How to set up a recurring Security Hub summary email?
I have this recurring Security Hub email set up in all my accounts and they have been working great. I followed the directions from this AWS Security blog post: https://aws.amazon.com/blogs/security/how-to-set-up-a-recurring-security-hub-summary-email/ Just this past weekend I got a notification that AWS is ending support for the Node.js 12 runtime. After some tracking down, I found out that the function which sends the email is using Node.js 12. I am not a developer and cannot recreate this in Node.js 16, as is required by the AWS warning email. Since this is from AWS employees, will someone be updating this so that it doesn't go unsupported (maintenance and patching will end) by the AWS Lambda team?
How to block internet access for S3 buckets?
I have many ECS instances distributed in different VPCs. According to https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html, I can restrict the access source of a bucket by using the SourceVpc condition. However, this brings some problems. One is that the bucket policy needs to be modified when adding a new VPC, and the other is that my bucket cannot be accessed through the AWS Console or other AWS services. My goal is to prevent internet access to objects in the bucket, but based on the Amazon S3 documentation I didn't find a proper solution.
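Added example (not from the poster or from AWS): a bucket policy in the shape the S3 documentation describes, with one Deny statement keyed on `aws:SourceVpc`, plus a second condition that exempts a single administrative role so console and CLI access keep working. The small evaluator beneath it shows why the console gets locked out in the first place: negated operators such as `StringNotEquals` evaluate to true when the key is absent from the request, and a console request carries no `aws:SourceVpc`. Bucket name, VPC IDs and role ARNs are placeholders.

```python
"""Added example, not from the original post: an S3 bucket policy that denies
access unless the request arrives from an allow-listed VPC (through a gateway
endpoint), with a carve-out for one administrative role so the console/CLI
still work, plus a local evaluator showing how the Deny behaves per request
type. Bucket name, VPC IDs and role ARNs are placeholders."""
import json
from typing import Dict, List, Optional

BUCKET = "example-private-bucket"                                  # placeholder
ALLOWED_VPCS = ["vpc-0a1b2c3d4e5f60001", "vpc-0a1b2c3d4e5f60002"]  # placeholders
ADMIN_ROLE = "arn:aws:iam::111122223333:role/S3BreakGlassAdmin"    # placeholder


def build_policy(bucket: str, vpcs: List[str], exempt_role_arn: str) -> Dict:
    """One Deny statement; every condition block must match for the Deny to apply."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessAllowedVpcOrAdmin",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {
                    # Negated operators evaluate to TRUE when the key is absent.
                    # Console/internet requests carry no aws:SourceVpc, so this
                    # matches them unless the principal carve-out below applies.
                    "StringNotEquals": {"aws:SourceVpc": vpcs},
                    "ArnNotEquals": {"aws:PrincipalArn": exempt_role_arn},
                },
            }
        ],
    }


def is_denied(policy: Dict, source_vpc: Optional[str], principal_arn: Optional[str]) -> bool:
    """Local evaluation of the Deny above for the two operators it uses.

    source_vpc is None for requests that did not traverse a VPC endpoint
    (console, internet, most service-to-service calls); principal_arn is None
    for anonymous requests.
    """
    cond = policy["Statement"][0]["Condition"]
    allowed = cond["StringNotEquals"]["aws:SourceVpc"]
    exempt = cond["ArnNotEquals"]["aws:PrincipalArn"]
    vpc_condition_true = source_vpc is None or source_vpc not in allowed
    principal_condition_true = principal_arn is None or principal_arn != exempt
    return vpc_condition_true and principal_condition_true


if __name__ == "__main__":
    policy = build_policy(BUCKET, ALLOWED_VPCS, ADMIN_ROLE)
    print(json.dumps(policy, indent=2))
    app_role = "arn:aws:iam::111122223333:role/AppTaskRole"  # placeholder
    for label, vpc, who in [
        ("ECS task via endpoint in allowed VPC", ALLOWED_VPCS[0], app_role),
        ("ECS task in a VPC not yet on the list", "vpc-0ffffffffffffffff", app_role),
        ("console user, no VPC endpoint", None, app_role),
        ("break-glass admin from the console", None, ADMIN_ROLE),
        ("anonymous internet request", None, None),
    ]:
        print(f"{label:42s} denied={is_denied(policy, vpc, who)}")
```

The carve-out addresses the console half of the problem; the VPC list still has to be edited when a new VPC appears, which is inherent to this approach. Any AWS service that reads the bucket on your behalf also arrives without `aws:SourceVpc` and needs its own exemption. Because the statement is a Deny with `Principal: "*"`, it binds account administrators too, so keep the exempt role in place and test the policy before applying it.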
How are Access Keys more secure than a username and password?
I'm preparing to sit the Cloud Practitioner certification. I have a CCNA and some experience in network administration; however, I do not have a computer science qualification. I'm confused as to how access keys add to the security of accessing AWS resources. The documentation reads:

> When you use AWS programmatically, you provide your AWS access keys so that AWS can verify your identity in programmatic calls. Your access keys consist of an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

How is a human or non-human user passing access keys more secure than passing a username and password to access resources? It appears (in my ignorance) to add an unnecessary layer of complexity. Surely there is a logical reason, but I can't seem to identify it.
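Added example (not from the poster or from AWS): the core of Signature Version 4, which is what an SDK does with an access key. The secret is used only as an HMAC key; what travels on the wire is the public key ID, a scope (day, region, service) and a MAC over the request, so the secret is never disclosed to the network or the server, and a captured signature cannot be reused for a different request or on a different day. A password sent over TLS, by contrast, is a bearer secret the server receives in full on every login. The key ID and secret are the documented AWS example values; region, service, timestamp and canonical request are constructed, and the URI-encoding and header-sorting rules real SDKs implement are omitted.

```python
"""Added example, not from the original post: SigV4 signing-key derivation and
request signature, showing that the secret access key is never transmitted.
Key ID/secret are the AWS documentation example values; the region, service,
timestamp and canonical request are constructed for illustration."""
import hashlib
import hmac
from typing import Dict, Optional

ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, SERVICE = "us-east-1", "s3"
AMZ_DATE = "20240101T120000Z"  # constructed
# Constructed canonical request: method, URI, query, headers, signed headers, payload hash
CANONICAL_REQUEST = "\n".join([
    "GET", "/example-object", "",
    "host:example-bucket.s3.amazonaws.com",
    "x-amz-date:" + AMZ_DATE, "",
    "host;x-amz-date",
    hashlib.sha256(b"").hexdigest(),
])


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4'+secret, date), region), service), 'aws4_request').
    The derived key is scoped to one day, one region and one service."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def string_to_sign(canonical_request: str, amz_date: str, region: str, service: str) -> str:
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    digest = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])


def sign(secret: str, canonical_request: str, amz_date: str, region: str, service: str) -> str:
    """Client side: MAC the string-to-sign with the scoped key; the secret itself stays local."""
    key = signing_key(secret, amz_date[:8], region, service)
    sts = string_to_sign(canonical_request, amz_date, region, service)
    return hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()


def authorization_header(access_key_id: str, signature: str, amz_date: str,
                         region: str, service: str, signed_headers: str) -> str:
    """What is actually sent: the public key ID, the scope and a MAC, never the secret."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    return (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def server_verify(secrets: Dict[str, str], access_key_id: str, canonical_request: str,
                  amz_date: str, region: str, service: str, presented: str) -> bool:
    """Server side: look the secret up by key ID, recompute, compare in constant time."""
    secret: Optional[str] = secrets.get(access_key_id)
    if secret is None:
        return False
    expected = sign(secret, canonical_request, amz_date, region, service)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    sig = sign(SECRET_ACCESS_KEY, CANONICAL_REQUEST, AMZ_DATE, REGION, SERVICE)
    print(authorization_header(ACCESS_KEY_ID, sig, AMZ_DATE, REGION, SERVICE, "host;x-amz-date"))
    store = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}
    print("genuine :", server_verify(store, ACCESS_KEY_ID, CANONICAL_REQUEST, AMZ_DATE, REGION, SERVICE, sig))
    tampered = CANONICAL_REQUEST.replace("/example-object", "/other-object")
    print("tampered:", server_verify(store, ACCESS_KEY_ID, tampered, AMZ_DATE, REGION, SERVICE, sig))
```

Note what the scheme does not give you: a leaked secret is still a long-lived credential with no MFA attached, which is why temporary credentials from STS (key IDs beginning `ASIA`) are preferred over long-term keys (`AKIA`) wherever possible.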
End-to-end encryption (to be or not to be)
Hi community, what is your position on end-to-end encryption (regardless of regulations), from a practical security point of view?

Scenario: the classic scenario of a web service fronted by an Application Load Balancer. No questions asked, we do encryption in transit for the front-end part. BUT for the communication between the load balancer and the server, the security position of AWS seems to be "encrypt everything", yet when I read the AWS documentation from a SysOps perspective I get the following:

> Terminating secure connections at the load balancer and using HTTP on the backend might be sufficient for your application. Network traffic between AWS resources can't be listened to by instances that are not part of the connection.

As a security practitioner, I will push for end-to-end encryption, but I would like to understand this other point of view from AWS which, when read, might suggest that the encryption between the load balancer and the EC2 instance is optional. I am in security now but my background is sysadmin, and when I talk to operations people I don't like to just "impose" security regulations/standards/policies etc. I like to explain why it's required from a technical security point of view. When it comes to our on-prem applications it's easy to explain the risks. But in AWS it's a little bit confusing for me to justify my point when they show me AWS documentation stating that it might be enough to encrypt just the front-end part of the communications.
API Gateway with mTLS request billing
We want to start using **public API Gateway** endpoints with AWS Lambda integration **secured with mTLS** [https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/], but it is not clear to us from the documentation whether rejected requests are billed or not. We analyzed these situations:

* **missing client certificate** - unauthorized access from anybody, bots etc. - the request fails with `OpenSSL SSL_connect: Connection reset by peer` or something similar - no information about these requests in any statistics on the API Gateway dashboard
* **invalid client certificate** - certificate from the wrong Certificate Authority - API GW will respond with *403 Forbidden* + response header `x-amzn-errortype: ForbiddenException`. These requests are visible under the API Calls and 4xx error dashboard statistics, without Lambda invocation
* **expired client certificate** (but valid CA) - also *403 Forbidden* + response header `x-amzn-errortype: ForbiddenException`. These requests are visible under the API Calls and 4xx error dashboard statistics, without Lambda invocation
* **valid client certificate** (common application state) - the application will respond, Lambda invoked, billed

We assume that only a random request without a client certificate is not charged, is that right? This information would help us to make a decision about this solution for security and potential costs. We don't consider using WAF yet, only if it proves necessary from our analysis. Thanks for any clarification.
Amazon Linux 2 - How can I know if a CVE has been patched?
Hi, my question is: how can we see what CVEs are patched? Where is it recorded if Amazon Linux has patched a particular CVE? There is the security centre here: https://alas.aws.amazon.com/alas2.html; however, that only lists the advisories as far as I can tell - it doesn't say what's patched and what isn't. Is it the case that if an item there shows that there are new packages, we can just assume it's patched in AL? Thanks in advance for any help.

**Context**

We've had a pen test conducted in our Elastic Beanstalk / Amazon Linux 2 environment. It flagged some potential common vulnerabilities & exposures (CVEs), a number of which turned out to be false positives as Amazon Linux maintains its own release of packages. We found that Nginx running in our environment was not version 1.20.0 - vulnerable to CVE-2021-23017 - but was version 1.20.0, release 2.amzn2.0.4, which according to https://github.com/aws/elastic-beanstalk-roadmap/issues/221 has been patched against this vulnerability. Having the same version number for each seems like a recipe for disaster. It certainly cost me a few days' time trying to look into the issue.

```
[ec2-user@ip-x ~]$ yum info nginx
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
207 packages excluded due to repository priority protections
Installed Packages
Name        : nginx
Arch        : aarch64
Epoch       : 1
Version     : 1.20.0
Release     : 2.amzn2.0.4
Size        : 1.7 M
Repo        : installed
From repo   : amzn2extra-nginx1
```

I have a number of other CVEs that I need to determine whether our Elastic Beanstalk environment is potentially compromised by. If I can just look them up, it would be helpful.

```
OpenSSH <= 8.6 Command Injection Vulnerability                                CVE-2021-23017
Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater)      CVE-2002-20001
nginx <= 1.21.1 Information Disclosure Vulnerability                          CVE-2013-0337
OpenSSH 6.2 <= 8.7 Privilege Escalation Vulnerability                         CVE-2021-41617
OpenBSD OpenSSH <= 7.9 Multiple Vulnerabilities                               CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111
OpenBSD OpenSSH Information Disclosure Vulnerability (CVE-2020-14145)         CVE-2020-14145
SSL/TLS: BREACH attack against HTTP compression                               CVE-2013-3587
OpenSSH 'auth2-gss.c' User Enumeration Vulnerability - Linux                  CVE-2018-15919
OpenSSH 'sftp-server' Security Bypass Vulnerability (Linux)                   CVE-2017-15906
OpenSSH < 7.8 User Enumeration Vulnerability - Linux                          CVE-2018-15473
OpenSSH Information Disclosure Vulnerability (CVE-2016-20012)                 CVE-2016-20012
```
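Added example (not from the poster or from AWS): the authoritative record of a backported fix on an RPM-based distribution is the package changelog, which Amazon Linux maintainers annotate with the CVE IDs addressed in each release. The script below parses `rpm -q --changelog <package>` output, inverts it into a CVE-to-package map, and checks the scanner's CVE list against it; anything not cited still has to be checked against ALAS and for upstream applicability, since "not cited" is not the same as "vulnerable". The changelog text here is a constructed sample in the real format, not actual Amazon Linux data; on a host, `live_changelog()` pulls the genuine output.

```python
"""Added example, not from the original post: check scanner-reported CVE IDs
against per-package RPM changelogs, where Amazon Linux records backported
fixes that a bare version comparison misses. SAMPLE_CHANGELOGS is constructed
(not real AL2 data); on a real AL2 host use live_changelog(package)."""
import re
import subprocess
from typing import Dict, Set

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed samples in the shape of `rpm -q --changelog <pkg>` output. NOT real AL2 data.
SAMPLE_CHANGELOGS: Dict[str, str] = {
    "nginx": """* Tue Jun 01 2021 Example Maintainer <maint@example.invalid> - 1:1.20.0-2.amzn2.0.4
- Backport fix for 1-byte memory overwrite in resolver
- Resolves: CVE-2021-23017

* Mon Apr 26 2021 Example Maintainer <maint@example.invalid> - 1:1.20.0-1.amzn2.0.3
- Update to upstream 1.20.0
""",
    "openssh": """* Wed Oct 06 2021 Example Maintainer <maint@example.invalid> - 7.4p1-22.amzn2.0.1
- Fix username enumeration via malformed packet (CVE-2018-15473)
""",
}

# A subset of the scanner lines from the post, pasted as-is.
SCANNER_FINDINGS = """
OpenSSH <= 8.6 Command Injection Vulnerability CVE-2021-23017
Diffie-Hellman Ephemeral Key Exchange DoS Vulnerability (SSH, D(HE)ater) CVE-2002-20001
OpenSSH 6.2 <= 8.7 Privilege Escalation Vulnerability CVE-2021-41617
OpenSSH < 7.8 User Enumeration Vulnerability - Linux CVE-2018-15473
"""


def parse_changelog(text: str) -> Dict[str, Set[str]]:
    """Map each changelog header ('* <date> <author> - <evr>') to the CVEs cited under it."""
    entries: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("* "):
            current = line[2:].strip()
            entries.setdefault(current, set())
        elif current is not None:
            entries[current].update(CVE_RE.findall(line))
    return entries


def cves_fixed_in(changelogs: Dict[str, str]) -> Dict[str, Set[str]]:
    """Invert to CVE id -> packages whose changelog claims to fix it."""
    fixed: Dict[str, Set[str]] = {}
    for pkg, text in changelogs.items():
        for cves in parse_changelog(text).values():
            for cve in cves:
                fixed.setdefault(cve, set()).add(pkg)
    return fixed


def triage(findings: str, changelogs: Dict[str, str]) -> Dict[str, str]:
    """One verdict per CVE ID found in the scanner output."""
    fixed = cves_fixed_in(changelogs)
    verdicts: Dict[str, str] = {}
    for cve in sorted(set(CVE_RE.findall(findings))):
        if cve in fixed:
            verdicts[cve] = "fixed per changelog of: " + ", ".join(sorted(fixed[cve]))
        else:
            verdicts[cve] = "not cited in any changelog; check ALAS / upstream applicability"
    return verdicts


def live_changelog(package: str) -> str:
    """On a real host: the installed package's actual changelog."""
    result = subprocess.run(["rpm", "-q", "--changelog", package],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for cve, verdict in triage(SCANNER_FINDINGS, SAMPLE_CHANGELOGS).items():
        print(f"{cve}: {verdict}")
```

The one-liner equivalent on the box is `rpm -q --changelog nginx | grep CVE-2021-23017`; `yum updateinfo list cves installed` gives the advisory view for what is already applied.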
Change of sending IP
Hello, my account has recently been hacked. It seems that everything is fixed; however, now I am doing tests and all the emails arrive in the SPAM folder, which did not happen before the hack. When I was hacked, I sent massive emails and the health of the account got much worse. They reset it, and now the health is fine, but the emails go to SPAM. Is it possible to change my sending IP or fix it somehow? Thanks.
Irregular activity in your AWS account - Suspicious Billing with SageMaker
Hi, I have been charged almost 2400€ for AWS SageMaker, which I didn't use or have activated in my account. I use a password with a combination of letters, numbers and special characters and also use MFA authentication for my AWS account. Checking the Event History, without any login from my side or use of my credentials, I see all the following events in my account:

Event name:

* GetRole
* ListPolicies
* AttachRolePolicy
* CreatePolicy
* CreateRole
* CreateEndpoint
* CreateEndpointConfig
* CreateModel
* DescribeRepositories
* GetAuthorizationToken
* CreateRepository
* ListEndpoints
* GetServiceQuota

Those events are the creation and activation of SageMaker. How is it possible for someone to activate roles, services or anything on a "secure" account without the user's login credentials and MFA authentication code?! I've followed all the steps that AWS Support sent me to remove all the active services that I didn't activate. I also have a ticket open for 14 days to be refunded the value that was charged to my card, and I have talked several times in the support chat, and the answer is "I've checked in with the service team and there's no update as yet"... How can we trust and be safe if it is possible to activate services on our account without our credentials and MFA authentication code?
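Added example (not from the poster or from AWS): the first thing to establish from the CloudTrail records is how the calls were authenticated, because console MFA only guards `ConsoleLogin`. API calls signed with a long-term access key (IDs beginning `AKIA`) carry no MFA unless an IAM policy requires `aws:MultiFactorAuthPresent`, and CloudTrail shows the key ID in `userIdentity.accessKeyId` and the MFA state in `sessionContext.attributes.mfaAuthenticated`. The records below are constructed to mirror the event names in the post; account ID, key ID, IPs and user name are placeholders. Real records come from `aws cloudtrail lookup-events` or the trail's S3 export.

```python
"""Added example, not from the original post: group CloudTrail records by how
they were authenticated and list the access keys that made suspicious calls
without MFA. SAMPLE_EVENTS is constructed (placeholders throughout) and trimmed
to the fields used."""
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_EVENTS: List[Dict] = [  # constructed CloudTrail records
    {"eventTime": "2023-03-01T02:10:11Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2023-03-01T02:10:12Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2023-03-01T02:11:40Z", "eventSource": "sagemaker.amazonaws.com", "eventName": "CreateModel",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2023-03-01T02:11:45Z", "eventSource": "sagemaker.amazonaws.com", "eventName": "CreateEndpoint",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2023-03-02T09:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user", "accessKeyId": "",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]

# Event names from the post that build out an attacker's SageMaker footprint.
SUSPICIOUS_NAMES = {"CreateRole", "AttachRolePolicy", "CreatePolicy", "CreateModel",
                    "CreateEndpoint", "CreateEndpointConfig", "CreateRepository"}


def auth_path(event: Dict) -> Tuple[str, str, bool]:
    """(identity type, credential used, mfa present) for one record."""
    ident = event.get("userIdentity", {})
    key = ident.get("accessKeyId") or ""
    if key.startswith("AKIA"):
        cred = "long-term access key " + key
    elif key.startswith("ASIA"):
        cred = "temporary credentials " + key
    else:
        cred = "console/password"
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true"
    return ident.get("type", "Unknown"), cred, mfa


def summarize(events: List[Dict]) -> Dict[Tuple[str, str, bool], Dict]:
    """Group records by authentication path; count them and collect suspicious call names."""
    groups: Dict[Tuple[str, str, bool], Dict] = defaultdict(
        lambda: {"count": 0, "ips": set(), "suspicious": []})
    for ev in events:
        g = groups[auth_path(ev)]
        g["count"] += 1
        g["ips"].add(ev.get("sourceIPAddress", "?"))
        if ev["eventName"] in SUSPICIOUS_NAMES:
            g["suspicious"].append(ev["eventName"])
    return dict(groups)


def keys_to_rotate(events: List[Dict]) -> List[str]:
    """Long-term key IDs that made suspicious calls without MFA: deactivate these first."""
    out = set()
    for ev in events:
        _, cred, mfa = auth_path(ev)
        if ev["eventName"] in SUSPICIOUS_NAMES and not mfa and cred.startswith("long-term"):
            out.add(cred.split()[-1])
    return sorted(out)


if __name__ == "__main__":
    for (typ, cred, mfa), g in summarize(SAMPLE_EVENTS).items():
        print(f"{typ:8s} {cred:42s} mfa={mfa} calls={g['count']} "
              f"ips={sorted(g['ips'])} suspicious={g['suspicious']}")
    print("rotate:", keys_to_rotate(SAMPLE_EVENTS))
```

A summary that shows the SageMaker calls under a long-term key with `mfa=False` from an unfamiliar IP explains how the account was used without the password or MFA code ever being entered: the key was leaked. The remediation order is to deactivate that key, then remove the roles and policies the attacker created, then look for persistence such as additional keys or users.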
Remember device to suppress MFA challenge using Cognito Hosted UI
We are currently using the Cognito Hosted UI for the authentication of our web application. For extra security we've enabled MFA with a TOTP code. For convenience we'd like to ask our users if they want to remember their device (device tracking). However, it seems not possible to set up device tracking when users sign in using the Hosted UI. Is this true, and how can we make device tracking work? Do we need to create a custom UI?
How to collect OS level logs from mobile devices attempting access to an application behind an Application Load Balancer
I need help identifying how to collect OS-level data on mobile applications attempting to log into a web server hosted on an EC2 Windows machine. We are using Cognito as well as an ALB to route traffic. I would like to collect OS-level information (iPhone SE, Samsung Galaxy, etc.). Is there a way to configure this natively in AWS via CloudWatch or CloudTrail? I was not able to see it in the documentation. Thank you.
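Added example (not from the poster or from AWS): CloudTrail records control-plane API calls, not client devices, and CloudWatch only carries what your application emits, so in this architecture the natively available record of what a device claims to be is the `user_agent` field of ALB access logs, which have to be enabled on the load balancer (they are delivered to S3). The parser below reads entries in the documented ALB access-log layout, pulls out the client IP, status and User-Agent, and buckets requests to a login path by OS family. Log lines are constructed with placeholder ARNs, IPs and hostnames; User-Agent is self-reported and trivially spoofed, so treat the result as telemetry, not an access-control input.

```python
"""Added example, not from the original post: extract the client User-Agent from
ALB access-log entries and bucket requests by OS family. Log lines are
constructed in the documented ALB format with placeholder identifiers."""
import re
import shlex
from collections import Counter
from typing import Dict

SAMPLE_LOG = """\
https 2023-03-01T10:00:01.123456Z app/my-alb/50dc6c495c0c9188 203.0.113.10:51234 10.0.1.20:443 0.001 0.012 0.000 200 200 512 2048 "GET https://app.example.com:443/login HTTP/1.1" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148 Safari/604.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/my-tg/73e2d6bc24d8a067 "Root=1-5e1b4151-0a1b2c3d4e5f60718293a4b5" "app.example.com" "arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012" 0 2023-03-01T10:00:01.110000Z "forward" "-" "-" "10.0.1.20:443" "200" "-" "-"
https 2023-03-01T10:00:02.223456Z app/my-alb/50dc6c495c0c9188 198.51.100.7:40021 10.0.1.21:443 0.001 0.010 0.000 200 200 480 1900 "GET https://app.example.com:443/login HTTP/1.1" "Mozilla/5.0 (Linux; Android 13; SM-G991B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Mobile Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/my-tg/73e2d6bc24d8a067 "Root=1-5e1b4152-1a2b3c4d5e6f70819203a4b6" "app.example.com" "arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012" 0 2023-03-01T10:00:02.210000Z "forward" "-" "-" "10.0.1.21:443" "200" "-" "-"
https 2023-03-01T10:00:03.323456Z app/my-alb/50dc6c495c0c9188 192.0.2.44:55555 10.0.1.20:443 0.001 0.011 0.000 200 200 500 2100 "GET https://app.example.com:443/login HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/my-tg/73e2d6bc24d8a067 "Root=1-5e1b4153-2a3b4c5d6e7f80912a3b4c7" "app.example.com" "arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012" 0 2023-03-01T10:00:03.310000Z "forward" "-" "-" "10.0.1.20:443" "200" "-" "-"
https 2023-03-01T10:00:04.423456Z app/my-alb/50dc6c495c0c9188 192.0.2.45:55556 - -1 -1 -1 503 - 0 0 "GET https://app.example.com:443/login HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-5e1b4154-3a4b5c6d7e8f90a1b2c3d4e8" "app.example.com" "arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012" 0 2023-03-01T10:00:04.410000Z "forward" "-" "-" "-" "-" "-" "-"
"""

USER_AGENT_FIELD = 13  # 0-based position of "user_agent" in the ALB access log entry

# Ordered; first match wins. Android UAs also contain "Linux", so Android is tested first.
OS_PATTERNS = [
    ("iOS", re.compile(r"\b(iPhone|iPad|iPod)\b")),
    ("Android", re.compile(r"\bAndroid\b")),
    ("Windows", re.compile(r"\bWindows NT\b")),
    ("macOS", re.compile(r"\bMacintosh\b")),
    ("Linux", re.compile(r"\bLinux\b")),
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one ALB access-log entry; shlex keeps the quoted request and user-agent fields whole."""
    fields = shlex.split(line)
    return {
        "time": fields[1],
        "client": fields[3].rsplit(":", 1)[0],
        "elb_status": fields[8],
        "request": fields[12],
        "user_agent": fields[USER_AGENT_FIELD],
    }


def classify_os(user_agent: str) -> str:
    if user_agent in ("", "-"):
        return "none"
    for name, pattern in OS_PATTERNS:
        if pattern.search(user_agent):
            return name
    return "other"


def os_breakdown(log_text: str, path_filter: str = "/login") -> Counter:
    """Count OS families for requests whose request line contains path_filter."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if path_filter in rec["request"]:
            counts[classify_os(rec["user_agent"])] += 1
    return counts


if __name__ == "__main__":
    for os_name, n in os_breakdown(SAMPLE_LOG).most_common():
        print(f"{os_name:8s} {n}")
```

For device model rather than OS family (the "iPhone SE" in the question), the User-Agent is not enough on iOS, where Safari reports only "iPhone"; that level of detail has to come from the application or mobile client itself.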
CloudFront and Google Analytics
I have deployed the Google Analytics script on my Lightsail-based WordPress (Bitnami) website and am using CloudFront for content delivery. Besides, I am using the Wordfence firewall on my website and accordingly enabled the X-Forwarded-For HTTP header as well as whitelisted all IP blocks of CloudFront to get users' IPs. The issue I am facing is that Google Analytics is displaying all visitors as originating from desktop devices instead of mobile devices. How can I fix it? The link to the website is [https://pricetoday.com.pk](https://pricetoday.com.pk)
Which headers are considered invalid by AWS in ALB attribute routing.http.drop_invalid_header_fields.enabled?
I couldn't find any official AWS documentation on which headers are considered invalid by the Application Load Balancer when the `routing.http.drop_invalid_header_fields.enabled` attribute is enabled. Which of my headers will be dropped? Which characters are allowed and which are not? Is there a standard which is followed here? I found this guide from Trend Micro but would still like to see some official AWS documentation: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ELBv2/drop-invalid-header-fields-enabled.html
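Added example (not from the poster or from AWS): a header-name audit that separates the two rules in play. RFC 7230 defines a header name as a `token` (letters, digits and the punctuation `!#$%&'*+-.^_`|~`), while my understanding of the ALB attribute is that it enforces the narrower rule of alphanumeric characters and hyphens only, which is why header names containing underscores are the ones most often reported as silently dropped. The strict rule is stated here as my assumption, so confirm it against the current ALB listener documentation before relying on it; the header names are constructed.

```python
"""Added example, not from the original post: classify HTTP header names under
RFC 7230's token rule and under the stricter alnum+hyphen rule I understand the
ALB attribute to apply (assumption: verify against current ALB documentation).
Header names below are constructed for illustration."""
import re
from typing import Dict, List

# RFC 7230 tchar: ALPHA / DIGIT / "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
RFC7230_TOKEN = re.compile(r"^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$")
# Assumed ALB rule when drop_invalid_header_fields is enabled: alphanumerics and hyphens only.
ALB_STRICT = re.compile(r"^[A-Za-z0-9-]+$")


def classify_header_name(name: str) -> str:
    """'ok': valid under both rules. 'rfc-only': a legal token that falls outside the
    strict alnum+hyphen set (the names the attribute drops). 'invalid': not even a token."""
    if ALB_STRICT.match(name):
        return "ok"
    if RFC7230_TOKEN.match(name):
        return "rfc-only"
    return "invalid"


def audit(header_names: List[str]) -> Dict[str, List[str]]:
    """Bucket a list of header names by verdict, preserving input order within each bucket."""
    out: Dict[str, List[str]] = {"ok": [], "rfc-only": [], "invalid": []}
    for name in header_names:
        out[classify_header_name(name)].append(name)
    return out


# Constructed header names: typical, underscore-bearing, dotted, and malformed ones.
SAMPLE_HEADERS = ["Host", "X-Forwarded-For", "X_Custom_Id", "Content-Type",
                  "X-Tenant.Region", "Bad Header", "X-Trace\x01Id", "Authorization"]

if __name__ == "__main__":
    for verdict, names in audit(SAMPLE_HEADERS).items():
        print(f"{verdict:9s} {names}")
```

Run this over the header names your application actually depends on (proxies and SDKs are the usual source of underscore names such as `X_Forwarded_Host`); anything in the `rfc-only` bucket should be renamed before the attribute is switched on, since the drop happens at the load balancer with no error returned to the client.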