Questions tagged with Security, Identity, & Compliance
Pearson VUE revoked my SAA-C03
Hi AWS Team, I scheduled my exam for AWS SAA-C03 on 08-10-2021 and the Pearson VUE proctor was revoked. That was not my mistake: the proctor was trying to connect through OnVUE and it was not connecting, then he pinged in the chat, "I am calling your mobile, just pick up the call," and I picked up. I raised a support case with Pearson VUE on the same day and they said that after 14 days you can reschedule the exam. When I checked with them after 14 days, now they are saying to check with the AWS team. Pearson VUE case ID: XXXXXXXX. AWS Candidate ID: AWS03045655. I have already raised the AWS support case using https://support.aws.amazon.com/#/contacts/aws-training. I haven't heard back yet. I need to complete the certification ASAP as per my company guidelines. Kindly do the needful to reschedule the exam. Thanks. * Edit: Removed case ID — Aimee K.
Does EKS encrypt secrets by default?
I was going by the following [documentation](https://aws.github.io/aws-eks-best-practices/security/docs/data/#secrets-management). After reading this I understood about using KMS with EKS, but I am not able to understand whether EKS encrypts secrets by default, because Kubernetes by default does not encrypt and stores secrets in base64-encoded format; however, EKS uses AWS managed keys for the EBS volumes used for etcd nodes, as mentioned in the documentation. Pretty confusing.

> Kubernetes secrets are used to store sensitive information, such as user certificates, passwords, or API keys. They are persisted in etcd as base64 encoded strings. On EKS, the EBS volumes for etcd nodes are encrypted with EBS encryption.
Missing Authentication Token for createRestrictedDataToken operation
Executing the POST method of the createRestrictedDataToken operation of the Tokens API, I always get the same response: `"message": "Access to requested resource is denied.", "code": "MissingAuthenticationToken"`. I'm not sending any authentication token information in my POST call because there are no instructions telling how, when or where to do that. What am I missing? Or am I asking for access to the wrong path/data elements? I have set up my user and added roles within IAM management. Is that where the authentication comes from?
How to delete a service-linked role
I am trying to delete roles by [AWS instructions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role). It says, "If the role is being used, then you must wait for the session to end before you can delete the role". Unfortunately, I have no idea about ending sessions. Here I attach the profile of the role, where you can see many services. What should I do to delete this role? Any suggestions and help will be appreciated! My account was hacked; I have to delete the roles that the hacker created.

----

![Error report, and the profile of the role to be deleted](/media/postImages/original/IMi2RPouT-SseD5Gw29teQug)
How to export AWS Security Hub findings to CSV format
I'm trying to deploy this solution (https://aws.amazon.com/blogs/security/how-to-export-aws-security-hub-findings-to-csv-format/) but am running into this particular error: `"Invalid principal in policy (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy;"`. I'd appreciate it if someone could help me figure out what I could be doing wrong. Thanks all.
AWS Control Tower - Controls report false positive
We've recently noticed that the AWS Control Tower control "Detect whether MFA is enabled for AWS IAM users of the AWS Console" is reporting a false positive result (NON_COMPLIANT) for a user that was deleted over a week ago. One thing we have noticed is that the false positive result is being picked up in us-east-2, when normally IAM non-compliance is picked up in us-east-1, so I don't know whether this may be related to the incorrect results being displayed. Has anyone experienced this issue before? How do we get it resolved, as the results are misleading to users? Note: We have tried re-evaluating the AWS Config rule for the control and redeploying the Controls and Landing Zone in case it was a configuration issue, but it seems more related to a data issue being reported from IAM.
Cognito vs Identity Center (SSO)
I am building a web application. Customers should have a valid AWS account to onboard. Each customer could be a whole corporation on their own with their own identity provider. The application should authenticate users of each customer's org and authorize their access to certain APIs within my application. The application should also be able to run automation in the customer's AWS account by assuming a certain IAM role. Looking at identity solutions from AWS, I see native IAM, Cognito, and SSO. Native IAM doesn't present the identity of the user and their group membership to my application. Cognito seems to fit my use case. I can provide the customer with a CloudFormation template to run in their account to prepare things: a Cognito user pool, a certain group name that my application looks for, certain IAM roles for my application to assume, and a Cognito identity pool to exchange the user's authenticated identity for IAM temporary credentials to run automation in their account within a certain permissions scope. The customer can integrate Cognito with their own IdP to have centralized user and group management. Does this solution look sane? Does SSO provide better integration for my application? If yes, does SSO allow me to provide the customer with a CloudFormation template to configure their SSO before they can onboard to my application? Related Q prior to the re:Post era: https://stackoverflow.com/questions/48767172/whats-the-difference-between-aws-sso-and-aws-cognito - but it is not answered yet.
Automatic resource creation and ID checking.
Hey guys! I need a solution for a simple issue. Is there an automatic process to create resources on AWS and check their IDs for whether they contain particular numbers and letters? Like having a VPC, EC2, RDS, or S3, where the ID doesn't have the letter S or the number 8 in it. Like having a preferred ID of YcdrbA57Zfs6y5t28, and not ZoqhRtgfDfg4089g45. Maybe by setting up a stack or CloudFormation, or with policies. If not, then delete the resource and create a new one. Keep repeating it until it achieves the target IDs. Thanks!
Analytics Dashboard using AWS with access control
Hi, we want to publish an analytics dashboard with access controls to corporate clients. The login will be their corporate email, and we want to give them the ability to change their password. The dashboard will have functionality to view tabular data and charts, and also provide the ability to download a CSV file of the data. Today, we have a low-cost, low-code solution where we use AWS Lambda to write data to Google Sheets and then display the sheets data using Google Data Studio (GDS). For GDS, we are able to grant access based on Gmail credentials but are not able to limit it to corporate emails. I was wondering if there is any AWS solution which can help with this? We don't want to set up a separate EC2 web server for this exercise and want to use some equivalent of GDS, Tableau, or BI which solves the use case. Regards, dbeings
Amazon GameLift: How to tell what VPC the servers are running in - Verifying servers' access to backend services
Hello, an expansion to an original question: https://repost.aws/questions/QU0MPwSTJGQhKDcl9Zw1e_zQ/aws-game-lift-server-best-solution-for-generating-and-rotating-api-keys-for-aws-server-authentication Is there a way to find which VPC and addresses the individual game servers are running on within GameLift? Actually, in writing this, I found this thread as well: https://repost.aws/questions/QUoLdwDhJRSCy4EhLSJwzvxw/running-a-proxy-process-on-gamelift We are just trying to make sure that certain calls to our backend services originate from within the actual servers running within GameLift and not via an outside client. UE4 packages the server and client code together, so we just want an extra layer of security check.