Questions tagged with Security, Identity, & Compliance
Hello,
A little background: we are attempting to roll out a new stand-alone directory to enable smartcard RDP authentication for a pool of existing servers.
I have deployed an AWS Managed Directory and a domain-joined Enterprise Root CA, and set up the GPO/drivers required by our smartcard vendor.
Where we are getting stuck is that it does not look like the domain controllers are receiving the new Kerberos/Domain Authentication certificate which was published. Communication between the DC and CA is open. I know that I can't just request the certificate from the domain controller's Certificates snap-in. We published the template and set a group policy for enrolling the certificate, yet it does not appear in either of the DC certificate stores. Has anyone else run into this? Our smartcard RDP authentication is failing, I assume because Kerberos/DC auth is failing. It seems like the options for doing this outside of GPO are limited by AWS. Are there any common issues which would prevent the DC from enrolling, and by extension cause smartcard RDP session auth to fail?
Since this is a test setup before deploying to production, I am using a single-tier enterprise root CA, although we plan to use a 2-tier PKI for the final product.
Hello!
I am a very novice customer and normally do not deal with VPNs. However, a couple of times now incidents have been identified where our team VPN has been used in probing/brute-force attacks. For reference, we allow BYOD and the VPN is used mainly for WorkDocs/WorkMail access.
I have asked users to scan their devices for malicious software to stop the attacks. However, I need assistance with two issues:
- How do I identify exactly which of my users' devices is the source of the issue?
- Is there a way to configure my VPN to prevent it from allowing similar brute-force attacks from being carried out in the future?
Appreciate any assistance in advance.
I want to enable secret encryption in EKS. Based on this page, [Enabling secret encryption on an existing cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html), the permissions `kms:DescribeKey` and `kms:CreateGrant` are required.
My question is: which is the preferable way to assign these permissions? Is it to assign the permissions manually, or to give key usage permission to the eks-role?
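Both ways of granting the two actions named in the question, as an added example that is not from the original post or the linked AWS page: an identity-based policy on the cluster IAM role, and a key policy that grants the role directly (what the console calls key usage). The account ID, region, key ID and role name are constructed. The point the question does not spell out is that a KMS key policy is the primary control: an identity-based policy on the role only works if the key policy also has the usual statement allowing the account root principal, so the offline checker below tests both documents for the required actions and tests the key policy for that delegation.

```python
"""Grant an EKS cluster role kms:DescribeKey and kms:CreateGrant on the
cluster's KMS key, two ways, plus an offline check of the policy wiring.
Added example; all identifiers are constructed."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"                                              # constructed
KEY_ARN = ("arn:aws:kms:eu-west-1:" + ACCOUNT_ID
           + ":key/1234abcd-12ab-34cd-56ef-1234567890ab")                  # constructed
CLUSTER_ROLE_ARN = "arn:aws:iam::" + ACCOUNT_ID + ":role/eks-cluster-role"  # constructed
REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:CreateGrant")  # the two actions from the EKS doc

# Option 1: identity-based policy attached to the cluster IAM role.
# kms:CreateGrant is restricted with the KMS condition key kms:GrantIsForAWSResource,
# so the role can only create grants on behalf of an AWS service (here EKS),
# not hand out arbitrary grants on the key.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DescribeClusterKey", "Effect": "Allow",
         "Action": "kms:DescribeKey", "Resource": KEY_ARN},
        {"Sid": "GrantOnlyForAwsService", "Effect": "Allow",
         "Action": "kms:CreateGrant", "Resource": KEY_ARN,
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

# Option 2: grant the role in the key policy itself ("key usage" in the console).
# The first statement is the standard one that lets IAM policies in the account
# apply to this key at all; without it, option 1 would be ineffective.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIamPolicies", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::" + ACCOUNT_ID + ":root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowEksClusterRole", "Effect": "Allow",
         "Principal": {"AWS": CLUSTER_ROLE_ARN},
         "Action": list(REQUIRED_ACTIONS), "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """Identity policies have no Principal element; key policies must name the caller."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def granted_actions(policy, principal_arn, resource_arn, wanted):
    """Subset of `wanted` granted by Allow statements that apply to the principal
    and resource. Deliberately ignores Deny statements and Conditions: this is a
    wiring check for the two required actions, not a full IAM evaluator."""
    granted = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not _principal_matches(st, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st.get("Resource", []))):
            continue
        for pattern in _as_list(st.get("Action", [])):
            for action in wanted:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted


def missing_actions(policy, principal_arn, resource_arn, wanted=REQUIRED_ACTIONS):
    """Required actions the policy does not grant; empty set means it is sufficient."""
    return set(wanted) - granted_actions(policy, principal_arn, resource_arn, wanted)


def key_policy_enables_iam(key_policy, account_id, key_arn=KEY_ARN):
    """True if the key policy lets the account's IAM policies grant the required
    actions, i.e. option 1 can work at all."""
    root = "arn:aws:iam::" + account_id + ":root"
    return not missing_actions(key_policy, root, key_arn)


if __name__ == "__main__":
    print(json.dumps(IDENTITY_POLICY, indent=2))
    print(json.dumps(KEY_POLICY, indent=2))
    print("identity policy missing:", missing_actions(IDENTITY_POLICY, None, KEY_ARN))
    print("key policy missing for role:", missing_actions(KEY_POLICY, CLUSTER_ROLE_ARN, KEY_ARN))
```

Whichever option is chosen, scope the statement to the one key ARN rather than `"Resource": "*"` on the role side, and keep the `kms:GrantIsForAWSResource` condition on `kms:CreateGrant`; a role that can create unrestricted grants on the key can delegate decrypt rights to any principal.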

Hi,
In the action [AttachCustomerManagedPolicyReferenceToPermissionSet](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AttachCustomerManagedPolicyReferenceToPermissionSet.html#singlesignon-AttachCustomerManagedPolicyReferenceToPermissionSet-request-CustomerManagedPolicyReference) I lack a condition which would allow controlling which CustomerManagedPolicyReference can be attached.
For example, I would like to restrict it so that only a policy reference whose name starts with "some-prefix" can be attached, or only a referenced policy that has "some-tag" assigned.
My question: is there a workaround which would allow controlling which policy reference can be attached to a permission set?
Thank you
Is it possible to use one ATP rule to protect more than one login page in AWS WAF?
For context, I have one ACL in WAF protecting one login page. We're expanding some systems and adding some new, separate login pages. I would like to keep the protection under one single ACL, but I'm struggling to figure out a way to have the ATP rules apply to more than one login page.
I'd like to pay for AWS services in advance.
1. How can I pay in advance? There is an option called 'Advance Pay' in the manual, but I don't know where the billing console is.
* The first attached photo relates to the manual.
* The second attached picture is the billing console I am looking at.
2. With the pre-payment method, do I use up the pre-payment and then pay additionally for any further use of the service? Or is the service suspended if I use up all of the pre-paid amount? If possible, I would like to use the latter method. Is that possible?
Please can someone help? I created a business AWS account earlier this week for my team to set up an SFTP. For some unknown reason, a few days later I am unable to sign into the account. When I try to sign in as the root user, I receive the message 'Signing in with the root user is disabled for your account. You need to re-enable this feature.' When I try to recover my password, I receive the message 'Password recovery is disabled for your AWS account root user. You need to re-enable this feature.' I can't seem to access the Support Center, as whenever I try, I am taken back to the login page. When I try to sign in as an IAM user, I receive the message 'Your authentication information is incorrect'. When I click on 'Forgot Password', I receive the message 'Account owners, return to the main sign-in page and sign in using your email address. IAM users, only your administrator can reset your password.' I am literally going round in circles and can't seem to find a way into my account. Can anyone help? TIA
I have a cluster in EKS with an internet-facing NLB and then ingress-nginx. During a Qualys PCI scan I got a CVE-2004-0230 alert on ports 80 and 443 (tested on port 80/443 with an injected SYN/RST offset by 16 bytes). How can I fix it? I can't find where this problem exists, on the load balancer or on the ingress side. Maybe someone can help?
Thanks in advance!
Hello everyone, I have a question about vulnerabilities in the AWS administration portal. We ran a vulnerability scan against the administration portal URL, https://x-xxxxxxxx.awsapps.com/start, and found many high-severity vulnerabilities, most of them problems with the TLS protocol. Is there any chance of remediating this kind of URL? I researched a little and found that this URL belongs to AWS WorkSpaces.
Need Some help!
I want to integrate AWS Secrets Manager with EKS.
One way I tried is the Secrets Store CSI Driver (SSCSID). It mounts the secrets directly into the pod.
If I want to set an environment variable from a secret, then I need to enable the secretSync option of SSCSID, because of which SSCSID creates a Kubernetes Secret for our secret data.
This is similar to using k8s Secrets, which are base64-encoded.
What I want is for the k8s Secret not to contain the actual data; it should contain a placeholder, and then the driver/k8s should replace the placeholder with data from AWS Secrets Manager at the time of mounting/using the secret inside the pod.
Can anyone please suggest the right way or tool for it?
Thanks
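The mechanism the question describes (secretSync producing a Kubernetes Secret that the pod then reads as an environment variable), as an added example that is not from the original post or the driver's own documentation: a SecretProviderClass for the AWS provider with a `secretObjects` section, the matching Pod, and an offline check of the wiring between them. The secret name, namespace, image and mount path are constructed. The synced Secret still carries the real value base64-encoded, exactly as the question says; what the check catches are the silent failures around it: a pod that never mounts the CSI volume (the driver only creates the synced Secret for pods that mount it), or a `secretKeyRef` pointing at a name/key that no `secretObjects` entry produces.

```python
"""SecretProviderClass + Pod for syncing a Secrets Manager value into an env var
via the Secrets Store CSI Driver, with a consistency check of the wiring.
Added example; names, namespace, image and paths are constructed."""
import json

CSI_DRIVER = "secrets-store.csi.x-k8s.io"
SECRET_ID = "prod/app/db"        # constructed Secrets Manager secret name
FILE_ALIAS = "db-creds"          # file name under the mount; secretObjects refers to this alias

# `objects` for the AWS provider is a YAML list carried inside a string.
PROVIDER_OBJECTS = [
    {"objectName": SECRET_ID, "objectType": "secretsmanager", "objectAlias": FILE_ALIAS},
]


def render_objects(objects):
    """Render the provider's `objects` parameter (a YAML list) as a string."""
    lines = []
    for obj in objects:
        for i, (key, value) in enumerate(obj.items()):
            lines.append(("- " if i == 0 else "  ") + key + ": " + json.dumps(value))
    return "\n".join(lines) + "\n"


def parse_objects(text):
    """Inverse of render_objects, so the checker reads the manifest as deployed."""
    items = []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line[2:].partition(": ")
        if line.startswith("- "):
            items.append({})
        items[-1][key] = json.loads(value)
    return items


SECRET_PROVIDER_CLASS = {
    "apiVersion": "secrets-store.csi.x-k8s.io/v1",
    "kind": "SecretProviderClass",
    "metadata": {"name": "app-secrets", "namespace": "app"},
    "spec": {
        "provider": "aws",
        "parameters": {"objects": render_objects(PROVIDER_OBJECTS)},
        # secretSync: the driver creates this Kubernetes Secret from the mounted file.
        "secretObjects": [{
            "secretName": "app-db-synced",
            "type": "Opaque",
            "data": [{"objectName": FILE_ALIAS, "key": "DB_PASSWORD"}],
        }],
    },
}


def make_pod(secret_name, env_key, mount_spc="app-secrets"):
    """Pod that reads the synced Secret as an env var. mount_spc=None omits the CSI
    volume, which is the classic mistake: the Secret is then never created."""
    volumes, mounts = [], []
    if mount_spc:
        volumes.append({"name": "secrets", "csi": {
            "driver": CSI_DRIVER, "readOnly": True,
            "volumeAttributes": {"secretProviderClass": mount_spc}}})
        mounts.append({"name": "secrets", "mountPath": "/mnt/secrets", "readOnly": True})
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "app", "namespace": "app"},
        "spec": {
            "serviceAccountName": "app",  # its IAM role needs secretsmanager:GetSecretValue on SECRET_ID
            "containers": [{
                "name": "app", "image": "example.com/app:1.0",   # constructed
                "env": [{"name": "DB_PASSWORD", "valueFrom": {
                    "secretKeyRef": {"name": secret_name, "key": env_key}}}],
                "volumeMounts": mounts,
            }],
            "volumes": volumes,
        },
    }


POD = make_pod("app-db-synced", "DB_PASSWORD")


def wiring_problems(spc, pod):
    """Mismatches between the SecretProviderClass and a Pod expecting an env var from
    the synced Secret. An empty list means the names line up end to end."""
    problems = []
    spc_name = spc["metadata"]["name"]
    mounted = {v["csi"].get("volumeAttributes", {}).get("secretProviderClass")
               for v in pod["spec"].get("volumes", []) if v.get("csi", {}).get("driver") == CSI_DRIVER}
    if spc_name not in mounted:
        problems.append(f"pod does not mount SecretProviderClass {spc_name!r}: "
                        "the driver only syncs a Secret for pods that mount the volume")
    file_names = {o.get("objectAlias") or o["objectName"]
                  for o in parse_objects(spc["spec"]["parameters"]["objects"])}
    synced = set()
    for so in spc["spec"].get("secretObjects", []):
        for entry in so["data"]:
            if entry["objectName"] not in file_names:
                problems.append(f"secretObjects entry {entry['objectName']!r} matches no mounted file")
            synced.add((so["secretName"], entry["key"]))
    for container in pod["spec"]["containers"]:
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref and (ref["name"], ref["key"]) not in synced:
                problems.append(f"env {env['name']} reads {ref['name']}/{ref['key']}, "
                                "which no secretObjects entry produces")
    return problems


if __name__ == "__main__":
    # kubectl apply -f accepts JSON, so these print as deployable manifests.
    print(json.dumps(SECRET_PROVIDER_CLASS, indent=2))
    print(json.dumps(POD, indent=2))
    print("problems:", wiring_problems(SECRET_PROVIDER_CLASS, POD))
```

Because the synced Secret is an ordinary Kubernetes Secret, anyone with `get` on Secrets in that namespace can read the value; RBAC on Secrets in the `app` namespace is the control that matters once secretSync is on, and the file mount alone (without `secretObjects`) keeps the value out of the API server entirely.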
I have created a Terraform project to build EKS with Karpenter, but when I try to build certain projects I get the problem shown below. Does anyone know how to fix it, or what Terraform configuration I need to apply to do so?
```
Warning FailedMount 25m kubelet MountVolume.SetUp failed for volume "kube-api-access-xxxxx" : write /var/lib/kubelet/pods/xxxxxx-xxxxx-xxxxxx/volumes/kubernetes.io~projected/kube-api-access-xxxxx/..2023_02_15_09_10_29.2455859137/token: no space left on device
Warning FailedMount 5m57s (x8 over 24m) kubelet Unable to attach or mount volumes: unmounted volumes=[kube-api-access-xxxx], unattached volumes=[kube-api-access-xxxx]: timed out waiting for the condition
Warning FailedMount 3m39s (x13 over 24m) kubelet (combined from similar events): Unable to attach or mount volumes: unmounted volumes=[kube-api-access-xxxxx], unattached volumes=[kube-api-access-xxxxx]: timed out waiting for the condition
```
I created a certificate which I needed for my Elastic Beanstalk app, but the status is showing as failed.
However, it shows the reason for failing as: "ACM requires additional information to process this certificate request. If you don't have a support plan, post a new thread in the ACM Discussion Forum."
Hence this thread. Please help.