Questions tagged with Security
Change of sending IP
Hello, my account has recently been hacked. It seems that everything is fixed; however, now I am doing tests and all the emails arrive in the SPAM folder, which did not happen before the hack. When I was hacked, massive emails were sent and the health of the account got much worse. They reset it, and now the health is fine, but the emails go to SPAM. Is it possible to change my sending IP or fix it somehow? Thanks.
Irregular activity in your AWS account - Suspicious Billing with SageMaker
Hi, I have been charged almost 2400€ for AWS SageMaker that I didn't use or have activated in my account. I use a password with a combination of letters, numbers and special characters and also use MFA authentication for my AWS account. Checking the Event History, without any login from my side or use of my credentials, I see all the following events done in my account:

Event name:
- GetRole
- ListPolicies
- AttachRolePolicy
- CreatePolicy
- CreateRole
- CreateEndpoint
- CreateEndpointConfig
- CreateModel
- DescribeRepositories
- GetAuthorizationToken
- CreateRepository
- ListEndpoints
- GetServiceQuota

Those events are the creation and activation of SageMaker. How is it possible for someone to activate roles/services or anything on a "secure" account without the user login credentials and MFA authentication code!!! I've followed all the steps that AWS support sent me to remove all the active services that I didn't activate. I also have a ticket open for 14 days to be refunded the value that was charged to my card; I have talked several times in the support chat and the answer is that "I've checked in with the service team and there's no update as yet" ... How can we trust and be safe if it is possible to activate services on our account without our credentials and MFA authentication code????
Remember device to suppress MFA challenge using Cognito Hosted UI
We are currently using the Cognito Hosted UI for the authentication of our web application. For extra security we've enabled MFA with a TOTP code. For convenience we'd like to ask our users if they want to remember their device (device tracking). However, it seems not possible to set up device tracking when users sign in using the Hosted UI. Is this true, and how can we make device tracking work? Do we need to create a custom UI?
How to collect OS level logs from mobile devices attempting access to an application behind an Application Load Balancer
Need help identifying how to collect OS level data on mobile applications attempting to log into a web server hosted on an EC2 Windows machine. We are using Cognito as well as an ALB to route traffic. We would like to collect OS level information (iPhone SE, Samsung Galaxy, etc.). Is there a way to configure this natively in AWS via CloudWatch or CloudTrail? I was not able to see this in the documentation. Thank you.
CloudFront and Google Analytics
I have deployed the Google Analytics script on my Lightsail-based WordPress (Bitnami) website and am using CloudFront for content delivery. Besides that, I am using the Wordfence firewall on my website and accordingly enabled the X-Forwarded-For HTTP header as well as whitelisted all IP blocks of CloudFront to get users' IPs. The issue I am facing is that Google Analytics is displaying all visitors as originating from desktop devices instead of mobile devices. How can I fix it? The link to the website is [https://pricetoday.com.pk](https://pricetoday.com.pk)
Which headers are considered invalid by AWS in ALB attribute routing.http.drop_invalid_header_fields.enabled?
I couldn't find any official AWS documentation on which headers are considered invalid by the Application Load Balancer when the routing.http.drop_invalid_header_fields.enabled attribute is enabled. Which of my headers will be dropped? Which characters are allowed and which are not? Is there a standard that is followed here? I found this guide from Trend Micro but would still like to see some official AWS documentation: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELBv2/drop-invalid-header-fields-enabled.html
AWS GameLift Server: Best Solution for Generating and Rotating API Keys for AWS Server Authentication?
We are currently setting up some authentication systems for our UE4 game servers so that we are sure they are the only devices/users capable of accessing our internal API / Lambda functions. With that in mind, there is a desire not to hard code any Cognito user IDs or tokens into the actual server code itself. Instead, we would like to have these tokens generated and cycled on AWS's side, to keep it decoupled. We are undecided whether these tokens should last for the life of the GameLift server or for a set period of time—whichever is most feasible. This way, if we need to adjust access to certain features down the road, it will not require an update to the deployed Unreal Engine server build. Does the AWS API or Lambda have any features out of the box to check if an API request is coming from within AWS, ideally from one of the active GameLift instances? While we may still need to create a Cognito identity for the servers, or just check the local IP of the running GameLift servers, the ideal flow would look like:

1) The UE4 game server on AWS asks for a token on startup.
2) A Lambda authorization script checks to make sure it is valid and coming from within AWS/GameLift.
3) Once validated, the Lambda function provides a token for the server to use in backend Lambda functions.
4) Before GameLift server shutdown, revoke access or add the token to a "black-listed" token database to prevent a second use before token expiration.
UE4 on GameLift: What are the best practices for securing and separating server-only code from the client - updating databases etc.?
What is the best practice for securing and separating a UE4 server's ability—hosted via GameLift—to update databases and perform other tasks that ***only*** the server should see and have access to? The methods we have come up with are:

1) With an auth token to an internal API: utilize pre-processor directives so that these functions and tokens are never even shipped with the client. (The downside to this is that most of our team is allergic to formal code, so we are not sure how UE4 handles segregated, pre-processor directives that are Blueprint callable functions. Will this cause problems if the Blueprint UFunction ends up being removed on the client?)
2) Same as 1, but have the servers make a GET request on startup to receive dynamically generated and cycled auth tokens.

What method should we be pursuing to secure our UE4 server's ability to modify databases etc.?
Retrieve access token after logging in to ALB with Cognito
We have our web app and backend services running in a VPC. It is reachable through an Application Load Balancer (ALB) which requires login through the hosted UI with a Cognito user pool. After logging in, any request sent through the ALB gets an access token added in the `X-Amzn-Oidc-Data` header, which is good. However, for our `websocket` connection to the backend, we need to specify any relevant data in the `connectionParams` client-side. I see two possible solutions but I am not sure about the implementation:

1. After logging in with the hosted UI, the `AWSELBAuthSessionCookie` is set in the browser. If I could exchange that client-side for an `access_token`, I could just add the token to the `connectionParams`. However, for the [token endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html), I would need the `client_id` and the `client_secret`, but I just have the cookie at that point.
2. Another approach might be to intercept the `onConnect` request via websockets in a reverse proxy behind the ALB, take the automatically added header `X-Amzn-Oidc-Data` and write it to the `connectionParams`. But I am somewhat out of my depth on `websocket` to know how to do that.

Could anyone help me with option 1 or 2?
Amazon Linux 2022 ECR Basic Scan
From another post regarding an updated [GLIBC of 2.27+](https://repost.aws/questions/QUrXOioL46RcCnFGyELJWKLw/glibc-2-27-on-amazon-linux-2), it was suggested to use the preview of Amazon Linux 2022. This does in fact solve the request to update GLIBC; however, it also introduces a new issue where images built from AL2022 fail the Basic Scan in ECR with `UnsupportedImageError: The operating system 'amzn' version '2022' is not supported.` Is there a recommended way to push/scan new images from AL2022, since the AL2 images were supported for basic scans?
Server Migration from on-premises VMware ESXi to AWS using AWS SMS
Hello, I would like to ask if Amazon Linux 2 is one of the Linux VMs that are supported for migration. In the list in this document, they didn't mention AL2: https://docs.aws.amazon.com/server-migration-service/latest/userguide/prereqs.html#os_prereqs Thanks.