All news with #iam tag

📞 Outsourced helpdesks are increasingly targeted by vishing and other social‑engineering campaigns. Attackers can exploit service‑desk privileges to reset passwords, disable MFA, enroll devices or elevate access, enabling lateral movement. Clients should require evidence of ISO 27001 compliance, enforce least‑privilege, strict caller authentication and continuous, scenario‑based agent training. Technical controls such as caller ID spoofing detection, deepfake audio checks and MFA on helpdesk tools — combined with MDR monitoring — help close this gap.

🔐 Amazon Bedrock AgentCore Identity centralizes and secures identities and credentials for AI agents, integrating with existing identity providers such as Amazon Cognito to avoid user migration and rework of authentication flows. It provides a token vault encrypted with AWS KMS, native AWS Secrets Manager support, and orchestrates OAuth 2.0 flows (2LO and 3LO). Declarative SDK annotations and built-in error handling simplify credential injection and refresh workflows, helping teams deploy agentic workloads securely at scale.

🤖 Organizations are rapidly adopting agentic AI that does more than suggest actions—it opens tickets, calls APIs, and even remediates incidents autonomously. These agents differ from traditional Non-Human Identities because they reason, chain steps, and adapt across systems, making attribution and oversight harder. The author from Token Security recommends named ownership, on‑behalf tracing, and conservative, time‑limited permissions to curb shadow AI risks.

🔐 Ransomware intrusions increasingly begin with compromised identities: recent analyses attribute roughly three quarters of incidents to stolen or misused credentials. Defenses must shift from infrastructure-centric controls to identity-first models like Zero Trust, combining RBAC, MFA and context-aware authentication. Adaptive, risk-based access and passwordless methods reduce friction while improving detection and auditability. Regulatory regimes such as NIS2 and DORA further mandate auditable access controls.

🔒 This post contrasts Amazon Cognito's two primary UI approaches—managed login and a fully custom UI—and outlines feature, security, and operational trade-offs to guide architects and developers. Managed login (offered as a modern branding editor or the Hosted UI classic) offloads hosting, scaling, and maintenance while providing OAuth2 flows, federation with social and OIDC/SAML providers, passwordless options, and CloudTrail action logging. A custom UI gives full control over UX, session management, localization, and supports custom authentication flows via Lambda triggers, but requires development, hosting, and operational responsibility under the AWS Shared Responsibility Model.

🔐 The 2025 State of Cloud Security Report from Fortinet and Cybersecurity Insiders highlights how accelerating cloud adoption and a widespread cybersecurity skills shortage are expanding organizational risk across SaaS, APIs, and hybrid environments. Many incidents result from human error — misconfigurations, exposed APIs, and overprivileged accounts — rather than sophisticated targeted attacks. The post recommends five practical measures, including embracing shared responsibility, enforcing MFA and least privilege, integrating security into CI/CD, automating configuration management, and monitoring SaaS and APIs, and stresses that tools must be paired with user awareness and cultural change.

🔒 CISOs are re-evaluating organizational roles, processes, and partnerships as AI accelerates both attacks and defenses. Leaders say AI is elevating the CISO into strategic C-suite conversations and reshaping collaboration with IT, while security teams use AI to triage alerts, automate repetitive tasks, and focus on higher-value work. Experts stress that AI magnifies existing weaknesses, so fundamentals like IAM, network segmentation, and patching remain critical, and recommend piloting AI in narrow use cases to augment human judgment rather than replace it.

🔐 Amazon SageMaker Unified Studio now supports corporate identities for interactive Apache Spark sessions using AWS Identity Center trusted identity propagation. Data engineers and scientists can sign on to JupyterLab Spark sessions with organizational credentials while administrators apply fine-grained access controls and maintain end-to-end data access traceability. The integration leverages AWS Lake Formation, Amazon S3 Access Grants, and Amazon Redshift Data APIs, and includes comprehensive AWS CloudTrail logging for interactive and background sessions to streamline compliance.

🔒 AWS Storage Gateway now supports VPC endpoint policies, allowing administrators to attach fine‑grained endpoint policies to VPC endpoints that control access to Storage Gateway direct APIs. Administrators can scope access by principal, action, and resource to reduce attack surface and enforce data protection controls. The capability is available in all Regions where Storage Gateway operates; review endpoint policies to align with your security and compliance requirements.

