Questions tagged with Security, Identity, & Compliance
Hello AWS Team. We are trying to implement ABAC instead of RBAC. In 2023, is it supported for all services on AWS?
Regards,
Diego
Is Lightsail HIPAA compliant for hosting a website?

I followed this procedure, but I wasn't able to find the option for Automatic Provisioning. Where can I find it?
In Step 3, it refers to an Information Box, which is also not available in the IAM Console.
How can I create a new user in Redshift who has SELECT access to all existing schemas, but has full permissions to create and modify their own schemas?
I want to create a custom IAM policy with custom IAM actions.
Something like the below:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "myCustomService:MyCustomAction",
        "myCustomService1:MyCustomAction1"
      ],
      "Resource": "*"
    }
  ]
}
```
I need this to control client/user/client-application access to my application running in an EKS cluster.
Thanks in advance.
I use a hardware security key (YubiKey) to log into the AWS console. The AWS Console app for iPhone does not appear to support this login method. Am I just out of luck?
I wanted to obtain the latest AOC issued to prove AWS' compliance with PCI DSS. I found the latest document in AWS Artifact. The name of the document claims that it is the latest report, valid until Dec 2023. However, upon opening the document and following the instructions that led me to the AOC, I see only outdated documentation, dated 2018.
Where can I find the latest AOC? As this information is supposed to be publicly available, I would expect that anyone can find and access it, but it seems not to be the case.
I received the error "AWS Control Tower failed to set up your landing zone completely: AWS Control Tower is unable to assume the AWSControlTowerExecution role in the account. Add the role to your account if it's not present, and try again." after "Retry" of setting up the landing zone.
Control Tower decommissioning was also done previously.
I will start by saying I know I should be using IAM roles, and we are converting a LOT; some will take a little longer, so I want to rotate them out because they are getting old. This key simply has AmazonSesSendingAccess, and things are working as expected. I have a simple Python script that sends mail to confirm.
From that IAM user, I select [Security credentials], I see the existing key, select Create Access Key, and in the menu simply select the option for use on an EC2 instance and check the box saying I know I am creating a key. I download the CSV, and also use the copy icon and paste, replacing the old one.
Now when I test I am getting the following:
**Error: (535, b'Authentication Credentials Invalid')**
I uncomment the old one and things work as expected. I see nothing else, as it's the same user (so permissions are the same), and I am 100% stuck. Any help or suggestions are appreciated.
Our auditor requests the SOC 1 or 2 report (Jan 1 2021 - Mar 31 2021), but I can't find it in Artifact. Is the report too old and therefore hidden, or do the reports start from 1 Apr 2021 to current?
When we start with Control Tower, 2 accounts within the Security OU, i.e. the log archive and audit accounts, are created. On this structure I have a few questions:
1) I read that detective guardrails are implemented by AWS Config. But why can't I see those under the Config rules of the AWS Config service?
2) I understand that the audit account has the power to access other accounts programmatically. I thought this was the reason why security services like Security Hub, AWS Config and other security-related services are hosted there. But in my project, security services are hosted in a separate account rather than the audit account. If so, what is the purpose of the audit account? Also, is it necessary for the account which holds the centralized AWS Config aggregator, Security Hub etc. to have programmatic access to other accounts?
3) By default, does the log archive account just collect CloudTrail logs from all other accounts? Under AWS best practices, I see that the audit account holds all the security services and also acts as the AWS Config aggregator. At the same time, all logging (including DNS, VPC etc.) happens under the log archive account. If so, do we need to explicitly send aggregator logs in the audit account to the centralized S3 bucket under the archive account?
Hello, I see where AWS GovCloud mentions that endpoints are FIPS compliant, but it never mentions validated. So I was looking for confirmation that, just like in AWS commercial regions, in order to use FIPS validated endpoints I would need to specifically call them, add them to code, or otherwise use environment variables and the like for the AWS CLI or SDK.
I ask this question because in the past some people have argued that endpoints in GovCloud are FIPS by default and we don't need to specify them. This is probably a confusion of compliant and validated, but I believe for the FIPS validated endpoints we still do need to explicitly do so.
https://aws.amazon.com/compliance/fips/