I'm in a cognito user pool configuration, and I tried to change the MFA requirement on the pool to allow TOTP. It gave me this error: > [AccessDeniedException] Failed to update MFA configuration for us-east-1_FLnPt9UKE > requestId: 0660fb15-2cc4-4f63-9c8f-657b71b320d9 > time: Sat May 21 2022 16:16:18 GMT-0400 (Eastern Daylight Time) > code: AccessDeniedException > message: User: arn:aws:iam::384426254369:root is not authorized to perform: iam:PassRole on resource: > arn:aws:iam::745623467555:role/cognito_sms_role because no resource-based policy allows the iam:PassRole > action I'm confused because I am logged into the console as the root user, which should have permission to EVERYTHING. I do not, however, really have a role named "cognito_sms_role." Is that the problem? If so, how do I fix it?

I wrote a really simple post-auth lambda for cognito like this: ```go func HandleRequest(ctx context.Context, e events.CognitoEventUserPoolsPostAuthentication ) error { eventJson, _ := json.MarshalIndent(e, "", " ") eventString := strings.ReplaceAll(string(eventJson), "\n", "\r") log.Printf("EVENT: %s", eventString) return nil } func main() { lambda.Start(HandleRequest) } ``` It's only there - for now - to log activity. But when I actually attach it to the user pool as a post-authentication trigger it makes OAuth2 not work. The error message is "contact administrator." I'm thinking that I need to actually do something besides return error = nil. I'm not having much luck finding any examples of this in go, though. The javascript example ends with: ``` // Return to Amazon Cognito callback(null, event); ``` Is that what the expectation is in 'go' as well - that I return `(events.CognitoEventUserPoolsPostAuthentication, error)` and just send it back the original event?

Hi While using the AWS Console to create an EC2 Spot instance request, I fill in all the details and set an IAM instance profile but when the spot request is created in the instance details section the IAM role is empty and the EC2 instance launched also has an empty IAM role. This issue did not happen the last time we launched a new Spot fleet request 24 days ago, so it seems like a new bug, can anyone confirm if the issue is present on their console also? I have also tried doing it via CLI but again the IamInstanceProfile parameter in the json: "IamInstanceProfile": { "Arn": "arn:aws:iam::xxx" } is ignored when the spot fleet is created. There is no error in the history log for the spot fleet request regarding failure to apply IAM role, so im not sure what seems to be the problem? Here is trusted entities for that IAM role ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com", "codedeploy.eu-west-1.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } ``` thanks Wasim

I have a multi region AWS Managed Microsoft AD Enterprise directory set up in Directory Service. The primary region is us-east-1 and the secondary region is us-west-2. I need to downgrade from Enterprise to Standard (separate topic) but before I do so, I need to change the Primary Region from us-east-1 to us-west-2. I don't see any way to do this in the documentation or in the management console. Is it possible to change the Primary Region in Managed AD Enterprise? If so, how? Thanks!

Unfortunately I didn't see or skipped over the fact that the user portal URL is permanent. I'm not sure why AWS decided this was a good idea but regardless, does anyone know if AWS support can reset this or are we forced to setup a brand new tenant? Thanks for your assistance.

I have a flask application that needs to access some configuration files stored in s3 and I don't want to stored these in my git repo as there are sensitive information. I want to use boto3 to read in these files into the ec2 instance. **I need to know how I will be able to access those files on s3 using boto3**. The **ec2 instance is authorized to access the s3 bucket** and since the application will be running on the ec2 (that is authorized) is it safe to say that any code run on that instance will also have these access. Note that I am going to run these script to read in these "**config files**" from my **codedeploy "appspec.yml"**. In summary will my codeploy instance be able to use the authorization on my ec2 instance to access the said s3 bucket or **I need to give the codedeploy instance access too**? I am aware I can add my **access keys** in my **environment** on my computer to run this script but how does it work on codedeploy?

Hi, in my organization root account, i have delegated admin to a security account and enabled the access analyser When i go to my security account and try to enable access analyzer with the org setting. i get the error: ``` Access Analyzer Service Linked Role is not in the organizational management account ```

We are attempt to update our IaC code base to CDK v2. Prior to that we're deploy entire stacks of our system in another test environment. One part of a stack creates a TLS certificate for use with our load balancer. ``` var hostedZone = HostedZone.FromLookup(this, $"{config.ProductName}-dns-zone", new HostedZoneProviderProps { DomainName = config.RootDomainName }); DnsValidatedCertificate certificate = new DnsValidatedCertificate(this, $"{config.ProductName}-webELBCertificate-{config.Environment}", new DnsValidatedCertificateProps { HostedZone = hostedZone, DomainName = config.AppDomainName, // Used to implement ValidationMethod = ValidationMethod.DNS Validation = CertificateValidation.FromDns(hostedZone) }); ``` For some reason, the synthesised template defines the hosted zone ID for that AWS::CloudFormation::CustomResource has *something else other than the actual zone ID* in that account. That causes the certificate request validation process to fail - thus the whole cdk deploy - since it cannot find the real zone to place the validation records in. If looking at the individual pending certificate requests in Certificate Manager page, they can be approved by manually pressing the [[Create records in Route 53]] button, which finds the correct zone to do so. Not sure where exactly CDK is finding this mysterious zone ID that does not belong to us? ``` "AppwebELBCertificatetestCertificateRequestorResource68D095F7": { "Type": "AWS::CloudFormation::CustomResource", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "AppwebELBCertificatetestCertificateRequestorFunctionCFE32764", "Arn" ] }, "DomainName": "root.domain", "HostedZoneId": "NON-EXISTENT ZONE ID" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "App-webELBStack-test/App-webELBCertificate-test/CertificateRequestorResource/Default" } } ```

We have members that use multiple workspaces in N.Virginia (us-east-1) region. The base configuration includes Simple AD. Initially, workspaces were created in this region, yet staff can be working from other regions. This leads to performance/lag problems. I'd like to clone workspaces to other regions (both preserving the installed apps and user profile on D drive). I've followed the best practices to create an image. Image Checker did not report any problems. Then I used this image, and copied it to another region (Let's say eu-west-1). I created a new bundle with the image. So far no errors. Then, attempting to launch a new WS by using the bundle, I am prompted to create a new directory. If I create a new directory, I'm required to create a new user. (Because directories are different original user is not listed in Show All Users section). Upon launching the new WS using the settings above, indeed I see an emtpy/fresh Workspace with both installed apps lost and user profile does not retain changes in the image. Based on the info above, what could be wrong? Do I need to switch to Active Directory setup? Do we have to use external tools to make a true clone? Please kindly share your knowledge. Thank you for reading. If needed I can provide additional information.

