All news with #aws iam tag

Simplified Amazon Bedrock Model Access and Governance Controls

🔐 Amazon Bedrock now automatically enables serverless foundation models in each AWS Region, removing the prior per-model enablement step and retiring the Model Access page and PutFoundationModelEntitlement IAM permission. Access is managed through standard AWS controls—IAM and Service Control Policies (SCPs)—so account- and organization-level governance remains intact. Existing model restrictions enforced by IAM or SCPs continue to apply, and previously enabled models are unaffected. Administrators should transition to scoped IAM/SCP policies and patterns such as wildcards and NotResource denies to maintain least-privilege control.

Amazon Bedrock automatically enables serverless models

🔓 Amazon Bedrock now automatically enables access to all serverless foundation models by default in all commercial AWS regions. This removes the prior manual activation step and lets users immediately use models via the Amazon Bedrock console, AWS SDK, and features such as Agents, Flows, and Prompt Management. Anthropic models remain enabled but require a one-time usage form before first use; completing the form via the console or API and submitting it from an AWS organization management account will enable Anthropic across member accounts. Administrators continue to control access through IAM policies and Service Control Policies (SCPs).

AWS Resource Explorer Enables Immediate Regional Discovery

🔍 AWS Resource Explorer now provides immediate access to resource search within each AWS Region without requiring prior activation. To start searching you need, at minimum, permissions granted by the AWS Resource Explorer Read Only Access or AWS Read Only Access managed policies, and you can discover resources via the Resource Explorer console, Unified Search, or AWS CLI/SDKs. To index the full inventory, including historical backfill and automatic updates, complete Resource Explorer setup so it can create a service-linked role. You can also enable cross-Region search with a single console click or the new CreateResourceExplorerSetup API, and the feature is available at no additional cost in supported Regions.

Amazon Cognito: Managed vs. Custom Login UI Options

🔒 This post contrasts Amazon Cognito's two primary UI approaches—managed login and a fully custom UI—and outlines feature, security, and operational trade-offs to guide architects and developers. Managed login (offered as a modern branding editor or the Hosted UI classic) offloads hosting, scaling, and maintenance while providing OAuth2 flows, federation with social and OIDC/SAML providers, passwordless options, and CloudTrail action logging. A custom UI gives full control over UX, session management, localization, and supports custom authentication flows via Lambda triggers, but requires development, hosting, and operational responsibility under the AWS Shared Responsibility Model.

Crimson Collective Targets AWS Cloud Instances for Theft

🔒 Researchers report the 'Crimson Collective' has been targeting long-term AWS credentials and IAM accounts to steal data and extort companies. Using open-source tools like TruffleHog, the attackers locate exposed AWS keys, create new IAM users and access keys, then escalate privileges by attaching AdministratorAccess. They snapshot RDS and EBS volumes, export data to S3, and send extortion notices via AWS SES. Rapid7 urges organisations to audit keys, enforce least privilege, and scan for exposed secrets.

SageMaker Unified Studio adds SSO for Spark sessions

🔐 Amazon SageMaker Unified Studio now supports corporate identities for interactive Apache Spark sessions using AWS Identity Center trusted identity propagation. Data engineers and scientists can sign on to JupyterLab Spark sessions with organizational credentials while administrators apply fine-grained access controls and maintain end-to-end data access traceability. The integration leverages AWS Lake Formation, Amazon S3 Access Grants, and Amazon Redshift Data APIs, and includes comprehensive AWS CloudTrail logging for interactive and background sessions to streamline compliance.

AWS Transfer Family Adds Four New IAM Condition Keys

🔒 AWS has added four service-specific IAM condition keys for AWS Transfer Family, enabling administrators to write more granular policies and SCPs. These keys let you constrain server protocols, endpoint types, and storage domains at request time. For example, use transfer:RequestServerEndpointType to block public servers or transfer:RequestServerProtocols to allow only SFTP. The keys are available in all Regions where the service is offered.

AWS Transfer Family Adds VPC Endpoint Policy Support

🔒 AWS now supports attaching VPC endpoint policies to Transfer Family interface VPC endpoints, enabling administrators to apply granular access controls to Transfer Family APIs. Administrators can restrict specific API actions, designate which principals may call them, and limit target resources. The capability integrates with existing IAM policies and organizational service control policies, and Transfer Family also supports FIPS 140-3 enabled VPC endpoints across all AWS Regions.

AWS Lambda Code Signing Now Available in GovCloud Regions

🔐 AWS Lambda now supports code signing in AWS GovCloud (US-West and US-East) through the managed AWS Signer service. Lambda validates signatures at deployment to ensure code has not been altered and that it originates from trusted signers. Administrators can create Signing Profiles, bind allowed profiles to functions, and configure whether failed signature checks produce warnings or reject deployments. Access and permissions are controlled via IAM, and there is no additional charge to use this capability.

Defense-in-Depth: Building an AWS Control Framework

🔒 This post outlines a practical, layered approach to reduce risk in AWS by moving beyond detective-only controls to a comprehensive defense‑in‑depth control framework. It recommends combining preventative, proactive, detective, and responsive controls across the resource lifecycle and illustrates how AWS services such as AWS Control Tower, AWS Organizations, Security Hub, and AWS Config enable that strategy. The guidance covers concrete patterns—from SCPs, RCPs and policy‑as‑code in CI/CD to automated remediation via Lambda and Systems Manager—to scale governance, reduce findings, and shorten remediation time.

