By using AWS re:Post, you agree to the Terms of Use
/Security Identity & Compliance/

Security Identity & Compliance

Securely run your business with the most flexible and secure cloud computing environment available. Benefit from AWS data centers and a network architected to protect your information, applications, and devices. Meet core security requirements, such as data locality, protection, and confidentiality with our comprehensive services and features.

Recent questions

see all
1/18

Cognito - CustomSMSSender InvalidCiphertextException: null on Code Decrypt (Golang)

Hi, i followed this document to customize cognito SMS delivery flow https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html I'm not working on a Javascript environment so wrote this Go snippet: ``` package main import ( "context" golog "log" "os" "github.com/aws/aws-lambda-go/events" "github.com/aws/aws-lambda-go/lambda" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/kms" ) // USING THIS TYPES BECAUSE AWS-SDK-GO DOES NOT SUPPORTS THIS // CognitoEventUserPoolsCustomSmsSender is sent by AWS Cognito User Pools before each mail to send. type CognitoEventUserPoolsCustomSmsSender struct { events.CognitoEventUserPoolsHeader Request CognitoEventUserPoolsCustomSmsSenderRequest `json:"request"` } // CognitoEventUserPoolsCustomSmsSenderRequest contains the request portion of a CustomSmsSender event type CognitoEventUserPoolsCustomSmsSenderRequest struct { UserAttributes map[string]interface{} `json:"userAttributes"` Code string `json:"code"` ClientMetadata map[string]string `json:"clientMetadata"` Type string `json:"type"` } func main() { lambda.Start(sendCustomSms) } func sendCustomSms(ctx context.Context, event *CognitoEventUserPoolsCustomSmsSender) error { golog.Printf("received event=%+v", event) golog.Printf("received ctx=%+v", ctx) config := aws.NewConfig().WithRegion(os.Getenv("AWS_REGION")) session, err := session.NewSession(config) if err != nil { return err } kmsProvider := kms.New(session) smsCode, err := kmsProvider.Decrypt(&kms.DecryptInput{ KeyId: aws.String("a8a566c5-796a-4ba1-8715-c9c17c6f0cb5"), CiphertextBlob: []byte(event.Request.Code), }) if err != nil { return err } golog.Printf("decrypted code %v", smsCode.Plaintext) return nil } ``` i'm always getting `InvalidCiphertextException: : InvalidCiphertextException null`, can someone help? This is how lambda config looks on my user pool: ``` "LambdaConfig": { "CustomSMSSender": { "LambdaVersion": "V1_0", "LambdaArn": "arn:aws:lambda:eu-west-1:...:function:cognito-custom-auth-sms-sender-dev" }, "KMSKeyID": "arn:aws:kms:eu-west-1:...:key/a8a566c5-796a-4ba1-8715-c9c17c6f0cb5" }, ```
0
answers
0
votes
0
views
AWS-User-1153293
asked a day ago

Unsupported Action in Policy for S3 Glacier/Veeam

Hello, New person using AWS S3 glacier and I ran across an issue. I am working with Veeam to add an S3 Glacier to my backup. I have the bucket created. I need to add the following to my bucket policy: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:PutObject", "s3:GetObject", "s3:RestoreObject", "s3:ListBucket", "s3:AbortMultipartUpload", "s3:GetBucketVersioning", "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketObjectLockConfiguration", "ec2:DescribeInstances", "ec2:CreateKeyPair", "ec2:DescribeKeyPairs", "ec2:RunInstances", "ec2:DeleteKeyPair", "ec2:DescribeVpcAttribute", "ec2:CreateTags", "ec2:DescribeSubnets", "ec2:TerminateInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeVpcs", "ec2:CreateVpc", "ec2:CreateSubnet", "ec2:DescribeAvailabilityZones", "ec2:CreateRoute", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:ModifyVpcAttribute", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:DescribeRouteTables", "ec2:DescribeInstanceTypes" ], "Resource": "*" } ] } ``` Once I put this in, the first error I get is "Missing Principal". So I added "Principal": {}, under SID. But I have no idea what to put in the brackets. I changed it to "*" and that seemed to fix it. Not sure if this the right thing to do? The next error I get is for all the EC2's and s3:ListAllMyBuckets give me an error of "Unsupported Action in Policy". This is where I get lost. Not sure what else to do. Do I need to open my bucket to public? Is this a permissions issue? Do I have to recreate the bucket and disable object-lock? Please help.
2
answers
0
votes
5
views
amatuerAWSguy
asked 2 days ago

