<ciso brief />

All news with #iam tag

174 articles

SageMaker adds catalog and governance for IAM domains

🛠️ Amazon SageMaker Unified Studio now adds business context, metadata, and data governance features for IAM-based domains. Customers can annotate AWS Glue Data Catalog tables with business names, descriptions, and README documentation, and use AI-generated metadata to automate cataloging. Teams can build business glossaries, define metadata form templates, and capture structured attributes like classification, retention, and ownership. These capabilities enable search, filtering by glossary or metadata fields, and access requests with automated Lake Formation permission grants, and are available in all regions where SageMaker Unified Studio is supported.

Automating identity lifecycle with AWS Directory APIs

🔒 AWS Managed Microsoft AD now supports CRUD operations on users and groups through the Directory Service Data APIs, accessible via the AWS CLI, APIs, and Management Console. This enables automation of identity lifecycle management and tighter security controls by integrating with services like Amazon GuardDuty, AWS Step Functions, and Amazon EventBridge. The blog demonstrates a practical workflow that detects unusual AD user behavior and triggers automated remediation such as disabling accounts and notifying stakeholders.

Why Amazon Bedrock AgentCore Chose Cedar Policies for Agents

🔒 Amazon explains how AgentCore Gateway enforces a centralized authorization layer between autonomous agents and external tools, treating the LLM as an untrusted actor. Policies are expressed in the open-source Cedar language for readability, bounded execution, and mathematical analyzability, enabling deterministic enforcement and formal verification during policy authoring and attachment. A neuro-symbolic workflow translates natural-language rules into Cedar, validates them with Cedar Analysis, and enforces decisions at runtime to constrain tool invocations and filter unavailable actions.

Agent AI Adoption Exposes Identity Gaps and Risks Now

⚠️ Orchid Security's Identity Gap: Snapshot 2026 reveals that unseen, unmanaged identity elements now exceed visible ones, with 'identity dark matter' at 57% versus 43%. The report warns that rapid adoption of Agent AI amplifies risk because autonomous agents look for the most efficient access paths, often exploiting hard-coded or orphaned credentials and excessive privileges. Orchid urges strengthening identity and access management controls and using its readiness checklist to mitigate exposures.

Regional Routing for AWS Access Portals with Vanity Domains

🌐 AWS outlines how to present a single, brand-aligned vanity entry point (for example, aws.mycompany.com) in front of IAM Identity Center multi-Region access portals. The approach uses Amazon Route 53 latency-based routing, Application Load Balancer 302 redirects, and optional Amazon ARC Region switches for automated failover while TLS is managed through AWS Certificate Manager. Traffic is directed to the nearest healthy regional portal and the vanity domain does not persist in the browser address bar.

Amazon Connect: Agents Can View Own Evaluations Securely

🛡️ Amazon Connect Customer now offers a permission that lets agents access only their own performance evaluations directly in the Connect UI. Agents can search for contacts where they received evaluations, view evaluations alongside call recordings and transcripts, and submit an acknowledgment after review. Administrators can grant department-level contact visibility for investigations while preventing access to peers' evaluation data. The feature is available in all AWS regions where Amazon Connect Customer is offered.

IAM Policy Autopilot Adds Java and Terraform Support

🔧 IAM Policy Autopilot now analyzes Java applications and cross-references Terraform definitions to produce more precise IAM policies. The open-source tool, introduced at re:Invent 2025, already supported Python, TypeScript, and Go, and is available at no additional cost for local use. By resolving resource ARNs from Terraform, generated policies can avoid broad wildcard permissions and better enforce least-privilege. This update speeds policy creation and reduces time spent troubleshooting access issues.

SageMaker Unified Studio adds identity and user controls

🔐 Amazon announced new administration features for SageMaker Unified Studio that give administrators finer control over identity configuration and user management across both IAM and IAM Identity Center domain types. Administrators can now configure AWS IAM Identity Center for SSO onboarding, add IAM roles, users, and groups as project members, and manage domain users from a consolidated admin portal. For Identity Center domains, federated access through IAM roles now produces unique user sessions so collaborators sharing a role do not overwrite each other and actions remain auditable. These updates enable teams to use corporate IAM or IAM Identity Center identities consistently across domains and simplify collaboration and auditing in the Studio environment.

AWS Marketplace Launches Agreements API for Procurement

🛒 AWS Marketplace announces the Agreements API, enabling programmatic procurement and agreement management for Marketplace products. With this API you can generate estimates, accept offers, track charges and entitlements, update purchase orders, and manage agreements within your existing tools and workflows. Combined with the Discovery API, it supports an end-to-end procurement journey from product discovery to purchase and allows partners to build custom storefronts. The Agreements API is available in the US East (N. Virginia) Region; get started by configuring AWS Identity and Access Management permissions and calling the API via the AWS SDK.

AWS Releases MCP Server for Secure Agent Access and Auditing

🔒 AWS has announced general availability of the AWS MCP Server, a managed endpoint that gives AI coding agents secure, auditable access to AWS services using the Model Context Protocol (MCP). The server is part of the Agent Toolkit for AWS and enforces IAM-based guardrails while emitting CloudWatch metrics and CloudTrail logs so teams keep visibility and control. It supports calling any AWS API through a single tool, sandboxed Python execution for multi-step tasks without filesystem or shell access, and a new agent skills format for on-demand, curated procedures. The service is available at no additional charge; customers pay only for the AWS resources agents consume.

