AWS Security Blog

Tag: Permissions

How to use customer managed policies in AWS IAM Identity Center for advanced use cases

September 23, 2022: This post had been updated to reflect main benefits on using CMPs with permission sets. Are you looking for a simpler way to manage permissions across all your AWS accounts? Perhaps you federate your identity provider (IdP) to each account and divide permissions and authorization between cloud and identity teams, but want […]

Build an end-to-end attribute-based access control strategy with AWS IAM Identity Center and Okta

April 25, 2023: We’ve updated this blog post to include more security learning resources. September 12, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here. IAM Identity CenterThis blog post discusses the benefits of using […]

How to use resource-based policies in the AWS Secrets Manager console to securely access secrets across AWS accounts

AWS Secrets Manager now enables you to create and manage your resource-based policies using the Secrets Manager console. With this launch, we are also improving your security posture by both identifying and preventing creation of resource policies that grant overly broad access to your secrets across your Amazon Web Services (AWS) accounts. To achieve this, […]

Tighten S3 permissions for your IAM users and roles using access history of S3 actions

September 28, 2023: IAM is incrementally adding support for actions from more services. For a list of services that report action last accessed information, see IAM action last accessed information services and actions. Customers tell us that when their teams and projects are just getting started, administrators may grant broad access to inspire innovation and […]

Use attribute-based access control with AD FS to simplify IAM permissions management

June 19, 2020: The Prerequisites section of this post has been updated to include the prerequisite to enable Sts:tagSession to the role trust policy. AWS Identity and Access Management (IAM) allows customers to provide granular access control to resources in AWS. One approach to granting access to resources is to use attribute-based access control (ABAC) […]

Identify unused IAM roles and remove them confidently with the last used timestamp

February 19, 2024: You can now use IAM Access Analyzer to easily identify unused roles. Read this blog post to learn more. November 25, 2019: We’ve corrected a documentation link. As you build on AWS, you create AWS Identity and Access Management (IAM) roles to enable teams and applications to use AWS services. As those […]

New! Set permission guardrails confidently by using IAM access advisor to analyze service-last-accessed information for accounts in your AWS organization

You can use AWS Organizations to centrally govern and manage multiple accounts as you scale your AWS workloads. With AWS Organizations, central security administrators can use service control policies (SCPs) to establish permission guardrails that all IAM users and roles in the organization’s accounts adhere to. When teams and projects are just getting started, administrators […]

Create fine-grained session permissions using IAM managed policies

As a security best practice, AWS Identity and Access Management (IAM) recommends that you use temporary security credentials from AWS Security Token Service (STS) when you access your AWS resources. Temporary credentials are short-term credentials generated dynamically and provided to the user upon request. Today, one of the most widely used mechanisms for requesting temporary […]

Automate analyzing your permissions using IAM access advisor APIs

As an administrator that grants access to AWS, you might want to enable your developers to get started with AWS quickly by granting them broad access. However, as your developers gain experience and your applications stabilize, you want to limit permissions to only what they need. To do this, access advisor will determine the permissions […]