Mqtt connection between the user's iot devices and the user's phone

I want the communication to be done with publish and subcribe methods over mqtt. I don't want to use Shadow services. With the JITR method, devices can easily authentication with the AWS IoT by using device certificate that was signed by my unique CA. Each device has a unique certificate and a unique policy associated with that certificate. The following policy has only been added to a device's certificate. ``` Device's client id is = edb656635694fb25f2e6d50f361c37d64aa31e72118224df19f151ee70cc2923 ``` ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iot:Connect", "Resource": "arn:aws:iot:<REGION>:<USER-ID>:client/edb656635694fb25f2e6d50f361c37d64aa31e72118224df19f151ee70cc2923" }, .......... ......... ] } ``` The user who buys the IOT device performs the following steps during registration with the iot device: 1. Sign up the AWS Cognito Service. 2. Policy name and client id info are sent from the iot device to the phone via Bluettoth. 3. It registers the Cognito identity with Policy using AttachPolicy. [https://imgur.com/a/hfWqjkD]() I found out that it only accepts a single connection with the client id. That's why the above didn't work. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iot:Connect", "Resource": [ "arn:aws:iot:<REGION>:<USER-ID>:client/edb656635694fb25f2e6d50f361c37d64aa31e72118224df19f151ee70cc2923", "arn:aws:iot:<REGION>:<USER-ID>:client/mobileUser1" ] }, ``` When I changed the identity as above, the system worked. With this method, I was able to restrict the resources of both iot devices and phone users. But I did the above process manually(adding a new line to policy), What should I do for mass production? At the same time, another iot device will have its own policy. How can the user communicate with iot devices? At the same time, more than one client can be paired to an iot device. I think I'm on the wrong way please guide me.
0
answers
0
votes
1
views
AWS-User-8111104
asked 2 days ago

How can I restrict S3 bucket access to allow only VPC Flow logs from within an organization?

Hello, I have a landing zone created with Control Tower (Audit and Logging account and so on) In the logging account I have an S3 bucket in which I want to receive the VPC Flow logs from all current and future accounts from that organization. So, I want to create a bucket policy that only allows receiving VPC Flow logs as long as the source account is in the organization. The new accounts are created with Control Tower account factory by other teams in a self service fashion so I need to filter by organization, not account ids or specific ARNs. According to the VPC Flow logs user guide, you have to add the following statement (and another similar one but let's simplify things) to the S3 bucket policy to the destination bucket: ``` { "Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"}, "Action": "s3:PutObject", "Resource": "my-s3-arn", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", "aws:SourceAccount": account_id }, "ArnLike": { "aws:SourceArn": "arn:aws:logs:region:account_id:*" } } } ``` As I need to filter by organization and not by account, I tried using the aws:PrincipalOrgID condition key instead of the SourceAccount and SourceArn. However, I get an error saying that the aws:PrincipalOrgID does not support service principals and I cannot create the policy. I also tried with the aws:PrincipalOrgPaths condition key. Then, it lets me create the policy but when I try to create the Flow log it says "Access Denied for LogDestination: bucket_name. Please check LogDestination permissions." I have also tried keeping the principal as "*" and adding the "aws:PrincipalServiceName": "delivery.logs.amazonaws.com" to the condition but I get the same error when trying to create the Flow logs. Does anyone have any idea on how can I do that? Thanks in advance
1
answers
0
votes
7
views
AWS-User-3850534
asked 5 days ago

Popular users

see all
1/18

Learn AWS faster by following popular topics

1/1