Cloudformation create-stack generates an Athena access denied while writing error. The problem is generated when writing to the athena-results bucket. I'm logged in with a SSO role with AdministratorAccess access via CLI. I can create the specified object from the command line via "aws s3 cp" and I'm able to execute "aws athena start-query-execution" without trouble. It's only via cloudformation. Bellow the specific error: ResourceStatus: CREATE_FAILED ResourceStatusReason: 'Resource handler returned message: "[Simba][AthenaJDBC](100071) An error has been thrown from the AWS Athena client. Access denied when writing to location: s3://cost-athena-results-123456789012/8fefd451-2a3f-4bc9-881e-84061de8db91.csv [Execution ID: 8fefd451-2a3f-4bc9-881e-84061de8db91]" (RequestToken: b0d4b7d5-998b-6ca8-22c6-657fa2433fe8, HandlerErrorCode: null)' ResourceType: AWS::QuickSight::DataSource

Under *Guardduty > Settings* there's an option to export findings to an S3 Bucket. It requires KMS and a KMS key that has been configured. I consistently get the following error: "Failed to configure export options because GuardDuty does not have permission to the KMS key, the S3 bucket, or the specified location in the bucket." To fix this I've tried: * Changing the ACL for the S3 bucket * Regenerating the Key Created the key following these instructions: (see Step 3) https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html

When to propose AWS Network Firewall vs 3rd party such as Paloalto VM Series for network inspection, IDP/IPS etc. In which scenarios native soltuion will not work?

I use AWS S3 API to upload files to some buckets, however, I need to create a new user that only has permission to upload to certain buckets and only through restricted IPs, other IPs should be blocked. Another permission I need is to delete objects, but only from an allowed IP. Regarding the download, anyone on the internet can access this file (if they have the link). The problem is that I think I found some articles that would help me with this issue, but they don't tell me exactly which menu within the AWS Console I should access to be able to perform these actions. For example, this link ([https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html]()) seems to talk about how to restrict the access to a bucket, but it doesn't tell me exactly which location/menu in the console I use to access this setting. TLDR: What is the path/menu in the Console to set Policies and Permissions in Amazon S3 on a bucket in S3?

Hi , I created data delivery stream and create IAM role by default as proposed by AWS but still I got error "Access was denied. Ensure that the trust policy for the provided IAM role allows Firehose to assume the role, and the access policy allows access to the S3 bucket." While the IAM role is defined by AWS auto, what should I do now? If I need something to add what should I add, kindly need a brief help?

I encountered following erorr when I tried to create a new project in SageMaker Studio. I tried to add `AdminAccess` to `role/service-role/AmazonSageMakerServiceCatalogProductsLaunchRole`, but still doesn't help. What could be the problem? ``` Error getting the details of Service Catalog Provisioning Parameters. Error message: ValidationException: Access denied while assuming the role arn:aws:iam::XXXXXXXXX:role/service-role/AmazonSageMakerServiceCatalogProductsLaunchRole. Args: {"productId":"prod-xxxxxxxx","provisioningArtifactId":"pa-xxxxxxxxx","pathId":"lpv2-xxxxxxxxxx"} ``` [printscreen](https://raw.githubusercontent.com/qinjie/picgo-images/main/qerpoijsdfijsadfjaosdjfqwefasdfasdfasdfasdf.png)

Hi, I am working through general LoRaWAN functions and applications as part of a larger IoT project. I'm having trouble connecting my gateway (Multitech Conduit) to AWS. I've gone through all the steps provided in the AWS help documentation and documentation from the manufacturer, including creating new Gateway Cert Manager permissions/roles (AWS steps here https://docs.aws.amazon.com/iot/latest/developerguide/connect-iot-lorawan-rfregion-permissions.html). Still, when I try to add my gateway I get an error message saying that I do not have the correct permissions set to add a gateway. Has anyone run into this? Is there a way to associate the role/permission with my IAM account? or should it be set for the root account?

Team, I have created AWS glue container using aws glue image . When I am logging into docker using bash command I can see aws credentials are set in docker . When I am running aws s3 ls from docker it s providing me list of s3 buckets. I have written small code to test to connection to aws but it is giving error . ``` import os import boto3 boto3.__version__ client = boto3.client('sts') response=client.get_caller_identity() ``` error I am getting is : An error was encountered: An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid. Traceback (most recent call last): File "/usr/local/lib/python3.6/site-packages/botocore/client.py", line 314, in _api_call return self._make_api_call(operation_name, kwargs) File "/usr/local/lib/python3.6/site-packages/botocore/client.py", line 612, in _make_api_call raise error_class(parsed_response, operation_name) botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid. I have tried unset the existing credentials and set new still getting same issue I am using 1.0 glue image.

I am trying to execute athena queries from a lambda function but I am getting this error: `Athena Query Failed to run with Error Message: Permission denied on S3 path: s3://bkt_logs/apis/2020/12/16/14` The bucket `bkt_logs` is the bucket which is used by AWS Glue Crawlers to crawl through all the sub-folders and populate Athena table on which I am querying on. Also, `bkt_logs` is an encrypted bucket. These are the policies that I have assigned to the Lambda. ``` [ { "Action": [ "s3:Get*", "s3:List*", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::athena-query-results/*", "Effect": "Allow", "Sid": "AllowS3AccessToSaveAndReadQueryResults" }, { "Action": [ "s3:*" ], "Resource": "arn:aws:s3:::bkt_logs/*", "Effect": "Allow", "Sid": "AllowS3AccessForGlueToReadLogs" }, { "Action": [ "athena:GetQueryExecution", "athena:StartQueryExecution", "athena:StopQueryExecution", "athena:GetWorkGroup", "athena:GetDatabase", "athena:BatchGetQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:GetTableMetadata" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "AllowAthenaAccess" }, { "Action": [ "glue:GetTable", "glue:GetDatabase", "glue:GetPartitions" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "AllowGlueAccess" }, { "Action": [ "kms:CreateGrant", "kms:DescribeKey", "kms:Decrypt" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "AllowKMSAccess" } ] ``` What seems to be wrong here? What should I do to resolve this issue?

