Questions tagged with Security, Identity, & Compliance
I am using Cognito's Authentication Code Grant. After logging in, a user is given a code inside the callback URL, which is later exchanged for an `access_token`. In my web application, after logging in, a user can access a "console" (similar to AWS). Each time the user interacts with the console (like accessing a service) it does so through an API in API Gateway. Unauthenticated users should not access the console or any of its services. Hence, the way I am doing this is that every time the user wants to make a request to these REST endpoints, the `access_token` is required. However, this `access_token` should be stored somewhere so that the user can pass it in the request headers for later calls. Where should this `access_token` be stored? What is the right way to do this? Maybe requiring the `access_token` in every API endpoint is not right?
I'm creating a Spotify data analysis tool that communicates with the company's API so I can provide a service on my website for people to see some insights into their Spotify profiles. To do so, I need to incorporate SSO on my website with the OAuth 2.0 protocol (provided by Spotify to use their API). I would like to know if someone can guide me through the steps to do this, since I have no prior experience working with external user authentication.
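The two questions above (where a web app should keep a Cognito `access_token`, and how to run the OAuth 2.0 authorization-code flow against Spotify) share one answer on the server side, so here is a single added example that is not part of either post. It keeps the tokens in the web backend and gives the browser only an opaque session id in an `HttpOnly` cookie, so page scripts and XSS payloads never see the `access_token`; the backend attaches the `Bearer` header itself when it calls the API Gateway or Spotify endpoint. `state` is single-use (CSRF/replay protection on the callback) and PKCE binds the token request to the browser that started the login. The client id, redirect URI, scope and endpoint URLs used when running it are assumptions; Spotify's endpoints are `https://accounts.spotify.com/authorize` and `https://accounts.spotify.com/api/token`, and a Cognito hosted UI exposes `https://<your-domain>/oauth2/authorize` and `/oauth2/token`. The HTTP POST to the token endpoint and the token response are left to the caller so that the block runs offline.

```python
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, inside the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


@dataclass
class PendingLogin:
    code_verifier: str
    started_at: float


@dataclass
class Session:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float


class AuthCodeClient:
    """Server side of the authorization-code flow. The browser only ever gets an opaque
    session id in an HttpOnly cookie; the access_token stays in this process."""

    PENDING_TTL = 600  # seconds a started login may stay unfinished (assumed value)

    def __init__(self, client_id, redirect_uri, authorize_url, token_url, scope):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.authorize_url = authorize_url
        self.token_url = token_url
        self.scope = scope
        self._pending: Dict[str, PendingLogin] = {}  # state -> verifier
        self._sessions: Dict[str, Session] = {}      # session id -> tokens

    def begin_login(self, now: Optional[float] = None) -> str:
        """URL to redirect the user to. state guards the callback against CSRF,
        the PKCE challenge ties the later token request to this login attempt."""
        state = secrets.token_urlsafe(32)
        verifier, challenge = make_pkce_pair()
        self._pending[state] = PendingLogin(verifier, now if now is not None else time.time())
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": self.scope,
            "state": state,
            "code_challenge": challenge,
            "code_challenge_method": "S256",
        }
        return f"{self.authorize_url}?{urlencode(params)}"

    def handle_callback(self, callback_url: str, now: Optional[float] = None) -> dict:
        """Validate the redirect and return the form body to POST to token_url.
        state is consumed on first use, so a replayed or forged callback raises."""
        now = now if now is not None else time.time()
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        code = qs.get("code", [None])[0]
        pending = self._pending.pop(state, None) if state else None
        if pending is None or code is None:
            raise ValueError("unknown or reused state, or no code in callback")
        if now - pending.started_at > self.PENDING_TTL:
            raise ValueError("login attempt expired")
        # A confidential client (e.g. a Cognito app client with a secret) sends the
        # secret in an HTTP Basic Authorization header, never in the browser.
        return {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "code_verifier": pending.code_verifier,
        }

    def store_tokens(self, token_response: dict, now: Optional[float] = None) -> str:
        """Keep the token endpoint's JSON server-side; return the opaque session id."""
        now = now if now is not None else time.time()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(
            access_token=token_response["access_token"],
            refresh_token=token_response.get("refresh_token"),
            expires_at=now + int(token_response.get("expires_in", 3600)),
        )
        return sid

    @staticmethod
    def cookie_header(sid: str) -> str:
        """Set-Cookie value: unreadable by scripts, HTTPS only, not sent cross-site."""
        return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def bearer_for(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Authorization header for an upstream API call on behalf of this session,
        or None when the session is unknown or the access token has expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if (now if now is not None else time.time()) >= sess.expires_at:
            return None  # refresh with sess.refresh_token or send the user to begin_login()
        return f"Bearer {sess.access_token}"
```

With this layout the question "where do I store the `access_token`" answers itself: nowhere in the browser. If the app must be a pure single-page app without a backend, keep the token in JavaScript memory (not `localStorage`) and accept that it is lost on reload; either way, every protected API Gateway route should still require the token, since that is what makes the console unreachable without a login.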
I'm trying to set up an SCP to prevent iam:CreateUser and iam:CreateAccessKey for all IAM users except the administrators. The issue is that the administrators' IAM role ARN looks like arn:aws:iam::--------:role/aws-reserved/sso.amazonaws.com/eu-north-1/AWSReservedSSO_AWSAdministratorAccess, and it changes dynamically for every account. Any idea how I can define a common IAM role ARN that covers all administrators' IAM roles across my accounts?
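The usual way to cover every account's AdministratorAccess permission-set role is an `ArnNotLike` condition on `aws:PrincipalArn` with wildcards for the account id, the optional region segment of the path and the random suffix that IAM Identity Center appends to the role name. For a role session, `aws:PrincipalArn` carries the role ARN, not the assumed-role session ARN, so the pattern can be matched against the role. The added example below (not from the post) holds such an SCP as a Python dict and includes a small evaluator that reproduces how IAM matches ARN wildcards, so the pattern can be checked against the ARN shapes in the question before the policy is attached. The account ids, suffixes and the `deploy-bot` user are constructed test values; the evaluator only models `ArnLike`/`ArnNotLike` on `aws:PrincipalArn`, not the rest of IAM's policy language.

```python
import re

# Wildcards: any account id, path with or without a region segment, and the
# random suffix Identity Center appends to the permission-set role name.
ADMIN_ROLE_PATTERN = (
    "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/"
    "*AWSReservedSSO_AWSAdministratorAccess_*"
)

# The SCP itself (assumed example policy, ready to paste as JSON).
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIamUserAndKeyCreationExceptSsoAdmins",
            "Effect": "Deny",
            "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": [ADMIN_ROLE_PATTERN]}},
        }
    ],
}


def _glob_to_regex(glob: str) -> str:
    """Translate IAM-style wildcards (* and ?) into an anchored regular expression."""
    body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in glob)
    return f"^{body}$"


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike semantics: the six colon-delimited ARN components are matched one by one,
    so a wildcard never spans a colon but does span '/' inside the resource component."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(re.fullmatch(_glob_to_regex(p), a) is not None for p, a in zip(p_parts, a_parts))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(patterns, action: str) -> bool:
    """IAM action names are matched case-insensitively, with * and ? wildcards."""
    return any(re.fullmatch(_glob_to_regex(p), action, re.IGNORECASE) for p in patterns)


def scp_denies(policy: dict, principal_arn: str, action: str) -> bool:
    """True if an explicit Deny in `policy` applies to this principal and action.
    Only ArnLike / ArnNotLike on aws:PrincipalArn are modelled here."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny" or not action_matches(_as_list(st["Action"]), action):
            continue
        cond = st.get("Condition", {})
        like = _as_list(cond.get("ArnLike", {}).get("aws:PrincipalArn", []))
        not_like = _as_list(cond.get("ArnNotLike", {}).get("aws:PrincipalArn", []))
        if like and not any(arn_like(p, principal_arn) for p in like):
            continue  # ArnLike listed patterns, and none matched: statement does not apply
        if not_like and any(arn_like(p, principal_arn) for p in not_like):
            continue  # principal is one of the exempted admins
        return True
    return False
```

Two checks worth keeping in mind when you deploy this: the `/aws-reserved/sso.amazonaws.com/` path must stay in the pattern, because that path is reserved for Identity Center and cannot be used for self-created roles, whereas a pattern like `arn:aws:iam::*:role/*AWSAdministratorAccess*` would exempt any role a member-account principal names to match; and SCPs never apply to principals in the management account, so that account needs separate protection.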
Hello everyone, I am trying to figure out a way to automate access key rotation for IAM users. We have several users that have their own IAM programmatic access key, and I am trying to figure out a way to force the user to rotate their access key after 90 days. It would be nice to also have some sort of SNS topic that will inform the user. I attempted to use the ASA Key Rotation document that AWS provided but kept running into CloudFormation template errors, which include Malformed Document and missing resources in the .py files. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html Any guidance on this would be awesome. Thank you!
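The core of a key-age enforcement job is small enough to write by hand, which also makes it easier to debug than a multi-file CloudFormation pattern. The added example below (not from the post, and not the AWS prescriptive-guidance solution linked above, which additionally stores new keys in Secrets Manager) splits the job into a pure planning step over the `AccessKeyMetadata` entries that `iam.list_access_keys()` returns, and an apply step that calls the boto3 IAM and SNS clients. The thresholds (warn at 80 days, deactivate at 90, delete a still-inactive key at 100), the SNS subject/message text and the topic ARN are assumptions for the example; the 90-day figure is the one from the question. Keys are deactivated before they are deleted so that a forgotten workload can be restored by re-enabling the key rather than by issuing a new one.

```python
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed thresholds for this example, in days since the key's CreateDate.
WARN_DAYS = 80        # tell the user a rotation is due
DEACTIVATE_DAYS = 90  # the limit from the question: key is switched to Inactive
DELETE_DAYS = 100     # an Inactive key nobody asked to re-enable is removed


def classify_key(key: Dict, now: datetime) -> str:
    """Action for one entry of iam.list_access_keys()['AccessKeyMetadata']:
    'none', 'warn', 'deactivate' or 'delete'."""
    age = (now - key["CreateDate"]).days
    if key["Status"] == "Inactive":
        return "delete" if age >= DELETE_DAYS else "none"
    if age >= DEACTIVATE_DAYS:
        return "deactivate"
    if age >= WARN_DAYS:
        return "warn"
    return "none"


def plan_rotation(keys: List[Dict], now: datetime) -> List[Tuple[str, str, str]]:
    """(UserName, AccessKeyId, action) for every key that needs attention."""
    plan = []
    for key in keys:
        action = classify_key(key, now)
        if action != "none":
            plan.append((key["UserName"], key["AccessKeyId"], action))
    return plan


def list_all_keys(iam) -> List[Dict]:
    """Every access key of every IAM user in the account (boto3 IAM client)."""
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            keys.extend(iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"])
    return keys


def apply_plan(plan, iam, sns, topic_arn: str) -> List[Tuple[str, str, str]]:
    """Execute the plan and notify on every action, including plain warnings."""
    for user, key_id, action in plan:
        if action == "deactivate":
            iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
        elif action == "delete":
            iam.delete_access_key(UserName=user, AccessKeyId=key_id)
        sns.publish(
            TopicArn=topic_arn,
            Subject=f"IAM access key {action}: {user}",
            Message=f"Access key {key_id} of user {user}: {action} "
                    f"(keys must be rotated every {DEACTIVATE_DAYS} days).",
        )
    return plan


def main(topic_arn: str) -> None:
    import boto3  # imported here so the planning logic above runs without AWS credentials
    iam, sns = boto3.client("iam"), boto3.client("sns")
    now = datetime.now(timezone.utc)  # CreateDate from boto3 is timezone-aware UTC
    apply_plan(plan_rotation(list_all_keys(iam), now), iam, sns, topic_arn)
```

Run `main("arn:aws:sns:...:your-topic")` from a scheduled Lambda or an EventBridge-triggered job under a role that holds `iam:ListUsers`, `iam:ListAccessKeys`, `iam:UpdateAccessKey`, `iam:DeleteAccessKey` and `sns:Publish`. The SNS topic only tells the user that rotation is due; creating the replacement key (`iam:CreateAccessKey`) is deliberately left to the user or to a separate, audited path, so that the automation never handles new secrets.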
We have many customer certificates issued by Certificate Manager. One of these certificates appears to have been re-issued. The certificate in question was valid from 8/26/2022 to 9/24/2023. Now it is valid from 2/24/2023 to 9/24/2023. This caused some issues with our customer. I checked CloudTrail, and no one from our organization made any changes. I haven't seen any notification from AWS about this. The certificate transparency logs still show the original certificate, and it hasn't been revoked. I'm just curious how and why this happened.
Hi team, I am using the revoke token API to revoke the refresh token, and it does revoke the refresh token: I can see that I am not able to generate a new access token using that refresh token. But when I call the revoke token API again with the same refresh token, it doesn't throw any error. I am expecting it to throw an error, something like "refresh token has already been revoked". Here is how I am revoking the access token:

```java
RevokeTokenRequest revokeTokenRequest = new RevokeTokenRequest();
revokeTokenRequest.setClientId("client-id");
revokeTokenRequest.setToken("refresh_token");
revokeTokenRequest.setClientSecret("client-secret");
awsCognitoIdentityProvider.revokeToken(revokeTokenRequest);
```
I want to create an EMR cluster. To do that, I need to select a service role in the last step, but when I click the drop-down box, no role appears. When I looked at someone's tutorial, there was a default role called EMR_DefaultRole. Why can't I see this? ![This is my drop-down](/media/postImages/original/IMx_32iYPORcW5hUua9lN-xg) This picture is my screen when I click the drop-down box to search roles (but no roles appear). ![This picture is from another person's tutorial](/media/postImages/original/IMZM8z1jb8RCOM1WWsS9BMSw) This picture is from another person's tutorial (they searched for EMR_DefaultRole).
Hello, do you have any information on when AWS Elastic Disaster Recovery will support Ubuntu 22.04 LTS in the near future? We have production-critical on-premise Linux machines that need to be replicated with AWS for failovers. A lot of the servers are Ubuntu 20.04 LTS, which work like a charm with the service, but the main servers won't. Would appreciate some update on this. Thanks in advance.
I've been trying to set up multi-account Config aggregation and recording at org level. I'd been trying to do it with Terraform, but ended up re-doing it via the console, and also while logged in under the root account for the org, to make sure there weren't delegation issues.

I've got the Config aggregator set up, logging to S3, and I'm seeing events come in and getting written, but only from the org account itself. I see the sub-accounts in the aggregator and the status shows up "Ok" for each of them (this was true even previously, when I'd set it up from an IAM account with admin privs); however, I'm not yet seeing any configurations or events coming through. Resources from the org itself are showing up fine.

* Config aggregator is using a custom role based on `AWSConfigRoleForOrganizations` as well as an `sts:AssumeRole` policy attachment
* The recorder has "Use an existing AWS Config service-linked role" (`AWSServiceRoleForConfig`) selected currently

https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data-troubleshooting.html mentions "Enable AWS Config in the source account", but based on the other docs, it seems like that should not actually be necessary with this type of setup? Presumably, since the recorder and aggregator are in the org account, as well as the target bucket, the other accounts within the org don't need any permissions for the bucket, right?

Also, will all the stuff from sub-accounts show up under `[bucket]/AWSLogs/[org account ID]/Config/us-east-2/2023/2/24/ConfigHistory/` if that's where the aggregator itself is? Or would I expect them to show up in the same structure as CloudTrail logs etc., where they're under the org ID and then the sub-account ID (`[bucket]/AWSLogs/o-XXXXXXXX/[sub account id]/Config`)?
Aggregator menu view in console ![Aggregator](/media/postImages/original/IM4NxN9GuSTWCLxX6B1k1k0Q) Detail of one sub account's status ![Detail of one sub account status](/media/postImages/original/IMSgzL2gtETfSntGUEqhLJZg) Aggregator main page only shows the org account. ![Org account only under aggregator](/media/postImages/original/IMbnhN_ZaHQWi2ldKuskYehw)
A couple of days ago a friend logged into my AWS account, and it turns out that now it says my account is at risk. But that's not the case, because it was under my authorization. I already did what the account asked me to do, and I still can't create new distributions. Please help.
I have a log use case and I'm looking for a best practice in the context of Control Tower. With Control Tower we have an org-level CloudTrail trail that consolidates CloudTrail logs into our logging account, dividing them up by sub-folder for each account. The teams that own the accounts would like to have access to their own logs. What's the best way to do this? Should I sync the logs out of that central bucket and back out into the individual accounts? Establish a second trail within the account itself?