In Case You Missed Them: Some Recent Security Enhancements in AWS

With the steady cadence of updates and enhancements for AWS services, it can sometimes be easy to miss announcements about features that relate to security. Here are some recent security-related updates in AWS services that we’re excited about and that you might not have heard about.

AWS Trusted Advisor inspects your AWS environment and finds opportunities to save money, improve system performance and reliability, and help close security gaps. Trusted Advisor recently made available four of its most popular checks to all AWS users. Three of those checks pertain specifically to security:

• The Specific Ports Unrestricted check alerts you to overly permissive access to Amazon Elastic Compute Cloud (Amazon EC2) instances and helps you avoid malicious activities such as hacking, denial-of-service attacks, and loss of data.
• The IAM Use check determines whether you’ve followed the recommended practice of creating IAM users, groups, and roles to control access to your account instead of using your account credentials.
• The MFA on Root Account check determines whether you’ve enabled MFA for access to the AWS Management Console when you use your account (root) password.

Additional checks are available to customers who are signed up for Business or Enterprise-level support. For more details, see AWS Trusted Advisor for Everyone on the AWS blog and Controlling Access to the Trusted Advisor Console on the AWS website.

Amazon S3 recently added support for Server Side Encryption with Customer-provided Keys (SSE-C). When you use this feature, Amazon S3 encrypts your objects with encryption keys that you provide, so you get the benefits of using your encryption keys without the cost of managing your own encryption code. For details, see Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C) in the Amazon S3 documentation.

Amazon Cognito now provides identity and sync services for both mobile apps and web-based apps. Amazon Cognito brought many benefits to mobile apps that access AWS—unique user identities across devices, data sync, support for unauthenticated users, and of course a way for apps to access AWS without having to store credentials. These same benefits are all now available in the AWS SDKs that support web development. This includes the AWS SDK for JavaScript (both for the browser and node.js), AWS SDK for Java, AWS SDK for .NET, and AWS SDK for PHP. For more information, see Stefan Buliani’s recent post on the AWS Mobile Development blog: Use Amazon Cognito in your website for simple AWS authentication.

Amazon WorkSpaces added support for multi-factor authentication (MFA) as an extra layer of security. When MFA is enabled, users must provide a username and password as well as a one-time password (OTP) from an MFA device. MFA in Amazon WorkSpaces works in conjunction with a RADIUS server on your on-premises network. For more information, see the Amazon WorkSpaces documentation.

Elastic Transcoder added support for specifying individual resources in IAM policies. Administrators can control access not just to actions, but to which resources those actions apply to. For example, you can allow some users to perform all actions on all pipelines, but allow other users access only to certain pipelines or certain jobs. For details, see Controlling Access to Elastic Transcoder in the Elastic Transcoder documentation.

And that’s not even to mention a number of recent AWS security enhancements that we’ve described on this blog, including granular domain permissions in Amazon CloudSearch, tracking console sign-in events in AWS CloudTrail, and enhanced password management and credential reports in AWS IAM.

As always, if you have questions about these features or about AWS services, visit the AWS forums.

– Mike