I have 2 cloudfront dists with alternate domain names as `a.example.com` and `b.example.com` and theyre setup in route53 so when i access either one, it gets to the correct cf dist. Now I want to create a new subdomain `c.example.com` in route53 which will use weighted routing (125-125) so the traffic is evenly split and I want to route traffic to `a.example.com` and `b.example.com`. I've setup routing, but im getting the following error when i access `c.example.com` ``` Secure Connection Failed An error occurred during a connection to c.example.com. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Learn more… ``` My cert is managed by ACM, and it has both `*.example.com` and `example.com` domains listed. My goal is to be able to create a new subdomain which can route traffic to existing cf dists. Any ideas if this is possible?

I am using the AWS Config Service across multiple Accounts within my Organization. My goal is to write a query which will give me a full list of non-compliant resources in all regions, in all accounts. I have an Aggregator which has the visibility for this task. The Advanced Query I am using is similar to the AWS [Example in the docs:](https://docs.aws.amazon.com/config/latest/developerguide/example-query.html) ``` SELECT configuration.targetResourceId, configuration.targetResourceType, configuration.complianceType, configuration.configRuleList, accountId, awsRegion WHERE configuration.configRuleList.complianceType = 'NON_COMPLIANT' ``` However, the ConfigRuleName is nested within `configuration.configRuleList` - as there could be multiple config rules, (hence the list) assigned to `configuration.targetResourceId` How can I write a query that picks apart the JSON list returned this way? Because the results returned do not export to csv for example very well at all. Exporting a JSON object within a csv provides an unsuitable method if we wanted to import this into a spreadsheet for example, for viewership. I have tried to use `configuration.configRuleList.configRuleName` and this only returns `-` even when the list has a single object within. If there is a better way to create a centralised place to view all my Org's Non-Compliant Resources, I would like to learn about it. Thanks in Advance.

Hi, I can't figure out which scp is Disallowing access to de rds-db:*... We have the Basic, out of the Box scp's enabled. Nothing else. The IAM policy generator states: ``` denied Denied by AWS Organizations. ``` And this also reflects in the IAM RDS connection: ``` FATAL: PAM authentication failed for user ``` Which according to the documentation indeed states the thing that the Policy generator finds... https://aws.amazon.com/premiumsupport/knowledge-center/rds-postgresql-connect-using-iam/

I created an IAM user and attached a [Permission Boundary Policy to it ](https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/). The permission boundary does not work when I deploy a CDK stack. My terminal setup with access_key_id, and secrete_access_key of the IAM user (attached permission boundary). ``` cdk deploy iamUserWitthAdminAccess ``` Here is the stack ``` new aws_iam.User( this, "IamUserWithAdminAccess", { managedPolicies: [ aws_iam.ManagedPolicy.fromAwsManagePolicyName("AdmininstratorAccess")] } ) ``` Then an IAM user with AdminAccess was able to created. Can any one explain? and what is the best practice to prevent CDK to create Admin Users?

What I am trying to do: * Use Eventbridge to schedule an AWS Batch job to run daily. The problem: * I've created a rule in Eventbridge for a working AWS batch job., but it's is not being kicked off at the scheduled time. The only thing that I can think of that is going wrong is maybe I don't have the correct role type, trust relationship and policy for the rule? Any help provided would be greatly appreciated, thank you! Role Information Role use case type: Allows EC2 instances to call aws services on your behalf Trust Relationships ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` Permissions (related to EventBridge only): AWSBatchServiceEventTargetRole ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "batch:SubmitJob" ], "Resource": "*" } ] } ```

I'm trying to use Lambdas to cater for some required processing in Cognito. I don't seem to be able to find examples of any POCOs to cater for the requests data sent by Cognito to the lambdas. Are there any NuGets with these classes in, or a suggestion of how to deal with this another way? Thanks

Secrets Manager Error Message: The json key does not exist in this secret Seeing above error while trying to build a new branch of package in Codebuild. I created a secret for a particular isengard account. Then created a policy which was attached to the role I am using to build the package.

I have configured the Application Load Balancer to sit in front my application hosted in ECS. The load balancer has a rule to Authenticate using Cognito User Pool and then forward the request to a target group. I get the prompt to enter my Google credentials the login appears to be successful, with the url in the format https://{domain}/oauth2/authorize?client_id={id}&redirect_uri=https%3A%2F%2{domain}.%2Foauth2%2Fidpresponse&response_type=code&scope=openid&state={state here} The problem here is I get "414 Request-URI Too Large". I have no indication that this is from my application and this is a response from the load balancer. The length of the State in the url is 20,514 characters My question is this a bug or what am I doing wrong?

I am following this tutorial https://aws.amazon.com/blogs/security/deploy-dashboard-for-aws-waf-minimal-effort/ but when I select my region and load a template I get error api_error_message_500 Why I am getting this error? Is there any other quick way to start getting WAF logs on Kibana Dashboard?

I need to be able to guarantee that a user's actions can always be traced back to their account regardless of which role they have assumed in another account. What methods are required to guarantee this for? * Assuming a cross-account role in the console * Assuming a cross-account role via the cli I have run tests and can see that when a user assumes a role in the CLI, temporary credentials are generated. These credentials are seen in CloudTrail logs under responseElements.credentials for the assumeRole event. All future events generated by actions taken in the session include the accessKeyId and I can therefore track all of the actions in this case. Using the web console, the same assumeRole event is generated, also including an accessKeyId. Unfortunately, future actions taken by the user don't include the same accessKeyId. At some point a different access key is generated and the session makes use of this new key. I can't find any way to link the two and therefore am not sure of how to attribute actions taken by the role to the user that assumed the role. I can see that when assuming a role in the console, the user can't change the sts:sessionName and this is always set to their username. Is this the suggested method for tracking actions? Whilst this seems appropriate for roles within the same account, as usernames are not globally unique I am concerned about using this for cross account attribution. It seems placing restrictions on the value of sts:sourceIdentity is not supported when assuming roles in the web console.

I am attempting to deploy two cloudfront distributions in cn-northwest-1 and I cannot seem to get ACM certificates attached to them, terraform keeps returning the following error ``` error creating CloudFront Distribution: InvalidViewerCertificate: The specified SSL certificate source isn't available in this region. │ status code: 400 ``` The ACM certificates are being generated in us-east-1 and the validation is completing successfully, but it seems that the cloudfront distribution which is created in china cannot access the certificates in the account with access to us-east-1 and RAM does not work for ACM Certificates as far as I could find. Has anyone run into the similar issue, is the only solution here using SSL/TLS certificates and manually importing them?

