Security, Identity, and Compliance on AWS
Secure your workloads and applications in the cloud
Featured Solutions on AWS
Discover Purpose-Built Services, AWS Solutions, Partner Solutions, and Guidance to rapidly address your business and technical use cases.
What's new in Security, Identity, & Compliance?
AWS Control Tower now supports seven new compliance frameworks
Today, AWS announces that AWS Control Tower supports seven new compliance frameworks in Control Catalog. Control Catalog is the central place in AWS for searching and enabling managed controls. In addition to the existing frameworks, controls are now mapped to CIS-v8.0, FedRAMP-r4, ISO-IEC-27001:2013-Annex-A, NIST-CSF-v1.1, NIST-SP-800-171-r2, PCI-DSS-v4.0, and SSAE-18-SOC-2-Oct-2023.
To get started, navigate to the Control Catalog in AWS Control Tower and search for a framework such as PCI-DSS-v4.0 to view its related controls. This feature helps you meet your compliance requirements faster and with higher confidence. For programmatic access, use the new ListControlMappings API to search controls by framework, and take advantage of the updated ListControls and GetControl APIs, which now support GovernedResources, to understand the resource types governed by each control.
We've also introduced a new classification system to help you understand and manage controls. In addition to the new frameworks, controls in Control Catalog are now mapped to a domain (e.g., "Data Protection"), an objective (e.g., "Data Encryption"), and a common control (e.g., "Encrypt data at rest"). This clearer structure simplifies understanding, searching for, and deploying the controls you need. If you use AWS Config, you'll now see the same mapping of Config rules to compliance frameworks, domains, objectives, and common controls that you find in AWS Control Tower, giving you a unified experience across your AWS environment.
You can use Control Catalog with the new mappings in all AWS Regions where AWS Control Tower is available, including AWS GovCloud (US). To learn more, visit the AWS Control Tower User Guide.
AWS KMS adds support for post-quantum ML-DSA digital signatures
AWS Key Management Service (KMS) now supports the FIPS 203 Module-Lattice Digital Signature Standard (ML-DSA), a quantum-resistant digital signature algorithm designed to help organizations address emerging quantum computing threats. This post-quantum signature algorithm is one of the algorithms standardized by NIST to protect sensitive information well into the foreseeable future, including after the advent of cryptographically relevant quantum computers. ML-DSA is particularly valuable for manufacturers and developers who need to protect firmware and application code signing, where cryptographic signatures cannot be easily updated after deployment, and for organizations that require signatures on digital content to remain valid for several years.
The ML-DSA keys integrate with the existing KMS CreateKey and Sign APIs, enabling customers to preserve their established automation processes, IAM and KMS key policies, auditing capabilities, and tagging workflows. AWS KMS support for ML-DSA introduces three new key specs (ML_DSA_44, ML_DSA_65, and ML_DSA_87) that work with the post-quantum SigningAlgorithm ML_DSA_SHAKE_256, with support for both raw signatures and the pre-hashed variant (External Mu).
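The following example is added here to show what the "pre-hashed variant (External Mu)" mentioned above actually involves on the client side; it is not AWS code. It assumes that `GetPublicKey` returns the ML-DSA public key as a DER-encoded SubjectPublicKeyInfo (as KMS does for its other asymmetric key specs), that the KMS `Sign`/`Verify` `MessageType` value for this variant is spelled `EXTERNAL_MU`, that KMS's 4096-byte limit on `RAW` messages is the reason to use it, and that the FIPS 204 context string is empty. The key alias, the fake public key and the "firmware image" are constructed stand-ins. The block computes the FIPS 204 message representative `mu` with SHAKE256 and assembles the keyword arguments for `boto3`'s `kms.sign()`; the same `Message` and `MessageType` go to `kms.verify()` together with the signature.

```python
# Added example (not AWS code): preparing an ML-DSA signing request for AWS KMS.
# - raw_public_key_from_spki() extracts the raw ML-DSA public key from the DER
#   SubjectPublicKeyInfo blob that GetPublicKey returns (assumed encoding);
# - ml_dsa_external_mu() computes the FIPS 204 message representative mu, which is
#   what the KMS "External Mu" (pre-hashed) variant signs;
# - build_kms_sign_request() chooses RAW for short messages and EXTERNAL_MU for
#   payloads too large to send to KMS in a single Sign call.
import hashlib

# Raw public-key sizes in bytes for the three KMS key specs (FIPS 204, Table 2).
ML_DSA_PUBLIC_KEY_BYTES = {"ML_DSA_44": 1312, "ML_DSA_65": 1952, "ML_DSA_87": 2592}

# KMS accepts at most 4096 bytes in a RAW Sign request; larger payloads are
# pre-hashed client-side, which for ML-DSA means supplying mu.
KMS_RAW_MESSAGE_LIMIT = 4096


def _der_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def raw_public_key_from_spki(spki: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }.
    The raw ML-DSA key is the BIT STRING payload after its unused-bits byte."""
    tag, body, _ = _der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _algorithm, pos = _der_tlv(body, 0)  # AlgorithmIdentifier, not needed here
    tag, bit_string, _ = _der_tlv(body, pos)
    if tag != 0x03 or bit_string[0] != 0x00:
        raise ValueError("expected a BIT STRING with no unused bits")
    return bit_string[1:]


def ml_dsa_external_mu(public_key: bytes, message: bytes, ctx: bytes = b"") -> bytes:
    """FIPS 204 message representative:
         tr = SHAKE256(pk, 64)
         M' = 0x00 || len(ctx) || ctx || M     (0x00 is the pure ML-DSA domain separator)
         mu = SHAKE256(tr || M', 64)
    With MessageType EXTERNAL_MU, KMS signs mu directly; ctx is empty for KMS (assumption)."""
    if len(ctx) > 255:
        raise ValueError("FIPS 204 limits the context string to 255 bytes")
    tr = hashlib.shake_256(public_key).digest(64)
    m_prime = bytes([0x00, len(ctx)]) + ctx + message
    return hashlib.shake_256(tr + m_prime).digest(64)


def build_kms_sign_request(key_id: str, key_spec: str, public_key: bytes, message: bytes) -> dict:
    """Keyword arguments for boto3's kms.sign(). kms.verify() takes the same Message and
    MessageType plus the Signature, so a verifier must recompute mu exactly the same way."""
    expected = ML_DSA_PUBLIC_KEY_BYTES[key_spec]
    if len(public_key) != expected:
        raise ValueError(f"{key_spec} public key must be {expected} bytes, got {len(public_key)}")
    request = {"KeyId": key_id, "SigningAlgorithm": "ML_DSA_SHAKE_256"}
    if len(message) <= KMS_RAW_MESSAGE_LIMIT:
        request.update(Message=message, MessageType="RAW")
    else:
        request.update(Message=ml_dsa_external_mu(public_key, message), MessageType="EXTERNAL_MU")
    return request


if __name__ == "__main__":
    # Constructed stand-ins: a fake 1952-byte ML-DSA-65 public key and a 1 MiB "firmware image".
    fake_pk = bytes(range(256)) * 7 + bytes(160)
    firmware = b"\x7fELF" + bytes(1024 * 1024)
    req = build_kms_sign_request("alias/firmware-signing", "ML_DSA_65", fake_pk, firmware)
    print(req["MessageType"], req["Message"].hex()[:32])
    # With real credentials: signature = boto3.client("kms").sign(**req)["Signature"]
```

Because `mu` binds the public key (through `tr`) as well as the message, a signature produced for one KMS key cannot be replayed under another key even when the firmware bytes are identical, which is the property code-signing pipelines rely on when they pre-hash on a build host and sign in KMS.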
This new feature is generally available, and you can use ML-DSA in the following AWS Regions: US West (N. California) and Europe (Milan), with the remaining commercial AWS Regions to follow in the coming days. To learn more, see the AWS Security Blog post on creating post-quantum signatures using AWS KMS and ML-DSA, and the ML-DSA signing topic in the AWS KMS Developer Guide.
Amazon Verified Permissions reduces authorization request price by up to 97%
Today, Amazon Verified Permissions announces a price reduction for single authorization requests of up to 97%, to $5 per million API requests. This price reduction makes it substantially more cost-effective for customers to implement fine-grained authorization across all their applications, enabling authorization checks for every user action.
Amazon Verified Permissions is a scalable, fully managed authorization service that uses Cedar, an open-source policy language for access control. By decoupling permissions from application logic, Amazon Verified Permissions allows you to centrally manage authorization policies while improving your applications' security posture and development efficiency.
The price reduction applies to all AWS Regions where Amazon Verified Permissions is available starting June 12, 2025, at midnight UTC, and is enabled for all customers without any further action. The reduction applies to requests made to the isAuthorized and isAuthorizedWithToken APIs. The pricing for batch authorization requests and policy management operations remains unchanged. For more information about Amazon Verified Permissions pricing, visit the Verified Permissions pricing page or AWS Pricing calculator.
AWS WAF now supports automatic application layer distributed denial of service (DDoS) protection
Today, AWS announces enhanced application layer (L7) DDoS protection capabilities with faster automatic detection and mitigation, designed to respond to events within seconds. AWS WAF application layer (L7) DDoS protection is an AWS Managed Rule group that automatically detects and mitigates DDoS events of any duration to ensure your applications on Amazon CloudFront, Application Load Balancer (ALB) and other AWS services supported by WAF stay available and responsive to your users. This enhancement helps cloud security administrators and site reliability engineers protect applications while reducing the operational overhead of manually configuring and managing rules.
This AWS Managed Rule group monitors traffic data to establish a baseline within minutes of activation, then leverages machine learning models to detect anomalies from normal traffic patterns. When traffic deviates from the established baseline, the system automatically applies rules designed to address suspicious requests. You can configure rules to suit the needs of your applications, such as presenting a challenge or blocking a request.
AWS WAF application layer (L7) DDoS protection can be enabled by all AWS WAF and AWS Shield Advanced subscribers in all supported AWS Regions, except Asia Pacific (Thailand), Mexico (Central), and China (Beijing and Ningxia). You can deploy this AWS Managed Rule group for your Amazon CloudFront, ALB, and other supported AWS resources. See the Pricing page for more details.
To learn more about AWS WAF application layer (L7) DDoS protection, visit the AWS WAF documentation or the AWS WAF console. To get started, refer to our technical documentation for detailed information about enabling this feature to protect your web applications.
Amazon EKS Pod Identity simplifies the experience for cross-account access
Amazon EKS Pod Identity now provides a simplified experience for configuring application permissions to access AWS resources in separate accounts. With enhancements to EKS Pod Identity APIs, you can now seamlessly configure access to resources across AWS accounts by providing the resource account’s IAM details during the creation of the Pod Identity association. Your applications running in the EKS cluster automatically receive the required AWS credentials during runtime without requiring any code changes.
EKS Pod Identity enables applications in your EKS cluster to access AWS resources across accounts through a process called IAM role chaining. When creating a Pod Identity association, you can provide two IAM roles — an EKS Pod Identity role in the same account as your EKS cluster and a target IAM role from the account containing your AWS resources (like S3 buckets or DynamoDB tables). When your application pod needs to access AWS resources, it requests credentials from the EKS Pod Identity, which automatically assumes the roles through IAM role chaining to provide your pod with the necessary cross-account temporary credentials.
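The chain described above rests on two IAM policies in two accounts, and a misconfiguration on either side is the usual cause of an `AccessDenied` at runtime. The following example is added here and is not AWS or EKS code: it generates the trust and permissions policies for the EKS Pod Identity role (cluster account) and the target role (resource account), and checks that the chain is consistent and scoped to exactly those two roles. The account IDs and role names are constructed; `pods.eks.amazonaws.com` is the service principal EKS Pod Identity uses, and the `targetRoleArn` parameter name in the closing comment is my assumption about the association API.

```python
# Added example (not AWS or EKS project code): the two IAM policies behind an
# EKS Pod Identity cross-account association and a least-privilege check of the chain.
import json

PODS_SERVICE_PRINCIPAL = "pods.eks.amazonaws.com"


def pod_identity_role_trust_policy() -> dict:
    """Trust policy of the EKS Pod Identity role (cluster account): only the EKS
    Pod Identity service may assume it, and it must be allowed to tag the session."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": PODS_SERVICE_PRINCIPAL},
        "Action": ["sts:AssumeRole", "sts:TagSession"]}]}


def pod_identity_role_permissions(target_role_arn: str) -> dict:
    """Permissions policy on the Pod Identity role: for the chain it only needs
    to assume the one target role, named by ARN rather than by wildcard."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def target_role_trust_policy(pod_identity_role_arn: str) -> dict:
    """Trust policy of the target role (resource account): trusts exactly the Pod
    Identity role, not the whole cluster account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": pod_identity_role_arn},
        "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: dict):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def _principals(statement: dict, kind: str):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get(kind, []))


def account_of(arn: str) -> str:
    return arn.split(":")[4]


def check_role_chain(pod_role_arn, pod_role_trust, pod_role_permissions,
                     target_role_arn, target_trust) -> list:
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    # 1. The EKS Pod Identity service must be able to assume the pod role and tag the session.
    if not any(PODS_SERVICE_PRINCIPAL in _principals(s, "Service")
               and {"sts:AssumeRole", "sts:TagSession"} <= set(_as_list(s.get("Action", [])))
               for s in _allow_statements(pod_role_trust)):
        findings.append("pod identity role must trust pods.eks.amazonaws.com for sts:AssumeRole and sts:TagSession")
    # 2. The pod role must be allowed to assume the target role, ideally only that role.
    can_assume = False
    for s in _allow_statements(pod_role_permissions):
        if "sts:AssumeRole" in _as_list(s.get("Action", [])):
            resources = _as_list(s.get("Resource", []))
            can_assume |= target_role_arn in resources or "*" in resources
            if any("*" in r for r in resources):
                findings.append("pod identity role may assume roles by wildcard; scope Resource to the target role ARN")
    if not can_assume:
        findings.append("pod identity role is not allowed sts:AssumeRole on the target role")
    # 3. The target role must trust exactly the pod role ARN.
    trusted = False
    for s in _allow_statements(target_trust):
        if "sts:AssumeRole" in _as_list(s.get("Action", [])):
            principals = _principals(s, "AWS")
            trusted |= pod_role_arn in principals
            if "*" in principals:
                findings.append("target role trusts every AWS principal ('*')")
            if f"arn:aws:iam::{account_of(pod_role_arn)}:root" in principals:
                findings.append("target role trusts the whole cluster account rather than the pod identity role")
    if not trusted:
        findings.append("target role does not trust the pod identity role ARN")
    return findings


if __name__ == "__main__":
    # Constructed ARNs: cluster account 111111111111, resource account 222222222222.
    pod_role = "arn:aws:iam::111111111111:role/app-pod-identity"
    target_role = "arn:aws:iam::222222222222:role/app-data-access"
    print(json.dumps(target_role_trust_policy(pod_role), indent=2))
    print(check_role_chain(pod_role, pod_identity_role_trust_policy(),
                           pod_identity_role_permissions(target_role),
                           target_role, target_role_trust_policy(pod_role)))
    # The association itself (targetRoleArn is my assumed parameter name):
    # eks.create_pod_identity_association(clusterName="prod", namespace="app",
    #     serviceAccount="app-sa", roleArn=pod_role, targetRoleArn=target_role)
```

Trusting the cluster account's `:root` principal in the target role is the shortcut the check flags: it would let any role in the cluster account, not just the Pod Identity role bound to one service account, reach the resource account.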
This feature is available in all AWS Regions where Amazon EKS is available. To learn more, see Access AWS Resources using EKS Pod Identity Target IAM Roles.
AWS KMS launches on-demand key rotation for imported keys
AWS Key Management Service (KMS) is announcing support for on-demand rotation of symmetric encryption KMS keys with imported key material. This new capability enables you to rotate the cryptographic key material of Bring Your Own Keys (BYOK) keys without changing the key identifier (key ARN). Rotating keys helps you meet compliance requirements and security best practices that mandate periodic key rotation.
Organizations can now better align key rotation with their internal security policies when using imported keys within AWS KMS. This new on-demand rotation capability supports both immediate rotation as well as scheduled rotation. Similar to flexible rotation for standard KMS keys, this new rotation capability offers seamless transition to new key material within an existing KMS key ARN and key alias, with zero downtime and complete backwards compatibility with existing data protected under this key.
On-demand key rotation is available in all AWS Regions, including the AWS GovCloud (US) Regions and the China Regions. To learn more, see the AWS Security Blog post on using on-demand rotation with imported keys, and the on-demand rotation topic in the AWS KMS Developer Guide.
Announcing ASN match support for AWS WAF
AWS WAF now supports matching incoming requests against Autonomous System Numbers (ASNs). By monitoring and restricting traffic from specific ASNs, you can mitigate risks associated with malicious actors, comply with regulatory requirements, and optimize the performance and availability of your web applications. The new ASN match statement integrates with existing WAF rules, making it easy to incorporate ASN-based security controls into your overall web application defense strategy.
You can specify a list of ASNs to match against incoming requests and take an action such as blocking or allowing the request. You can also use the ASN in rate-based rule statements. These rules aggregate requests according to your criteria, then count and rate-limit them based on the rule's evaluation window, request limit, and action settings.
The ASN match statement is available in all AWS Regions where AWS WAF is available. Rate-based rule support for ASN is available in the Regions where enhanced rate-based rules are currently supported. There is no additional cost for using ASN in match statements and rate-based rules; standard AWS WAF charges still apply. For more information about the service, visit the AWS WAF page. For more information about pricing, visit the AWS WAF Pricing page.
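To make the two rule types above concrete, here is an added example (not AWS code) that builds an ASN match rule and an ASN-keyed rate-based rule in AWS WAF's JSON rule form, and then runs a small local model of the rate-based semantics, aggregating by ASN, counting within the evaluation window, and blocking above the limit, over constructed request records. The JSON key names (`AsnMatchStatement`, `AsnList`, the `ASN` custom aggregation key) are written from memory of the WAF API and should be checked against the current AWS WAF API reference before use; the ASNs are from the range RFC 5398 reserves for documentation, and the simulator is an idealised sliding window, whereas WAF evaluates rate-based rules periodically.

```python
# Added example (not AWS code): an ASN match rule, an ASN-keyed rate-based rule,
# and a local simulator of the rate-limiting semantics over constructed requests.
from collections import defaultdict, deque

# AWS WAF accepts these evaluation windows (seconds) for rate-based rules.
VALID_EVALUATION_WINDOWS = (60, 120, 300, 600)


def visibility(name: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def asn_match_rule(name: str, asns, action: str = "Block", priority: int = 0) -> dict:
    """Rule that fires when the request's source ASN is in the list.
    Statement key names are my recollection of the WAF rule JSON (assumption)."""
    return {"Name": name, "Priority": priority,
            "Statement": {"AsnMatchStatement": {"AsnList": sorted(set(asns))}},
            "Action": {action: {}}, "VisibilityConfig": visibility(name)}


def asn_rate_rule(name: str, limit: int, window_sec: int, priority: int = 1) -> dict:
    """Rate-based rule that aggregates requests by source ASN (custom key 'ASN')."""
    if window_sec not in VALID_EVALUATION_WINDOWS:
        raise ValueError(f"EvaluationWindowSec must be one of {VALID_EVALUATION_WINDOWS}")
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": {
                "Limit": limit, "EvaluationWindowSec": window_sec,
                "AggregateKeyType": "CUSTOM_KEYS", "CustomKeys": [{"ASN": {}}]}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}


class AsnRateLimiter:
    """Idealised sliding-window counter per ASN. WAF evaluates rate-based rules
    periodically, so real enforcement lags a little behind this model."""

    def __init__(self, limit: int, window_sec: int):
        self.limit, self.window = limit, window_sec
        self._recent = defaultdict(deque)

    def evaluate(self, asn: int, t: float) -> str:
        q = self._recent[asn]
        q.append(t)
        while q and q[0] <= t - self.window:  # drop requests that left the window
            q.popleft()
        return "Block" if len(q) > self.limit else "Allow"


def evaluate_requests(requests, blocked_asns, limit: int, window_sec: int) -> list:
    """requests: iterable of (timestamp_sec, asn, path), in time order.
    Returns (t, asn, path, decision) tuples; the ASN match rule has the lower
    priority number, so it is evaluated before the rate-based rule."""
    limiter = AsnRateLimiter(limit, window_sec)
    blocked = set(blocked_asns)
    decisions = []
    for t, asn, path in requests:
        if asn in blocked:
            decisions.append((t, asn, path, "Block:asn-match"))
        else:
            decisions.append((t, asn, path, f"{limiter.evaluate(asn, t)}:rate-limit"))
    return decisions


def constructed_requests() -> list:
    """Constructed traffic: documentation ASNs 64496-64511 (RFC 5398)."""
    reqs = [(t, 64496, "/login") for t in range(3)]              # ASN on the block list
    reqs += [(t, 64497, "/api/search") for t in range(15)]       # 15 requests in 15 s: a burst
    reqs += [(t * 20, 64498, "/") for t in range(3)]             # ordinary low-rate traffic
    return sorted(reqs)


if __name__ == "__main__":
    rules = [asn_match_rule("block-listed-asns", [64496]), asn_rate_rule("limit-per-asn", 10, 60)]
    for d in evaluate_requests(constructed_requests(), {64496}, limit=10, window_sec=60):
        print(d)
```

With a limit of 10 over a 60-second window, the eleventh and later requests from ASN 64497 are blocked while its first ten pass, which is why a rate-based rule on ASN is a softer control than a plain ASN match: it tolerates a legitimate network's normal volume and acts only on the excess.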
AWS Network Firewall launches new monitoring dashboard
Today, AWS announces the launch of a new monitoring dashboard in the AWS Network Firewall console, enhancing customers' ability to monitor their network traffic. This new feature provides visibility into network activity, allowing for more effective management and troubleshooting of firewall configurations.
The new dashboard offers insights into traffic patterns, including top traffic flows, TLS Server Name Indication (SNI) values, and HTTP Host headers. This level of detail allows customers to quickly identify and analyze their most significant network interactions. Additionally, the dashboard provides visibility into long-lived TCP flows and flows where the TCP handshake failed, which is particularly useful for troubleshooting network issues and identifying potential security concerns.
This new monitoring dashboard is available in all AWS Regions where AWS Network Firewall is supported; see the AWS Region table. There are no additional AWS Network Firewall charges for using this dashboard. Please check Amazon CloudWatch pricing and Amazon Athena pricing to understand the charges related to logs and queries.
To take advantage of this new feature, customers need to configure flow logs and alert logs in their AWS Network Firewall and enable the monitoring dashboard. For more information on how to set up and use the new monitoring dashboard, please visit the AWS Network Firewall documentation or log in to the AWS Management Console.
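The dashboard is built on the flow logs and alert logs configured above, and the same signals can be pulled from those logs directly, for instance in an incident-response notebook when the console is not at hand. The following added example (not AWS code) parses flow log records and extracts the top flows by bytes, long-lived TCP flows, and flows whose TCP handshake never completed. The four records are constructed; their layout follows the Suricata EVE `netflow` schema that Network Firewall flow logs are based on, but the exact field names are an assumption to verify against your own log output.

```python
# Added example (not AWS code): extracting dashboard-style signals from AWS
# Network Firewall flow log records (constructed sample, Suricata-EVE-like layout).
import json

# Constructed sample records. A completed TCP handshake shows syn and ack; a flow
# with syn but no ack never got past the SYN, i.e. the handshake failed.
SAMPLE_FLOW_LOG = r"""
{"firewall_name":"fw-example","availability_zone":"us-east-1a","event_timestamp":"1717000000","event":{"timestamp":"2024-05-29T16:00:00.000000+0000","flow_id":1,"event_type":"netflow","src_ip":"10.0.1.10","src_port":50001,"dest_ip":"10.0.2.20","dest_port":443,"proto":"TCP","app_proto":"tls","netflow":{"pkts":240,"bytes":310000,"start":"2024-05-29T15:59:50.000000+0000","end":"2024-05-29T16:00:00.000000+0000","age":10},"tcp":{"tcp_flags":"1b","syn":true,"fin":true,"ack":true,"psh":true}}}
{"firewall_name":"fw-example","availability_zone":"us-east-1a","event_timestamp":"1717000000","event":{"timestamp":"2024-05-29T16:00:00.000000+0000","flow_id":2,"event_type":"netflow","src_ip":"10.0.1.11","src_port":50002,"dest_ip":"198.51.100.7","dest_port":8443,"proto":"TCP","netflow":{"pkts":3,"bytes":180,"start":"2024-05-29T15:59:57.000000+0000","end":"2024-05-29T16:00:00.000000+0000","age":3},"tcp":{"tcp_flags":"02","syn":true}}}
{"firewall_name":"fw-example","availability_zone":"us-east-1a","event_timestamp":"1717000000","event":{"timestamp":"2024-05-29T16:00:00.000000+0000","flow_id":3,"event_type":"netflow","src_ip":"10.0.1.12","src_port":50003,"dest_ip":"10.0.2.30","dest_port":22,"proto":"TCP","netflow":{"pkts":9000,"bytes":1200000,"start":"2024-05-29T13:00:00.000000+0000","end":"2024-05-29T16:00:00.000000+0000","age":10800},"tcp":{"tcp_flags":"1a","syn":true,"ack":true,"psh":true}}}
{"firewall_name":"fw-example","availability_zone":"us-east-1a","event_timestamp":"1717000000","event":{"timestamp":"2024-05-29T16:00:00.000000+0000","flow_id":4,"event_type":"netflow","src_ip":"10.0.1.13","src_port":5353,"dest_ip":"10.0.0.2","dest_port":53,"proto":"UDP","app_proto":"dns","netflow":{"pkts":2,"bytes":200,"start":"2024-05-29T15:59:59.000000+0000","end":"2024-05-29T16:00:00.000000+0000","age":1}}}
"""


def parse_flow_logs(text: str) -> list:
    """One JSON object per line; returns the nested 'event' objects of netflow
    records. Blank or malformed lines are skipped rather than aborting the run."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        event = record.get("event", {})
        if event.get("event_type") == "netflow":
            flows.append(event)
    return flows


def flow_key(flow: dict) -> tuple:
    """5-tuple used to name a flow in reports."""
    return (flow["src_ip"], flow["src_port"], flow["dest_ip"], flow["dest_port"], flow["proto"])


def failed_tcp_handshakes(flows: list) -> list:
    """TCP flows that carried a SYN but never an ACK: the peer did not answer, or a
    rule dropped the reply. Many of these to one destination port usually mean a
    stateful rule or route is wrong, or that the service is down."""
    return [f for f in flows if f["proto"] == "TCP"
            and f.get("tcp", {}).get("syn") and not f.get("tcp", {}).get("ack")]


def long_lived_flows(flows: list, min_age_sec: int) -> list:
    """Flows open at least min_age_sec seconds (netflow.age), the dashboard's
    'long-lived TCP flows' view generalised to any protocol."""
    return [f for f in flows if f["netflow"]["age"] >= min_age_sec]


def top_flows_by_bytes(flows: list, n: int = 5) -> list:
    return sorted(flows, key=lambda f: f["netflow"]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    flows = parse_flow_logs(SAMPLE_FLOW_LOG)
    print("top flows:", [(flow_key(f), f["netflow"]["bytes"]) for f in top_flows_by_bytes(flows, 2)])
    print("long-lived (>1h):", [flow_key(f) for f in long_lived_flows(flows, 3600)])
    print("failed handshakes:", [flow_key(f) for f in failed_tcp_handshakes(flows)])
```

A three-hour SSH flow and a SYN to an external host on port 8443 with no reply are exactly the two kinds of entries a responder would want to see first; the same functions run unchanged over a day's worth of records exported from CloudWatch Logs or queried through Athena.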
Customers
Snap
"We love it when we are able to simply provide extra security without any inconvenience. "
Roger Zou on Amazon GuardDuty, Snap Inc.