Questions tagged with Security
Hello,
Brand new EKS cluster latest version.
Followed the first example in this guide: https://docs.aws.amazon.com/eks/latest/userguide/cross-account-access.html
Created an OIDC Identity provider on Account1 accepting requests from the EKS cluster on account 2.
In the EKS cluster, my k8s ServiceAccount resource has an annotation eks.amazonaws.com/role-arn pointing to an IAM role in account1.
Application running in the pod is a .NET6 app with the AWSSDK.DynamoDBv2 nuget package making DynamoDB queries.
It worked for a while, until at some point I got this exception:
```
Amazon.Runtime.AmazonClientException: Error calling AssumeRole for role arn:aws:iam::AcccountNumber:role/EKS-ServiceAccount
---> Amazon.SecurityToken.Model.ExpiredTokenException: Token expired: current date/time 1680295159 must be before the expiration date/time1680281898
---> Amazon.Runtime.Internal.HttpErrorResponseException: Exception of type 'Amazon.Runtime.Internal.HttpErrorResponseException' was thrown.
```
Doing a kubectl describe on my pod, I see this information:
```
Environment:
AWS_ACCESS_KEY_ID:
AWS_SECRET_KEY:
AWS_STS_REGIONAL_ENDPOINTS: regional
AWS_DEFAULT_REGION: us-east-1
AWS_REGION: us-east-1
AWS_ROLE_ARN: arn:aws:iam::AcccountNumber:role/EKS-ServiceAccount
AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
Mounts:
/var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-mq27b (ro)
Volumes:
aws-iam-token:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 86400
```
I also found [this page](https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html) mentioning it should renew at 80% expiration time and [this page](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html) with the minimum required SDK version. I can confirm I use AWSSDK.DynamoDBv2, AWSSDK.SecurityToken and AWSSDK.Core all version later than that (3.7.100.14).
I was expecting the EKS cluster to automatically renew the token from the OIDC provider.
Why isn't it doing it?
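A check worth running inside the pod before blaming the SDK, as an added example (not code from the post, the AWS SDK, or EKS): decode the projected token that AWS_WEB_IDENTITY_TOKEN_FILE points at and compare its `iat`/`exp` with the clock. The token is a JWT signed by the cluster's OIDC issuer; the script only reads the payload, since signature checking is STS's job. The sample token is constructed so the script runs offline, and its timestamps are the two epoch values from the exception above; the issuer URL and service-account names in it are assumptions.

```python
"""Inspect the projected IRSA token an EKS pod presents to STS.

Added example, not part of the original post. Assumes the token path from
the pod's environment and a standard JWT layout; the sample token is
constructed for offline runs.
"""
import base64
import json
import os
import time

TOKEN_PATH = os.environ.get(
    "AWS_WEB_IDENTITY_TOKEN_FILE",
    "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
)

# kubelet rotates a projected service-account token once 80% of its
# lifetime has passed; the SDK must re-read the file to pick it up.
ROTATION_FRACTION = 0.8


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. No signature verification:
    this is a local diagnostic, STS verifies the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_status(claims: dict, now: int) -> dict:
    """Lifetime, remaining validity and whether kubelet should already
    have rotated the file on disk."""
    iat, exp = int(claims["iat"]), int(claims["exp"])
    lifetime = exp - iat
    return {
        "issued_at": iat,
        "expires_at": exp,
        "lifetime_seconds": lifetime,
        "seconds_remaining": exp - now,
        "expired": now >= exp,
        "rotation_due": now >= iat + ROTATION_FRACTION * lifetime,
        "audience": claims.get("aud"),
        "subject": claims.get("sub"),
    }


def make_sample_token(iat: int, exp: int) -> str:
    """Constructed, unsigned token shaped like an EKS projected token so the
    script runs offline. Real tokens are RS256-signed by the cluster issuer."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "aud": ["sts.amazonaws.com"],
        "iss": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE",  # assumed issuer
        "kubernetes.io": {"namespace": "default", "serviceaccount": {"name": "app"}},
        "sub": "system:serviceaccount:default:app",  # assumed names
        "iat": iat,
        "exp": exp,
    }
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    if os.path.exists(TOKEN_PATH):
        with open(TOKEN_PATH) as fh:
            token = fh.read()
    else:
        # Epoch values from the exception in the post: the token expired at
        # 1680281898 and the failing AssumeRole call happened at 1680295159,
        # i.e. 13261 s (about 3.7 h) after expiry, on a 24 h token.
        token = make_sample_token(1680281898 - 86400, 1680281898)
    print(json.dumps(token_status(decode_jwt_claims(token), int(time.time())), indent=2))
```

Run it with `kubectl exec <pod> -- python3 check_token.py` at the moment the exception appears. If the file's `exp` is in the future while the SDK still reports ExpiredToken, the stale token is being held inside the process rather than on disk; if the file itself is past `exp`, the kubelet rotation of the projected volume is what to investigate.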
Hi team,
We are working in an AWS ASEA (accelerator) account that has no outbound connectivity.
We cannot connect to the internet to download anything (libraries, ...).
The VPC is private only.
Our task is to fetch data from Twitter and do
- Twitter data processing
- sentiment analysis
..
We would like to know **if there is a way to achieve this when our account doesn't have outbound (internet) connectivity**?
Could you please advise on best practices/architecture for these scenarios (Twitter data processing, sentiment analysis)?
Thank you
I'm trying to write an EventBridge event rule to detect a Security Group inbound rule change which allows ingress on SSH or RDP from 0.0.0.0/0. However, I'm getting the error "Event pattern is not valid" for ipRanges in the rule below:
```
AWSTemplateFormatVersion: '2010-09-09'
Description: SecurityAlerting
Resources:
SGEventRuleNew:
Type: 'AWS::Events::Rule'
Properties:
Name: detect-SG-insecure-inbound
Description: An Event Rule that triggers on SG changes.
State: ENABLED
EventBusName: default
EventPattern:
source:
- aws.ec2
detail-type:
- AWS API Call via CloudTrail
detail:
eventSource:
- ec2.amazonaws.com
eventName:
- AuthorizeSecurityGroupIngress
requestParameters:
ipPermissions:
items:
- fromPort:
numeric:
- 22
- 3389
toPort:
numeric:
- 22
- 3389
ipRanges:
items:
- cidrIp:
match: 0.0.0.0/0
```
A sample event is as below:
```
{
"version": "0",
"id": "xyzxyzxyz",
"detail-type": "AWS API Call via CloudTrail",
"source": "aws.ec2",
"account": "123456789123",
"time": "2023-03-31T13:44:17Z",
"region": "us-east-1",
"resources": [],
"detail": {
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROA:XYZ",
"arn": "arn:aws:sts::123456789123:assumed-role/XYZ",
"accountId": "123456789123",
"accessKeyId": "XYZ",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "XYZ",
"arn": "arn:aws:sts::123456789123:assumed-role/XYZ",
"accountId": "123456789123",
"userName": "XYZ"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-03-31T13:15:37Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-03-31T13:44:17Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "us-east-1",
"sourceIPAddress": "1.1.1.1",
"userAgent": "AWS Internal",
"requestParameters": {
"groupId": "sg-12346789456",
"ipPermissions": {
"items": [{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"groups": {},
"ipRanges": {
"items": [{
"cidrIp": "0.0.0.0/0"
}]
},
"ipv6Ranges": {},
"prefixListIds": {}
}]
}
},
"responseElements": {
"requestId": "546416541321654654164",
"_return": true,
"securityGroupRuleSet": {
"items": [{
"groupOwnerId": "123456789123",
"groupId": "sg-12346789456",
"securityGroupRuleId": "sg-12346789456",
"isEgress": false,
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"cidrIpv4": "0.0.0.0/0"
}]
}
},
"requestID": "546416541321654654164",
"eventID": "546416541321654654164",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789123",
"eventCategory": "Management",
"sessionCredentialFromConsole": "true"
}
}
```
Please suggest how I can correct the syntax to validate the rule and match the event.
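A corrected pattern, checked offline against a trimmed copy of the sample event above, as an added example (not code from the post). Three things in the posted pattern are rejected by EventBridge: `items` written as a YAML list of objects (pattern arrays may only hold values or filter objects, so `items` must be a mapping), `numeric` without a comparison operator (`numeric: ["=", 22]`), and `match:`, which is not a filter keyword; an exact string in a list (`cidrIp: ["0.0.0.0/0"]`) is the right form. The matcher below is a local approximation covering only the features this pattern uses, with "any array element matches" semantics; it is not the service's engine, and the authoritative check is `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`.

```python
"""Corrected EventBridge pattern for AuthorizeSecurityGroupIngress on
22/3389 from 0.0.0.0/0, plus a minimal local matcher to exercise it.

Added example, not code from the original post. The matcher implements
nested objects, exact values, `numeric` and `prefix` only.
"""
import json
import operator

OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
       "<": operator.lt, "<=": operator.le}

# Ready for `aws events put-rule --event-pattern` or the EventPattern
# property in CloudFormation. Ports 22 and 3389 are alternatives, so each
# gets its own numeric filter in the list.
PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress"],
        "requestParameters": {
            "ipPermissions": {
                "items": {
                    "fromPort": [{"numeric": ["=", 22]}, {"numeric": ["=", 3389]}],
                    "ipRanges": {"items": {"cidrIp": ["0.0.0.0/0"]}},
                }
            }
        },
    },
}


def _leaf_matches(filters, value) -> bool:
    """A leaf list matches if any entry (value or filter object) matches."""
    for f in filters:
        if isinstance(f, dict):
            if "numeric" in f and isinstance(value, (int, float)) and not isinstance(value, bool):
                spec = f["numeric"]  # e.g. ["=", 22] or [">=", 0, "<=", 1024]
                if all(OPS[op](value, bound) for op, bound in zip(spec[0::2], spec[1::2])):
                    return True
            if "prefix" in f and isinstance(value, str) and value.startswith(f["prefix"]):
                return True
        elif f == value:
            return True
    return False


def matches(pattern: dict, event) -> bool:
    """Every key in the pattern must be satisfied by the event. An array in
    the event satisfies a sub-pattern if any single element does."""
    if isinstance(event, list):
        return any(matches(pattern, e) for e in event)
    if not isinstance(event, dict):
        return False
    for key, sub in pattern.items():
        if key not in event:
            return False
        val = event[key]
        if isinstance(sub, list):
            vals = val if isinstance(val, list) else [val]
            if not any(_leaf_matches(sub, v) for v in vals):
                return False
        elif not matches(sub, val):
            return False
    return True


def sample_event(from_port: int = 22, cidr: str = "0.0.0.0/0") -> dict:
    """Constructed, trimmed copy of the CloudTrail event from the post."""
    return {
        "source": "aws.ec2",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "ec2.amazonaws.com",
            "eventName": "AuthorizeSecurityGroupIngress",
            "requestParameters": {
                "groupId": "sg-12346789456",
                "ipPermissions": {"items": [{
                    "ipProtocol": "tcp", "fromPort": from_port, "toPort": from_port,
                    "ipRanges": {"items": [{"cidrIp": cidr}]},
                }]},
            },
        },
    }


if __name__ == "__main__":
    print(json.dumps(PATTERN))                               # paste into put-rule
    print(matches(PATTERN, sample_event()))                  # True
    print(matches(PATTERN, sample_event(22, "10.0.0.0/8")))  # False
    print(matches(PATTERN, sample_event(443)))               # False
```

Two gaps to keep in mind with this pattern: a rule opened as a port range (for example 0 to 65535) has a `fromPort` that is not 22 or 3389 and will not match, and an IPv6 open rule arrives as `ipv6Ranges.items.cidrIpv6` of `::/0` rather than `ipRanges`, so it needs a second rule.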
Working with a vendor to set up SSO and their technical team indicated the following:
> The entity ID is too long for our system to handle.
> Does AWS allow for virtual identity IDs to be created? Some identity providers allow for one ID to be presented to SPs that maps to the original ID within the IDP.
Is there a way to support this?
I am trying to find a way to create Athena queries that handle information from AWS Security Hub, such as the 'Findings' displayed within it. Athena's input data comes from S3. Is there a way to specify a location in S3 that will receive the findings from AWS Security Hub, or is there already a location I should try looking into? Is there any other way to feed Security Hub information into Athena?
Curious what best practices are in designing a VPC. Is it best to isolate each hosted customer on a separate VPC, or do most have a single VPC with multiple subnets for each customer? I know it can get quite expensive having separate VPCs for each customer with security appliances, load balancers, etc. configured for each. Please let me know your thoughts.
Thank you
I've imported an x509 certificate with an ECDSA P256 key into ACM.
I want to use this certificate in my application via Nitro Enclaves.
I'm following this link to create the configuration:
https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html
But when I run the command: aws ec2 --region region associate-enclave-certificate-iam-role --certificate-arn certificate_ARN --role-arn role_ARN
I get an error: An error occurred (InvalidCertificateArn.Malformed) when calling the AssociateEnclaveCertificateIamRole operation: The request must contain a valid certificate arn
I've confirmed the ARN is correct by using 'aws acm describe-certificate --certificate-arn'.
I read this page https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html, it says that
> If you enable secrets encryption for an existing cluster and the KMS key that you use is ever deleted, then there's no way to recover the cluster. If you delete the KMS key, you permanently put the cluster in a degraded state.
My question is: what does "degraded state" mean?
We will enable Kubernetes secrets encryption in the Production environment. However, our dev environment already has Kubernetes secrets encryption enabled, so we cannot test whether there is downtime when enabling it.
This is for preparation and comms to users.
Explaining the previous environment would be too complicated, so I'll change the environment I'm curious about to make it simpler.
VPC A (10.0.0.0/16) has subnet A (10.0.10.0/24).
The private IPs of EC2 A and EC2 B are assigned in subnet A, and subnet A's route table has "destination 10.0.0.0/16 -> local" and "destination 0.0.0.0/0 -> internet gateway".
A web application using port 80 is running on EC2 B.
The security groups were set up in VPC A as follows.
Security group A: inbound port any, source IP 10.0.10.0/24, which is subnet A. (Outbound: port any, IP range any.)
Security group B: inbound port 80, source security group A (a reference). (Outbound: port any, IP range any.)
For the test, security group C: inbound port 80, source IP set to EC2 B's IP.
To connect to EC2 A, security group D: inbound port 22, source 0.0.0.0/0; then I connected to the instance.
Assigned an EIP to EC2 A.
After attaching security group B to EC2 B, I connected to EC2 A via SSH and ran curl "ec2 private ip":80, and got a 504 error.
However, after attaching security group C to B, I connected to EC2 A via SSH and ran curl "ec2 private ip":80, and got a normal 200.
What is the reason a security group reference is not an IP range? If you look at "https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing", it says the private IP and the network you belong to are referenced by the security group.
If so, does a security group reference mean that only a security group with a single IP can be referenced?
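A small model of how a security-group-sourced rule is evaluated, as an added example (not code from the post or from AWS). It encodes the documented semantics: a rule whose source is a security group allows traffic from network interfaces that have that group attached; it neither imports the referenced group's own rules nor turns into the CIDR those rules mention, and the sender's IP plays no part. Group names, IPs and the "client IP" used for group C are constructed to mirror the setup above and are assumptions.

```python
"""Model of security-group rule evaluation, comparing a CIDR source with a
security-group-reference source.

Added example, not part of the original post. Semantics follow the VPC
documentation on security group referencing; names, IDs and addresses are
constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    port: Optional[int]                 # None means all ports
    cidr: Optional[str] = None          # source IP range, or
    source_sg: Optional[str] = None     # a source security group ID


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: Set[str] = field(default_factory=set)  # groups attached to its ENI


def rule_allows(rule: Rule, src: Instance, dst_port: int) -> bool:
    if rule.port is not None and rule.port != dst_port:
        return False
    if rule.cidr is not None:
        return ip_address(src.private_ip) in ip_network(rule.cidr)
    if rule.source_sg is not None:
        # Membership of the sending interface decides; its address does not.
        return rule.source_sg in src.groups
    return False


def ingress_allowed(sgs: Dict[str, List[Rule]], src: Instance, dst: Instance, dst_port: int) -> bool:
    """Inbound rules of every group attached to dst are unioned; any hit allows."""
    return any(rule_allows(r, src, dst_port) for g in dst.groups for r in sgs.get(g, []))


# Constructed groups mirroring the post: A allows any port from subnet A,
# B allows 80 from group A (reference), C allows 80 from the client's IP,
# D allows SSH from anywhere.
SGS = {
    "sg-A": [Rule(port=None, cidr="10.0.10.0/24")],
    "sg-B": [Rule(port=80, source_sg="sg-A")],
    "sg-C": [Rule(port=80, cidr="10.0.10.11/32")],   # assumed client IP
    "sg-D": [Rule(port=22, cidr="0.0.0.0/0")],
}


def scenarios() -> Dict[str, bool]:
    ec2_a = Instance("ec2-A", "10.0.10.11", {"sg-D"})
    ec2_b = Instance("ec2-B", "10.0.10.22", {"sg-B"})
    results = {}
    # 1. B references sg-A but A only carries sg-D. A's IP is inside
    #    10.0.10.0/24, yet that range lives in sg-A's rules, which are not
    #    consulted: the reference asks "is the sender a member of sg-A?"
    results["sgB_reference_A_not_member"] = ingress_allowed(SGS, ec2_a, ec2_b, 80)
    # 2. CIDR-based group instead: matched by A's address.
    ec2_b.groups = {"sg-C"}
    results["sgC_cidr"] = ingress_allowed(SGS, ec2_a, ec2_b, 80)
    # 3. Keep sg-B on B and attach sg-A to A: now A's interface is a member.
    ec2_b.groups = {"sg-B"}
    ec2_a.groups = {"sg-D", "sg-A"}
    results["sgB_reference_A_member"] = ingress_allowed(SGS, ec2_a, ec2_b, 80)
    # 4. Membership, not address: move A to another subnet, still allowed.
    ec2_a.private_ip = "10.0.99.5"
    results["sgB_reference_member_other_subnet"] = ingress_allowed(SGS, ec2_a, ec2_b, 80)
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:40s} {'allowed' if ok else 'dropped'}")
```

The practical consequence for the setup above: either attach group A to EC2 A as well (scenario 3), or have group B's rule use the CIDR directly (scenario 2); referencing group A only admits instances that carry group A.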
The login request was received, the username and password were correctly extracted from the request body, and a user with ID 1 was found in the database. The form submission still eventually fails with a 504.
my index.js, db.js, users.js, and login.html all seem fine.
I'm on Lightsail so unfortunately I've had to use SQL Workbench this whole time.
Not sure if there's an issue with the Lightsail to DB communication? It's been a pain to try to figure out Lightsail with the 'module' stuff like databases.
users.js :
```
const connection = require('./db');
const bcrypt = require('bcrypt');
const saltRounds = 10;

// Every database method takes a Node-style callback (err, result). The
// earlier versions only `return`ed from inside connection.query(), so the
// caller never received anything and the request hung until whatever sits
// in front of Node gave up with a 504.
class User {
  constructor(id, username, password, email, createdAt, updatedAt) {
    this.id = id;
    this.username = username;
    this.password = password; // bcrypt hash, never the plaintext
    this.email = email;
    this.createdAt = createdAt;
    this.updatedAt = updatedAt;
  }

  static create(username, password, email, callback) {
    const now = new Date().toISOString();
    const sql = `INSERT INTO loginserver (username, password, email, created_at, updated_at) VALUES (?, ?, ?, ?, ?)`;
    bcrypt.hash(password, saltRounds, (err, hash) => {
      if (err) {
        console.error('Error hashing password:', err);
        return callback(err);
      }
      const values = [username, hash, email, now, now];
      connection.query(sql, values, (err, result) => {
        if (err) {
          console.error('Error creating user:', err);
          return callback(err);
        }
        console.log('User created with ID', result.insertId);
        callback(null, new User(result.insertId, username, hash, email, now, now));
      });
    });
  }

  // callback(err, user) with user === null when no row matches
  static getByUsername(username, callback) {
    const sql = `SELECT * FROM loginserver WHERE username = ?`;
    connection.query(sql, [username], (err, results) => {
      if (err) {
        console.error('Error getting user by username:', err);
        return callback(err);
      }
      if (results.length === 0) {
        console.log('User not found');
        return callback(null, null);
      }
      const row = results[0];
      console.log('User found with ID', row.id);
      callback(null, new User(row.id, row.username, row.password, row.email, row.created_at, row.updated_at));
    });
  }

  // Compares the supplied password with the stored bcrypt hash; callback(err, isMatch).
  checkPassword(password, callback) {
    bcrypt.compare(password, this.password, (err, isMatch) => {
      if (err) {
        console.error('Error checking password:', err);
        return callback(err);
      }
      callback(null, isMatch);
    });
  }

  update(callback) {
    const now = new Date().toISOString();
    const sql = `UPDATE loginserver SET username = ?, password = ?, email = ?, updated_at = ? WHERE id = ?`;
    const values = [this.username, this.password, this.email, now, this.id];
    connection.query(sql, values, (err) => {
      if (err) {
        console.error('Error updating user:', err);
        return callback(err);
      }
      console.log('User updated with ID', this.id);
      this.updatedAt = now;
      callback(null, this);
    });
  }

  delete(callback) {
    const sql = `DELETE FROM loginserver WHERE id = ?`;
    connection.query(sql, [this.id], (err) => {
      if (err) {
        console.error('Error deleting user:', err);
        return callback(err);
      }
      console.log('User deleted with ID', this.id);
      callback(null);
    });
  }
}

module.exports = User;
```
index.js :
```
const express = require('express');
const https = require('https');
const socketIO = require('socket.io');
const path = require('path');
const fs = require('fs');
const mysql = require('mysql');
const User = require('./server/users');
const bodyParser = require('body-parser');
const app = express();
const server = https.createServer({
key: fs.readFileSync('/etc/letsencrypt/live/ispeedrun.tv/privkey.pem'),
cert: fs.readFileSync('/etc/letsencrypt/live/ispeedrun.tv/fullchain.pem')
}, app);
const io = socketIO(server);
// Add this before the routes
app.use((req, res, next) => {
console.log('Request received');
next();
});
app.use(express.static(path.join(__dirname, 'views', 'public')));
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());
app.get('/', (req, res) => {
res.sendFile(path.join(__dirname, 'views', 'index.html'));
});
app.get('/live', (req, res) => {
res.sendFile(path.join(__dirname, 'views', 'live.html'));
});
const connection = mysql.createConnection({
host: 'ls-7f5846c26112d5a110aa9ce17f20838297ce7c51.cdnunzehdfq0.us-east-2.rds.amazonaws.com',
port: '3306',
user: 'dbmasteruser',
password: '',
database: ''
});
connection.connect((err) => {
if (err) {
console.error('Failed to connect to MySQL:', err);
return;
}
console.log('Connected to MySQL database');
});
io.on('connection', (socket) => {
console.log('WebSocket connection established');
socket.on('message', (msg) => {
console.log('message: ' + msg);
io.emit('message', msg);
});
socket.on('disconnect', () => {
console.log('WebSocket connection closed');
});
});
// add this route to handle form submission
app.post('/login', (req, res) => {
  console.log('Received login request');
  // Log the username only: req.body carries the plaintext password
  console.log('Login attempt for user:', req.body && req.body.username);
  const { username, password } = req.body || {};
  if (typeof username !== 'string' || typeof password !== 'string') {
    res.status(400).json({ message: 'Username and password are required' });
    return;
  }
  // getByUsername must invoke this callback (and checkPassword its own);
  // if either never calls back, no response is ever written and the request
  // hangs until whatever is in front of Node times out with a 504.
  User.getByUsername(username, (err, user) => {
    if (err) {
      console.error('Error getting user:', err);
      res.status(500).json({ message: 'Internal server error' });
      return;
    }
    if (!user) {
      // Same message for unknown user and wrong password to avoid user enumeration
      res.status(401).json({ message: 'Invalid username or password' });
      return;
    }
    user.checkPassword(password, (err, isMatch) => {
      if (err) {
        console.error('Error checking password:', err);
        res.status(500).json({ message: 'Internal server error' });
        return;
      }
      if (!isMatch) {
        res.status(401).json({ message: 'Invalid username or password' });
        return;
      }
      // JSON body so login.html's fetch handler can parse every response the same way
      res.status(200).json({ message: 'ok' });
    });
  });
});
// Add this after the routes
app.use((req, res, next) => {
console.log('Response sent');
next();
});
const PORT = process.env.PORT || 6611;
server.listen(PORT, () => {
console.log(`Server running on port ${PORT}`);
});
```
login.html :
```
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>iSpeedrun.TV - Login</title>
<link rel="stylesheet" href="styles.css">
<style>
/* Keep the same styles as index.html */
.main-container {
display: flex;
flex-direction: row;
}
.video-container {
width: 1280px;
height: 720px;
margin-right: 20px;
}
.video-container iframe {
width: 100%;
height: 100%;
}
.sidebar {
width: 300px;
height: 720px;
display: flex;
flex-direction: column;
justify-content: space-between;
}
.sidebar-item {
display: flex;
align-items: center;
padding: 10px;
background-color: #222;
color: #fff;
font-size: 14px;
}
.sidebar-item img {
width: 60px;
height: 60px;
margin-right: 10px;
}
header {
display: flex;
justify-content: space-between;
align-items: center;
background-color: #222;
color: #fff;
padding: 10px;
}
nav ul {
display: flex;
list-style: none;
padding: 0;
margin: 0;
}
nav li {
margin-right: 20px;
}
nav a {
color: #fff;
text-decoration: none;
font-weight: bold;
font-size: 16px;
text-transform: uppercase;
}
nav a:hover {
color: #ff0000;
}
.login-container {
background-color: #fff;
padding: 40px;
border-radius: 10px;
width: 70%;
margin: 20px auto;
box-shadow: 0 0 20px rgba(0, 0, 0, 0.5);
}
.login-container label {
font-size: 20px;
margin-bottom: 20px;
}
.login-container input[type="text"],
.login-container input[type="password"] {
width: 100%;
height: 40px;
margin-bottom: 30px;
padding: 10px;
font-size: 16px;
border-radius: 5px;
border: none;
box-shadow: 1px 1px 5px rgba(0, 0, 0, 0.3);
}
.login-container button[type="submit"] {
display: block;
width: 100%;
height: 50px;
background-color: #e74c3c;
color: #fff;
border: none;
border-radius: 5px;
font-size: 18px;
cursor: pointer;
transition: background-color 0.2s;
}
.login-container button[type="submit"]:hover {
background-color: #c0392b;
}
#message {
font-size: 18px;
color: red;
margin-bottom: 15px;
}
</style>
</head>
<body>
<header>
<h1>iSpeedrun.TV - Login</h1>
<nav>
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="livestream.html">Live Streams</a></li>
<li><a href="about.html">About Us</a></li>
<li><a href="contact.html">Contact</a></li>
<li><a href="login.html">Login</a></li>
</ul>
</nav>
</header>
<main class="main-container">
<div class="sidebar">
<div class="sidebar-item">
<img src="https://via.placeholder.com/60x60.png?text=User+1" alt="User 1">
<p>User 1</p>
</div>
<div class="sidebar-item">
<img src="https://via.placeholder.com/60x60.png?text=User+2" alt="User 2">
<p>User 2</p>
</div>
<div class="sidebar-item">
<img src="https://via.placeholder.com/60x60.png?text=User+3" alt="User 3">
<p>User 3</p>
</div>
<div class="sidebar-item">
<img src="https://via.placeholder.com/60x60.png?text=User+4" alt="User 4">
<p>User 4</p>
</div>
</div>
<div class="video-container">
<form class="login-container" action="/login" method="post" id="login-form">
<label for="username">Username:</label>
<input type="text" id="username" name="username">
<label for="password">Password:</label>
<input type="password" id="password" name="password">
<div id="message"></div>
<button type="submit">Login</button>
</form>
</div>
</main>
<script>
const form = document.getElementById('login-form');
const message = document.getElementById('message');
form.addEventListener('submit', async function(event) {
console.log('Form submitted');
event.preventDefault(); // Prevent the form from submitting normally
const username = document.getElementById('username').value;
const password = document.getElementById('password').value;
try {
console.log('Sending request to server');
const response = await fetch('/login', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({ username, password }),
});
console.log('Server responded with status:', response.status);
if (response.status === 200) {
localStorage.setItem('loggedIn', 'true');
window.location.href = 'index.html';
} else {
const error = await response.json();
message.textContent = error.message;
}
} catch (error) {
console.error('Error:', error);
message.textContent = 'An error occurred. Please try again.';
}
});
</script>
</body>
</html>
```
My VPS does not work. When I open it, it takes 2 minutes just to open, and when it does I get a black screen, and after a few seconds it just turns off and returns me to my desktop.
To sum it all up, your VPS does not work at all. I don't have a problem inside the VPS, I have a problem with the VPS itself: it does not respond to anything, it's completely useless, and I have left my trading EA running on your VPS, and it does run, but now I need to go inside the VPS to turn it off because I'm currently losing money because of your shitty product.
Please turn off my VPS and cancel my subscription immediately!