Questions tagged with Security, Identity, & Compliance


I know all the docs say objects with compliance mode turned on DEFY deletion while they're in the retention period. Is there really no way around this? For instance, can AWS engineers delete them on their end, or are they locked up forever? An extreme case would be: somehow the bucket's default policy is compliance mode + a retention period of 100 years (the maximum); is the data uploaded into this bucket permanently staying in this case? Thanks!
1 answer · 0 votes · 21 views · asked a month ago
Hi, I urgently need assistance on how to download or create my AWS domain SSL certificate.

* We created a new domain in AWS yesterday.
* It has been purchased and is correctly provisioned.
* We now need that domain's SSL certificate to use in another platform from another service provider.
* The service provider is asking for:
  - SSL wildcard certificate,
  - SSL key for this certificate, and
  - ca-bundle file (it could be in zip format) for the specified domain.
  - The wildcard certificate should cover all sub-domains.

We need to obtain this SSL certificate and email it to the service provider. We have searched all AWS documentation but cannot find anything to do with obtaining the SSL certificate. We need to send this SSL certificate to the service provider, but we cannot find any way to obtain it in AWS. Please could anyone assist?
1 answer · 0 votes · 37 views · Bart1GV asked a month ago
As the owner of the organization, I've lost control over my AWS environment.

What I can do:
* log in as root user
* log in as IAM user
* access services from IAM (DynamoDB, S3 and else)

What I cannot do:
* delete rights or users on the IAM level
* delete rights or users in root
* activate access credentials from the console

What confuses me:
* There is no IAM user when I look at my organisation from root
* There is no organisation when I look at it from IAM

What I am not familiar with:
* CLI (whatever we find, it should be done on the AWS console)

Thank you in advance. ![This is how it looks](/media/postImages/original/IM8U19ppJkQc6yVUlKPRLH-Q)
2 answers · 0 votes · 41 views · asked a month ago
I know App Runner can access Secrets Manager, as explained in this article -> https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/ I already implemented it, and it works only in the run phase. In the build phase, I cannot access Secrets Manager. I'm using the App Runner configuration file (https://docs.aws.amazon.com/apprunner/latest/dg/config-file-examples.html). Any insight related to this? Thank you.
1 answer · 0 votes · 34 views · Fadholi asked a month ago
I have a use case where I am trying to use the CLI to see the policies attached to each role that list write-based policies. However, the only data I have is the service of the role, as opposed to the actual role itself. I'm wondering if there's a process to do this and receive this information for services such as Lambda, EC2, and ECS instances?
1 answer · 0 votes · 16 views · asked a month ago
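One way to approach the question above, as an added example that is not code from the original post or from AWS: find the roles whose trust policy names a given service principal (lambda.amazonaws.com, ec2.amazonaws.com, ecs-tasks.amazonaws.com), then flag the allowed actions that can change state. The inputs are constructed here in the shape returned by `aws iam list-roles` (AssumeRolePolicyDocument) and `aws iam get-policy-version` / `aws iam get-role-policy` (PolicyDocument); in real use, load those CLI outputs instead. The write-verb prefix list is a heuristic and an assumption; the authoritative access levels are in the Service Authorization Reference.

```python
"""Find roles assumable by a given AWS service and list their write-capable actions.

Added example, not code from the original post or from AWS. Runs offline on
constructed documents shaped like `aws iam list-roles` (AssumeRolePolicyDocument)
and `aws iam get-policy-version` / `aws iam get-role-policy` (PolicyDocument).
"""
import json

# Constructed sample data (assumption: not real accounts, roles or policies).
SAMPLE_ROLES = {
    "app-lambda-role": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "lambda.amazonaws.com"}}]},
        "PolicyDocuments": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}],
    },
    "web-ec2-role": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "ec2.amazonaws.com"}}]},
        "PolicyDocuments": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetObject"],
             "Resource": "*"}]}],
    },
    "worker-ecs-role": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "ecs-tasks.amazonaws.com"}}]},
        "PolicyDocuments": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow",
             "Action": ["dynamodb:Query", "dynamodb:PutItem", "dynamodb:DeleteItem"],
             "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/jobs"}]}],
    },
}

# Heuristic (assumption): verb prefixes that change state or grant permissions.
# IAM's authoritative access levels are in the Service Authorization Reference.
WRITE_VERB_PREFIXES = (
    "Put", "Create", "Delete", "Update", "Modify", "Attach", "Detach", "Write",
    "Start", "Stop", "Terminate", "Run", "Invoke", "Set", "Add", "Remove", "Tag",
    "Untag", "Associate", "Disassociate", "Authorize", "Revoke", "Replace", "Copy",
    "Restore", "Reboot", "Import", "Register", "Deregister", "Assume", "Pass",
)
READ_VERB_PREFIXES = ("Get", "List", "Describe", "Lookup", "Search", "Query", "Scan")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def service_principals(trust_policy):
    """Service principals that an Allow statement in the trust policy lets assume the role."""
    services = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services


def is_write_action(action):
    """True if an IAM action string (e.g. 's3:PutObject', 'logs:*') can change state."""
    if action == "*":
        return True
    _service, _, verb = action.partition(":")
    if verb in ("", "*"):
        return True                                   # service-wide wildcard covers every write
    if "*" in verb:
        return not verb.startswith(READ_VERB_PREFIXES)  # 'Describe*' is read-only, 'Put*' is not
    return verb.startswith(WRITE_VERB_PREFIXES)


def write_actions(policy_document):
    """Allowed actions in one policy document that match the write heuristic."""
    found = set()
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue                                  # NotAction statements need manual review
        found.update(a for a in _as_list(stmt["Action"]) if is_write_action(a))
    return sorted(found)


def roles_for_service(roles, service):
    """Map role name -> sorted write actions, for roles that `service` may assume."""
    report = {}
    for name, role in roles.items():
        if service in service_principals(role["AssumeRolePolicyDocument"]):
            actions = set()
            for doc in role["PolicyDocuments"]:
                actions.update(write_actions(doc))
            report[name] = sorted(actions)
    return report


if __name__ == "__main__":
    for svc in ("lambda.amazonaws.com", "ec2.amazonaws.com", "ecs-tasks.amazonaws.com"):
        print(svc, json.dumps(roles_for_service(SAMPLE_ROLES, svc)))
```

The trust policy is the only place a role records which service uses it, so that is the field to filter on when all you know is the service; for roles created through the console with a `/service-role/` path, the path is a second hint. Statements using `NotAction` are skipped rather than classified, since a `NotAction` grant is broader than any prefix list can express.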
I had to update my CLI on a few devices, and I am now unable to access anything pertaining to GameLift's API via an explicit denial. I double-checked the permission policy that I assigned to the IAM user, and while it is set to allow full access to resources, it will not work. Any suggestions or recommendations? I have also tried re-creating the policy via JSON and the visual GUI. I even tried creating a new user to use, and nothing works. I even ended up uninstalling the CLI tool and deleting the configuration and credential files multiple times trying to see if that would fix the issue. Policy below:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "gamelift:*",
    "Resource": "*"
  }
}
```
1 answer · 0 votes · 31 views · asked a month ago
https://us-east-1.quicksight.aws.amazon.com/sn/dashboards/494b0867-1f4a-44c7-a08d-e251d610bd53/sheets/494b0867-1f4a-44c7-a08d-e251d610bd53_e516ef43-05d2-497e-b4a2-193ef271a40f I've always been able to access the Detailed View tab for internal reporting on the Engage Reporting QuickSight report until this morning. It now has restricted access due to low-level security rules. Can I please regain access?
0 answers · 0 votes · 6 views · asked a month ago
Hello there, AWS team! I'm currently working on an IoT system that uses ESP32 microcontrollers. At the moment I'm able to connect to AWS IoT Core and publish/subscribe to topics. Now, I would like to provision different ESP32s without the need to create a Thing, policies, rules, and so on. I found this tutorial from AWS to use JITP: https://github.com/aws-samples/aws-iot-device-management-workshop/blob/master/AWS_IoT_Device_Management_Workshop.md#JITP If I understand correctly, I just need to upload those certificates and keys to my ESP32 memory, and then it will be business as usual? My device is headless, so I don't have access to any command line, and the current CA and keys are stored in memory. Is it the same process to do JITP? Thanks in advance :)
1 answer · 0 votes · 25 views · asked a month ago
Suppose a customer has multiple AWS accounts, their keys are sprawling across multiple regions, and they want to provide org-level service account credentials which have access to AWS KMS for all regions and accounts. Can we discover all AWS keys across regions and accounts at the org level using the single parent credential?
1 answer · 0 votes · 21 views · asked a month ago
So I have an SSO role, and I added ec2:CreateImage to the permission set attached to it, and the resource is "*". It works fine. As soon as I add a condition like "StringEquals", with the condition being a tag, i.e. aws:ResourceTag/Example, it will not work. It does not have some explicit deny etc. The tag value is correct. I've tried different keys/values to rule out spelling errors or some silly mistake. I have tested this in two different environments and I troubleshot using the Policy Builder (so no syntax issues). I have double-checked by deleting the permission (and seeing it blocked), adding the bare permission without conditions (it passes), and then adding a condition (it then fails). I don't see anything in the documentation or dependencies that would cause this to fail. Any reason?
1 answer · 0 votes · 37 views · asked a month ago
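An added example, not code from the original post or from AWS, that models the failure described above and the policy shape that avoids it. The assumption it is built on, taken from the EC2 service authorization reference, is that one `ec2:CreateImage` call is authorized against three resources: the source instance, which carries tags, and the new image and snapshot, which do not exist yet and therefore have no `aws:ResourceTag` values, so a `StringEquals` on that key cannot match them. With a single statement on `Resource: "*"` the tag condition is applied to all three and the image and snapshot checks fall through to an implicit deny; the fix is to put the tag condition only on the instance ARN and grant the image and snapshot ARNs in a second statement. The evaluator is a deliberately simplified model of IAM (Allow/Deny, resource patterns, `StringEquals` on `aws:ResourceTag` only); the ARNs and tag values are constructed.

```python
"""Why an aws:ResourceTag condition on ec2:CreateImage with Resource "*" fails,
and the split-statement policy that works.

Added example, not code from the original post or from AWS. Simplified model of
IAM evaluation; the three-resource request shape for CreateImage is an
assumption taken from the EC2 service authorization reference.
"""
import fnmatch

# Constructed: the resource-level checks one CreateImage call triggers.
# The image and snapshot do not exist yet, so they carry no tags.
CREATE_IMAGE_REQUEST = [
    {"resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
     "tags": {"Example": "true"}},
    {"resource": "arn:aws:ec2:us-east-1::image/ami-new", "tags": {}},
    {"resource": "arn:aws:ec2:us-east-1::snapshot/snap-new", "tags": {}},
]

# The shape from the post: one statement, Resource "*", tag condition on everything.
POLICY_SINGLE_STATEMENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:CreateImage", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Example": "true"}}},
]}

# Working shape: tag condition only on the instance; image and snapshot get their
# own statement (tighten it with aws:RequestTag if you tag the image on creation).
POLICY_SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:CreateImage",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Example": "true"}}},
    {"Effect": "Allow", "Action": "ec2:CreateImage",
     "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*::snapshot/*"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, tags):
    """Only StringEquals on aws:ResourceTag/<key> is modeled; a missing key never matches."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            raise NotImplementedError(f"condition key {key} not modeled")
        tag_value = tags.get(key[len("aws:ResourceTag/"):])
        if tag_value is None or tag_value not in _as_list(expected):
            return False
    return True


def evaluate(policy, action, resource, tags):
    """Decision for one (action, resource): ExplicitDeny beats Allow beats ImplicitDeny."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def authorize_create_image(policy, request):
    """Per-resource decisions; the API call succeeds only if every one is Allow."""
    return {r["resource"]: evaluate(policy, "ec2:CreateImage", r["resource"], r["tags"])
            for r in request}


def call_allowed(policy, request):
    return all(d == "Allow" for d in authorize_create_image(policy, request).values())


if __name__ == "__main__":
    for name, policy in (("single statement", POLICY_SINGLE_STATEMENT), ("split", POLICY_SPLIT)):
        print(name, call_allowed(policy, CREATE_IMAGE_REQUEST))
        print("  ", authorize_create_image(policy, CREATE_IMAGE_REQUEST))
```

The model deliberately leaves out what real IAM also evaluates (service control policies, permission boundaries, session policies), and an IAM Identity Center permission set is provisioned as an ordinary IAM role in the target account, so the same per-resource authorization applies there. When the split policy still fails, the per-resource view in CloudTrail's `errorMessage` for the `CreateImage` event is the place to see which of the three resources was denied.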
As described in [Best practice guidance to avoid "CloudFormation cannot update a stack when a custom-named resource requires replacing"](https://repost.aws/questions/QUOH_QkOY4RPWxO9YRG5rQKg/best-practice-guidance-to-avoid-cloud-formation-cannot-update-a-stack-when-a-custom-named-resource-requires-replacing), I ran into the same issue when doing updates to [AWS::IAM::ManagedPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html). However, what is not intuitive is that the update of [Description](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-description) is causing the need to replace the resource, and an error as a result, while the update of [PolicyDocument](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-policydocument) is not. Is there any reason behind choosing which properties cause these errors? With the [list of resources that support custom names](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html#w2ab1c33c10d430b9c13) being quite large, the chance of stepping into this issue is high. In some cases, like here with the description of managed policies, I don't understand the reason behind the need to replace the resource on update. In other cases, the general mechanism is, as described in the linked post at the beginning, not easy to work with from the automation perspective.
1 answer · 0 votes · 37 views · asked a month ago
Greetings, I need some verification on S3 encryption. We have multiple buckets that have default encryption enabled; however, when inspecting the individual objects within these buckets, they say server-side encryption is disabled, and they have to be manually toggled. Does this effectively mean the default encryption is doing nothing, or is the encryption setting on the individual objects an extra layer of encryption? The end goal is to have all of our objects encrypted at rest, but it's confusing as to whether or not that's happening. Thanks!
2 answers · 0 votes · 37 views · kyager asked a month ago