Questions tagged with Security, Identity, & Compliance
Deny read access for IAM user to instance attribute user data
I have a requirement to hide instance user data from any user; I don't want to allow any IAM user/role to read what my instance user data contains. I tried to deny DescribeInstanceAttribute with a condition for the attribute "UserData", but that didn't work. I just want to know: is it possible to hide this specific instance attribute "userData" from users?
Auditing Infrastructure Changes made via AWS Console
Our environment manages most of the infrastructure component changes via code. Additionally, certain administrators have access to make infrastructure changes to applicable resources directly via the console (although direct changes are not encouraged or frequently made). Our auditors are indicating that, as administrators have access to make direct infrastructure changes via the console, they cannot rely on the population of infrastructure changes made via code (obtained from Git), and they also want us to evidence that no direct infrastructure changes were made by administrators from the console. I wanted to understand the following:

1. How can we obtain the population of direct infrastructure changes made from the console? We are thinking of obtaining the CloudTrail logs, but is there any other efficient way to obtain this population?
2. Also, does it make sense to restrict administrator access to prevent them from making any direct infrastructure changes? What is the industry standard in terms of restricting administrator access?
3. Are there any other ways to evidence that no direct infrastructure changes were made outside of code changes?
How does ECS Fargate manage clock sync?
Hi everyone! I've been trying to understand the clock sync mechanism on ECS with Fargate mode to know its compliance with industry controls such as ISO certifications. I found that local time is managed on the host where containers are running, but with Fargate mode, which host could that be? I'm still not able to find any AWS documentation that clarifies this other than the usage of the [time sync service](https://aws.amazon.com/about-aws/whats-new/2017/11/introducing-the-amazon-time-sync-service/). This document leads to a post explaining the usage of Network Time Protocol (NTP) and how it utilizes a fleet of redundant satellite-connected and atomic reference clocks in AWS regions, which seems to be a very good explanation, but is there something else that I could be missing when understanding Fargate clock sync? Thanks in advance
Fetching VAST Meta Data from Amazon Media Tailor
In order to adhere to ad policies, I need to display "why this ad" overlays when an ad shows on the stream generated by MediaTailor. The VAST 3.0 returned from the ADS contains this information within the `<Creatives> <Creative> <Linear> <Icons> <Icon>` structure that is part of the VAST 3.0 spec. However, that information is not passed through the client-side tracking JSON supplied by MediaTailor, as per the documentation [here](https://docs.aws.amazon.com/mediatailor/latest/ug/ad-reporting-client-side.html). I need to fetch this information in order to correctly construct the overlays. Am I missing something? Is there a way to get this information from MediaTailor? Thanks!
SPF And DKIM Compliance For Sending Emails
AWS has verified our DKIM records. When we run a DMARC report, we receive messages that the following IP addresses from amazonses.com are not SPF- or DKIM-aligned: 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52. There are also another 6 IPs not listed in the report. How can we ensure these IPs meet SPF and DKIM alignment?
Need to restrict IAM user
We have production and UAT environments in the same AWS account. My requirement is to restrict IAM user **A** so that they can manage all activities related only to UAT instances (like admin access), and in the same way IAM user **B** can manage production instances only. Is it possible within the same AWS account?
AWS Inspector Suppression Rules
Requirement: to suppress all Inspector findings without the image tag equal to 'latest'.

Configuration: suppression rules filter: Image tag NOT_EQUALS latest

Behaviour: Inspector DOES suppress all findings without the image tag equal to 'latest'; however, it DOES NOT suppress `<untagged>` images. Is there a filter I can use to suppress untagged images?
Optimal Way To Collate Multiple Acct/Role --> Security Pane-of-Glass
I see several different ways to get a single pane-of-glass for AWS services, but I'm not getting clarity on what the optimal/simplest solution is. We need to pipe event/log data into a SIEM (not in AWS). What is the best way to get data from those into one place?
Can we publish SNS PushNotification to crossaccount endpoints?
We have Mobile PlatformApplication ARNs in AWS account-1, and we can publish PNs to endpoint ARNs with our java-service in the same account. But when trying to publish PNs with our java-service in different AWS accounts, we get `com.amazonaws.services.sns.model.AuthorizationErrorException`.

For example, my PlatformApplication ARN is `arn:aws:sns:<region>:<account-id>:app/GCM/my-mobile-app-name`. Once a user registers his device against this PlatformApplication ARN, a device endpoint is created as `arn:aws:sns:<region>:<account-id>:endpoint/GCM/my-mobile-app-name/<uuid>`. So publishing a message to the above endpoint ARN from a different AWS account results in `AuthorizationErrorException`.

There seems to be no option to provide a resource-based policy for these SNS PlatformApplications (SNS PlatformApplications are not regular SNS topics). How can we solve this? Thanks in advance!
Check ARNs for AssumeRole regularly not hitting quota limits
Hello, we need to do a regular check of all our customers who gave us permissions for AssumeRole, in case they drop the permission/role/user. With respect to [quota limits](https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-account-level-limits-table), what would be the best possible way of doing that? I am thinking:

* For each customer account (ARN)
* Perform AssumeRole for that ARN
* Perform some "ping" operation (e.g. DescribeRegions)
* Delay so we don't hit the service quota limits (e.g. DescribeRegions has a 20 operations per second bucket).

It is not clear how service quota limits are applied when doing AssumeRole. Are they applied against our (service) account, or the customer (assumed) account? What are the limits for the STS operations, specifically AssumeRole? There is not much in the docs in this regard, or I am missing it. Is there some always-available "ping" operation we could call, or some STS API request that would confirm to us that the ARN is valid? Is there a place we can check the consumption of quota limits so we can fine-tune our background checker? Thanks