Questions tagged with Security, Identity, & Compliance
Does EKS encrypt secrets by default?
I was going by the following [documentation](https://aws.github.io/aws-eks-best-practices/security/docs/data/#secrets-management). After reading this I understood about using KMS with EKS, but I am not able to understand whether EKS encrypts secrets by default, because Kubernetes by default does not encrypt and stores secrets in base64-encoded format; however, EKS uses AWS managed keys for EBS volumes used for etcd nodes, as mentioned in the documentation. Pretty confusing.

> Kubernetes secrets are used to store sensitive information, such as user certificates, passwords, or API keys. They are persisted in etcd as base64 encoded strings. On EKS, the EBS volumes for etcd nodes are encrypted with EBS encryption.
Missing Authentication Token for createRestrictedDataToken operation
Executing the POST method of the createRestrictedDataToken operation of the Tokens API, I always get the same response: `"message": "Access to requested resource is denied.", "code": "MissingAuthenticationToken"`. I'm not sending any authentication token information in my POST call because there are no instructions telling how, when or where to do that. What am I missing? Or am I asking for access to the wrong path/data elements? I have set up my user and added roles within IAM management. Is that where the authentication comes from?
How to delete a service-linked role
I am trying to delete Roles by [AWS instructions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role). It says, "If the role is being used, then you must wait for the session to end before you can delete the role". Unfortunately, I have no idea about ending sessions. Here I attach the profile of the Role, where you can see many services. What should I do to delete this Role? Any suggestions and help will be appreciated! My account was hacked; I have to delete the Roles that the hacker created.

![Error report, and the profile of the role to be deleted](/media/postImages/original/IMi2RPouT-SseD5Gw29teQug)
How to export AWS Security Hub findings to CSV format
I'm trying to deploy this solution (https://aws.amazon.com/blogs/security/how-to-export-aws-security-hub-findings-to-csv-format/) but running into this particular error: `"Invalid principal in policy (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy;"`. I'd appreciate it if someone could help me figure out what I could be doing wrong. Thanks all.
AWS Control Tower - Controls report false positive
We've recently noticed that the AWS Control Tower control "Detect whether MFA is enabled for AWS IAM users of the AWS Console" is reporting a false positive result (NON_COMPLIANT) for a user that was deleted over a week ago. One thing we have noticed is that the false positive result is being picked up in us-east-2, when normally IAM non-compliance is picked up in us-east-1, so I don't know whether this may be related to the incorrect results being displayed. Has anyone experienced this issue before? How do we get it resolved, as the results are misleading to users? Note: We have tried re-evaluating the AWS Config rule for the control and redeploying the Controls and Landing Zone in case it was a configuration issue, but it seems more related to a data issue being reported from IAM.
Cognito vs Identity Center (SSO)
I am building a web application. Customers should have a valid AWS account to onboard. Each customer could be a whole corporation on their own with their own Identity provider. The application should authenticate users of each Customer's org and authorize their access to certain APIs within my application. The application should also be able to run automation in the customer's AWS account by assuming certain IAM roles. Looking at Identity solutions from AWS, I see native IAM, Cognito, and SSO. Native IAM doesn't present the identity of the user and their group membership to my application. Cognito seems to fit my use case. I can provide the customer with a CloudFormation template to run in their account to prepare things: a Cognito user pool, a certain group name that my application looks for, certain IAM roles for my application to assume, and a Cognito Identity pool to exchange the user's authenticated Identity for IAM temp creds to run automation in their account within a certain permissions scope. The customer can integrate Cognito with their own IdP to have centralized user and group management. Does this solution look sane? Does SSO provide better integration for my application? If yes, does SSO allow me to provide the customer with a CloudFormation template to configure their SSO before they can onboard to my application? Related Q prior to the rePost era: https://stackoverflow.com/questions/48767172/whats-the-difference-between-aws-sso-and-aws-cognito - but it is not answered yet.
Automatic resource creation and ID checking.
Hey guys! Need a solution for a simple issue. Is there an automatic process to create resources on AWS and check their IDs for whether they have particular numbers and letters? Like having a VPC, EC2, RDS, or S3, where the ID doesn't have the letter S or the number 8 in it. Like having a preferred ID of YcdrbA57Zfs6y5t28, and not ZoqhRtgfDfg4089g45. Maybe setting up a stack or CloudFormation, or with policies. If not, then delete the resource and create a new one. Keep repeating it until it achieves the target IDs. Thanks!
Analytics Dashboard using AWS with access control
Hi, We want to publish an analytics dashboard with access controls to corporate clients. The login will be their corporate email, and we want to give them the ability to change their password. The dashboard will have functionality to view tabular data and charts and also provide the ability to download a CSV file for the data. Today, we have a low-cost & low-code solution where we use AWS Lambda to write data to Google Sheets and then display the sheets data using Google Data Studio (GDS). For GDS, we are able to grant access based on Gmail credentials but not able to limit it to corporate emails. Was wondering if there is any AWS solution which can help with this? We don't want to set up a separate EC2 webserver for this exercise and want to use some equivalent of GDS, Tableau, BI which solves the use case. Regards, dbeings
Amazon GameLift: How to tell what VPC the servers are running in - Verifying Servers' access to backend services
Hello, An expansion to an original question: https://repost.aws/questions/QU0MPwSTJGQhKDcl9Zw1e_zQ/aws-game-lift-server-best-solution-for-generating-and-rotating-api-keys-for-aws-server-authentication Is there a way to find which VPC and addresses the individual game servers are running on within GameLift? Actually, in writing this, I found this thread as well: https://repost.aws/questions/QUoLdwDhJRSCy4EhLSJwzvxw/running-a-proxy-process-on-gamelift We are just trying to make sure that certain calls to our backend services originate from within the actual servers running within GameLift and not via an outside client. UE4 packages the server and client code together, so we just want an extra layer of security check.
Help with AWS/Palo Alto firewalls and SSL Decryption
Hello. One of our customers has an AWS solution with Palo Alto firewalls. Sitting in front of those is a load balancer, and in the trust zone a web server. We have been asked to enable inbound SSL decryption on the Palo Altos following a security issue earlier this year. We have created a web server cert and private key pair, imported them to the Palo Altos and created a decryption profile and rules, but the firewalls will not decrypt due to 'private key not matching public key'. We are wondering if this is due to the cert on the client (essentially the load balancer) being different. Traditionally the client would have the same cert as the server, but in this case the client has an Amazon cert. How do we get around this? What is the best way to set this up: create a cert on the load balancer and use that on the client and web server? Thanks
Successful WAF CAPTCHA challenge is not updating aws_waf_token cookie
My application is rendering the CAPTCHA challenge from a WAF-intercepted 405 response in an iframe. While successful completion of the puzzle renders the "That is correct, Success! You will be redirected shortly" text, the aws_waf_token cookie does not get updated in the Chrome/Firefox/Safari/Edge browser. Looking more closely at the network traffic, when the user submits the puzzle answer, a successful POST call from challenge.js to the "verify" endpoint completes, but the subsequent POST request to the "voucher" endpoint fails with an 'InvalidRequest' 400 error. The request payload for the failed voucher call has two properties:

1. a 'captcha_voucher' with the value taken from the verify response
2. an 'existing_token' property with a value of null.

Given that the CAPTCHA challenge is essentially a black box, I'm at a loss on how to address this issue. Has anyone else run into this?