#AwsIdentityAndAccessManagement
IAM Roles Anywhere now supports post-quantum digital certificates

AWS Identity and Access Management (IAM) Roles Anywhere (https://aws.amazon.com/iam/roles-anywhere/) now supports the FIPS 204 Module-Lattice Digital Signature Standard (ML-DSA, https://csrc.nist.gov/pubs/fips/204/final), a quantum-resistant digital signature algorithm standardized by the National Institute of Standards and Technology (NIST) to help protect against threat actors in possession of a large-scale quantum computer. ML-DSA is particularly valuable for IAM Roles Anywhere customers who authenticate workloads to AWS using X.509 certificates issued by certificate authorities, where a weakened signature algorithm could allow an unintended user to issue certificates and obtain unauthorized access.

IAM Roles Anywhere enables workloads running outside of AWS to obtain temporary AWS credentials using X.509 certificates to access AWS resources. You establish trust between your AWS environment and your public key infrastructure (PKI) by creating a trust anchor, either by referencing your AWS Private Certificate Authority (https://aws.amazon.com/private-ca/) or registering your own certificate authorities (CAs) with IAM Roles Anywhere. You can now use ML-DSA-signed CA certificates as IAM Roles Anywhere trust anchors, and issue end entity certificates bound to ML-DSA keys.

This feature is available in all AWS Regions where IAM Roles Anywhere is available (https://docs.aws.amazon.com/general/latest/gr/rolesanywhere.html), including the AWS GovCloud (US) Regions, AWS European Sovereign Cloud (Germany) Region, and China Regions. To learn more, see the IAM Roles Anywhere User Guide (https://docs.aws.amazon.com/rolesanywhere/latest/userguide/authentication-sign-process.html).

🆕 AWS IAM Roles Anywhere now supports post-quantum ML-DSA certificates for quantum-resistant signatures, letting workloads get temporary AWS credentials via X.509, boosting security against quantum threats. Available globally.

#AWS #AwsIdentityAndAccessManagement #AwsIam

AWS Security Token Service Now Supports Internet Protocol version 6 (IPv6)

AWS Security Token Service (STS) now supports Internet Protocol version 6 (IPv6) addresses via new dual-stack endpoints. You can connect to STS over the public internet using IPv6, IPv4, or dual-stack (both IPv4 and IPv6) clients. Dual-stack support is also available when you access STS endpoints privately from your Amazon Virtual Private Cloud (VPC) using AWS PrivateLink, allowing you to invoke STS APIs without traversing the public internet.

Support for dual-stack STS endpoints is available in all AWS Commercial Regions, AWS GovCloud (US) Regions, and China Regions. To get started, configure your STS client to use the new dual-stack endpoints using the configuration instructions in the IAM User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_dual-stack_endpoint_support.html).


#AWS #AwsSecurityTokenService #AwsIdentityAndAccessManagement

AWS Service Reference Information now supports SDK Operation to Action mapping

AWS is expanding service reference information to include which operations are supported by AWS services and which IAM permissions are needed to call a given operation. This will help you answer questions such as “I want to call a specific AWS service operation, which IAM permissions do I need?” You can automate the retrieval of service reference information, eliminating manual effort and ensuring your policies align with the latest service updates. You can also incorporate this service reference information directly into your policy management tools and processes for a seamless integration.

This feature is offered at no additional cost. To get started, refer to the documentation on programmatic service reference information (https://docs.aws.amazon.com/service-authorization/latest/reference/service-reference.html).


🆕 AWS offers SDK operation mapping in service reference info to help determine IAM permissions. Automate policy updates and integrate seamlessly at no extra cost. See the programmatic service reference for details.

#AWS #AwsIam #AwsIdentityAndAccessManagement

AWS adds support for three new condition keys to govern API keys for Amazon Bedrock

AWS today launched three new condition keys that help administrators govern API keys for Amazon Bedrock (https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html). The new condition keys help you control the generation, expiration, and the type of API keys allowed. Amazon Bedrock supports two types of API keys: short-term API keys valid for up to 12 hours or long-term API keys which are IAM service-specific credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_service-specific-creds.html) for use with Bedrock only.

The new iam:ServiceSpecificCredentialServiceName condition key lets you control what target AWS services are allowed when creating IAM service-specific credentials. For example, you could allow the creation of Bedrock long-term API keys but not credentials for AWS CodeCommit or Amazon Keyspaces. The new iam:ServiceSpecificCredentialAgeDays condition key lets you control the maximum duration of Bedrock long-term API keys at creation. The new bedrock:BearerTokenType condition key lets you allow or deny Bedrock requests based on whether the API key is short-term or long-term.

These new condition keys are available in all AWS Regions. To learn more about using the new condition keys, visit the IAM User Guide (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#available-keys-for-iam) or the Amazon Bedrock User Guide (https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-permissions.html).


🆕 AWS adds three new condition keys to govern API keys for Amazon Bedrock, controlling generation, expiration, and type. Available in all regions, these keys manage long-term credentials, short-term keys, and specific service access.

#AWS #AwsIdentityAndAccessManagement #AmazonBedrock

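The following identity-based policy is an added example showing how the three condition keys from the Bedrock post above fit together; it is not part of the original post and not AWS's own sample. The condition key names come from the post, but the service-name value "bedrock.amazonaws.com", the token-type value "long-term", the 30-day limit, the account ID 111122223333 and the choice of actions are assumptions made here. The first statement restricts iam:CreateServiceSpecificCredential so a user can only mint Bedrock long-term keys (not CodeCommit or Keyspaces credentials), only for themselves, and only with a lifetime of at most 30 days; the second statement denies model invocation when the caller presents a long-term key, so long-term keys cannot be used for that operation while short-term keys and SigV4-signed requests are unaffected (when the bedrock:BearerTokenType key is absent, the StringEquals condition does not match and the Deny does not apply).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSelfServiceBedrockLongTermKeysMax30Days",
      "Effect": "Allow",
      "Action": "iam:CreateServiceSpecificCredential",
      "Resource": "arn:aws:iam::111122223333:user/${aws:username}",
      "Condition": {
        "StringEquals": {
          "iam:ServiceSpecificCredentialServiceName": "bedrock.amazonaws.com"
        },
        "NumericLessThanEquals": {
          "iam:ServiceSpecificCredentialAgeDays": "30"
        }
      }
    },
    {
      "Sid": "DenyModelInvocationWithLongTermKeys",
      "Effect": "Deny",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "bedrock:BearerTokenType": "long-term"
        }
      }
    }
  ]
}
```

Because the first statement is an Allow scoped by both conditions, a CreateServiceSpecificCredential call that names a different service, targets another user, or requests a longer lifetime simply has no matching Allow and is refused by IAM's default deny; verify the exact value strings against the IAM and Bedrock User Guides linked in the post before deploying.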
IAM Access Analyzer now identifies who in your AWS organization can access your AWS resources

AWS Identity and Access Management (IAM) Access Analyzer now identifies who within your AWS organization has access to your Amazon S3, Amazon DynamoDB, or Amazon Relational Database Service (RDS) resources. It uses automated reasoning to evaluate all identity policies, resource policies, service control policies (SCPs), and resource control policies (RCPs) to surface all IAM users and roles that have access to your selected critical resources.

After the new internal access analyzer is enabled in the IAM console, the analyzer monitors your selected resources daily, and surfaces findings in a unified dashboard. The updated dashboard combines internal and external access findings to provide a 360-degree view of all access granted to your critical resources. Security teams can respond to new findings in two ways: taking immediate action to fix unintended access, or setting up automated notifications through Amazon EventBridge to engage development teams for remediation. Internal access findings provide security teams the visibility to strengthen access controls on their critical resources and help compliance teams demonstrate access control audit requirements.

Internal access findings are available in all AWS commercial Regions (https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/). To learn more about IAM Access Analyzer internal access findings:
- Read the AWS news blog post (https://aws.amazon.com/blogs/aws/verify-internal-access-to-critical-aws-resources-with-new-iam-access-analyzer-capabilities)
- Review the pricing page (https://aws.amazon.com/iam/access-analyzer/pricing)
- Visit the IAM Access Analyzer documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)


🆕 AWS IAM Access Analyzer now identifies internal access to S3, DynamoDB, and RDS resources within your organization, helping security teams manage and audit access controls. Available in all commercial regions. Learn more on the AWS news blog.

#AWS #AwsIdentityAndAccessManagement
