Questions tagged with Security, Identity, & Compliance
Our auditor requested a SOC 1 or 2 report (Jan 1 2021 - Mar 31 2021), but I can't find it in Artifact. Is it too old a report and therefore hidden, or does it start from 1 Apr 2021 to current?
When we start with Control Tower, 2 accounts within the Security OU, i.e. the Log Archive and Audit accounts, are created. On this structure I have a few questions:
1) I read that detective guardrails are implemented by AWS Config. But why can't I see those under the Config rules of the AWS Config service?
2) I understand that the Audit account has the power to access other accounts programmatically. I thought this is the reason why security services like Security Hub, AWS Config and other security related services are hosted here. But in my project, security services are hosted in a separate account rather than the Audit account. If so, what is the purpose of the Audit account? Also, is it necessary for the account which holds the centralized AWS Config aggregator, Security Hub etc. to have programmatic access on other accounts?
3) By default, does the Log Archive account just collect CloudTrail logs from all other accounts? Under AWS best practices, I see that the Audit account holds all the security services and also acts as an AWS Config aggregator. At the same time, all logging (including DNS, VPC etc.) happens under the Log Archive account. If so, do we need to explicitly send aggregator logs in the Audit account to the centralized S3 bucket under the Log Archive account?
Hello, I see where AWS GovCloud mentions endpoints are FIPS compliant, but it never mentions validated. So I was looking for confirmation that, just like in AWS commercial regions, in order to use FIPS validated endpoints I would need to specifically call them, add them to code, or otherwise use environment variables and the like for the AWS CLI or SDK.
I ask this question because in the past some people have argued that endpoints in GovCloud are FIPS by default and we don't need to specify them. This is probably a confusion of compliant and validated, but I believe for the FIPS validated endpoints we still do need to explicitly do so.
https://aws.amazon.com/compliance/fips/
Hi,
I have 2 AWS accounts and I use EventBridge to emit events from account X to account Y.
I have configured the respective roles on both the emitting side and the receiving side and they work perfectly well.
As a security measure I want to use an external ID when giving access to resources for other accounts, which is recommended in the AWS IAM docs.
I have surfed the internet for a while but couldn't find any examples or guides that help me in achieving this.
I know that I can add a condition on the receiving role policy with that external ID from the docs, but I am unable to figure out how to send the external ID when calling PutEvents.
I use Python with the boto3 SDK. The answer need not be language specific; I would be glad if an approach is suggested.
I would like to give very specific, temporary permissions to a user/role to allow them to send an SMS, restricting the body template and the Sender ID.
I know I can do this in SES (https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_SendEmail.html), but is it possible with Pinpoint (or even SNS)?
Thanks for the help! :)
I didn't understand the concept of delegating admin access to a member account for certain services (say GuardDuty etc.). Why is that delegation required? Generally at an enterprise level, AWS SSO in the management account is integrated with an IdP (mostly Azure) and users/groups would be able to access the member accounts as per the permission sets and SCPs defined.
If I gave the security account access to a particular group/user in Azure AD and restricted the access to all others, what is this concept of delegation? Can anyone help me with this.
I want to be able to implement Attribute Based Access Controls on a complex data system.
To implement this, I want to use a dynamic verification ideally completely in IAM to preserve performance.
For example:
Person A has been given permissions to see objects with Green, Purple and Blue categories, but cannot see objects that have a Vehicle category.
Person B can see Purple and Vehicle but cannot see Green or Blue.
Object A is stored in the Vehicle category S3 and also contains Blue data.
We initially looked at tags, but the customer currently manages thousands of tags and that equates to billions of potential tag combinations - and this number is always growing.
I am looking for a clean way to implement this access control that would meet these requirements.
Hi team,
I followed this [blog](https://aws.amazon.com/blogs/security/extend-aws-iam-roles-to-workloads-outside-of-aws-with-iam-roles-anywhere/) to use an IAM role for a workload outside AWS.
In my case I want a pipeline running in Azure DevOps to push an image into Amazon ECR, for example.
Following the blog I was able to generate credentials from the IAM role and hit AWS S3, but I'm not sure how this is applicable for a workload running in Azure, for example.
What are the steps to follow to make a pipeline in Azure assume an IAM role in AWS and push images to ECR? I don't know how to apply the IAM Roles Anywhere principle in Azure.
Is there an AWS doc/blog explaining the steps?
Thank you!
Hello, we have an organization with several AWS accounts under it and we are in the process of adding SSO to them with AWS IAM Identity Center. However, there is a cluster of these accounts that belongs to our Security people, which we want to keep independent; yet they would like to have the benefits of SSO in their accounts if possible. So, is it possible to delegate so that they can have their own independent Directory Service based IAM Identity Center to use only on their accounts?
To sum this up: we would like to have multiple IAM Identity Center instances (backed by different AWS Directory Services on different accounts) to manage SSO to different sets of accounts within the same AWS Organization. This would allow us to keep our Infosec folks fully independent from our Cloud Engineering/IT people while providing SSO to the different teams.
Can the Amazon Monitron App be integrated onto Grafana? If so, what would the steps be? I understand the Monitron can, but can the app be integrated as well? I appreciate any theories/answers. Thanks in advance
Hello, my question is just whether or not I could use the kms:ViaService condition key in an IAM policy with FIPS endpoints specified. I need to use FIPS endpoints for compliance reasons and I can't find any documentation that details this. The kms:ViaService supported services table does not include FIPS endpoints (services that support the kms:ViaService condition key - example elasticfilesystem.AWS_region.amazonaws.com). See here: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service
An example of the IAM policy would be - https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html
```
"Resource": "*",
"Condition": {
    "StringEquals": {
        "kms:ViaService": "elasticfilesystem.us-east-2.amazonaws.com",
        "kms:CallerAccount": "111122223333"
    }
}
```
**But I would like to use -**
```
"Resource": "*",
"Condition": {
    "StringEquals": {
        "kms:ViaService": "elasticfilesystem-fips.us-gov-east-1.amazonaws.com",
        "kms:CallerAccount": "111122223333"
    }
}
```
Should this work? I feel like it would because for compliance reasons a lot of GovCloud workloads are required to use FIPS endpoints and this seems like a gap otherwise.
Hi all,
as a **Security Requirement** we need to set up a **notification system** using **SNS** to notify our **Security Team** when someone accesses an AWS Account using a specific SSO PermissionSet (for example: **AdministratorAccess**), as shown in the image below:

I'm trying to set up a simple **EventBridge Rule** based on the **IAM Identity Center** **Federate** event in **CloudTrail**, with an **SNS topic** as a target, but I can't get it working.
**CloudTrail Event** :
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "Unknown",
"principalId": "xxxx-43ce-996a-0530772c083a",
"accountId": "xxxxxxxxxxx",
"userName": "userName"
},
"eventTime": "2023-03-23T00:07:29Z",
"eventSource": "sso.amazonaws.com",
"eventName": "Federate",
"awsRegion": "us-east-1",
"sourceIPAddress": "1.1.1.1",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
"requestParameters": null,
"responseElements": null,
"requestID": "c99b-48ea-a9e4-fc2194bc0f27",
"eventID": "415e-b57e-99764a0f0fdf",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "xxxxxxxxxx",
"serviceEventDetails": {
"role_name": "AWSAdministratorAccess",
"account_id": "xxxxxxxx"
},
"eventCategory": "Management"
}
```
**EventBridge Event Pattern** is the Following :
```
{
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["sso.amazonaws.com"],
"eventName": ["Federate"]
}
}
```
Could anyone help on how to get this working?
Thanks in advance
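An offline way to check why a rule like the one in this post never fires, written as an added example (it is not from the post above or from AWS). It wraps the posted Federate record in an EventBridge envelope and evaluates two patterns against it with a small matcher that implements only the exact-match-list and nested-object subset of EventBridge pattern semantics. The posted record has `eventType` of `AwsServiceEvent`, and EventBridge delivers such CloudTrail records with the detail-type `AWS Service Event via CloudTrail`, not `AWS API Call via CloudTrail`; the corrected pattern uses that detail-type and also narrows on `serviceEventDetails.role_name` so only AdministratorAccess federations reach the SNS topic. The account IDs, principal ID and envelope `source` value are constructed placeholders, and the rule must of course live in the region where the record is logged (`us-east-1` in the post).

```python
"""Offline EventBridge pattern check for an IAM Identity Center Federate
CloudTrail record. Added example, not code from the re:Post thread or AWS.
Implements only exact-value lists and nested objects from the EventBridge
pattern language; numeric, prefix and anything-but matchers are not covered.
"""

# Constructed sample: the Federate record from the post wrapped in an
# EventBridge envelope. IDs are placeholders; "source" is an assumed value.
FEDERATE_EVENT = {
    "version": "0",
    "source": "aws.sso",                      # assumed envelope value
    "region": "us-east-1",
    "detail-type": "AWS Service Event via CloudTrail",  # eventType AwsServiceEvent
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "Unknown",
            "principalId": "PLACEHOLDER-PRINCIPAL-ID",
            "accountId": "111111111111",
            "userName": "userName",
        },
        "eventSource": "sso.amazonaws.com",
        "eventName": "Federate",
        "awsRegion": "us-east-1",
        "eventType": "AwsServiceEvent",
        "managementEvent": True,
        "recipientAccountId": "111111111111",
        "serviceEventDetails": {
            "role_name": "AWSAdministratorAccess",
            "account_id": "111111111111",
        },
        "eventCategory": "Management",
    },
}

# The pattern exactly as posted: it asks for API-call records, but a
# Federate record is a service event, so the detail-type never matches.
POSTED_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sso.amazonaws.com"],
        "eventName": ["Federate"],
    },
}

# Corrected pattern: service-event detail-type, plus a filter on the
# permission set name so the SNS topic only fires for AdministratorAccess.
ADMIN_FEDERATE_PATTERN = {
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {
        "eventSource": ["sso.amazonaws.com"],
        "eventName": ["Federate"],
        "serviceEventDetails": {"role_name": ["AWSAdministratorAccess"]},
    },
}


def first_mismatch(pattern, event, path=()):
    """Return the key path of the first pattern field the event fails,
    or None when every field matches. Lists are exact-value alternatives,
    dicts recurse into the corresponding nested object."""
    for key, expected in pattern.items():
        here = path + (key,)
        if key not in event:
            return here
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict):
                return here
            nested = first_mismatch(expected, actual, here)
            if nested is not None:
                return nested
        elif isinstance(expected, list):
            if actual not in expected:
                return here
        else:
            raise ValueError(f"unsupported pattern value at {here!r}")
    return None


def rule_fires(pattern, event):
    """True when the rule would forward this event to its targets."""
    return first_mismatch(pattern, event) is None


def with_permission_set(event, role_name):
    """Copy of the event with a different permission set name, for testing
    that the corrected pattern ignores non-admin federations."""
    import copy
    clone = copy.deepcopy(event)
    clone["detail"]["serviceEventDetails"]["role_name"] = role_name
    return clone


if __name__ == "__main__":
    print("posted pattern fires:", rule_fires(POSTED_PATTERN, FEDERATE_EVENT),
          "first mismatch:", first_mismatch(POSTED_PATTERN, FEDERATE_EVENT))
    print("corrected pattern fires:", rule_fires(ADMIN_FEDERATE_PATTERN, FEDERATE_EVENT))
    print("read-only federation fires:",
          rule_fires(ADMIN_FEDERATE_PATTERN, with_permission_set(FEDERATE_EVENT, "AWSReadOnlyAccess")))
```

Running the file reports the posted pattern failing at `detail-type` and the corrected pattern matching only the AdministratorAccess record. Before relying on the real rule, confirm the delivered detail-type by sending a sample event to a CloudWatch Logs target for a few minutes; the `first_mismatch` helper is the same check, just run locally against a captured record.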