The certificate renewal process was unsuccessful due to Cloudflare configuration for our domain(Cloudflare just blocked Let's Encrypt validation requests). Approximately 7 hours ago we updated the Cloudflare configuration and it shouldn't block Let's Encrypt anymore, but we still didn't receive any requests from them, and our SSL certificate is still pending validation. Unfortunately for us, this certificate expires today, and we don't have a lot of time for that. I've tried requesting a new one, but it was also unsuccessful(certificate validation failed), and importing the Cloudflare origin certificate also was unsuccessful(import failed). I can't find any logs to debug that, and can't force Cert Manager to try to validate us one more time. Please help us.

Is there a solution for the *fatal* message *0x6c6* that shows up in git-bash for Windows? It's annoying since it appears that operations continue normally other than the "fatal" part. My coworkers using Windows experience the same problem. I've included the full error along with the *GIT_TRACE=1* info. 09:45:39.933420 run-command.c:654 trace: run_command: 'git credential-manager-core store' 09:45:40.042896 exec-cmd.c:237 trace: resolved executable dir: C:/Users/xxxxxxxx/AppData/Local/Programs/Git/mingw64/libexec/git-core 09:45:40.042896 git.c:748 trace: exec: git-credential-manager-core store 09:45:40.042896 run-command.c:654 trace: run_command: git-credential-manager-core store fatal: Failed to write item to store. [0x6c6] fatal: The array bounds are invalid This is a newly setup Win10 Pro system. I'm using the following: git 2.36.1, Python 3.10.4, git-remote-codecommit 1.16, and we use a non AWS identity provider for SSO. $ aws --version aws-cli/2.6.3 Python/3.9.11 Windows/10 exe/AMD64 prompt/off Here's ~/.gitconfig on the affected system. [credential "url pointing to aws codecommit"] provider = generic [protocol "codecommit"] allow = always Here's part of the repo .git/config [core] repositoryformatversion = 0 filemode = false bare = false logallrefupdates = true symlinks = false ignorecase = true [submodule] active = . [remote "origin"] url = codecommit::region://repo-name fetch = +refs/heads/*:refs/remotes/origin/* [branch "master"] remote = origin merge = refs/heads/master Linux systems don't have this problem.

Hi, We have a greenfield environment and I am looking at the best way to set up AWS Organization and underlying OUs with accounts. We also use SSO. According to https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.pdf#benefits-of-using-multiple-aws-accounts , we should only have any services in management account. I am trying to figure out OU/account should SSO go to according to that document. Should it go to Shared Infra? Or are there any limitations that I should know of and SSO must be part of Management account?

Hi Guys, Whenever I try to save a page, WAF Rules (Fortinet Rules) are blocking these web requests, especially below Rules. Cross-Site-Scripting-02 Web-Application-Vulnerability-Exploit-02 Web-Application-Vulnerability-Exploit-01 Could someone tell what are the commands inside these rules and how to find them. Thanks in Advance, Venkatesh, M.

For cognito user - Using Amplify I was able to login using ``` await Auth.signIn(this.email, this.password); ``` And logout using: ``` Auth.signOut(); ``` For federated user - Using Amplify I was able to login using ``` await Auth.federatedSignIn({ customProvider: 'customProviderName' }); ``` But logout doesnt support using: ``` Auth.signOut(); ``` How can I signout federated user, so that when I try to login again, it ask my permission to login ?

Hi, I was able to configure AWS session manager to use SSH keys over session manager tunnel as it is described here -> https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html. But now i need to force user to provide SSH keys, because now, even tho i can use SSH keys to authenticate into the EC2 instance, im still able to to it without providing SSH keys, just by using `aws ssm start-session` command. As i suppose i can add some kind of policy for that, something like: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::accountid:user/test-user" }, "Action": [ "ssm:TerminateSession", "ssm:ResumeSession" ], "Condition": { "StringEquals": { "ssm:StartSession/RequireSSH": "True" ( parameters made up, by me ) } } } ] } ``` But im not sure what should be in the place of `"ssm:StartSession/RequireSSH": "True"`, Any help will be appreciated Joann

After trying to access AWS account via Okta, users are getting the "It's not you, it's us We couldn't complete your request right now. Please try again later." message. It's been occurring for more than a week. Integration was configured by following this guide: https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html and previously worked fine with another AWS account.

We would like to control which services are available for use in which accounts and regions while still being able to review everything: - Allow ReadOnly across all services in all regions - Allow Write on specified services in certain regions We are aware of the general policy to [restrict actions not in specific regions](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region) but this is too restrictive and results in unnecessary confusion when users experience permission errors on various service dashboards. Thus far we have been unable to construct an SCP, or combination of SCPs, that provide the intended effect given [the attachment and size limits.](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html#min-max-values) Is what we are looking for even possible with Service Control Policies alone? We would like to avoid: - Managing this via User/Role Permissions - Having "Bypass" Roles as shown in the documented example above.

We have setup an identity provider to use Azure AD to authenticate users that access an AppSteam stack. This is a new build. I used the link below to do the set up. Everything seems to be working from the authentication side as I can get logged in (can see the user logged if I'm logged into the console and then it refreshes when not using in private browser window). However, when it redirects to the AWS Appstream page, I'm getting Error: Bad Request.(Error Code: INVALID_RELAY_STATE);Status Code:400. This suggests a malformed relay state URL, but I have verified that it appears to be the correct syntax (variables and stack name case-sensitive). The SAML response appears to be clean using the browser code analysis tools and the SAML decoder. The only thing that seems odd is that cookie analysis from the browser reports the credentials are expired (there are several errors in the capture i.e. Cookie "aws-creds" has been rejected because it is already expired). The 400 response header shows the statement "expires:Tue, 03 Jul 2001..." which is bizarre. Any help would be greatly appreciated. https://aws.amazon.com/blogs/desktop-and-application-streaming/enabling-federation-with-azure-ad-single-sign-on-and-amazon-appstream-2-0/

Can a customer use the Microsoft AD on the cloud as the only AD for his company that employees authenticates to. What does it take to join the PCs and Users to the domain. Will it be over the internet. How much will the customer be paying for a team of about 20 personnel..

