Security, Identity, & Compliance

Securely run your business with the most flexible and secure cloud computing environment available. Benefit from AWS data centers and a network architected to protect your information, applications, and devices. Meet core security requirements, such as data locality, protection, and confidentiality with our comprehensive services and features.

Recent questions


How to get access to s3 for .NET SDK with the same credentials used for awscli?

I am on a federated account that only allows for 60-minute access tokens. This makes using AWS difficult since I have to constantly re-log in with MFA, even for the AWS CLI on my machine. I'm fairly certain that any programmatic secret access key and token I generate would be useless after an hour.

I am writing a .NET program (.NET Framework 4.8) that will run on an EC2 instance to read and write from an S3 bucket. As per the documentation example, they give this example to initialize the AmazonS3Client:

```csharp
// Before running this app:
// - Credentials must be specified in an AWS profile. If you use a profile other than
//   the [default] profile, also set the AWS_PROFILE environment variable.
// - An AWS Region must be specified either in the [default] profile
//   or by setting the AWS_REGION environment variable.
var s3client = new AmazonS3Client();
```

I've looked into Secrets Manager and Parameter Store, but that would matter if the programmatic access keys go inactive after an hour. Perhaps there is another way to give the program access to S3 and the SDK... If I cannot use access keys and tokens stored in a file, could I use the IAM access that awscli uses? For example, I can type into PowerShell `aws s3 ls s3://mybucket` to list and read files from S3 to the EC2 instance. Could the .NET SDK use the same credentials to access the S3 bucket?

1 answer, 0 votes, 4 views, asked 3 hours ago

How to deal with multiple duplicate keys (Fn::Sub) in a aws cloudformation template?

I have a policy that is being made in a CloudFormation template. I want to add two resources to the policy; they end up being `arn::bucket` and `arn::bucket/*`. The issue is that the `arn` is a parameter and I get the error: `[cfn-lint] E0000: Duplicate resource found "Fn::Sub" (line 161)`. I understand that it doesn't like the duplicates.

```json
"RolePolicies": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "GetGEBucketPutCustomerBucket",
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectAttributes",
            "s3:GetObjectTagging",
            "s3:ListBucket",
            "s3:DeleteObject"
          ],
          "Effect": "Allow",
          "Resource": {
            "Fn::Sub": [ "${arn}/*", { "arn": { "Ref": "CustomerS3BucketARN" } } ],
            "Fn::Sub": [ "${arn}", { "arn": { "Ref": "CustomerS3BucketARN" } } ]
          }
        }
      ]
    },
    "Roles": [ { "Ref": "InstanceRole" } ]
  },
  "Metadata": {
    "AWS::CloudFormation::Designer": {
      "id": "a713fcc6-95c8-423f-a5b8-0020a81e5ce4"
    }
  }
}
```

However, this CloudFormation template is allowed to run, but produces errors. When viewing the policy in the IAM console window after creation, I see that both of the resources were not created.

![IAM Console](/media/postImages/original/IM-C-6juMgR12vBi6kAOuH5Q)

The IAM policy editor gives me this error: `Ln 1, Col 0 Missing Version: We recommend that you specify the Version element to help you with debugging permission issues.` since the resource that ends with `/*` wasn't created by CloudFormation.

0 answers, 0 votes, 1 view, asked 3 hours ago
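The root cause in the post is a JSON object with the same key twice: a lenient parser keeps only one of the two `Fn::Sub` values, which matches the missing `/*` resource seen in the IAM console. The following is an added example, not code from the post or from AWS: it parses a statement strictly so that a repeated key is reported instead of silently dropped, shows the corrected shape (`Resource` as a list of two `Fn::Sub` objects), and previews the ARNs that shape yields with a tiny resolver for the list form of `Fn::Sub`. The statement strings, the bucket ARN and the `resolve_sub` helper are all constructed for the example; `resolve_sub` is not CloudFormation's real engine.

```python
"""Added example (not from the post or AWS): detect duplicate JSON keys in a
CloudFormation statement and preview the resources of the corrected form."""
import json
from typing import Any

# Constructed sample: the shape of the statement in the question, with the
# duplicate "Fn::Sub" key that cfn-lint reports as E0000.
BROKEN_STATEMENT = '''
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": {
    "Fn::Sub": ["${arn}/*", {"arn": {"Ref": "CustomerS3BucketARN"}}],
    "Fn::Sub": ["${arn}", {"arn": {"Ref": "CustomerS3BucketARN"}}]
  }
}
'''

# Corrected form: a single "Resource" key whose value is a list of two Fn::Sub objects.
FIXED_STATEMENT = '''
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": [
    {"Fn::Sub": ["${arn}", {"arn": {"Ref": "CustomerS3BucketARN"}}]},
    {"Fn::Sub": ["${arn}/*", {"arn": {"Ref": "CustomerS3BucketARN"}}]}
  ]
}
'''


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""

    def __init__(self, key: str) -> None:
        super().__init__(f"duplicate key {key!r} in JSON object")
        self.key = key


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    """object_pairs_hook that raises on a repeated key instead of keeping the
    last value, which is what json.loads does by default."""
    obj: dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(key)
        obj[key] = value
    return obj


def find_duplicate_keys(text: str) -> list[str]:
    """Return the first duplicate key name found while parsing, or an empty list."""
    try:
        json.loads(text, object_pairs_hook=_reject_duplicates)
    except DuplicateKeyError as exc:
        return [exc.key]
    return []


def lenient_parse_resource(text: str) -> Any:
    """What a lenient parser (Python's default json.loads) keeps for "Resource":
    only the last value of the repeated key, so one entry silently disappears."""
    return json.loads(text)["Resource"]


def resolve_sub(node: Any, params: dict[str, str]) -> Any:
    """Hypothetical mini-resolver for the list form of Fn::Sub with Ref
    variables, enough to preview the ARNs a statement would grant."""
    if isinstance(node, dict) and list(node) == ["Fn::Sub"]:
        template, variables = node["Fn::Sub"]
        out = template
        for name, ref in variables.items():
            out = out.replace("${" + name + "}", params[ref["Ref"]])
        return out
    if isinstance(node, dict):
        return {k: resolve_sub(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_sub(v, params) for v in node]
    return node


def statement_resources(text: str, params: dict[str, str]) -> list[str]:
    """Parse a statement strictly and return the concrete Resource ARNs."""
    stmt = json.loads(text, object_pairs_hook=_reject_duplicates)
    resources = resolve_sub(stmt["Resource"], params)
    return resources if isinstance(resources, list) else [resources]


if __name__ == "__main__":
    params = {"CustomerS3BucketARN": "arn:aws:s3:::example-bucket"}  # constructed
    print("duplicate keys in broken statement:", find_duplicate_keys(BROKEN_STATEMENT))
    print("lenient parser keeps only:", lenient_parse_resource(BROKEN_STATEMENT))
    print("resources in fixed statement:", statement_resources(FIXED_STATEMENT, params))
```

Running the strict parser over a whole template before deploying catches the same class of error as cfn-lint's E0000; the fixed statement produces both the bucket ARN and the `bucket/*` object ARN that the post was trying to grant.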

Programmatic login using cognito hosted ui

We have an application that uses a Cognito user pool to authenticate its users. In the development environment, our users provide their username and password; they are simple users created in the Cognito user pool. The application is sending requests that are handled by API Gateway. There is a Cognito client set up, no client secret. (Maybe relevant: after authenticating with Cognito, the user lands on our application via a CloudFront distribution. The redirect URI is set to that.)

Everything works fine when I log in using the Cognito login UI from my browser. The flow goes like this:

- The browser application logs in using `https://<HOSTEDDOMAIN>.auth.eu-central-1.amazoncognito.com/oauth2/authorize`, sending `client_id`, `redirect_uri`, `response_type: "code"`, `code_challenge_method: "S256"`, and `code_challenge`: some random string generated. (I am not the frontend developer, I don't really understand everything yet; our function is called `getPkceChallengeForVerifier` :D)
- After successful login, the app gets tokens by posting to the `/oauth2/token` endpoint. We set `grant_type: "authorization_code"`, the same `client_id`, `redirect_id`, and the `code` we have acquired just by logging in.
- For each request towards the API Gateway we set the header `Bearer <ACCESS TOKEN>`.

What I am now trying to achieve is some automated smoke tests against our API, **NOT** bypassing the authentication part. To do this, I first tried to use the InitiateAuth endpoint, calling:

```python
response = boto3.client("cognito-idp").initiate_auth(
    ClientId=cognito_client_id,
    AuthFlow="USER_PASSWORD_AUTH",
    AuthParameters={
        "USERNAME": os.environ["COGNITO_USERNAME"],
        "PASSWORD": os.environ["COGNITO_PASSWORD"]
    }
)
```

Authenticating with the access token or ID token I got both resulted in 401 errors.

I dug into the troubleshooting docs https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cognito-401-unauthorized/ and realized that we have a custom scope and our API Gateway is specifying that, but there is no such scope in the token I got from the InitiateAuth endpoint. When I decode the token payload, it only contains the scope `'aws.cognito.signin.user.admin'`. I did some research to find out that there is no way to obtain tokens containing custom scopes. Based on the documentation, my understanding is that the app works because it does not specify any scopes, so it gets every custom scope in the token. Based on what I have found, it seems there is no other way to obtain proper access tokens than using the hosted UI.

https://stackoverflow.com/questions/59916001/aws-cognito-admininitiateauth-all-custom-scopes-are-missing
https://stackoverflow.com/questions/55116702/cognito-authorization-code-grant-flow-for-custom-ui/55120568#55120568

Now in my test, I first `GET` `https://<HOSTEDDOMAIN>.auth.eu-central-1.amazoncognito.com/oauth2/authorize` using the same `client_id`, `redirect_uri`, `response_type: "code"`. I get `200`, and the login URL prepared with params: `'https://<HOSTEDDOMAIN>.auth.eu-central-1.amazoncognito.com/login?client_id=<CLIENT_ID>&redirect_uri=<URLENCODED_REDIRECT_URI login endpoint>&response_type=code&state=<MYSTATE>`. But when I try to `POST` this URL with `data={"username": username, "password": password}` (using Python `requests.post`), I get response `400`. Part of the content says `An error was encountered with the requested page.`

The second Stack Overflow answer refers to an archived post, so I am bringing this question to repost now: https://forums.aws.amazon.com/thread.jspa?messageID=832982&#832982

When I inspect our application doing a successful login via Cognito, I have caught a request with form data where not only `username` and `password` are set, but also `_csrf` and some special fields: `cognitoAsfData`, which is a JWT token encoding some data about my browser client, and a field called `signingSubmitButton` that has a value of `Sign+in`. How could I reliably and nicely emulate these fields from my test code? Alternatively, is there any way I might have missed to leverage the ID token or access token we get using the `boto3.initiate_auth` method to obtain a code grant with more scopes? Or is there another API?

0 answers, 0 votes, 9 views, asked a day ago
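Two pieces of the post are worth seeing in working code: what `getPkceChallengeForVerifier` has to compute for the `code_challenge_method: "S256"` parameter of the `/oauth2/authorize` call, and how a smoke test can inspect the `scope` claim of an access token before sending it to API Gateway, so that a token with only `aws.cognito.signin.user.admin` is flagged locally rather than discovered as a 401. The following is an added example, not code from the post, the poster's frontend, or AWS. The PKCE functions implement RFC 7636; the sample token, the `make_unsigned_sample_token` helper and the `custom/read` scope name are constructed for the example, and the payload decoder does not verify signatures (it is for local inspection only, not for trusting a token).

```python
"""Added example (not from the post or AWS): PKCE S256 pair generation as the
/oauth2/authorize call needs it, plus a local check of the scope claim of an
access token before it is used against API Gateway."""
import base64
import hashlib
import json
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 and JWTs use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier from a CSPRNG; 32 bytes encode to 43 characters,
    the minimum length RFC 7636 allows."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_for_verifier(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the authorization code is
    redeemed: the verifier sent with grant_type=authorization_code must hash
    to the challenge sent with the original authorize request."""
    return secrets.compare_digest(code_challenge_for_verifier(verifier), challenge)


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature. Only for
    inspecting claims locally; the API's authorizer is what validates tokens."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_scopes(token: str, required: set[str]) -> set[str]:
    """Scopes the API Gateway authorizer requires that the token does not carry."""
    granted = set(decode_jwt_payload(token).get("scope", "").split())
    return required - granted


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed test token with an empty signature segment, used only to
    exercise the claim inspection offline."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}."


if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = code_challenge_for_verifier(verifier)
    # Parameters the authorize request carries; client_id and redirect_uri are placeholders.
    print({"client_id": "<CLIENT_ID>", "redirect_uri": "<REDIRECT_URI>",
           "response_type": "code", "code_challenge_method": "S256",
           "code_challenge": challenge})
    print("verifier matches challenge:", verify_pkce(verifier, challenge))

    # Constructed token shaped like the one the post got from InitiateAuth.
    token = make_unsigned_sample_token({"scope": "aws.cognito.signin.user.admin"})
    print("scopes missing for the API:", missing_scopes(token, {"custom/read"}))
```

A smoke test that calls `missing_scopes` on every freshly obtained token fails fast with a clear message when the flow that produced the token cannot carry the custom scope the API requires, which is the situation the post ran into.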
