Questions tagged with Security


AWS Inspector V2 and AWS Inspector Classic findings are different

I am using Ubuntu 20.04 EC2 instances and was investigating the difference between AWS Inspector Classic and AWS Inspector V2. There seemed to be many differences, but the main one was the actual findings. With Inspector Classic a number of CVEs would be found, while with Inspector V2 the same instance, once scanned, would say `No Findings`.

### Inspector Classic finds 53 CVEs

![Enter image description here](/media/postImages/original/IM7H1iE2k8S2iL21F4CODGEQ)

### Same instance with Inspector V2 just shows `No findings`

![Enter image description here](/media/postImages/original/IMLgoOIjGzSqm7eZcT5bGH4Q)

---

With Inspector Classic I did attach a rule called `Common Vulnerabilities and Exposures-1.1`. I'm not sure what Inspector V2 actually checks against either. During my search to make this work I did find that the following Systems Manager Association needed to work: `InspectorInventoryCollection-do-not-delete`. It's working now and shows success for all EC2 instances. I am unsure if the `InvokeInspectorSsmPlugin-do-not-delete` Association needs to work as well. I'm not quite sure what this is used for, but it shows skipped for all instances, and when I look at the detailed status output on a specific instance it just says `InvalidPlatform`. Not sure if this is related.

Can Inspector V2 actually be used to check Ubuntu 20.04 CVEs? If so, how? Is there some special IAM or SSM config/setup that needs to be applied?
1 answer, 0 votes, 25 views. Asked 15 days ago by dili.

Invalid certificate for AWS RDS in ap-east-1

# Issue

Hi. I created the AWS RDS Postgres database in the ap-east-1 (Hong Kong) region and tried connecting to the database from my Java app with the following configuration:

```
jdbc:postgresql://${database-hostname}:${database-port}/${database-name}?ssl=true&sslmode=verify-full&sslrootcert=${AWS_RDS_CERT_PATH}/${AWS_RDS_CERT_NAME}
```

But I got the error: `unable to find valid certification path to requested target`

# Investigation

Then I tried to fetch the certificate from my newly created RDS instance with OpenSSL version `1.1.1f` using the following command:

```
echo "" | openssl s_client -starttls postgres -connect $DB_HOSTNAME:5432 -showcerts -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > certificate.pem
```

[certificate.pem](https://www.amazon.com/clouddrive/share/iXXIxJe9fyGjpkwF7ykqq7pszqgbyCahRe4RZbjRnFT)

Next, I downloaded the Asia Pacific (Hong Kong) [PEM certificate](https://www.amazon.com/clouddrive/share/Yiid38jeib4WcnePsYG2mg169QGsud8HoR33KjZ34GC) from the [AWS Documentation page](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) and tried to verify the RDS certificate using the following command:

```
openssl verify -verbose -x509_strict -CAfile $AWS_RDS_CA_PEM certificate.pem
```

Where the `AWS_RDS_CA_PEM` environment variable contains a path to the AWS certificate. And I got the following result:

```
CN = database-1.cmr1eqjbhlka.ap-east-1.rds.amazonaws.com, OU = RDS, O = Amazon.com, L = Seattle, ST = Washington, C = US
error 20 at 0 depth lookup: unable to get local issuer certificate
error certificate.pem: verification failed
```

So maybe it happens because the AWS RDS servers are compromised and someone is trying to implement a [MITM attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). Then I tried to get the AWS CA certificate information by issuing the following command: `openssl x509 -in $AWS_RDS_CA_PEM -noout -text`. And the result shows the strange validity:

```
...
Validity
    Not Before: May 25 21:30:33 2021 GMT
    Not After : May 25 22:30:33 2061 GMT
...
```

I checked the certificate information using an AWS CLI command and got the following result:

![AWS CLI certificate result](/media/postImages/original/IMDnoyySPJQDqp0hR6QxOp4g)

Could you please let me know whether the AWS RDS `ap-east-1` servers are compromised, or if it is just an issue on the AWS Documentation page? Or is it both?
0 answers, 0 votes, 29 views. Asked 17 days ago.

IAM Policy Grammar - Clarification

I had a question about the policy grammar of IAM. In https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-notes, towards the end of the grammar it says:

```
<condition_block> = "Condition" : { <condition_map> }
<condition_map> = {
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  ...
}
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")
```

However, on this page, https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html, I see the following example:

```
"Condition": {
  "StringEqualsIgnoreCase": {
    "aws:PrincipalTag/department": [ "finance", "hr", "legal" ],
    "aws:PrincipalTag/role": [ "audit", "security" ]
  },
  "StringEquals": {
    "aws:PrincipalAccount": "123456789012"
  }
}
```

So, shouldn't the grammar be the following?

```
<condition_block> = "Condition" : { <condition_map> }
<condition_map> = {
  <condition_type_string> : {
    <condition_key_string> : <condition_value_list>,
    <condition_key_string> : <condition_value_list>,
    ...
  },
  <condition_type_string> : {
    <condition_key_string> : <condition_value_list>,
    <condition_key_string> : <condition_value_list>,
    ...
  },
  ...
}
<condition_value_list> = [<condition_value>, <condition_value>, ...]
```

Did I not understand correctly? If I did, which one is correct, the example or the grammar?
1 answer, 0 votes, 35 views. Asked 19 days ago.