_temp lake formation blueprint pipeline tables appears to IAM user in Athena editor, although I didn't give this user permission on them below the policy granted to this IAM user,also in lake formation permsissions ,I didnt give this user any permissions on _temp tables: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1652364721496", "Action": [ "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution", "athena:GetDataCatalog", "athena:GetDatabase", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ListDataCatalogs", "athena:ListDatabases", "athena:ListEngineVersions", "athena:ListNamedQueries", "athena:ListPreparedStatements", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Effect": "Allow", "Resource": "*" }, { "Effect": "Allow", "Action": [ "glue:GetDatabase", "glue:GetDatabases", "glue:BatchDeleteTable", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition" ], "Resource": [ "*" ] }, { "Sid": "Stmt1652365282568", "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::queryresults-all", "arn:aws:s3:::queryresults-all/*" ] }, { "Effect": "Allow", "Action": [ "lakeformation:GetDataAccess" ], "Resource": [ "*" ] } ] }

I have requested for an ssl certificate with certificate id :92260d29-8a31-4d7c-b44d-8a1ad0cda7ac and it is in pending state and it is now 72 hours

Hi all. I am trying to configure AWS network firewall using Domain list. I can select the http protocol in the configuration, but http seemed to be inspected regardless of the port because it was inspected even if I used a port other than 80. Is it possible to change/limit the target port?

Hi, I am trying to configure statefull rule using the new AWS network firewall managed signatures . I am seeing that firewall is detecting some malicious traffic but its not blocked. Any idea how i can change the action to block or drop? Thanks

AWS secrets-manager does not decode my key/values when retrieving... what am I missing? Hi when I retrieve my SecretString from Secrets-manager i get: `'{"username": "***","password": "***" ,"engine":"mysql","host":"***","port":"***","dbname":"***""dbInstanceIdentifier":"database-1"}',` Instead of `{"username":"my_real_username","password":"my_real_password","engine":"mysql","host":"my_real_host","port":"my_real_port","dbname":"my_real_dbname","dbInstanceIdentifier":"database-1"}` I have tried using both my buildspec.yml file doing: ``` env: secrets-manager: DB_TEST_HOST: "test:host" DB_TEST_NAME: "test:dbname" DB_TEST_PORT: "test:port" DB_TEST_USER: "test:username" DB_TEST_USER_PASSWORD: "test:password" ``` And implemented the code suggested in secrets-manager. Both give the the bad result. I have also attached "SecretsManagerReadWrite" policy and kms:Decrypt policy to the role used when trying to retrieve these parameters.

Suppose I have a Cognito Identity Pool. I want to grab info about the user itself rather than their Cognito Identity ID. Is there any way to read off the principal tags from the assumed Cognito Identity or the underlying IAM Role? Alternatively I could parse the "sub" attribute from the oidc provider (via the cognito identity's amr block) and work backwards with the identity provider to get more info... but this is resource intensive and I see no reason why I can't access the principal tags passed into the cognito identity...

Hi all, Last 2 weeks i am facing Remote desktop connection problem. I am new in AWS. A few day back, I had received an account suspension mail because of payment due. I made all the payment done. Now i am getting this error on login with RDP. "RDP credential were use to connect did not work, please enter new credential " During this I followed some steps to solve the error: 1.) My Security Group setting:- Inbound rules are:- Http, Https, SSH, RDP, all TCP, All Traffic, Custom TCP for IPV4 and IPV6. Outbound Rules are: All Traffic, HTTP, Custom TCP, HTTPS, SSH for IPV4 and IPV6. 2.) IAM Manager :- Create Role for AmazonEc2RoleforSSM Policy This My Inline Policy ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:PutParameter" ], "Resource": [ "arn:aws:ssm:us-east-2:939764493069:parameter/EC2Rescue/Passwords/i-063933c590287f4d2" ] } ] } ``` 3.) By using System Manager Run command, Changed the current password of windows as well but it's not working. 4.) Also Tried to ping the Public IPv4 address from the local machine but it's working. firewall also take off. 5.) Also tried changing internet service provider. I don't know what am I doing wrong. Is my account is isolated ? Is my setting is wrong? Could you please provide solution.

I create a rule i.e. Type --> Regular rule Field to match --> URI path Positional constraint ---> Contains string Search string ----> /test/* Text transformations --> Lowercase (Priority 0) Action --> Block Custom response code --> 404 But after loading a url https://a.xyz.com/test/a or https://a.xyz.com/test its still works but not blocking. Why? What is wrong with the rule. Can anyone guide me please

Hi, I need to assign ssh key pairs to the EC2 instances for multiple IAM users. So what i want to have: IAM users `[user1,user2,user3]`, out of them `[user1,user2]` should have separate (each IAM user should have its own user in VM) SSH access to the `[VM-1,VM-2]` EC2 instances, and the `[user3]` should have access **only** to the `[VM-3]` instance. Do i need to generate ssh key pairs, create users inside the EC2 instance, assign permissions for those users - manually, and then also manually add those SSH pub keys in the EC2 instances? Or AWS has service that can do it automatically for me? Joann

I have implemented WAF on CDN . When I download docx, excel file via CDN through android app , file is downloaded successfully and url looks like https://data.mydomain.com/doc_file But when I try to download pdf and audio wav file via CDN though android app request, the file doesn't open and prompt message "Cannot be displayed " and url looks like http://data.mydomain.com/pdf_file. Http comes instead of https. But when I disable WAF file is downloaded from this link http://data.mydomain.com/pdf_file. How to redirect Http to https for pdf download when accessed through CDN and WAF enabled? I have enabled Redirect HTTP to HTTPS in CDN behavior.

hello. I'd like to get a secret key and access key ID as a cognito license. ``` cognitoUser.authenticateUser(authenticationDetails, { onSuccess: function (result) { const idToken = result.getIdToken().getJwtToken(); AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:7fc9xxxx-xxxx-xxxx-xxxxx-xxxxx', Logins: { 'cognito-idp.ap-northeast-2.amazonaws.com/userPoolid': idToken, }, }) } ``` On the Cognito aws Identity Pool page, it is confirmed that the identity browser has become a credential. However, in getCredentials, "Could not load credentials from CognitoIdentityCredentials" is generated. ``` AWS.config.getCredentials(function (err) { if (err) return console.error(err.stack); else console.log('Access key:', AWS.config.credentials.accessKeyId); }) ``` If you look at the AWS.config.credentials console log, there are no values other than the parameters you put in. Problem not found. Is it right to get the secret key issued through Cognito Identity Credentials?

