All news with #iam tag

🔐 AWS Managed Microsoft AD now supports certificate auto-enrollment for LDAPS and Smart Card authentication by integrating with AWS Private CA through the AWS Private CA Connector for AD. The integration automates issuance, renewal, and lifecycle management of domain controller certificates, removing the need to maintain CA infrastructure on Amazon EC2. This capability is available in all Regions offering the connector and can be configured via the console or API.

🔒 Microsoft is starting Phase 2 of mandatory multi-factor authentication for Azure resource management operations on October 1, 2025. Enforcement at the Azure Resource Manager layer will be applied gradually via Azure Policy, requiring users to complete MFA before performing management actions. Workload identities (managed identities and service principals) are not affected. Administrators should enable MFA, test policy in audit mode, and ensure Azure CLI 2.76 and Azure PowerShell 14.3 or later are in use for best compatibility.

🔐 Principal Financial replaced brittle knowledge-based authentication with a digital ID verification and biometric platform to block account takeovers. Using DIVA with a focus on facial recognition and an implementation by Onfido (an Entrust company), the insurer completed rollout within months. The change has virtually eliminated fraudulent registrations and improved user success and completion rates while preserving usability.

🔐 AWS introduced three new IAM condition keys that let administrators govern API keys for Amazon Bedrock. The keys control which services can be issued service-specific credentials, the maximum allowable age of long-term Bedrock API keys at creation, and whether requests use short-term or long-term bearer tokens. These controls are available in all AWS Regions and are documented in the IAM and Bedrock User Guides.

🔒 Today, AWS announced the ability to manage access to AWS Regions and AWS Local Zones from a single location in the AWS Management Console. The new AWS Global View Regions and Zones page lets customers view infrastructure location details, opt-in status, and parent Region relationships across multiple Regions. This centralizes monitoring and access control and is available in all AWS commercial Regions.

🔐 AWS Identity and Access Management (IAM) introduces three global condition keys — aws:VpceAccount, aws:VpceOrgPaths, and aws:VpceOrgID — to enforce that requests to resources or identities originate via VPC endpoints. These keys provide account-, organization-path-, and organization-level granularity, automatically scaling as endpoints are added or removed. Use them in new or existing SCPs, RCPs, resource-based, and identity-based policies. They are supported for selected services in commercial Regions where AWS PrivateLink is available.

🔒 Amazon EMR on EC2 now supports Apache Spark native fine-grained access control (FGAC) through AWS Lake Formation and adds support for AWS Glue Data Catalog views. These capabilities let administrators define and enforce granular Lake Formation policies once and apply them consistently to Spark jobs and interactive sessions, reducing administrative overhead and security risk. Access checks support named resource grants, data filters, and tag-based controls and are logged in AWS CloudTrail for auditing.

🔒 Amazon Verified Permissions is now available in Asia Pacific (Taipei), Asia Pacific (Thailand), Asia Pacific (Malaysia), and Mexico (Central), expanding regional coverage to 35 AWS Regions. The managed service provides scalable, fine-grained authorization using the open-source Cedar policy language, enabling applications to enforce permissions as policies rather than embedding them in code. Developers and administrators can define role-, attribute-, and context-aware access controls for APIs and application resources, simplifying authorization and improving governance.

🔒 This article outlines nine critical errors that can cost CISOs their positions, based on input from several industry leaders. It highlights risks such as overconfidence, unnecessary complexity, weak Governance, Risk & Compliance programs, and poor alignment with business priorities. The piece stresses practical prevention: prioritize access control and identity management, address the human factor, shrink stale data, break down silos, and avoid complacency to reduce breach risk and maintain executive trust.

🎨 Today AWS announced general availability of account color settings in the AWS Management Console across all Public Regions. Account administrators can assign a persistent color (for example, red for production or yellow for testing) that appears in the Console navigation bar for all authorized users, enabling quick visual identification of accounts. The default color is grey; viewing the color requires AWSManagementConsoleBasicUserAccess or the custom permission uxc:getaccountcolor.

🔒 McDonald's reportedly configured a major corporate system with the password 123456, illustrating a glaring failure in basic security hygiene. That weak credential makes systems trivially susceptible to brute-force and credential-stuffing attacks and indicates lax oversight of password policies, privileged accounts, and access controls. Immediate remediation should include forcing password rotation, deploying multi-factor authentication, implementing centralized secrets management, and auditing privileged access.

🔐 Amazon Relational Database Service (RDS) for SQL Server now supports Kerberos authentication when instances are joined to a self-managed Microsoft Active Directory. Previously, Kerberos integration required AWS Managed Microsoft AD; customers can now enable Kerberos authentication with their existing on-premises or self-managed AD environments. This change simplifies migrations and preserves enterprise identity configurations while continuing to support existing integrations with AWS Managed AD. The feature is available in all AWS Commercial and AWS GovCloud (US) Regions.

🔐 This AWS Security Blog post explains how to use Amazon GuardDuty to detect suspicious activity and automatically disable accounts in AWS Managed Microsoft AD. It walks through deploying a managed directory and a directory-administration EC2 instance, configuring AWS Systems Manager Run Command documents, and orchestrating those actions with AWS Step Functions triggered by Amazon EventBridge. The guide includes required permissions, testing steps using GuardDuty’s test domains, and notes on extending the automation to reset passwords or send notifications.

🔐 This AWS Security Blog post explains why long-term IAM access keys introduce exposure and operational risk, and outlines practical, more secure alternatives. It recommends browser-based CloudShell for CLI access, IAM Identity Center (with AWS CLI v2 and MFA) and IDE integrations for developer workflows, and IAM roles for compute and CI/CD. The post also covers external access options, emphasizes temporary credentials, and urges the principle of least privilege.