Questions tagged with Security, Identity, & Compliance
How does ECS Fargate manage clock sync?
Hi everyone! I've been trying to understand the clock sync mechanism on ECS in Fargate mode to know its compliance with industry controls such as ISO certifications. I found that local time is managed on the host where the containers are running, but in Fargate mode, which host could that be? I'm still not able to find any AWS documentation that clarifies this other than the usage of the [time sync service](https://aws.amazon.com/about-aws/whats-new/2017/11/introducing-the-amazon-time-sync-service/). That document leads to a post explaining the usage of Network Time Protocol (NTP) and how it utilizes a fleet of redundant satellite-connected and atomic reference clocks in AWS regions, which seems to be a very good explanation, but is there something else that I could be missing when understanding Fargate clock sync? Thanks in advance.
Fetching VAST Meta Data from Amazon Media Tailor
In order to adhere to ad policies, I need to display "why this ad" overlays when an ad shows on the stream generated by MediaTailor. The VAST 3.0 returned from the ADS contains this information within the `<Creatives> <Creative> <Linear> <Icons> <Icon>` structure that is part of the VAST 3.0 spec. However, that information is not passed through the client-side tracking JSON supplied by MediaTailor, as per the documentation [here](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-reporting-client-side.html). I need to fetch this information in order to correctly construct the overlays. Am I missing something? Is there a way to get this information from MediaTailor? Thanks!
SPF And DKIM Compliance For Sending Emails
AWS has verified our DKIM records. When we run a DMARC report, we receive messages that the following IP addresses from amazonses.com are not SPF- or DKIM-aligned: 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124. There are also another 6 IPs not listed in the report. How can we ensure these IPs meet SPF and DKIM alignment?
Need to restrict IAM user
We have production and UAT environments in the same AWS account. My requirement is to restrict IAM user **A** so that it can manage all activities related only to the UAT instances (like admin access), and in the same way IAM user **B** can manage only the production instances. Is this possible within the same AWS account?
AWS Inspector Suppression Rules
Requirement: suppress all Inspector findings whose image tag is not equal to 'latest'.
Configuration: suppression rule filter: Image tag NOT_EQUALS latest.
Behaviour: Inspector DOES suppress all findings without the image tag equal to 'latest'; however, it DOES NOT suppress <untagged> images. Is there a filter I can use to suppress untagged images?
Optimal Way To Collate Multiple Acct/Role --> Security Pane-of-Glass
I see several different ways to get a single pane of glass for AWS services, but I am not getting clarity on what the optimal/simplest solution is. We need to pipe event/log data into a SIEM (not in AWS). What is the best way to get data from those services into one place?
Can we publish SNS PushNotification to crossaccount endpoints?
We have mobile PlatformApplication ARNs in AWS account-1, and we can publish PNs to endpoint ARNs with our Java service in the same account. But when trying to publish PNs with our Java service from different AWS accounts, we get `com.amazonaws.services.sns.model.AuthorizationErrorException`. For example: my PlatformApplication ARN => `arn:aws:sns:<region>:<account-id>:app/GCM/my-mobile-app-name`. Once a user registers their device against this PlatformApplication ARN, a device endpoint is created as => `arn:aws:sns:<region>:<account-id>:endpoint/GCM/my-mobile-app-name/<uuid>`. So publishing a message to the above endpoint ARN from a different AWS account results in `AuthorizationErrorException`. There seems to be no option to provide a resource-based policy for these SNS PlatformApplications (SNS PlatformApplications are not regular SNS topics). How can we solve this? Thanks in advance!
Check ARNs for AssumeRole regularly not hitting quota limits
Hello, we need to do a regular check of all our customers who gave us permissions for AssumeRole, in case they drop the permission/role/user. With respect to [quota limits](https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-account-level-limits-table), what would be the best possible way of doing that? I am thinking:
* For each customer account (ARN):
* Perform AssumeRole for that ARN.
* Perform some "ping" operation (e.g. DescribeRegions).
* Delay so we don't hit the service quota limits (e.g. DescribeRegions has a 20-operations-per-second bucket).
It is not clear how service quota limits are applied when doing AssumeRole. Are they applied against our (service) account, or the customer (assumed) account? What are the limits for the STS operations, specifically AssumeRole? There is not much in the docs in this regard, or I am missing it. Is there some always-available "ping" operation we could call, or some STS API request that would confirm to us that the ARN is valid? Is there a place where we can check the consumption of quota limits so we can fine-tune our background checker? Thanks
Pearson VUE revoked my SAA-C03
Hi AWS Team, I scheduled my exam for AWS SAA-C03 on 08-10-2021 and the Pearson VUE proctor revoked it. That was not my mistake: the proctor was trying to connect through OnVUE and it was not connecting, then he pinged me in the chat saying "I am calling your mobile, just pick up the call", and I picked up. I raised a support case with Pearson VUE on the same day and they said that after 14 days I could reschedule the exam. When I checked with them after 14 days, they are now saying to check with the AWS team. Pearson VUE case ID: XXXXXXXX. AWS Candidate ID: AWS03045655. I have already raised an AWS support case using https://support.aws.amazon.com/#/contacts/aws-training. I haven't heard back yet. I need to complete the certification ASAP as per my company guidelines. Kindly do the needful to reschedule the exam. Thanks. * Edit: Removed case ID — Aimee K.