Automating Security Hub Exceptions with Business Context

🔒 This post describes an automated approach to validate and document exceptions to AWS Security Hub findings, enabling security teams to enforce governance while developers request and implement compensating controls. The solution leverages EventBridge, SQS, Lambda, and DynamoDB to validate controls, collect evidence, and maintain an immutable audit trail. It preserves segregation of duties, supports multiple validation types, and includes deployment scripts and CloudFormation templates. The authors emphasize the reference architecture is a starting point and must be reviewed and adapted before production use.

AWS Organizations Adds Full IAM Policy Language to SCPs

🔐 AWS Organizations now supports the full IAM policy language for service control policies (SCPs), allowing administrators to use conditions, individual resource ARNs, and the NotAction element with Allow statements. You can also apply wildcards at the beginning or middle of Action strings and use the NotResource element for finer scoping. These enhancements let teams create more concise and precise organizational guardrails to enforce least-privilege across accounts. The change is backward compatible and available in all AWS commercial and AWS GovCloud (US) Regions.

Amazon GuardDuty Protection Plans and Threat Detection

🔐 Amazon GuardDuty centralizes continuous threat detection across AWS using AI/ML and integrated threat intelligence. It offers optional protection plans—S3, EKS, Runtime Monitoring, Malware Protection for EC2 and S3, RDS, and Lambda—that extend detections to service-specific telemetry and runtime behaviors. Built-in Extended Threat Detection correlates signals into high-confidence attack sequences and maps findings to MITRE ATT&CK, providing prioritized remediation guidance.

Amazon RDS Proxy Adds End-to-End IAM Authentication

🔐 Amazon RDS Proxy now supports end-to-end IAM authentication for Amazon Aurora and RDS database instances, allowing applications to authenticate through the proxy using AWS IAM without storing credentials in Secrets Manager. This reduces credential rotation overhead and simplifies credential management. The capability is available for MySQL and PostgreSQL in all Regions where RDS Proxy is supported.

AWS HealthImaging Adds OIDC for DICOMweb APIs Integration

🔐 AWS HealthImaging now supports OpenID Connect (OIDC) authentication for DICOMweb REST APIs, enabling OAuth 2.0–compatible identity providers to issue JWTs to authorize requests. You can integrate existing IdPs such as Amazon Cognito, Okta, or Auth0 to manage user accounts and access to DICOM resources. OIDC support is limited to DICOMweb REST API requests while native AWS IAM authentication remains available for all API calls and the feature is available in all regions where HealthImaging is generally available.

Amazon SageMaker Unified Studio Adds Custom Blueprints

🔧 AWS announced general availability of Custom Blueprints in Amazon SageMaker Unified Studio, enabling customers to supply their own managed IAM policies when creating project roles. Teams can replace or augment the default service-managed policies and use custom AWS CloudFormation templates to define infrastructure and parameters for resources such as Amazon EMR on EC2, AWS Glue Data Catalog, and Amazon Redshift. Sample templates are available in the SageMaker documentation, and the capability is offered in all AWS Commercial Regions where the next-generation SageMaker is available.

Amazon GuardDuty Adds Custom Entity Lists for Detection

🛡️ AWS announced general availability of Amazon GuardDuty custom threat detection using entity lists, expanding support beyond legacy IP-only lists to include domains and mixed IP/domain lists. The service adds a new finding type, Impact:EC2/MaliciousDomainRequest.Custom, when activity involves a listed domain. Entity lists can also be used to suppress alerts from trusted sources, and they simplify permissions and cross-region management. The capability is available in all Regions where GuardDuty runs, excluding China and GovCloud (US).

AWS adds condition keys to govern Amazon Bedrock API keys

🔐 AWS introduced three new IAM condition keys that let administrators govern API keys for Amazon Bedrock. The keys control which services can be issued service-specific credentials, the maximum allowable age of long-term Bedrock API keys at creation, and whether requests use short-term or long-term bearer tokens. These controls are available in all AWS Regions and are documented in the IAM and Bedrock User Guides.

AWS IAM: New VPC Endpoint Condition Keys for Perimeter

🔐 AWS Identity and Access Management (IAM) introduces three global condition keys — aws:VpceAccount, aws:VpceOrgPaths, and aws:VpceOrgID — to enforce that requests to resources or identities originate via VPC endpoints. These keys provide account-, organization-path-, and organization-level granularity, automatically scaling as endpoints are added or removed. Use them in new or existing SCPs, RCPs, resource-based, and identity-based policies. They are supported for selected services in commercial Regions where AWS PrivateLink is available.

AWS Adds VPC Endpoint Organization-Based Policy Keys

🔐 AWS introduced three new global IAM condition keys—aws:VpceAccount, aws:VpceOrgPaths, and aws:VpceOrgID—to simplify network-origin access controls across multiple accounts and OUs. These keys let administrators restrict resource access based on the account, organizational unit path, or organization that owns the VPC endpoint used for a request, reducing the need to enumerate VPC or VPC endpoint IDs. Example use cases include S3 bucket policies and centrally applied RCPs or SCPs to enforce corporate network perimeters and intra-organization segmentation; adoption depends on service support and testing prior to production rollout.