Check best practices and security compliance for AWS accounts
Hi team, we want to do some audits on all our projects using AWS accounts. Are there any first items to start checking, or any specific checklist to go over when doing the audit, to make sure that best practices and security are implemented? Thank you!
Is it a good idea to have a single security group for multiple apps?
We have multiple apps which are more or less using the same incoming traffic rules. For half of the apps we are in a situation where we frequently need to change the egress IPs for a port. That requires us to rerun the CloudFormation stack every time it changes. Is it a good idea to have a single security group for all apps, which we map onto all app CloudFormation stacks, to reduce effort? I also have security considerations and best-practice rules in mind; I just wanted to have wise opinions.
Secure document transmission for face image extraction
We are trying to get customers' face image details using the AWS Rekognition `DetectFaces` API. We are passing the document in bytes as input, but this is highly restricted data as it contains unique customer information. `List<FaceDetail> detectFaces(@NonNull final byte[] bytes)` We know the service is supported over HTTPS and encrypted with TLS. Is this client-to-server channel safe from any external intrusion? Or does AWS Rekognition provide any encrypted input data transmission support, e.g. client-side encryption at rest?
SecurityHub to EventBridge
I have integrated GuardDuty with Security Hub. I am looking to filter and process only the GuardDuty findings that come via Security Hub in EventBridge. When I go to create a rule to process the messages in EventBridge, do I need to select the event source as GuardDuty or Security Hub?
Lambda in private subnet cannot reach DynamoDB
Hi! We are working on a POC related to hardening network security and resources. We used as a model the reference "Building a Basic Web Application", link: https://aws.amazon.com/getting-started/hands-on/build-web-app-s3-lambda-api-gateway-dynamodb/, where a Lambda invoked from API Gateway posts data into a DynamoDB table. Here are the changes made:

* The Lambda was set to be inside the VPC and within a private subnet.
* A NAT Gateway was added for internet access and linked to the route table of the private subnet.
* A VPC gateway endpoint was also added so the communication between the Lambda and DynamoDB can be done through the endpoint instead of over routes. This endpoint has also been added to the route table of the private subnet.

If we take the Lambda out of the VPC and configure it as "NONE" in the VPC settings, it works fine, just as it is supposed to work from the reference previously shared. We created another Lambda, using the "Hello World" template, added it to the same VPC, and it works fine. The problem here is with the Lambda that posts data into a DynamoDB table. Error message from Lambda: Task timed out. It seems that the issue is with the communication from Lambda to DynamoDB, since the other Lambda works fine inside the VPC. Any advice? Kindly/please help! Thank you! ![Reference Architecture](https://repost.aws/media/postImages/original/IMig5QmJK6Re-eqxLh5LLYvQ)
What is the main difference between DDoS testing and stress/load testing?
In many cases, a DDoS test is one kind of stress/load test. In the article "Network Stress Test" (https://aws.amazon.com/tw/ec2/testing/) it is not allowed to run a simulated DDoS test to try the limits of the service, while a stress/load test is OK. What is the difference between a DDoS test and a stress/load test in AWS's definition? Is there any clarifying explanation you can provide to me?
How does AWS reconfigure its network infrastructure on the fly?
As a former CCNA holder and someone who has both worked for Internet Service Providers and visited some of the very data centres that AWS likely operates out of (though it's of course impossible to confirm), I'm curious as to how exactly AWS manages the impressive feat of reconfiguring its network programmatically. The term Software Defined Networking springs to mind. But why is there so little transparency about it? Security through obscurity? I thought that died out a long time ago. It seems like AWS doesn't talk about it. Is this AWS policy?
How to connect to a private RDS PostgreSQL instance using pgAdmin locally?
![Enter image description here](https://repost.aws/media/postImages/original/IMdXBKQnVzQzS4I4yl9xEFog) Hello experts, from the above architecture diagram you will be able to get all the required information. Here are the doubts:

* **My goal is to connect to the RDS PostgreSQL engine from my pgAdmin locally and to build a dashboard using Tableau from that RDS database.**
* My EC2 instance will do the data extraction process and store it into the DB. Now I need to access the database whenever my EC2 instance is turned off, or directly connect to the DB from my pgAdmin locally; however, it should be present in a private subnet.

Any guidance and help will be really appreciated. As I'm a beginner, please help to solve this problem. 🙏🙂🙏
AWS S3 port 444 is open to the public internet
Hi, so I got a security assessment from my customer stating that port 444 is open on their S3 buckets. I checked and it is common for all buckets created. The HTTPS port 443 is open with bucketname.s3.region.amazonaws.com and the SSL certificate is correct. ![https 443 access is fine](https://repost.aws/media/postImages/original/IMtvcHr-CGTOir32EBcPe3qQ)

Now let's see the access on port 444. ![https 444 is SSL error](https://repost.aws/media/postImages/original/IMmU4ewSkpTjy647q55H0gGQ) As you can see, its SSL cert is for *.s3.region.vpce.amazonaws.com. So I tried to access the bucketname.s3.region.vpce.amazonaws.com domain and it isn't publicly resolved, which is understood since it only needs to be resolved inside a VPC, as it is for the VPC endpoint service. ![vpce domain is not resolved](https://repost.aws/media/postImages/original/IMRkVbkp-RRkev2vKmPx0t_g)

So I checked the IP with the `host` command and apparently my bucket domain name is an alias of s3-r-w.ap-south-1.amazonaws.com with the IP 126.96.36.199. I added it to my hosts file and the SSL for port 444 with the vpce domain works (expected). ![SSL issue is fixed after using vpce domain](https://repost.aws/media/postImages/original/IMt_lIGZ4ERymiPXmpxdHiLQ)

Now my question is why this port exists. While we access it via the VPC endpoint we still access port 443. So is there port forwarding while going through the VPCE, or is this port open for something else? Since S3 has a gateway VPC endpoint, does that mean all the public IPs need to be open? We also don't put vpce in the domain when we call the S3 endpoint with a VPCE, so does that mean there is a domain rewrite as well? If someone can let me know how this works, it will be really great. I can also inform my customer as such. Thank you.