Category: Advanced (300)

August 31, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info. In this post, I discuss how to use AWS Key Management Service (KMS) to combine […]

October 3, 2021: In the section “Step 3: Create the role for the sysadmin persona,” we’ve corrected step 1 to indicate that sign in occurs through the administrator account, rather than the member account. AWS Security Hub provides you with a comprehensive view of your security posture across your accounts in HAQM Web Services (AWS) […]

January 28, 2025: The following blog post highlights how to implement passwordless authentication with HAQM Cognito and WebAuthn. HAQM Cognito added support for passwordless authentication, including passkeys, email one-time passwords (OTPs), and SMS OTPs, for secure and seamless sign-ins. However, this blog post may still be of interest to you if you want to learn […]

October 23: This post has been updated to utilize Duo Web v4 SDK and OIDC approach for integration with Duo two-factor authentication. Adding multi-factor authentication (MFA) reduces the risk of user account take-over, phishing, and password theft. Adding MFA while providing a frictionless sign-in experience requires you to offer a variety of MFA options that […]

Many customers—especially large enterprises—run workloads across multiple AWS accounts and in multiple AWS regions. AWS Firewall Manager service, launched in April 2018, enables customers to centrally configure and manage AWS WAF rules, audit HAQM VPC security group rules across accounts and applications in AWS Organizations, and protect resources against distributed DDoS attacks. In this blog […]

Security teams that are responsible for securing workloads in hundreds of HAQM Web Services (AWS) accounts in different organizational units aim for a consistent approach across AWS Organizations. Key goals include enforcing preventative measures to mitigate known security issues, having a central approach for notifying the SecOps team about potential distributed denial of service (DDoS) […]

In this post, I review the options you have to protect your customer data when migrating or building new databases in HAQM Web Services (AWS). I focus on how you can support sensitive workloads in ways that help you maintain compliance and regulatory obligations, and meet security objectives. Understanding transparent data encryption I commonly see […]

April 25, 2023: We’ve updated this blog post to include more security learning resources. In this post, we walk you through scenarios that use AWS Firewall Manager to centrally manage security groups across your AWS Organizations implementation. Firewall Manager is a security management tool that helps you centralize, configure, and maintain AWS WAF rules, AWS […]

In this post, I show you how to create isolated AWS Cloud9 environments for your developers without requiring ingress (inbound) access from the internet. I also walk you through optional steps to further isolate your AWS Cloud9 environment by removing egress (outbound) access. Until recently, AWS Cloud9 required you to allow ingress Secure Shell (SSH) […]

September 23, 2020: The squid configuration file in this blog post and associated YAML template have been updated. September 4, 2019: We’ve updated this blog post, initially published on January 26, 2016. Major changes include: support of HAQM Linux 2, no longer having to compile Squid 3.5, and a high availability version of the solution […]