Here is the latest from AWS Identity from November 2020 through February 2021. The features highlighted in this blog post can help you manage and secure your Amazon Web Services (AWS) environment. Identity services answer the question of who has access to what. They enable you to securely manage identities, resources, and permissions at scale and to operate your AWS environment more efficiently.
AWS Identity services include AWS Single Sign-On, AWS Directory Service, Amazon Cognito, AWS Identity and Access Management (IAM), AWS Resource Access Manager, and AWS Organizations. If you’re a security architect, you’ll want to consider the new features related to multi-factor authentication (MFA) and access control that can improve your security posture. If you’re an identity administrator, you might want an easier way to manage identities and their access in AWS. Regardless of your role, you’ll appreciate the visibility and efficiency improvements for centrally managing and governing AWS environments. Let’s review the latest changes and find where you can benefit!
Identity management launches
The identity management services provided by AWS Identity include AWS SSO, AWS Directory Service, and Amazon Cognito. They help you migrate existing workloads to AWS by providing flexible options for where and how you manage your employee, partner, and customer identities. To summarize, the releases discussed in this section provide more options for availability, authentication, and access control.
Microsoft Active Directory identities can now be synchronized with AWS SSO
AWS SSO lets you centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. AWS SSO synchronizes users, groups, and group memberships from Active Directory in addition to Azure AD, Okta, Ping Identity, and OneLogin. Now, any changes you make to user and group information in Active Directory is automatically reflected in AWS SSO, reducing your administrative effort to manage identities in AWS. AWS SSO integrated applications can use the identity data for fine-grained authorization, collaboration, and other in-application user experiences.
More options for MFA when using AWS SSO
AWS SSO now can require MFA for new users and use additional factors through WebAuthn support, which enables use of hardware and biometric authenticators such as YubiKeys and fingerprints. This new capability is available when using AWS SSO or Microsoft Active Directory as your identity source.
AWS Managed Microsoft AD instances are now available across Regions
You now can now deploy and use a single AWS Managed Microsoft AD (Enterprise Edition) directory across multiple AWS Regions. This change makes it easier and more cost-effective to globally deploy and manage Microsoft Windows and Linux workloads.
WorkSpaces now supports smart cards
Users can now authenticate with their smart cards into Amazon WorkSpaces with Active Directory Connector. This enables customers who use smart cards—such as US federal agencies—to access WorkSpaces with their cards instead of entering their user name and password. This feature supports pre-session and in-session authentication. Pre-session authentication is currently available only in the AWS GovCloud (US-West) Region.
Amazon Cognito joins AWS SSO in supporting ABAC for fine-grained permissions in AWS
Amazon Cognito identity pools now enable you to use attributes from social and corporate identity providers to make access control decisions and simplify permissions management to AWS resources. AWS SSO also recently launched attribute-based access control (ABAC) support, which enables you to create fine-grained permissions through attributes that are defined in your AWS SSO identity source, such as cost center and department. Learn more about ABAC from What is ABAC for AWS.
Access management launches
AWS IAM ties your identities to the resources they need access to. IAM provides the granularity to control a user’s access to specific AWS services and resources using permissions, which helps you to enforce least privileged access control. IAM also helps you analyze access across your AWS environment by identifying resources that can be accessed from outside your account.
More AWS services and resources now support tags and can be used for ABAC
IAM now allows you to use tags to manage and secure access to more resources, including customer managed policies, instance profiles, OpenID Connect providers, SAML providers, server certificates, and virtual MFAs. Tags and ABAC are also now supported on Amazon Managed Blockchain, Service Quotas, and AWS Key Management Service (AWS KMS).
IAM Access Analyzer now supports more resources that can be inspected for unintended external access
IAM Access Analyzer now analyzes AWS Secrets Manager resource-based policies for public access to secrets. This adds to the growing list of resources that you can analyze using Access Analyzer, including Amazon Simple Storage Service (Amazon S3) buckets, IAM roles, AWS KMS keys, AWS Lambda functions and layers, and Amazon Simple Queue Service (Amazon SQS) queues.
Resource management launches
AWS RAM is a service that enables you to more easily and securely share AWS resources with any AWS account or within your organization. You can share AWS Transit Gateway resources, subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules with AWS RAM. For a full list, see Shareable AWS resources.
AWS RAM enables sharing of Network Firewall resources
AWS Network Firewall is a highly available, managed network firewall service for your virtual private cloud (VPC). You can create and manage firewall policies and rule groups centrally, and share them through AWS RAM within your organization. For more information, see working with shared firewall policies and rule groups in the AWS Network Firewall developer guide.
Management and governance launches
AWS Identity management and governance services give you the ability to delegate administrative tasks and automate capabilities, like account creation, to make it easier to manage large, multi-account AWS environments. With AWS, you can also improve security and implement your compliance requirements by consistently enforcing who can create what type of resource and where.
AWS services with new or increased support for AWS Organizations
AWS CloudFormation StackSets now supports designating an AWS member account to be the delegated administrator for creating and managing stack sets for your entire organization. AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation.
AWS Personal Health Dashboard now supports organization-wide event aggregation. From a single dashboard, you have a complete view of health events, such as maintenance events, security vulnerabilities, and AWS service degradations affecting any account in your AWS organization.
AWS Audit Manager is a new service that’s integrated with Organizations and helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and well-known standards.
AWS Backup now supports cross-account backups in addition to cross-account management. You can deploy an organization-wide backup plan from the management account in your organization, ensuring backups are performed across all accounts and reducing overhead associated with managing separate backups for each account.
Amazon S3 Storage Lens now provides organization-wide visibility into object storage. With the latest updates, you can now understand, analyze, and optimize storage for your entire organization, specific accounts, Regions, buckets, or prefixes, even when it consists of hundreds of accounts across multiple Regions.
Finally, you can now use Trusted Advisor to generate reports with detailed check results across multiple accounts in your organization and use the AWS Management Console to view a high-level summary of check status.
Service Quotas now supports ABAC for quotas
With updated support for tagging and attribute-based access control, tags now can be applied to quotas, enabling you to easily identify, classify, or categorize applied quotas in your AWS account. Applied quotas, or account-specific quotas, are overrides that are specific to your account and that have been granted to you in the past. Additionally, you can now use these tags for ABAC. For example, you could allow only an administrator to request increases on production quotas or quotas with high cost tagged by a different cost center.
If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.