
Questions tagged with Security Identity & Compliance


I need to attach IAM role to my EC2 instance.

PentestEnvironment-Deployment-Role/octopus is not authorized to perform: iam:PassRole on resource. I have a CF template which creates the EC2 instance and IAM role for my env, and I create all of this env from a non-root account. The IAM policy for this account (only the main part):

```json
{
  "Sid": "IAM1",
  "Effect": "Allow",
  "Action": ["iam:PassRole"],
  "Resource": ["arn:aws:iam::*:role/Pentest-EC2-Role"],
  "Condition": {
    "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" },
    "StringLike": { "iam:AssociatedResourceARN": ["arn:aws:ec2:us-west-2:*:instance/*"] }
  }
},
{
  "Sid": "IAM2",
  "Effect": "Allow",
  "Action": [
    "iam:GetRole", "iam:CreateRole", "iam:DeleteRole", "iam:DetachRolePolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:GetRolePolicy"
  ],
  "Resource": ["arn:aws:iam::*:role/Pentest-EC2-Role"]
},
{
  "Sid": "IAM3",
  "Effect": "Allow",
  "Action": ["iam:ListRoles"],
  "Resource": ["*"]
},
{
  "Sid": "IAM4",
  "Effect": "Allow",
  "Action": [
    "iam:GetPolicy", "iam:CreatePolicy", "iam:ListPolicyVersions",
    "iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:DeletePolicyVersion"
  ],
  "Resource": ["arn:aws:iam::*:policy/Pentest-AWS-resources-Access"]
},
{
  "Sid": "IAM5",
  "Effect": "Allow",
  "Action": [
    "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile",
    "iam:RemoveRoleFromInstanceProfile", "iam:AddRoleToInstanceProfile"
  ],
  "Resource": "arn:aws:iam::*:instance-profile/Pentest-Instance-Profile"
},
{
  "Sid": "EC2InstanceProfile",
  "Effect": "Allow",
  "Action": [
    "ec2:DisassociateIamInstanceProfile", "ec2:AssociateIamInstanceProfile",
    "ec2:ReplaceIamInstanceProfileAssociation"
  ],
  "Resource": "arn:aws:ec2:*:*:instance/*"
}
```

Why do I have this error?
1 answer · 0 votes · 26 views · asked 2 days ago

deny access to a specific idp provider while creating an iam role

Hello All,

We are using Landing Zone. Each sub account has its own admin users. I would like to implement this as a service control policy from the main account.

We have a job workflow in GitHub Actions which requests an access token from the AWS IdP provider that we created at our end. This short-lived access token is then passed on to an IAM role which is mentioned in the GitHub workflow. As part of creating the trust relationship of this IAM role, our ORG repo needs to be mentioned. However, this trust relationship can either be edited, or a second role with web identity federation can be created to bypass this trust relationship. This way the role can actually be used via a public repo as well. I would like to deny access to a specific IdP provider while creating an IAM role.

Sample code:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:ORG/*"
        }
      }
    }
  ]
}
```

Using the UpdateAssumeRolePolicy IAM action I can deny the ability to edit the trust relationship; however, as a workaround, admin users can still create a role with a custom string.

Let me know if you need any further information.

Thanks
dsids
1 answer · 0 votes · 33 views · asked 7 days ago

AWS Assume Role via .Net SDK gives Access Denied but works with CLI

I am trying to upload a file to S3 using AWS Assume Role. When I access it from the CLI it works fine, but from the .Net SDK it gives me an Access Denied error. Here are the steps I followed in the CLI:

1. Set up the access key/secret key for the user using **aws configure**
2. Assume the role: **aws sts assume-role --role-arn "arn:aws:iam::1010101010:role/Test-Account-Role" --role-session-name AWSCLI-Session**
3. Take the access key / secret key / session token from the assumed role and set up an AWS profile. The credentials are printed out/returned from the assumed role.
4. Switch to the assume-role profile: **set AWS_PROFILE=<TempRole>**
5. Verify that the user has the role: **aws sts get-caller-identity**
6. Access the bucket using the ls, cp or rm command: **works successfully.**

Now I am trying to access it from a .Net Core app. Here is the code snippet. Note that I am using the same access and secret key as the CLI from my local machine.

```csharp
try
{
    var region = RegionEndpoint.GetBySystemName(awsRegion);
    SessionAWSCredentials tempCredentials =
        await GetTemporaryCredentialsAsync(awsAccessKey, awsSecretKey, region, roleARN);

    // Use the temp credentials received to create the new client
    IAmazonS3 client = new AmazonS3Client(tempCredentials, region);
    TransferUtility utility = new TransferUtility(client);

    // making a TransferUtilityUploadRequest instance
    TransferUtilityUploadRequest request = new TransferUtilityUploadRequest
    {
        BucketName = bucketName,
        Key = $"{subFolder}/{fileName}",
        FilePath = localFilePath
    };
    utility.Upload(request); // transfer
    fileUploadedSuccessfully = true;
}
catch (AmazonS3Exception ex)
{
    // HandleException
}
catch (Exception ex)
{
    // HandleException
}
```

The method to get temp credentials, GetTemporaryCredentialsAsync, is as follows:

```csharp
private static async Task<SessionAWSCredentials> GetTemporaryCredentialsAsync(
    string awsAccessKey, string awsSecretKey, RegionEndpoint region, string roleARN)
{
    using (var stsClient = new AmazonSecurityTokenServiceClient(awsAccessKey, awsSecretKey, region))
    {
        var getSessionTokenRequest = new GetSessionTokenRequest { DurationSeconds = 7200 };

        // AssumeRole is called, but its response (the role's own credentials) is not captured
        await stsClient.AssumeRoleAsync(new AssumeRoleRequest()
        {
            RoleArn = roleARN,
            RoleSessionName = "mySession"
        });

        // The credentials returned below come from GetSessionToken, i.e. they belong to
        // the calling IAM user (the access key/secret key passed in), not to the role
        GetSessionTokenResponse sessionTokenResponse =
            await stsClient.GetSessionTokenAsync(getSessionTokenRequest);
        Credentials credentials = sessionTokenResponse.Credentials;

        var sessionCredentials = new SessionAWSCredentials(
            credentials.AccessKeyId, credentials.SecretAccessKey, credentials.SessionToken);
        return sessionCredentials;
    }
}
```

I am getting back the temp credentials, but it gives me Access Denied while uploading the file. Not sure if I am missing anything here. I also noted that the token generated via the SDK is shorter than the one from the CLI. I tried pasting these temp credentials into a local profile and then tried to access the bucket, and got the Access Denied error then too.
0 answers · 0 votes · 23 views · asked 23 days ago

KMS policy for cross account cloudtrail

Hi, I have CloudTrail enabled for the organization in the root account, and an S3 bucket in a security account (with KMS enabled). All logs from all accounts are hitting the bucket! I now need to enable KMS for CloudTrail, and I'm trying to follow the guide below in Terraform: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html

Using the code below:

```hcl
resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  is_enabled              = true
  enable_key_rotation     = true
  policy                  = <<POLICY
{
  "Sid": "Enable CloudTrail Encrypt Permissions",
  "Effect": "Allow",
  "Principal": { "Service": "cloudtrail.amazonaws.com" },
  "Action": "kms:GenerateDataKey*",
  "Resource": "${aws_kms_key.cloudtrail.arn}",   # THIS IS THE LINE THAT FAILS!
  "Condition": {
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": [
        "arn:aws:cloudtrail:*:xxx:trail/*",
        "arn:aws:cloudtrail:*:xx:trail/*"
      ]
    },
    "StringEquals": {
      "aws:SourceArn": "arn:aws:cloudtrail:eu-west-2:xxx:trail/organization_trail"
    }
  }
}
POLICY
}
```

But I'm getting this error:

```
Error: Self-referential block
│
│   on kms-cloudtrail.tf line 16, in resource "aws_kms_key" "cloudtrail":
│   16:   "Resource": "${aws_kms_key.cloudtrail.arn}",
│
│ Configuration for aws_kms_key.cloudtrail may not refer to itself.
```

I'm guessing I get the error because the KMS key doesn't exist yet, so it can't reference it? So is the document wrong, or am I misunderstanding something regarding it? Any help would be great!
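A complete key policy for the heredoc body, added here as an example and not copied from the question or from the AWS page: inside a KMS key policy, `"Resource": "*"` refers to the key the policy is attached to, so the key's own ARN is not needed and the self-reference disappears; the root-principal statement is the standard one that keeps the account able to administer the key. SECURITY_ACCOUNT_ID and MANAGEMENT_ACCOUNT_ID are placeholders for the account IDs the question masks.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::SECURITY_ACCOUNT_ID:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudTrail to describe key",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "kms:DescribeKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:eu-west-2:MANAGEMENT_ACCOUNT_ID:trail/organization_trail"
        }
      }
    },
    {
      "Sid": "Enable CloudTrail Encrypt Permissions",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": [
            "arn:aws:cloudtrail:*:MANAGEMENT_ACCOUNT_ID:trail/*"
          ]
        },
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:eu-west-2:MANAGEMENT_ACCOUNT_ID:trail/organization_trail"
        }
      }
    }
  ]
}
```

Whoever reads the encrypted log objects later also needs `kms:Decrypt` on this key, which this policy does not grant.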
2 answers · 0 votes · 47 views · asked a month ago

Config Advanced Query Editor - Return ConfigRuleName

I am using the AWS Config Service across multiple accounts within my Organization. My goal is to write a query which will give me a full list of non-compliant resources in all regions, in all accounts. I have an Aggregator which has the visibility for this task. The Advanced Query I am using is similar to the AWS [example in the docs](https://docs.aws.amazon.com/config/latest/developerguide/example-query.html):

```sql
SELECT
  configuration.targetResourceId,
  configuration.targetResourceType,
  configuration.complianceType,
  configuration.configRuleList,
  accountId,
  awsRegion
WHERE
  configuration.configRuleList.complianceType = 'NON_COMPLIANT'
```

However, the ConfigRuleName is nested within `configuration.configRuleList`, as there could be multiple config rules (hence the list) assigned to `configuration.targetResourceId`. How can I write a query that picks apart the JSON list returned this way? The results returned do not export to CSV very well at all. Exporting a JSON object within a CSV is unsuitable if we wanted to import this into a spreadsheet, for example, for viewing.

I have tried to use `configuration.configRuleList.configRuleName`, and this only returns `-`, even when the list has a single object within it.

If there is a better way to create a centralised place to view all my Org's non-compliant resources, I would like to learn about it. Thanks in advance.
0 answers · 0 votes · 7 views · asked 2 months ago

AWS Managed AD ADFS user sign-on URL is not accessible outside of ADFS server.

We have set up a test ADFS on a Windows Server 2019 EC2 instance in our AWS Managed Active Directory. We have enabled the ADFS sign-on page (example URL: https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx). ADFS is successful for signing in with our AD credentials, and for accessing our AWS Console when tested from our ADFS server.

The issue is that this URL only opens when directly logged into the ADFS Windows Server. This sign-on URL is not available from another Windows 2019 EC2 test server that is within the same VPC and subnet. All Security Group ports and Windows Firewalls are temporarily off on both EC2s. The servers can ping each other, and Nmap displays all the open ports on the ADFS server. Route 53 has a hosted zone for this AWS Managed domain name, and both the ADFS server and the test Windows 2019 server have DNS entries.

We need to test accessing the ADFS sign-on from outside of the ADFS server. Is there another ADFS URL for this purpose, or another ADFS configuration that is missing?

Both links below were used for setting up ADFS on AWS Managed AD:

https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/

Thank you.
1 answer · 0 votes · 9 views · asked 2 months ago

Control Tower - Disable Compliance Change Notifications

Hello, we are using Control Tower and we have subscribed email (Slack) notifications to the `aws-controltower-AggregateSecurityNotifications` SNS topic. We are receiving Control Tower drift notifications and AWS Config compliance change notifications as described in https://docs.aws.amazon.com/controltower/latest/userguide/compliance.html

We are especially interested in Control Tower drift notifications. Unfortunately, AWS Config compliance change notifications are too noisy: they notify on all compliance, noncompliance, and not_applicable events. The noise is caused by the rule `AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES`, which triggers a COMPLIANT notification each time a new EC2 node with EBS is provisioned and NOT_APPLICABLE when the node is shut down.

We are interested only in non-compliant notifications. Is it possible to change the behaviour? Or alternatively, is it possible to disable sending AWS Config compliance change notifications to the `aws-controltower-AggregateSecurityNotifications` topic altogether, so only Control Tower drift notifications would be sent to this topic?

I've noticed that the Event Rules which forward compliance change notifications are deployed by the stackset `AWSControlTowerBP-BASELINE-CLOUDWATCH` from the management account to all accounts, and there is a possibility to disable these notifications via the parameter `EnableConfigRuleChangeNotification`. Since the stackset is managed by Control Tower, I am not sure if we can change these settings. Could you please guide us on the recommended approach?

Thanks
Martin
1 answer · 0 votes · 58 views · asked 3 months ago

How to build a mechanism to govern multiple AWS data locking features?

**Background**

There is an identified need to govern the multiple data locking features that AWS provides, in the context of a multi-account environment with independent teams. If there is no governance, data locking might be enabled in various AWS accounts (in various regions), causing a potential compliance nightmare and related challenges to roll back if data is accidentally locked for multiple years. It seems the only way to exit compliance-mode data locking is to fully close the related AWS account (data then seems to be deleted after 90 days, even when locked).

Optimally, the use of AWS locking features would be allowed only by exception (after human review of each use case). Governance mode could be allowed by default for all accounts/resources, but it should be possible to prevent the use of compliance mode (in any AWS service that provides data locking) with SCPs in AWS Organizations.

At least these three operations have been identified as related to data locking:

* backup:PutBackupVaultLockConfiguration
* glacier:CompleteVaultLock
* s3:PutBucketObjectLockConfiguration

**Questions**

1. To deny all AWS data locking features, what IAM actions need to be denied with an SCP, in addition to the ones above?
2. Is the only way to exit the Backup Vault lock to close the related AWS account (with a 90 day grace period)?
3. How can one confirm the deletion of data related to the question above? The assumption is that data remains until the grace period has passed (90 days). Does AWS emit some logs (when an account is being closed) that prove the data has actually been wiped?
4. How can one list which data locks are currently in use? Is CloudTrail the only option?
5. Are there any other best practices to share for centrally governing the various AWS data locking features?
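An SCP of the kind the questions ask about, added here as an example and not taken from the question or from AWS documentation: it denies the three lock-configuration actions listed above plus `glacier:InitiateVaultLock` (the call that starts a Glacier vault lock), unless the caller is a role matching a hypothetical exception-role pattern, and separately denies S3 object-level retention in COMPLIANCE mode via the `s3:object-lock-mode` condition key while leaving GOVERNANCE mode available. The `DataLockException-*` role name is an assumption for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLockConfigurationUnlessExceptionRole",
      "Effect": "Deny",
      "Action": [
        "backup:PutBackupVaultLockConfiguration",
        "glacier:InitiateVaultLock",
        "glacier:CompleteVaultLock",
        "s3:PutBucketObjectLockConfiguration"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/DataLockException-*"
        }
      }
    },
    {
      "Sid": "DenyS3ComplianceModeRetention",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectRetention"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:object-lock-mode": "COMPLIANCE"
        }
      }
    }
  ]
}
```

Only the S3 statement distinguishes retention modes; the first statement blocks vault and bucket lock configuration in every mode, since this example does not rely on a condition key that separates Backup or Glacier lock modes. SCPs do not apply to the management account itself.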
0 answers · 0 votes · 22 views · asked 3 months ago

CloudFront returning header does not include settings

Hello, I have configured my CloudFront distribution to use a custom response header CORS policy:

```
Cross-origin resource sharing (CORS)
Access-Control-Allow-Credentials    true
Access-Control-Allow-Headers        content-type
Access-Control-Allow-Methods        GET OPTIONS
Access-Control-Allow-Origin         https://www.xxx.com
Access-Control-Expose-Headers       -
Access-Control-Max-Age (seconds)    600
Origin override
```

Request header:

```http
GET /index.m3u8 HTTP/2
Host: cdn.xxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Origin: https://www.xxx.com
Connection: keep-alive
Cookie: CloudFront-Policy=xxx; CloudFront-Signature=xxx; CloudFront-Key-Pair-Id=xxx;
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
TE: trailers
```

Response header:

```http
HTTP/2 200 OK
content-type: application/x-mpegURL
date: Mon, 07 Feb 2022 17:24:34 GMT
last-modified:
etag:
server: AmazonS3
content-encoding: gzip
vary: Accept-Encoding
x-xss-protection: 1
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000
access-control-allow-origin: https://www.xxx.com
vary: Origin
x-cache: Hit from cloudfront
via: cloudfront.net (CloudFront)
x-amz-cf-pop: HKG62-C2
x-amz-cf-id: 6K23FSOHSfGJli3mnSFRfs4nvYXgKw68Ul_s8b5PUsKLg1HrzLqL8w==
age: 3929
X-Firefox-Spdy: h2
```

I am trying to make an HLS request. The response includes access-control-allow-origin: https://www.xxx.com, but it does not include Access-Control-Allow-Credentials.
0 answers · 0 votes · 10 views · asked 5 months ago

Access Control in Secrets Manager for Federated Users

My scenario: I have my users in Azure AD. This is connected to AWS single-account SSO into an AWS account using an IAM SAML IdP (PS: we are not using the AWS SSO service). We are using AWS Secrets Manager and want to store per-user secrets using a secret name path (e.g. /usersecrets/<azure_ad_username>/<secret_name>). When the users log in using Azure AD auth, they automatically assume the attached IAM role.

I would like to do the following:

Requirement 1:

1. Allow users to list secrets, create secrets and get the secret value for any secret whose name is /usersecrets/<azure_ad_username>/* (here the azure_ad_username is what the AWS session sees when they assume the role to log in).
2. Deny access to any secret unless the request is coming from a federated user (i.e. local IAM users in the AWS account should not be able to see any secret in the path /usersecrets/<azure_ad_username>/*).

Requirement 2:

In addition to the federated Azure AD users, I also want to allow an EC2 instance role to be able to Get/List/Describe any secret. This EC2 role is in the same AWS account where the secrets are and is attached to all Windows Servers. This IAM role is to allow SSM Run Command to execute on these Windows machines and fetch the secret values (e.g. to get the secret of a user and create a local Windows user with the same name and password as in Secrets Manager using PowerShell).

Questions: Can you help with some sample IAM policy for the role, or a Secrets Manager resource policy, that I can use to meet both requirements?
1 answer · 0 votes · 16 views · asked 5 months ago