Questions tagged with Security
I want to add a range of IPs to the outbound rules of a security group. How can I do that?
When we start with Control Tower, 2 accounts within the Security OU, i.e. the Log Archive and Audit accounts, are created. On this structure I have a few questions:
1) I read that detective guardrails are implemented by AWS Config. But why can't I see those under the Config rules of the AWS Config service?
2) I understand that the Audit account has the power to access other accounts programmatically. I thought this is the reason why security services like Security Hub, AWS Config and other security-related services are hosted there. But in my project, security services are hosted in a separate account rather than the Audit account. If so, what is the purpose of the Audit account? Also, is it necessary for the account which holds the centralized AWS Config aggregator, Security Hub etc. to have programmatic access to other accounts?
3) By default, does the Log Archive account just collect CloudTrail logs from all other accounts? Under AWS best practices, I see that the Audit account holds all the security services and also acts as the AWS Config aggregator. At the same time, all logging (including DNS, VPC etc.) happens under the Log Archive account. If so, do we need to explicitly send aggregator logs in the Audit account to the centralized S3 bucket under the Log Archive account?
Hello everyone,
I think you have also experienced this problem. I deleted the Google Authenticator app on my old phone and didn't move the account. On my new phone, I can't get the verification code. How can I re-enable the 2FA app for my root account? I looked at many articles and progressed by marking troubleshooting, but it keeps looping. As a result, how can you disable and re-enable 2FA on your root accounts without entering the console?
Best regards
I'm trying to modify the networking configuration for my ECS cluster. During the creation process, I was able to specify the VPC and subnets, but I did not see an option to specify a security group. How can I specify a security group for my ECS cluster, and how can I add additional security groups to the cluster after it has been created? Thank you.
I want to be able to implement Attribute Based Access Controls on a complex data system.
To implement this, I want to use a dynamic verification ideally completely in IAM to preserve performance.
For example:
Person A has been given permissions to see objects with Green, Purple and Blue categories, but cannot see objects that have a Vehicle category.
Person B can see Purple and Vehicle but cannot see Green or Blue.
Object A is stored in the Vehicle category in S3 and also contains Blue data.
We initially looked at tags, but the customer currently manages thousands of tags and that equates to billions of potential tag combinations - and this number is always growing.
I am looking for a clean way to implement this access control that would meet these requirements.
Why is Fail2Ban completely missing from AL2023 repos? Are there instructions, including dependencies for hand installation on AL2023? Why would Amazon leave this standard component of basic hacker prevention and security out of the stack?
I have SecurityAudit permission for a given account, and I want to programmatically obtain the account alias/name for the target account. The closest information I can find is related to the "Organizations" API (describe-account), but that can only be used on the target account itself (and only on the root organization/delegated account). Is there any other API that I can call to get this information?
I am following this link:
https://docs.snowflake.com/en/user-guide/admin-security-privatelink
This is to set up the private link between AWS and Snowflake.
The first command is aws sts get-federation-token --name sam
Here I am replacing the name sam with the root user and executing it in CloudShell.
error occurred (AccessDenied) when calling the GetFederationToken operation: Cannot call GetFederationToken with session credentials
Not sure if it has to do with permissions. Please advise
Hello,
I'm trying to finish a lab, but got stuck at this one.
"create a policy called all-users which covers the following:
1. Users can create/list all MFA devices (including virtual) and list MFA device tags.
2. Users can only enable/deactivate their own MFA devices.
3. Users can only delete their own virtual MFA device on the condition that they have enabled MFA.
You'll need to use Policy variables such as ${aws:username}."
Now, trying to create this, I have never been able to figure out what exactly has to be done, so I can't go to the next step.
Could someone help me figure out what has to be done exactly?
Thank you
How can I extend the default timeout period for a SageMaker pre-signed URL?
I want to specify a country/region for IP verification against IP geolocation for SageMaker Studio access.
I would like to pull CVSS scoring info for particular CVEs from alas.aws.amazon.com. I see endpoints like https://alas.aws.amazon.com/cve/html/CVE-2023-25751.html, and am wondering if a /json or /xml or similar endpoint exists. I've searched documentation, tried calling those directly, and looked through network traffic but don't see any requests that indicate those exist. Is there an API for this site (or another resource I'm not aware of), or do I need to parse the HTML to get that CVSS data?