Authoring secure and functional policies just got a lot easier with over 100 policy checks from Access Analyzer. Here is why this launch 🚀 is a game changer (1/12)
The checks help you DURING policy authoring either in the IAM console or as part of your policy workflows with the API. (2/12)
There are 4⃣ types of checks including security warnings, errors, general warnings, and suggestions that guide your policy authoring. (3/12)
Each check shares actionable guidance to resolve the findings. There is also a doc link for each check to provide more detailed guidance. (4/12)
I have two favorite checks. 🥖 First is a security check for PassRole on *. Since most accounts have an admin role, granting access to pass all roles can lead to privilege escalation and is not recommended. 🥖 (5/12)
Second is invalid action; this helps you with typos and with removing any actions that are fake news. This helps overall policy hygiene 🚿, making your policies more readable and accurate. (6/12)
Access Analyzer also reports invalid services in policies. Turns out “Pickles” is not an AWS service…yet. (7/12)
You also get JSON errors. Go and fix all those missing curly brackets and commas. We have all been there. (8/12)
With policy validation, Access Analyzer moves analysis closer to policy creation, helping you catch and resolve any issues before you deploy them. (9/12)
🍾 We drank our own champagne (I love me some bubbles) and updated AWS managed policies using the same checks we are making available today. 🍾(10/12)
Finally, we are looking to add more checks to our policy validation. Send us your ideas! (11/12)
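To make the checks in this thread concrete, here is a small local linter that reproduces the three kinds of findings described above (a JSON syntax error, an invalid service or action, and a security warning for iam:PassRole on Resource "*"). This is an added example and not Access Analyzer's code: the action allowlist is a tiny constructed sample rather than the real AWS action catalogue, the sample policies are constructed, and the account ID is a placeholder.

```python
import fnmatch
import json

# Constructed sample of valid actions per service prefix; the real catalogue is far larger.
KNOWN_ACTIONS = {
    "s3": {"GetObject", "PutObject", "ListBucket"},
    "iam": {"PassRole", "GetRole", "ListRoles"},
    "ec2": {"DescribeInstances", "RunInstances"},
}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_passrole(actions):
    """True if any action (case-insensitive, wildcard-aware, like IAM) covers iam:PassRole."""
    for action in actions:
        if action == "*":
            return True
        if ":" in action:
            service, name = action.split(":", 1)
            if service.lower() == "iam" and fnmatch.fnmatchcase("passrole", name.lower()):
                return True
    return False


def validate_policy(policy_text):
    """Return a list of (level, message) findings for a JSON identity policy document."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        # A syntax error blocks every other check; report it alone.
        return [("ERROR", f"JSON syntax error at line {exc.lineno}, column {exc.colno}: {exc.msg}")]

    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                continue
            if ":" not in action:
                findings.append(("ERROR", f"Statement {idx}: invalid action '{action}' (expected service:Action)"))
                continue
            service, name = action.split(":", 1)
            if service.lower() not in KNOWN_ACTIONS:
                findings.append(("ERROR", f"Statement {idx}: invalid service '{service}' in '{action}'"))
                continue
            # Action names are case-insensitive and may contain wildcards (e.g. iam:Get*).
            if not any(fnmatch.fnmatchcase(known.lower(), name.lower())
                       for known in KNOWN_ACTIONS[service.lower()]):
                findings.append(("ERROR", f"Statement {idx}: invalid action '{action}'"))
        # PassRole on every role lets the principal hand an admin role to a service it controls.
        if stmt.get("Effect") == "Allow" and _grants_passrole(actions) and "*" in resources:
            findings.append(("SECURITY_WARNING",
                             f"Statement {idx}: iam:PassRole allowed on Resource \"*\"; "
                             "scope it to the specific role ARN(s)"))
    return findings


# Constructed sample policies (account ID 123456789012 is a placeholder).
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["iam:PassRole", "s3:GetObjct", "pickles:GetJar"],
                 "Resource": "*"}]
}"""

HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-task-role"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}"""

# Missing comma between "Effect" and "Action".
BROKEN_JSON = '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow" "Action": "s3:GetObject", "Resource": "*"}]}'

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY), ("broken", BROKEN_JSON)):
        print(label)
        for level, message in validate_policy(doc) or [("OK", "no findings")]:
            print(f"  [{level}] {message}")
```

The same warning fires for wildcard actions such as iam:* or * on Resource "*", because those also grant PassRole on every role; the hardened policy names the one role the application needs to pass.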
@AWSIdentity just supercharged 🔌 attribute-based access control (ABAC) by adding session tags 😱. This is a powerful capability and here are all the reasons why (1/9) aws.amazon.com/blogs/aws/new-…
Session tags enable you to pass attributes from your IdP to role sessions. This means your identity no longer goes “poof” 🌬️ when you federate into AWS (2/9)
You can use session tags for access control, and they act just like principal tags. This means your identity provider becomes the source of truth for access control in AWS (3/9)
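As an added example (not from the thread or from AWS) of how session tags act like principal tags: the role's trust policy must allow sts:TagSession for tags to be accepted at assume time, the ABAC permissions policy compares aws:ResourceTag/project with the policy variable ${aws:PrincipalTag/project}, and a deliberately minimal evaluator shows the outcome for a session tagged by the IdP. The account ID, IdP name, tag keys and the evaluator are constructed for illustration; the real decision is made by IAM, which handles far more than StringEquals on Allow statements.

```python
import re

# Trust policy on the target role. Without sts:TagSession, an AssumeRoleWithSAML
# call that carries session tags is rejected. Account ID and IdP name are placeholders.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/ExampleIdP"},
        "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

# ABAC permissions policy: no team or user is named; access follows the tags.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}},
    }],
}

_PRINCIPAL_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_allows_tagging(trust_policy):
    """True if some Allow statement in the trust policy grants sts:TagSession."""
    return any(stmt.get("Effect") == "Allow" and "sts:TagSession" in _as_list(stmt.get("Action"))
               for stmt in _as_list(trust_policy.get("Statement")))


def build_session_tags(role_tags, session_tags):
    """Principal tags visible to the session: the role's tags, with session tags
    (e.g. SAML attribute PrincipalTag:project from the IdP) overriding the same key."""
    merged = dict(role_tags)
    merged.update(session_tags)
    return merged


def is_allowed(policy, principal_tags, action, resource_tags):
    """Toy evaluator: Allow statements with StringEquals conditions only; no Deny handling."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt.get("Action")):
            continue
        matched = True
        for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            # A policy variable that refers to a tag the session does not carry cannot
            # resolve, so the condition fails rather than matching an empty string.
            if any(ref not in principal_tags for ref in _PRINCIPAL_TAG_VAR.findall(expected)):
                matched = False
                break
            expected = _PRINCIPAL_TAG_VAR.sub(lambda m: principal_tags[m.group(1)], expected)
            if key.startswith("aws:ResourceTag/"):
                actual = resource_tags.get(key.split("/", 1)[1])
            elif key.startswith("aws:PrincipalTag/"):
                actual = principal_tags.get(key.split("/", 1)[1])
            else:
                actual = None  # other condition keys are out of scope for this toy evaluator
            if actual != expected:
                matched = False
                break
        if matched:
            return True
    return False


if __name__ == "__main__":
    assert trust_policy_allows_tagging(TRUST_POLICY)
    session = build_session_tags({"team": "platform"}, {"project": "alpha"})  # constructed
    for secret_tags in ({"project": "alpha"}, {"project": "beta"}):
        print(secret_tags, is_allowed(ABAC_POLICY, session, "secretsmanager:GetSecretValue", secret_tags))
```

Because the project value comes from the IdP at federation time, moving a person between projects is a change in the IdP, not a new IAM policy; the same policy keeps working for every project tagged consistently on its resources.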