Questions tagged with Security
Hi
We would like to protect our APIs developed on AWS API Gateway with OAuth 2.0. I am not able to find enough documentation on this. Can anybody guide me on how to implement OAuth 2.0 on AWS API Gateway for authentication and authorization?
How do I enable a WAF rule for a website hosted in Lightsail?
I ordered the free Yubico key from AWS and have successfully set it up with the root user account from my computer. The root account also uses a virtual key for someone else in the company to access, since they live in a different city. However, in Security Hub -> Security standards -> CIS AWS Foundations Benchmark v1.4.0 the compliance status is still marked as FAILED even though it has been weeks since this was done. AWS Foundational Security Best Practices v1.0.0 also shows Failed, but shows No Data under CIS AWS Foundations Benchmark v1.2.0. It also shows Failed under Findings. Is there something that I am missing to allow the check to be successful?
I use Sentry and AppSync with lambda resolvers. I figured out how to get sentry distributed tracing hooked up but it [requires](https://develop.sentry.dev/sdk/performance/#header-sentry-trace) the sentry-trace-id and baggage headers.
The sentry headers aren't being sent because AppSync sets `Access-Control-Request-Headers` to a restrictive list of allowed headers in the pre-flight OPTIONS response.
There is a way to set the header in a mapping template - https://docs.aws.amazon.com/appsync/latest/devguide/http-helpers-in-utils-http.html but that doesn't affect the OPTIONS response for CORS.
It would be great if there was a way to add more allowed headers for AppSync CORS requests so that I can enable distributed tracing of requests from the frontend to my AppSync resolver lambda functions.
Looking at the Resource summary page for EC2, I just found out that I have VPCs, subnets and security groups active in various AWS regions. I honestly don't remember how I created them, so I wonder if they get created automatically in some way?
Do I need them? I only have EC2 instances in us-east-1.
Am I going to be charged for them? If so, how can I do some clean-up?
Thanks
I have an app running on EC2 instances; requests to the app go through an ALB. The ALB is public on the internet, but I would like to restrict access to the app to only IPs from Mexico.
Which AWS service is recommended for our architecture?
We are building a web application that asks users to login using their aws account and uses the auth token generated to access specific resources from the user's aws account.
This is similar to the support in Azure and GCP:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
https://developers.google.com/identity/sign-in/web/sign-in
What is the correct way of implementing this for aws?
Investigation done so far:
- AWS Cognito - We explored AWS Cognito and it seems like it is a solution to manage our own user pool. Users would need to sign up, and signed-up users can sign in. We are looking to access the AWS user pool, instead of managing our own user pool.
- AWS STS - STS has APIs to generate temporary credentials for an IAM role, but the STS SDK itself needs to be initialized using our AWS credentials. So this scenario is not feasible for web applications.
We are looking for a way that uses the OAuth 2 protocol to authenticate the user and return an access token to the web application.
Currently a set of admin users can close the account. I am trying to come up with a policy to prevent them from doing it, and this is the policy I wrote:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "account:CloseAccount"
      ],
      "Resource": "*"
    }
  ]
}
```
Even after the above policy, I am able to see the Close Account action on the web page.

I demoted my previous domain name & restarted. Now I connect via RDP & can't log in with the local Administrator account. It says:
"the security database on the server does not have a computer account for this workstation trust relationship"
please acknowledge this
Hi,
We are trying to set up an **SCP** which will deny some **DynamoDB** actions based on the **IP ranges** of our network, so that IAM users, for example, can't Scan or Query a DynamoDB table outside of our network.
In this SCP we need to add an **exception** for some AWS services (like **EC2** or **Lambda**) which can freely Query/Scan a DynamoDB table if they have the necessary permissions.
We tried the following SCP and it worked fine for the first case (IAM users), but it failed for the Lambda case, as we are still receiving an AccessDenied error when trying to Query a DynamoDB table from a Lambda function:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "dynamodb:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:ViaAWSService": "false"
        },
        "NotIpAddress": {
          "aws:SourceIp": [
            "IP Range"
          ]
        }
      }
    }
  ]
}
```
Do you know how we can manage to add this exception for all AWS services which need to perform any DynamoDB action, without needing to use the ARN of the specific IAM role used by these services?
Hello Team,
I want to import our internal third-party intelligence feeds into GuardDuty. Is there any manual or automated way to do so? Please let me know if any unconventional solutions are available that I can use in my situation.
Thanks in advance!!
I am writing a Python script which will iterate through the AWS accounts and fetch all encryption key details.
In boto3 I can see only the AWS KMS key API.
My question is: how can I fetch information about the imported keys from an external KMS using boto3?