 compliance and reduce NAT complexity. Support is available in all Regions where the service operates, except AWS GovCloud (US) and Taipei.
read more →

Amazon warns of cryptomining campaign abusing AWS IAM

⚠️ Amazon's GuardDuty team is tracking an ongoing cryptomining campaign that uses compromised Identity and Access Management (IAM) credentials to abuse EC2 and ECS resources. The attacker deployed an yenik65958/secret Docker Hub image containing the SBRMiner-MULTI miner and configured large ECS tasks and auto-scaling EC2 groups to maximize mining. The actor also enabled instance termination protection to hinder remediation; Amazon has removed the malicious image, alerted affected customers, and recommends rotating compromised IAM credentials while following GuardDuty mitigation guidance.
read more →

AWS IAM Identity Center Now Available in Taipei Region

🔔 AWS has expanded IAM Identity Center to 37 AWS Regions with official availability in Asia Pacific (Taipei). The service is the recommended way to manage workforce access, offering single sign-on, centralized multi-account access, and integration with existing identity sources. It powers personalized experiences in AWS applications such as Amazon Q and supports user-aware data access controls for services like Amazon Redshift. IAM Identity Center is available at no additional cost in supported regions.
read more →

AWS Partner Central Added to AWS Management Console

🔔 AWS has integrated AWS Partner Central directly into the AWS Management Console, giving Partners streamlined access to Partner Central and the AWS Marketplace Management Portal. The release includes expanded APIs to automate co-sell workflows and Marketplace operations, plus enhanced security and user management built on AWS Identity and Access Management with granular permissions and SSO. The console experience is available in all Regions and migration guidance is provided in the existing portal.
read more →

AWS IAM Policy Autopilot generates baseline IAM policies

🔒 AWS announced IAM Policy Autopilot, an open-source MCP server and CLI that analyzes Python, TypeScript, and Go code locally to generate baseline, identity-based IAM policies for application roles. It integrates with AI coding assistants such as Kiro, Claude Code, and Cursor to speed policy creation. The tool stays current with AWS services and is available at no additional cost for local use. Generated policies are intended as starting points that require review and least-privilege refinement.
read more →

AWS previews MCP Server for AI agents across AWS ecosystem

🔧 The AWS MCP Server is now in preview and offers a managed remote Model Context Protocol (MCP) interface that consolidates the prior AWS API MCP and AWS Knowledge servers into a single endpoint. It enables AI agents and AI-native IDEs to access AWS documentation, generate and execute calls to over 15,000 APIs, and follow pre-built Agent SOPs to perform multi-step tasks. Authentication and authorization use AWS IAM, and audit logging is provided via CloudTrail; the service is available at no additional cost in US East (N. Virginia), with customers paying only for resources and data transfer.
read more →

AWS STS now supports dual‑stack IPv6 endpoints globally

🌐 AWS Security Token Service (STS) now supports IPv6 via new dual‑stack endpoints, allowing connections over IPv6, IPv4, or both. Dual‑stack access is supported over the public internet and privately from Amazon VPCs using AWS PrivateLink, so STS APIs can be invoked without traversing the public internet. This capability is available in all Commercial, GovCloud (US), and China Regions. Configure STS clients using the IAM user guide to enable dual‑stack endpoints.
read more →

SageMaker Studio: Long‑Running Sessions with Corporate IDs

⏳ Amazon SageMaker Unified Studio now supports long-running background sessions using corporate identities via AWS IAM Identity Center's trusted identity propagation (TIP). Users can launch interactive notebooks and data processing on SageMaker, Amazon EMR, and AWS Glue that persist when they log off or experience network or credential interruptions. Sessions retain corporate permissions and can run up to 90 days (default 7 days), reducing the need for continuous monitoring and improving productivity for multi-hour or multi-day workloads.
read more →

Amazon SageMaker Studio Integrates EMR on EKS with SSO

🔒 Amazon SageMaker Unified Studio now supports EMR on EKS as a compute option for interactive Apache Spark sessions, bringing containerized, large-scale distributed compute with automatic scaling and cost optimizations directly into the Studio environment. The feature adds trusted identity propagation through AWS Identity Center, enabling single sign-on and end-to-end data access traceability for interactive analytics. Data practitioners can use corporate credentials to access Glue Data Catalog resources from SageMaker JupyterLab while administrators retain fine-grained access controls and audit trails. This capability is available in all existing SageMaker Unified Studio regions.
read more →

AWS introduces aws login for secure developer access

🔐 The new aws login CLI command lets developers obtain temporary programmatic credentials using the same sign-in method as the AWS Management Console, eliminating the need to create and manage long-term access keys. The command opens a browser-based OAuth2 flow and supports root/IAM user sign-in as well as federated identity providers. Issued credentials auto-rotate every 15 minutes and remain valid up to the IAM session duration (maximum 12 hours). Aws login integrates with profiles, remote development workflows, AWS SDKs, AWS Tools for PowerShell, and legacy SDKs via credential_process.
read more →

AWS IAM Adds Outbound Identity Federation with JWTs

🔐 AWS Identity and Access Management (IAM) now supports outbound identity federation, enabling customers to exchange AWS credentials for short‑lived, cryptographically signed JSON Web Tokens (JWTs) to authenticate workloads with third‑party clouds, SaaS providers, and self‑hosted applications. Tokens include workload context so external services can enforce fine‑grained access control. Administrators can restrict who can generate tokens and configure token properties such as lifetime, audience, and signing algorithm via IAM policies, and audit issuance and usage through CloudTrail. The capability is available in all AWS commercial Regions, AWS GovCloud (US) Regions, and China Regions.
read more →

AWS IAM Temporary Delegation for Partner Product Integration

🔐 AWS Identity and Access Management (IAM) introduces temporary delegation, enabling time-limited, delegated access to Amazon and AWS Partner products for tasks like initial deployments, ad-hoc maintenance, and feature upgrades. The capability eliminates the need for persistent IAM roles, improves auditability, and reduces setup and operational burden. It is available in all AWS commercial Regions and is being adopted by partners such as Archera, Aviatrix, Databricks, HashiCorp, Qumulo, Rapid7 and others.
read more →

AWS enables console sign-in credentials for CLI and SDK

🔐 AWS now permits developers to use their existing AWS Management Console sign-in credentials for programmatic access via the AWS CLI, AWS Tools for PowerShell, and AWS SDKs after a brief browser-based authentication flow. The aws login command in AWS CLI v2.32.0 and later obtains automatically rotated, short-lived credentials to reduce reliance on long-term access keys. This capability is available in all commercial AWS regions and aims to streamline local development setup while improving security posture.
read more →

AWS IAM Adds aws:SourceVpcArn for Region Controls Support

🔒 AWS Identity and Access Management (IAM) introduces the global condition key aws:SourceVpcArn, which returns the ARN of the VPC where a VPC endpoint is attached. Administrators can apply this key in IAM policies to enforce region-based controls for resources accessed via AWS PrivateLink, restricting access to VPC endpoints in specified regions. The new condition key helps meet data residency and compliance requirements and is available in all commercial AWS Regions.
read more →