Hi, We've an odd issue with Amazon inspector. Recently we've pushed multiple Docker images into private ECR repositories, and we're scanning them with "Enhanced scanning" and "Continuously scan all repositories" - we have no scanning overrides on individual repositories and no suppression rules; our "*" filter is actively scanning all images. The scan results appear fine in ECR if you select a repository then click the "See findings" link under "Vulnerabilities" - we see critical package vulnerabilities. However: in Inspector, the "Critical findings" panel of the dashboard always displays "0 Critical" under "ECR Container". It also doesn't show the critical issue findings if you filter "By container image" or "By repository" - nothing. But: if you select "All findings" the critical ECR package issues are visible... We had thought this might be some sort of dashboard update issue, but it's been like that for over 12 hours now. What do we need to do to get our scanned critical ECR image vulnerabilities reported on the main Inspector dashboard stats? Thanks. [Dashboard Findings: Criticals 0](https://ibb.co/ZcNBFm3) [Container Image Findings: Empty](https://ibb.co/Zgtg5NZ) [All Findings - Criticals present and correct](https://ibb.co/NTw8vpX)

I have a Lambda function that is supposed to pass its own permissions to the code running in an ECS task. It looks like this: ``` ecs_parameters = { "cluster": ..., "launchType": "FARGATE", "networkConfiguration": ..., "overrides": { "taskRoleArn": boto3.client("sts").get_caller_identity().get("Arn"), ... }, "platformVersion": "LATEST", "taskDefinition": f"my-task-definition-{STAGE}", } response = ecs.run_task(**ecs_parameters) ``` When I run this in Lambda, i get this error: ``` "errorMessage": "An error occurred (ClientException) when calling the RunTask operation: ECS was unable to assume the role 'arn:aws:sts::787364832896:assumed-role/my-lambda-role...' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role." ``` If I change the task definition in ECS to use `my-lambda-role` as the task role, it works. It's specifically when I try to override the task role from Lambda that it breaks. The Lambda role has the `AWSLambdaBasicExecutionRole` policy and also an inline policy that grants it `ecs:runTask` and `iam:PassRole`. It has a trust relationship that looks like: ``` "Effect": "Allow", "Principal": { "Service": [ "ecs.amazonaws.com", "lambda.amazonaws.com", "ecs-tasks.amazonaws.com" ] }, "Action": "sts:AssumeRole" ``` The task definition has a policy that grants it `sts:AssumeRole` and `iam:PassRole`, and a trust relationship that looks like: ``` "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com", "AWS": "arn:aws:iam::account-ID:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS" }, "Action": "sts:AssumeRole" ``` How do I allow the Lambda function to pass the role to ECS, and ECS to assume the role it's been given? P.S. - I know a lot of these permissions are overkill, so let me know if there are any I can get rid of :) Thanks!

I am exploring how to delegate Cloudformation permission to other users by testing specifying a role when creating a stack. I notice that some resources like VPC, IGW and EIP can be created but error was prompted. The created resources cannot be deleted by the stack also during rollback or stack deletion. For example, the following simple template create a VPC: ``` Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.3.9.0/24 ``` I have actually created a role to specify during creation with policy which allow a lot of actions that I collected by querying the cloudtrail using athena. The following are already included: `"ec2:CreateVpc","ec2:DeleteVpc","ec2:ModifyVpcAttribute"` However, the following occur during creation: > Resource handler returned message: "You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: bf28db5b-461e-48ff-9430-91cc05be77ef)" (RequestToken: bc6c6c87-a616-2e94-65eb-d4e5488a499a, HandlerErrorCode: AccessDenied) Looks like some callback mechanisms are used? The VPC was actually created. The deletion was also failed but it did not succeeded. > Resource handler returned message: "You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: f1e43bf1-eb08-462a-9788-f183db2683ab)" (RequestToken: 80cc5412-ba28-772b-396e-37b12dbf8066, HandlerErrorCode: AccessDenied) Any hint about this issue? Thanks.

Does Cognito User Pools store tokens granted by *external* IDPs (such as **external** access_token and refresh_token)? If so, how can they be accessed?

We are attempting to create logging filters for our WAF policies. I created the following conditions for logging: > Rule action: BLOCK Keep in logs > Rule action: ALLOW - Drop from logs > Default logging behavior Drop from logs However, requests with the rule action ALLOW are still being logged. Are there any additional steps I can take to filter out log conditions?

Hi, according to the [List Identities documentation](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_ListIdentities.html#API_ListIdentities_RequestSyntax), the field `HideDisabled` hints that we can disable identities within an identity pool but I couldn't find further information how to accomplish this. Is my understanding correct, can we disable an identity within an identity pool and if so what are the steps?

I use Cognito Sync "updateRecords" function in JavaScript SDK v3 (https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoSync.html#updateRecords-property) and set "Op" in "RecordPatches" to "remove", but specified record(s) not deleted and "SyncCount" increased by 1. I also get the same result with same operation in AWS CLI. What is the right way to delete a record key (not just record value) in dataset ?

Access an identity in cognito identity browser always redirect to cognito homepage. My account have AWSCognitoPowerUser role. Steps to reproduce: 1. go to Cognito service https://console.aws.amazon.com/cognito/home 2. select "Manage Identity Pools" 3. select an identity pool 4. select "identity browser" in the left side 5. select an identity id in the right side 6. EXPECTED: show records in this identity. ACTUAL: being redirected to Cognito service homepage (step 1) tested in multi web browsers and multi AWS account, this issue happens for months

Hi, I want to forbid IAM user (for example: support-IAM ) to authenticate to the EC2 instance user ( for example : root-EC2 ), but still be able to authenticate as other EC2 instance user ( for example: support-EC2 ) , for that, as i understood i need to forbid this user to set `--tags` with value `root-EC2` (or in my case, everything **except** `support-EC2`) while using command `aws sts assume-role`, but how can i do it? P.S im using `AWS session manager` Joann

When I create a new IAM role, in this case I am doing this in order to create an Export Job in AWS RoboMaker I get the following error: >AccessDeniedException: User: arn:aws:iam::xxxxxxxxxxxx:user/xxxxxx@xxxxxx.it is not authorized to perform: iam:CreatePolicy on resource: policy AWSRoboMakerWorldForgePolicy_eeb50488-b552-91a1-3857-f28790842fd1 because no identity-based policy allows the iam:CreatePolicy action The point is that everytime I try to create the Export Job with the same settings (same S3 bucket as an output, same IAM role name), this error appears with the same structure, but with a different alpha-numeric sequence after the "AWSRoboMakerWorldForgePolicy_", hence it is unseful also to ask for this permission since it is always different. Does anyone have any idea?