AI Agents Inside Your Perimeter: Visibility & Control

🛡️ Analysts and Orchid Security warn that enterprises are deploying AI agents faster than governance can keep up, creating an invisible layer of "identity dark matter" that conventional IAM misses. Orchid Security inspects applications at the binary and configuration layer to discover agents, audit compliance, and locate static credentials. Its Ask Orchid assistant answers natural-language questions about active agents, NIST compliance, and credential risks, then recommends prioritized remediation. This in-application observability aims to close the structural gap in identity visibility and enforce purpose-bound, least-privilege controls.

AWS Adds STIG-Aligned Security Settings to Managed AD

🔒 AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) now offers expanded STIG-aligned security settings focused on high-impact directory controls. These settings are available today through a self-service interface, both programmatically and via the AWS Management Console, enabling administrators to declare desired configurations and have AWS implement and persist them. When new domain controllers are added or directories are scaled or deployed in additional regions, AWS automatically applies the declared settings to new instances to maintain consistency.

Amazon SES abused in phishing campaigns, Kaspersky warns

🔔 Kaspersky reports an increase in phishing campaigns that abuse Amazon Simple Email Service (SES) to send authenticated-looking malicious messages that can bypass reputation-based filters. Attackers are harvesting exposed AWS access keys from public repositories and assets, automating secret discovery, permission checks, and mass email distribution. Because messages originate from a trusted service, SPF, DKIM, and DMARC checks and IP blocks are often ineffective, prompting Kaspersky to recommend stricter IAM controls, MFA, key rotation, and IP restrictions.

IAM Roles Anywhere adds VPC endpoint policy control

🔒 IAM Roles Anywhere now lets you include the CreateSession API in VPC endpoint policies, enabling explicit allow or deny controls for session creation through endpoints. If CreateSession isn't explicitly allowed (or you don't permit all operations, e.g., "rolesanywhere:*"), requests made via the VPC endpoint will not return temporary AWS credentials. This closes a prior gap and delivers consistent, fine‑grained access control across all IAM Roles Anywhere API operations, available in all regions including GovCloud, European Sovereign Cloud, and China.

Amazon Bedrock AgentCore Identity Adds OBO Token Exchange

🔐 Amazon Bedrock AgentCore Identity now supports On-Behalf-Of (OBO) token exchange, enabling developers to build agents that securely access protected resources on behalf of authenticated users without additional consent flows. The OBO exchange issues a new, scoped-down access token that carries both the user and agent identities, granting just-in-time, least-privilege access to outbound services. This capability is generally available in 14 AWS Regions.

AWS Payment Cryptography Adds Multi-Party Approval

🔐 AWS Payment Cryptography now supports Multi-party approval (MPA) for importing root certificates, adding an extra governance layer to critical key management operations. Organizations using X.509 and PKI with asymmetric keys (RSA, ECC) can require two or more authorized approvers even if the requester holds IAM permissions. The capability integrates with AWS IAM Identity Center so teams can review and act on pending requests through a managed approval portal, and it is available in all regions where the service runs with no additional charge beyond standard API rates.

Eight Best Practices for CISOs Conducting Risk Reviews

📋 This blog by Rico Mariani outlines eight practical best practices for CISOs conducting risk reviews, focusing on identifying assets, applications, and access controls to shape review scope and priorities. It emphasizes good quality authentication (tokens and issuers like Microsoft Entra), robust authorization, network isolation, detection, and auditing to enable proactive security. The post also highlights commonly overlooked areas such as backups, support, and development systems to ensure comprehensive risk coverage.

Access Control with IAM Identity Center Session Tags

🔐 AWS IAM Identity Center centralizes workforce access and can consume session tags from external SAML providers such as Microsoft Entra ID to enable fine‑grained, attribute‑based access control (ABAC) across multiple AWS accounts. By mapping directory group attributes to session tags, administrators can dynamically apply permissions and runtime configuration—examples include selecting an AWS Glue usage profile or configuring Systems Manager Session Manager run‑as behavior. The post walks through SAML and SCIM setup, creating a custom permission set, mapping claims (for example AccessControl:glue:UsageProfile), testing job creation in the Glue console, and validating session tags via CloudTrail AssumeRoleWithSAML events.

Talos Year in Review: Five Priorities for Defenders

🔐 Cisco Talos’ Year in Review, authored by Hazel Burton, highlights how lower barriers to attack and rapid proof-of-concept development are stressing defenders. The report shows attackers increasingly rely on valid accounts, credential abuse, and management-plane targets while still producing detectable anomalous behavior. Recommended priorities include hardening IAM, prioritizing patching by exposure, improving visibility into legacy components, and securing systems that broker trust.

DORA and Operational Resilience: Credential Controls

🔐 DORA's Article 9 makes credential management a binding financial risk control for EU financial entities, requiring least-privilege access, phishing‑resistant FIDO2/WebAuthn authentication, and cryptographic key protection. The regulation extends to third-party providers and mandates evidenceable controls. Organisations must deploy vaulting, JIT access, and continuous monitoring to reduce dwell time and meet supervisory expectations.