aws.amazon.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-17.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-04-17 | Practical steps to minimize key exposure using AWS Security (AWS) | Secrets | This resource details practical steps for minimizing AWS key exposure: detecting exposed and unused access keys using Amazon Q Developer and AWS IAM Access Analyzer. It emphasizes preventive guardrails with Service Control Policies (SCPs) and Resource Control Policies (RCPs) to establish data perimeters and restrict credential usage to expected networks. The guide also covers AWS WAF and Amazon Inspector for network-level controls, and automated secret rotation for ongoing security hygiene, addressing a common threat actor entry point: compromised long-term credentials. |
| 2026-04-11 | Amazon Verified Permissions - Cedar | AuthZ | Amazon Verified Permissions externalizes authorization and centralizes policy management, using the Cedar policy language to help developers build secure applications aligned with Zero Trust principles. It accelerates development by decoupling authorization from business logic and streamlines security with intuitive, policy-based access controls that support common frameworks. The service helps protect resources, manage user access according to the principle of least privilege, and make granular authorization decisions. Users include TELUS for smart home device permissions, Grosvenor Engineering Group for building asset access, and STEDI for protecting healthcare transaction endpoints. |
| 2026-04-10 | AWS Defense in Depth Against SSRF with EC2 IMDS | SSRF | Describes how the EC2 Instance Metadata Service (IMDS) was enhanced to defend against open firewalls, reverse proxies, and SSRF vulnerabilities. IMDSv2 introduces session-based authentication: an HTTP PUT request initiates a session and returns a secret token, which must then be included in subsequent requests. This mitigates open WAFs and open reverse proxies by checking for `X-Forwarded-For` headers, and many SSRF vulnerabilities by requiring both a PUT request and a valid session token. A final layer of defense against misconfigured layer-3 firewalls and NAT devices is achieved by setting the packet TTL to 1, preventing the session token from leaving the instance. |
| 2021-11-10 | How to Control Access to Your Amazon Elasticsearch Service Domain | AuthZ | Reference for controlling access to Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) domains. It details how to use AWS Identity and Access Management (IAM) through resource-based and identity-based policies. The entry also covers authentication strategies, including IP-based restrictions and Signature Version 4 signing, with examples for both Python and Java. |
| 2021-09-15 | Native Container Image Scanning in Amazon ECR | Supply Chain | Describes native container image scanning in Amazon ECR, which uses the CoreOS Clair open-source project for static analysis of OS packages against CVEs. The solution offers scheduled re-scans via Lambda functions and an HTTP API, or immediate scans in "scan-on-push" or "scan-on-demand" modes. It integrates with the AWS CLI and SDKs, providing actionable insights and drill-down into specific findings without requiring third-party licenses or infrastructure setup. |