Hello, I generated an MQTT client certificate using create-keys-and-certificate. The issuer of this certificate is: issuer= /OU=Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US is there any way to access that intermediate certificate and any other intermediate ones in the chain? I've checked all the certificates here: https://www.amazontrust.com/repository/ but unfortunately none of them is that one. thank you!

I have a requirement to get data from aws using IAM API's , so I have access key , secret key , base url , service name and region of aws account we are trying to authenticate with bearer token , but we are getting the following error , I have generated bearer token using aws cli. URL : https://iam.amazonaws.com/?Action=ListGroups&Version=2010-05-08&access_token=<<token>> https://iam.amazonaws.com/?Action=ListGroups&Version=2010-05-08&Authorization=Bearer <<token>> Error : is not valid; the value of a query string parameter may not contain a '=' delimiter

Hi! I built a web app on an EC2 windows instance & want to put it on my clients domain. Once the server is on the domain, the users only have to go to the server name in their browser & the app renders. I haven't worked with AWS networking & want to know if I should I use Resolver, Amazon Active Directory, or AD Connector? Preferably quick & easy. I only need to join one ec2 windows instance to my clients network. Thanks in advance!

How to enable AWS WAF for CDN generated in Amplify ?

We are evaluating Babelfish migration from SQL Server but would like to know does IAM authentication works with Babelfish? Any guidance would be greatly appreciated.

I need to delete a user from our system access. When I delete the user does all of their uploaded files remain in the system or do they delete too?

My understanding is, Private Key should never leave HSM cluster. HSM-Client should pass key-handle, Mechanism and payload to the HSM-Server and HSM-Server should encrypt or sign the payload and give it back to the HSM-Client. But the [examples in the official documentation](https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-samples_5.html) generates KeyPair and use actual PrivateKey to encrypt. Please let me know if my understanding is correct and point me to some **Java example** where encryption and signing happens on HSM-Server and not on HSM-Client

I have an image I deploy to ECS that expects an environment variable called `DATABASE_URL` which contains the username and password as the userinfo part of the url (e.g. `postgres://myusername:mypassword@mydb.foo.us-east-1.rds.amazonaws.com:5432/mydbname`). I cannot change the image. Using `DatabaseInstance.Builder.credentials(fromGeneratedSecret("myusername"))`, CDK creates a secret in Secrets Manager for me that has all of this information, but not as a single value: ```json { "username":"myusername", "password":"mypassword", "engine":"postgres", "host":"mydb.foo.us-east-1.rds.amazonaws.com", "port":5432, "dbInstanceIdentifier":"live-myproduct-db" } ``` Somehow I need to synthesise that `DATABASE_URL` environment variable. I don't think I can do it in the ECS Task Definition - as far as I can tell the secret can only reference a single key in a secret. I thought I might be able to add an extra `url` key to the existing secret using references in cloud formation - but I can't see how. Something like: ```java secret.newBuilder() .addTemplatedKey( "url", "postgres://#{username}:#{password}@#{host}:#{port}/#{db}" ) .build() ``` except that I just made that up... Alternatively I could use CDK to generate a new secret in either Secrets Manager or Systems Manager - but again I want to specify it as a template so that the real secret values don't get materialised in the CloudFormation template. Any thoughts? I'm hoping I'm just missing some way to use the API to build compound secrets...

Hi, My first question - https://repost.aws/questions/QUS8M4w0jkS8iV6EzPmaRmag/ssh-key-managment-for-multiple-accounts Im trying to use "AWS system manager" - "session manager". As i was advised in my previous question, to be able to login into the EC2 instances located in multiple accounts, i will need to do something similar to https://aws.amazon.com/blogs/mt/vr-beneficios-session-manager/ But the problem is that i need to have for each IAM user their own user in EC2 instance, as i found out, i need to pass tag "SSMSessionRunAs" with the value of the username to witch im login in. But if i will use "group" roles (roles assigned for multiple users), they will be authenticating with the same user in EC2 instance, which will not work for me. Does that mean, that in my case i will need to create a role for each IAM user? or i can change tag of the role depending on the user assuming this role? Thank you very much. Joann

I'm new to AWS , I have my ec2 instance and loadbalancer setup outside lightsail and my domain careerboat.io is inside lightsail now i am unable to choose loadbalancer for A record (no options available) So frontend guys getting ssl error on login page :)

Hi, We need to achieve: 1) Possibility to create/delete ssh key pairs for instances hosted in multiple accounts, in one place (centralization) 2) Possibility to assign permissions for the user we are ssh'ing into inside the instance, for example : IAM - admin user, should have admin ssh key, which will give full read/write permissions in virtual machine in which user is ssh'ing, and the IAM - support user, should have support ssh key, which will give less permissions. Any suggestions, in what we can look into, are welcome. As i googled a bit, the "AWS system manager" - "session manager" looks like it would work for us, but does it work for instances hosted in multiple accounts? Joann

How do I renew my certificate or get a new one since it showing failed

I registered a new domain with AWS in route53 3 days ago, I then created an ACM certificate for the domain, with the same name and used the "Create record in Route 53" functionality, 3 days later my certificate is still in "Validation pending" state even though the validation record exists. Worth noting I can access the CNAME validation record with `nslookup`, is this just a case of waiting for propagation or something, I expected 3 days or ~60hours to be long enough.

Hi, Is there a way to Enable SSO programmatically, either over CLI or SDK? I can do it through Web console, but I want to automate creation of AWS Organizations, accounts and AWS SSO. Thanks, Nemanja

Hi, the first call to the two methods below is very slow and after the same calls become fast. do you know why ? Method 1: var user = new CognitoUser(...) AuthFlowResponse resp = await user.StartWithCustomAuthAsync(new InitiateCustomAuthRequest()....) Method 2: RespondToAuthChalengeResponse verresponse = await provider.ResponseToAuthChallengeAsync(new RespondToAuthChalenge(){...}) thank you in advance best regards

My AWS account has been hacked, lots of technical things have been created that I don’t understand (VPS, Network Interfaces and such like) and I cannot delete them, nor get any Amazon customer ‘support’. What should I do??

