Questions tagged with Security, Identity, & Compliance
Hi,
I've started an Amazon Grafana workspace where I am using SAML for authentication. I am able to log in to the Grafana workspace using my IdP, but I am not able to log in with admin privileges. I don't mind others from my org logging in as admin, so I've set the **Assertion attribute role** to the *mail* attribute and the **Admin role values** to *\**, i.e. allow all users to be admin. I've also explicitly tried setting the **Admin role values** to my email; even then I was not able to log in as an admin and am logging in as a *Viewer*.
The weird part is I was able to view the admin dashboard in one of the logins but once I logged myself out and logged back in, I started seeing the viewer dashboard again.
Note that the "I want to opt-out of assigning admins to my workspace." button is not selected in my configuration. Any help on the matter will be greatly appreciated. Thank you!
Hi,
S3 has static website hosting enabled and is configured through CloudFront using an OAI.
When S3 is publicly accessible, the CloudFront URL works; once S3 public access is disabled, the website is not accessible through the CloudFront URL either and I get Access Denied.
https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_User.html
The IdentityStore API was extended some time ago and you can finally list users and get information about users. Sadly, one of the most important attributes is missing from there: the "Active" attribute. Because of this we still need to work with a third-party library that reverse engineers the web interface to pull the information out from there. This recently broke and we have to deal with that now.
Why is this attribute not in there? When do you intend to add it into the DataType/Responses?
Hi, the SecurityHub dashboard seems to provide a "resource tags" filter, however after entering any tag name and value which I know that some of the resources affected by existing findings have, no results are returned.
The same goes for the API, I tried running the following:
```
aws securityhub get-findings --filters ResourceTags='[{Key=owner,Value=MY_EMAIL,Comparison=EQUALS}]'
```
and no results were returned.
I don't see anything about this in the [MapFilter](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_MapFilter.html) or [AwsSecurityFindingFilters](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AwsSecurityFindingFilters.html) docs.
What is the correct way to use this filter?
Hi,
We configured SSO for QuickSight and followed the instructions in this blog:
https://aws.amazon.com/de/blogs/big-data/enable-federation-to-amazon-quicksight-with-automatic-provisioning-of-users-between-aws-iam-identity-center-and-microsoft-azure-ad/
However, in this article every user will be an admin, because https://aws.amazon.com/SAML/Attributes/Role will always be mapped to `arn:aws:iam::<YourAWSAccountID>:role/QuickSight-Admin-Role`; the role does not depend on the user group.

As described in the article, we created 3 IAM roles and Azure AD groups (Admin, Author, Reader). How can we assign IAM roles to the AD group? We already tried using claims in Azure AD, as described here: https://aws.amazon.com/de/blogs/big-data/enabling-amazon-quicksight-federation-with-azure-ad/
Hi team,
In my team, we have our code and pipelines in AWS CodeCommit and CodePipeline.
**Our AWS account doesn't allow creating IAM users or long-lived credentials. Also, outbound connections are blocked in our ASEA AWS account (no internet access).**
We need to integrate with other teams using Azure DevOps (ADO).
In this case, how can we allow deployments to AWS from ADO?
Is there a specific AWS role to allow another cloud vendor to deploy to AWS (ADO --> AWS)?
Thank you!!
I'm setting up a test instance of AWS IAM Identity Center using Azure AD as the external provider. I've set it up using the instructions provided but get a very generic error of "Looks like this code isn't right. Please try again." My Googling hasn't brought up anything specific.
When I test the SSO from Azure, it says that it successfully issued a token. So it is presumably an issue on the AWS side.
Has anyone come across this before?
Hello,
When I try to create a new instance I get the alert message below.
"This account is currently blocked and not recognized as a valid account. Please contact aws-verification@amazon.com if you have questions."
What is wrong?
And how can I UNBLOCK my account?
I have recently used a 100% AWS associate voucher to book an exam schedule on VUE. However, I would like to cancel this schedule to take back the voucher and apply the voucher to my friend's account. Is this possible? If so, what are the steps I need to follow?
I appreciate your assistance and prompt response on this matter.
I received an email from AWS entitled "Update Root User Email Address for AWS Account". I'm trying to understand what it's actually asking me to do. The complete body of the email is below.
Is it saying that I'm using the same email address for AWS (the cloud platform) and Amazon.com (the store) and that I need to change the email address in AWS to something different?
I find this message *incredibly* difficult to parse.
> You are receiving this message because we have identified that you are currently using the same email address for this AWS account (as listed in the Subject line) and for additional AWS account(s), which are associated with your Amazon.com account. We strongly recommend that you update the root user email address [1] for this AWS account as soon as possible to separate access to your additional AWS account(s) linked to your Amazon.com account. If you do not take any action by April 10, 2023, we will require you to update your email before accessing this AWS account when you sign in next to your account.
>
> After you have changed the root user email address for this account, you will be able to use it to access your account. At that point, we can finish separating your additional AWS account(s) from your Amazon.com account.
>
> The following are your additional AWS account(s) linked to your Amazon.com account:
> 999999999999
>
> After you receive a confirmation email from no-reply@update.signin.aws, you can then sign in with the existing root email address for the additional AWS Account(s) and access new features. This can include enhancing the security of your sign-in experience with other Multi-Factor Authentication (MFA) device types, including hardware security keys [2], and monitoring root user activity through AWS CloudTrail [3].
I've got a use case where I would like to connect to Lex from a client app (desktop app).
I would not like the user to abuse the credentials, and I also want full control over how many AudioInput events can be sent. The documentation for Lex v2 states that we cannot use temporary credentials.
Are there any alternatives?
My organization has a few users who were using AWS before we officially began managing it. Their accounts are using the same domain as us, but we're unable to see which users these are. Is there a way to see these users? What happens to these users' logins when we enable SSO?