🔒 AWS has added four service-specific IAM condition keys for AWS Transfer Family, enabling administrators to write more granular policies and SCPs. These keys let you constrain server protocols, endpoint types, and storage domains at request time. For example, use transfer:RequestServerEndpointType to block public servers or transfer:RequestServerProtocols to allow only SFTP. The keys are available in all Regions where the service is offered.

🔔 AWS IAM Identity Center is now deployable in 36 AWS Regions, including Asia Pacific (Bangkok) and Mexico Central (Querétaro). The service provides centralized workforce access, single sign-on, and integration with existing identity sources to streamline account and application access across AWS. It powers personalized experiences in AWS applications such as Amazon Q and supports user-aware access auditing for services like Amazon Redshift. IAM Identity Center is available at no additional cost in these Regions.

🔒 Security hardening boosts protection for organizations, especially SMBs, by reducing their attack surface without large additional investments. Key measures include strong authentication and authorization—enforcing strict passwords, multifactor authentication, least-privilege access and network access controls—alongside timely patching, data encryption and segmented, tested backups. Regular staff training, account audits and permission reviews complete a practical, low-cost defense posture.

🔐 AWS Lambda now supports code signing in AWS GovCloud (US-West and US-East) through the managed AWS Signer service. Lambda validates signatures at deployment to ensure code has not been altered and that it originates from trusted signers. Administrators can create Signing Profiles, bind allowed profiles to functions, and configure whether failed signature checks produce warnings or reject deployments. Access and permissions are controlled via IAM, and there is no additional charge to use this capability.

🔒 Tenfold’s Community Edition offers a free, full-featured Identity Governance & Administration (IGA) platform for organizations of up to 150 users. Its no-code interface enables automated role-based onboarding and offboarding using configurable profiles, and supports self-service password resets and access requests with customizable approval workflows. The solution analyzes Active Directory, SharePoint and Microsoft 365 permissions, helps identify unwanted external sharing, and automates scheduled access reviews to reduce privilege creep and IT helpdesk workload.

🔐 Security leaders face a shifting threat landscape, tighter regulation, and increasing IT complexity, so a well-integrated toolset is essential. The article outlines 13 core solution categories — from XDR, MFA and IAM to DLP, CASB, backup/DR and AI‑SPM — and explains how each strengthens detection, access control, data protection and recovery. Emphasis is placed on integration, automation and real-time response to reduce manual verification and satisfy compliance and cyberinsurance requirements.

🔐 AWS announced that AWS Organizations service control policies (SCPs) now support the full IAM policy language, adding features such as NotAction, NotResource, resource-level Allow statements, conditions in Allow, and more flexible action wildcards. The update is available across AWS commercial and GovCloud (US) Regions. These changes simplify permission models, reduce prior workarounds (such as tagging-based exceptions), and make SCPs more expressive and concise. AWS recommends careful wildcard use and continuing to prefer explicit Deny statements for robust controls.

🔐 AWS Organizations now supports the full IAM policy language for service control policies (SCPs), allowing administrators to use conditions, individual resource ARNs, and the NotAction element with Allow statements. You can also apply wildcards at the beginning or middle of Action strings and use the NotResource element for finer scoping. These enhancements let teams create more concise and precise organizational guardrails to enforce least-privilege across accounts. The change is backward compatible and available in all AWS commercial and AWS GovCloud (US) Regions.

🔒 Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft for its continued use of the RC4 encryption algorithm. The letter highlights a technique called Kerberoasting, which exploits Kerberos ticket encryption to extract service account credentials. The complaint raises concerns about lingering support for weak ciphers in enterprise authentication.

🔐 Amazon RDS Proxy now supports end-to-end IAM authentication for Amazon Aurora and RDS database instances, allowing applications to authenticate through the proxy using AWS IAM without storing credentials in Secrets Manager. This reduces credential rotation overhead and simplifies credential management. The capability is available for MySQL and PostgreSQL in all Regions where RDS Proxy is supported.

🔐 Amazon Athena now supports single sign-on for its JDBC and ODBC drivers using AWS IAM Identity Center’s trusted identity propagation. With updated drivers (JDBC 3.6.0 and ODBC 2.0.5.0), analysts can connect from third‑party BI tools and SQL clients using corporate credentials while Lake Formation permissions are enforced and actions are logged. This removes the need for embedded credentials, simplifies identity‑based data governance, and streamlines access management across tools.