Hi, im recently check throught this blog: https://aws.amazon.com/blogs/security/deploy-dashboard-for-aws-waf-minimal-effort/ but seems the cfn template link have a permission issues. Exist any updated version for that solution or another similar ? Thanks in advance,

How do I create a role for AWS Batch jobs on EC2 using the CLI? The role needs to have read-write permissions to an S3 bucket, e.g. s3://mybucket234. The role will be needed for the "aws batch create-compute-environment" command.

Are there plans to support ECC keys in IoT Greengrass V2 - So that security devices like the ATECC608A/B etc can be used to secure keys for Greengrass communications between devices and AWS cloud ? I believe that Greengrass V1 did support this, but support seems to have disappeared it doesn't seem to possible with the current V2 version. Is support for these devices dropped or is there a plan or roadmap for support ? https://devices.amazonaws.com/detail/a3G0L00000AAOCcUAP/ATECC608a-CryptoAuthentication-Secure-Element

As my understanding, there are two required steps. I think only 1) is ok. **Is this redundancy? ** 1) From AWS IoT core policies, grant access to cognito_identity_id ```shell aws iot attach-policy --policy-name 'myIoTPolicy' --target '<YOUR_COGNITO_IDENTITY_ID>' ``` 2) From Cognito side, attach AWSIoTDataAccess and AWSIoTConfigAccess to Cognito Authenticated Role

Hi, I have a certificate which i was using for API gateway for custom domain mapping. Recently i have created a new certificate and applied new certificate to all custom domains. Before I started using new certificate, i checked how many associations are with old certidicates and i saw there were 11 associations with AWS resources and each one wre in this format arn:aws:elasticloadbalancing:<Region>:<ID>:loadbalancer/app/prod-bom-1-cdtls-1-2-15/<SomeRandomId> When. moved all cusom domain i noticed, association with old startd going down and with new it started increasing and finally new one fot 9 association and old one left with 2. I waited for more then 2 hours and old certificate still have 2 assocition with some uknown resources in above format(which looks likee Api gatway rsource) I have checked EEC2 loadbalance, OpenSearch etc as pr following article but i dont see this old certificate used any where.(I am using certificates only in APi gwateway anyways) https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-resources/ Problem: I am unable to find where is old certificate used and so unable to remove the certificate. Thanks Ravi

Hi Team need to check if I have some Ecs task running on farget cluster I need to access task using RDS so can I get to know which iam policy do I need to give in ecs task role

Im not able to configure the AWS SSO authentication method during in configuration steps of **Grafana Service** workspace setup. The error does have much detail. Simply reports: **Network Failure** So, ¿Exist any precondition in the SSO configuration which can lead to this little explanatory error? Right now I have an SSO user configured. Although I have to point out that this SSO is configured in other availability zone (Paris) while I am configuring Grafana in Ireland (this service is not avaliable in Paris). Could this be the reason?

We are working for FHIR(Fast Healthcare Interoperability Resources). We have followed “FHIR works on AWS” and deployed the CloudFormation template given by AWS in our AWS environment.Following is the template that we have deployed https://docs.aws.amazon.com/solutions/latest/fhir-works-on-aws/aws-cloudformation-template.html Requirement : we want to maintain client specific/customized ids as primary key in the server. Problem : server not allowing us to override or mainain client specific (customized ) ids as primary key .Infact , in the runtime, it is generating its own ids and ignoring the id given by us.

I want to connect AWS AD with AWS SSO. I've synced the AD users with SSO and I'm able to login to the SSO application. But unable assume the role associated to the user and access the account. Giving 403 error.

We just had a pen test completed and one of the items was our password policy. I was looking at changing it, and I found this page: https://docs.aws.amazon.com/singlesignon/latest/userguide/password-requirements.html. It describes the password policy for the SSO identity store (which we are using), but not how to change the policy. Is it possible to change a password policy for the SSO identity store? Thanks!

I'd like to request to S3 as a cognito certification qualification. S3 is using sdk Cognito is using amplify. Use an angular typescript. I would like to replace the secret key with the cognito authentication information when creating S3. I want to access s3 with the user I received from Auth.signIn, but the credentials are missing. I need your help. ``` public signIn(user: IUser): Promise<any> { return Auth.signIn(user.email, user.password).then((user) => { AWS.config.region = 'ap-northeast-2'; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', }); const userSession = Auth.userSession(user); const idToken = userSession['__zone_symbol__value']['idToken']['jwtToken']; AWS.config.region = 'ap-northeast-2'; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', RoleArn: 'arn:aws:iam::111111111111:role/Cognito_role', Logins: { CognitoIdentityPool: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', idToken: idToken, }, })); const s3 = new AWS.S3({ apiVersion: '2012-10-17', region: 'ap-northeast-2', params: { Bucket: 'Bucketname', }, }); s3.config.credentials.sessionToken = user.signInUserSession['accessToken']['jwtToken']; s3.listObjects(function (err, data) { if (err) { return alert( 'There was an error: ' + err.message ); } else { console.log('***********s3List***********', data); } }); } ``` bucket policy ``` { "Version": "2012-10-17", "Id": "Policy", "Statement": [ { "Sid": "AllowIPmix", "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "arn:aws:s3:::s3name/*", } ] } ``` cognito Role Policies - AmazonS3FullAccess ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*", ], "Resource": "*" } ] } ```

This is connector is in an Inoperable state. When attempting to delete it, I get the following error: Cannot delete the directory because it still has authorized applications. Any attempt to remove the AWS Console application fails. I see that others have had similar issues and it requires technical support to resolve. Is that still the case? Thanks, John

Hi, We try to configure the RDP connection to Windows EC2 via SSO via FleetManager. We have this error : An error occurred while establishing the Remote Desktop session. The GetCommandInvocation API operation failed to fetch the result in the given time. CommandId 94ce5f12-0545-4ae9-9f94-d6322bd1ec04 Can you help us? Regards, Jérôme

I am trying to customise my AWS SSO URL but it is not working ,is there any limitations on the naming convention .I have tried as many number of names with different combinations but noting worked for me .