Questions tagged with Security
Team Email Alias Permissions
Hi. I want to create a WorkDocs folder that has permissions for L7 and up. In order to keep the permissions up to date I want to use an alias that includes all members on it. Is there a way for me to use a team alias, or do I have to upload each individual and manually update the permissions?
Does EKS encrypt secrets by default?
I was going by the following [documentation](https://aws.github.io/aws-eks-best-practices/security/docs/data/#secrets-management). After reading this I understood about using KMS with EKS, but I am not able to understand whether EKS encrypts secrets by default, because Kubernetes by default does not encrypt secrets and stores them base64-encoded; however, EKS uses AWS managed keys for the EBS volumes used for etcd nodes, as mentioned in the documentation. Pretty confusing.

> Kubernetes secrets are used to store sensitive information, such as user certificates, passwords, or API keys. They are persisted in etcd as base64 encoded strings. On EKS, the EBS volumes for etcd nodes are encrypted with EBS encryption.
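The distinction the question turns on can be checked per cluster: EBS encryption of the etcd volumes is always there, but KMS envelope encryption of the secrets themselves shows up only as an `encryptionConfig` entry on the cluster. The following is an added example (not code from the post or from AWS) that inspects that field offline on constructed `describe_cluster()` responses, and includes a live helper that enables envelope encryption through `associate_encryption_config`; cluster names and the key ARN are assumptions.

```python
"""Check whether an EKS cluster envelope-encrypts Kubernetes secrets with KMS.

Added example; not code from the original post or from AWS. Assumes the
dict shape returned by boto3 eks.describe_cluster()["cluster"], where
"encryptionConfig" is present only when envelope encryption has been
configured. Cluster names and the key ARN below are constructed.
"""
from typing import Optional

try:
    import boto3  # only needed for the live helpers at the bottom
except ImportError:  # the offline checks work without it
    boto3 = None


def secrets_kms_key(cluster: dict) -> Optional[str]:
    """Return the KMS key ARN used to envelope-encrypt secrets, or None.

    None means the cluster relies only on the default etcd EBS volume
    encryption and secrets sit in etcd as plain base64.
    """
    for cfg in cluster.get("encryptionConfig") or []:
        if "secrets" in cfg.get("resources", []):
            return cfg.get("provider", {}).get("keyArn")
    return None


def status_line(cluster: dict) -> str:
    """One-line verdict suitable for a compliance report."""
    key = secrets_kms_key(cluster)
    if key:
        return f'{cluster["name"]}: secrets envelope-encrypted with {key}'
    return f'{cluster["name"]}: secrets NOT envelope-encrypted (etcd EBS encryption only)'


def live_status(cluster_name: str, region: str) -> str:
    """Query a real cluster; needs credentials and boto3."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    eks = boto3.client("eks", region_name=region)
    return status_line(eks.describe_cluster(name=cluster_name)["cluster"])


def enable_envelope_encryption(cluster_name: str, key_arn: str, region: str) -> str:
    """Turn on KMS envelope encryption for secrets on an existing cluster.

    One-way change: it cannot be disabled afterwards, and secrets already
    in etcd are only re-encrypted once they are written again.
    """
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    eks = boto3.client("eks", region_name=region)
    resp = eks.associate_encryption_config(
        clusterName=cluster_name,
        encryptionConfig=[{"resources": ["secrets"], "provider": {"keyArn": key_arn}}],
    )
    return resp["update"]["id"]


# Constructed sample responses (no real clusters).
CLUSTER_WITH_KMS = {
    "name": "prod",
    "encryptionConfig": [{
        "resources": ["secrets"],
        "provider": {"keyArn": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"},
    }],
}
CLUSTER_DEFAULT = {"name": "dev"}  # no encryptionConfig at all

if __name__ == "__main__":
    for c in (CLUSTER_WITH_KMS, CLUSTER_DEFAULT):
        print(status_line(c))
```

Run it as-is for the offline demo; `live_status("my-cluster", "us-east-1")` does the same check against a real cluster. Treat a `None` result as "anyone with etcd or control-plane backup access can read secrets", which is exactly the gap envelope encryption closes.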
How to export AWS Security Hub findings to CSV format
I'm trying to deploy this solution (https://aws.amazon.com/blogs/security/how-to-export-aws-security-hub-findings-to-csv-format/) but running into this particular error: `"Invalid principal in policy (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy;"`. I'd appreciate it if someone could help me figure out what I could be doing wrong. Thanks all.
AWS Glue Security Group error confusing
I am receiving the following error from a Glue job I am trying to run:

> JobName:... and JobRunId:... failed to execute with exception At least one security group must open all egress ports. To limit traffic, the source security group in your outbound rule can be restricted to the same security group (Service: AWSGlueJobExecutor ...

I have verified that creating an outbound rule for All Traffic, All Ports, and Destination 0.0.0.0/0 resolves the problem, but I would ideally like to restrict the traffic as much as possible, and I am stuck on the second part of the error where it claims:

> To limit traffic, the source security group in your outbound rule can be restricted to the same security group

The problem is, last time I checked, outbound (egress) security group rules don't have a "source", they have a "destination". Am I missing something here, or is the error message problematic?
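The two rule shapes the error message is contrasting, side by side as an added example (not the poster's code or an AWS sample): the allow-all egress rule that makes the job run, and the self-referencing rule that satisfies the same requirement while only permitting traffic to other interfaces in the same group. The dict shapes follow boto3 `describe_security_groups()` and `authorize/revoke_security_group_egress()`; the group IDs are constructed.

```python
"""Security-group egress for an AWS Glue connection: the wide-open rule the
error message accepts, beside the self-referencing rule it suggests.

Added example; not code from the original post or from AWS. Assumes the
dict shapes used by boto3 ec2.describe_security_groups() and
authorize/revoke_security_group_egress(). Group IDs are constructed.
"""
from typing import List

try:
    import boto3  # only needed by lock_down_egress()
except ImportError:
    boto3 = None

ALL_TCP = {"FromPort": 0, "ToPort": 65535}


def self_referencing_rule(group_id: str) -> dict:
    """Egress rule allowing all TCP ports, but only to members of the same
    group. Glue needs the matching self-referencing inbound rule too."""
    return {"IpProtocol": "tcp", **ALL_TCP,
            "UserIdGroupPairs": [{"GroupId": group_id}]}


def _covers_all_tcp(perm: dict) -> bool:
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic"
        return True
    return (proto == "tcp" and perm.get("FromPort") == 0
            and perm.get("ToPort") == 65535)


def _targets(perm: dict) -> List[str]:
    """Destinations of an egress rule: CIDRs and referenced group IDs."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])


def glue_egress_ok(group: dict) -> bool:
    """True when some egress rule opens all TCP ports, whether to the world
    or (the tighter option) to the group itself."""
    gid = group["GroupId"]
    return any(_covers_all_tcp(p)
               and any(t in ("0.0.0.0/0", "::/0", gid) for t in _targets(p))
               for p in group.get("IpPermissionsEgress", []))


def egress_world_open(group: dict) -> bool:
    """True when an all-TCP egress rule points at 0.0.0.0/0 or ::/0: the
    job works, but the group is broader than Glue needs."""
    return any(_covers_all_tcp(p)
               and any(t in ("0.0.0.0/0", "::/0") for t in _targets(p))
               for p in group.get("IpPermissionsEgress", []))


def lock_down_egress(group_id: str, region: str) -> None:
    """Replace the default allow-all egress rule with the self-referencing
    one. Requires boto3 and credentials; not run by the offline demo."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    ec2 = boto3.client("ec2", region_name=region)
    ec2.revoke_security_group_egress(
        GroupId=group_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.authorize_security_group_egress(
        GroupId=group_id, IpPermissions=[self_referencing_rule(group_id)])


# Constructed describe_security_groups() entries.
SG_WORLD = {"GroupId": "sg-0aaa", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_SELF = {"GroupId": "sg-0bbb", "IpPermissionsEgress": [
    self_referencing_rule("sg-0bbb")]}
SG_HTTPS_ONLY = {"GroupId": "sg-0ccc", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for sg in (SG_WORLD, SG_SELF, SG_HTTPS_ONLY):
        print(sg["GroupId"], "glue_ok=", glue_egress_ok(sg),
              "world_open=", egress_world_open(sg))
```

In the API the "source" the message talks about is the `UserIdGroupPairs` entry of an egress permission, i.e. the destination is expressed as a group reference rather than a CIDR. Once egress is self-referencing, anything outside the group (the JDBC target, an S3 gateway endpoint) needs its own egress rule, so expect to add those deliberately rather than falling back to 0.0.0.0/0.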
Kinesis Firehose firewall opening for private network HEC
I am trying to use Firehose to stream CloudWatch logs to an HEC on a private network (not AWS). In this case we need to open the firewall between the two components. As far as I know Firehose is region-based, so I cannot get the IP as with other components (e.g. for MSK I can check the broker IP and use it for the firewall opening). So how can I resolve this in the Firehose case? I checked this page: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-splunk-vpc Or do I just need to use the IPs provided on that page (e.g. 184.108.40.206/26 for Canada (Central))? If yes, I have some concern since the IP may change. Do I need to change the firewall rules again once the IP changes?
Is there an API call I can make to multiple VPCs that will return the network firewalls associated with it?
I'm in the process of creating a custom Config rule. I need to confirm upon creation of VPCs (it doesn't have to be immediate) that there's a Network Firewall attached to the VPC. However, the issue is that when I review the AWS documentation for boto3/CLI calls to the API here https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpcs.html the describe-vpcs method doesn't return the Network Firewalls. I see that the describe-firewalls action does; however, I'm wondering if there's a way to call an API to determine if there's a Network Firewall associated with a VPC from a VPC standpoint. For example, listing all VPCs in the account and the metadata within them that INCLUDES the Network Firewall. If there's no way then at least I know there's no better solution. But I want to confirm this before moving on to the network-firewall API call.
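The rule logic itself, as an added example (not the poster's code or an AWS sample): enumerate VPCs with `describe_vpcs`, ask Network Firewall per VPC with `list_firewalls(VpcIds=[...])`, and report each VPC to Config through `put_evaluations`. The example assumes those boto3 request/response shapes and that `ListFirewalls` filters by VPC without echoing the VPC ID back (hence one call per VPC); the VPC IDs and firewall ARN are constructed, and the offline demo substitutes a stub lister for the API.

```python
"""Custom AWS Config rule logic: mark each VPC COMPLIANT only if at least
one Network Firewall is deployed in it.

Added example; not the poster's code or an AWS sample. Assumes the
request/response shapes of boto3 ec2.describe_vpcs(),
network_firewall.list_firewalls(VpcIds=[...]) and config.put_evaluations().
VPC IDs and the firewall ARN below are constructed.
"""
import datetime
from typing import Callable, Dict, Iterator, List

FirewallLister = Callable[[str], List[str]]  # vpc_id -> firewall ARNs


def firewalls_by_vpc(vpc_ids: List[str], list_fw: FirewallLister) -> Dict[str, List[str]]:
    """Resolve every VPC to the firewall ARNs deployed in it."""
    return {vpc: list_fw(vpc) for vpc in vpc_ids}


def build_evaluations(mapping: Dict[str, List[str]],
                      timestamp: datetime.datetime) -> List[dict]:
    """Turn {vpc_id: [firewall_arns]} into Config evaluation records."""
    evals = []
    for vpc_id, arns in sorted(mapping.items()):
        evals.append({
            "ComplianceResourceType": "AWS::EC2::VPC",
            "ComplianceResourceId": vpc_id,
            "ComplianceType": "COMPLIANT" if arns else "NON_COMPLIANT",
            "Annotation": (f"{len(arns)} Network Firewall(s) in VPC"
                           if arns else "No Network Firewall in VPC")[:256],
            "OrderingTimestamp": timestamp,
        })
    return evals


def chunked(items: List[dict], size: int = 100) -> Iterator[List[dict]]:
    """PutEvaluations accepts at most 100 evaluations per call."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def lambda_handler(event, context):
    """Entry point for a periodic custom Config rule. Needs boto3 and IAM for
    ec2:DescribeVpcs, network-firewall:ListFirewalls, config:PutEvaluations."""
    import boto3
    ec2 = boto3.client("ec2")
    nfw = boto3.client("network-firewall")
    cfg = boto3.client("config")

    vpc_ids = [v["VpcId"]
               for page in ec2.get_paginator("describe_vpcs").paginate()
               for v in page["Vpcs"]]

    def list_fw(vpc_id: str) -> List[str]:
        arns, token = [], None
        while True:  # manual NextToken loop
            kwargs = {"VpcIds": [vpc_id]}
            if token:
                kwargs["NextToken"] = token
            resp = nfw.list_firewalls(**kwargs)
            arns += [f["FirewallArn"] for f in resp.get("Firewalls", [])]
            token = resp.get("NextToken")
            if not token:
                return arns

    now = datetime.datetime.now(datetime.timezone.utc)
    evals = build_evaluations(firewalls_by_vpc(vpc_ids, list_fw), now)
    for batch in chunked(evals):
        cfg.put_evaluations(Evaluations=batch, ResultToken=event["resultToken"])


# Offline demo: a constructed lister standing in for the API.
SAMPLE_FIREWALLS = {
    "vpc-0a1b2c": ["arn:aws:network-firewall:us-east-1:111122223333:firewall/edge-fw"],
    "vpc-0d3e4f": [],
}


def sample_lister(vpc_id: str) -> List[str]:
    return SAMPLE_FIREWALLS.get(vpc_id, [])


def sample_evaluations() -> List[dict]:
    ts = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    return build_evaluations(firewalls_by_vpc(list(SAMPLE_FIREWALLS), sample_lister), ts)


if __name__ == "__main__":
    for e in sample_evaluations():
        print(e["ComplianceResourceId"], e["ComplianceType"], e["Annotation"])
```

The lister is injected so the evaluation logic can be unit-tested without credentials; `lambda_handler` is the only part that talks to AWS. A VPC with a firewall resource but no route through its endpoints is still reported COMPLIANT here, so a stricter rule would also inspect route tables.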
Amazon GameLift: How to tell what VPC the servers are running in - Verifying Servers' access to backend services
Hello. An expansion to an original question: https://repost.aws/questions/QU0MPwSTJGQhKDcl9Zw1e_zQ/aws-game-lift-server-best-solution-for-generating-and-rotating-api-keys-for-aws-server-authentication Is there a way to find which VPC and addresses the individual game servers are running on within GameLift? Actually, in writing this, I found this thread as well: https://repost.aws/questions/QUoLdwDhJRSCy4EhLSJwzvxw/running-a-proxy-process-on-gamelift We are just trying to make sure that certain calls to our backend services originate from within the actual servers running within GameLift and not via an outside client. UE4 packages the server and client code together, so we just want an extra layer of security check.
Help with AWS/Palo Alto firewalls and SSL Decryption
Hello. One of our customers has an AWS solution with Palo Alto firewalls. Sitting in front of those is a load balancer, and in the trust zone a web server. We have been asked to enable inbound SSL decryption on the Palo Altos following a security issue earlier this year. We have created a web server cert and private key pair, imported them to the Palo Altos and created a decryption profile and rules, but the firewalls will not decrypt due to 'private key not matching public key'. We are wondering if this is due to the cert on the client (essentially the load balancer) being different. Traditionally the client would have the same cert as the server, but in this case the client has an Amazon cert. How do we get around this? What is the best way to set this up: create a cert on the load balancer and use that on the client and web server? Thanks.
Access External AWS GovCloud and AWS China accounts via SSO CLI
I have set up 2 external AWS accounts to be accessed via SSO. One is GovCloud and the other one is AWS China (AWS-CN). They are not showing up when I log in using the CLI. If I log in using the SSO dashboard, I can get to them via the Management Console, but I'm not presented with the temporary STS credentials. Is there a way to make this work for China and GovCloud AWS accounts?
Erase Default VPC
Hi, is it a good idea to erase/replace the default VPC that comes with a brand-new AWS account? One day a person who knows a lot about AWS told me that he faced issues because he deleted the default 172.31.0.0 VPC. Can I delete it and then create a new VPC with the same CIDR 172.31.0.0, or will this cause future issues? Thank you!