Questions tagged with Security


[This page](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) for Application Load Balancers states that Security Policies `ELBSecurityPolicy-2015-05` and `ELBSecurityPolicy-2016-08` are identical. When using region `us-east-1`, the two policies appear to be identical. When using region `us-east-2` or `ca-central-1`, the two policies are not identical. `ELBSecurityPolicy-2015-05` has an additional cipher, `DHE-RSA-AES128-SHA`, that is not present in the output for `aws elbv2 describe-ssl-policies ELBSecurityPolicy-2016-08`. I have not checked all regions. Either the documentation or the security policies per region should be updated.
0 answers · 1 vote · 20 views · Rachel, asked a day ago
Hi, I have been banging my head trying to get this working and cannot figure it out. I have an ECS Fargate cluster in 2 private subnets. There are 2 public subnets with NAT gateways (needed for the tasks running in Fargate). Currently I have S3 traffic going through the NAT gateways and I would like to implement an S3 endpoint as "best practice". I have created CFN scripts to create the endpoint and associated security group. All resources are created and appear to be working. However I can see from the logs that traffic for S3 is still going through the NAT gateways. Is there something basic that I have missed? Is there a way to force the traffic from the tasks to the S3 endpoints?

The Fargate task security group has the following egress:

```yaml
SecurityGroupEgress:
  - IpProtocol: "-1"
    CidrIp: 0.0.0.0/0
```

Here is the script that creates the endpoint and SG:

```yaml
endpointS3SecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: "Security group for S3 endpoint"
    GroupName: "S3-endpoint-sg"
    Tags:
      - Key: "Name"
        Value: "S3-endpoint-sg"
    VpcId: !Ref vpc
    SecurityGroupIngress:
      - IpProtocol: "tcp"
        FromPort: 443
        ToPort: 443
        SourceSecurityGroupId: !Ref fargateContainerSecurityGroup

# S3 endpoint
endpointS3:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal: '*'
          Action: 's3:*'
          Resource: '*'
    SubnetIds:
      - !Ref privateSubnet1
      - !Ref privateSubnet2
    VpcEndpointType: Interface
    SecurityGroupIds:
      - !Ref endpointS3SecurityGroup
    ServiceName:
      Fn::Sub: "com.amazonaws.${AWS::Region}.s3"
    VpcId: !Ref vpc
```

Thanks in advance. Regards, Don.
2 answers · 0 votes · 9 views · Don, asked a day ago
I used to have access to WorkDocs files that were shared with me, but now I don't. I requested permission but I have no idea where the request goes. How do I get access back?
1 answer · 0 votes · 6 views · asked 2 days ago
We want to implement an architecture in which we connect different physical sites (On-Premises * 10) to the internet through a transit gateway, with inspection by a network virtual appliance (Sophos). This will also allow the physical locations to communicate with one another. The idea is to have routers on premises that only send/receive traffic through the VPN connection; all other traffic is denied. I want to know if this setup is secure in general. Though all traffic flows this way, will it be protected from, for example, DDoS attacks on premises? The AWS side of things can be protected by the firewall as well as maybe Shield Advanced, but what about the on-premises networks? Is there a need to protect them as well, or is a MikroTik router, for example, with free updates enough, as they are connected to the internet through public IPs?
1 answer · 0 votes · 14 views · asked 2 days ago
I used to have HTTPS working on my Beanstalk environment, but in the attempt of allowing access to another service I messed up something and I can't get it working again. ATM my configuration is:

Elastic Beanstalk:

* An active listener on port 443 with the appropriate certificate
* A process on port 80, Health check path: /

EC2 and Security groups:

* One security group allowing inbound from 443, 80 and 27017
* Outbound all ports, all IPs

What I think I messed up: How to determine the correct origin for the security groups? Also, is there anything wrong in this setup? I read many guides. I am not going to terminate the HTTPS connections like explained in this guide https://aws.amazon.com/premiumsupport/knowledge-center/elastic-beanstalk-https-configuration/ simply because I haven't done it before and it was working. Do I really need it? Thanks, M
2 answers · 0 votes · 14 views · asked 2 days ago
I want to allowlist the SageMaker Studio IP so people can access certain allowlisted services from SageMaker. I created a SageMaker domain in a private subnet of my VPC, so theoretically it should use the IP of the associated NAT gateway, right? But I see a different IP 🤔
1 answer · 0 votes · 19 views · asked 3 days ago
Hello, I want to implement my *own* transcoding (such as to output a different rendition ladder, add encryption, add additional playback token authentication such as per IP in my own CDN, and so on). Can I use an AWS IVS basic channel to simply transmux? For example: someone starts streaming to a basic channel AWS IVS rtmps endpoint. That fires an event. That event triggers a Lambda, which in turn starts an EC2, MediaLive (or some other compute to do the transcoding, on-demand). *That* transcodes the HLS .m3u8 generated by AWS IVS, so giving me complete control over its *output* ABR HLS delivered to viewers.
2 answers · 0 votes · 23 views · greg, asked 3 days ago
Suppose an 'EKS Cluster' was created, and no load balancers exist. Is there any way to associate the 'SSL Policies' without a load balancer?
1 answer · 1 vote · 9 views · asked 3 days ago
I want to connect my EventBridge's API Destinations to resources in my private VPC by calling the API endpoints at their private endpoints (not going through any public route like API Gateway). I saw this [doc](https://docs.amazonaws.cn/en_us/eventbridge/latest/userguide/eb-related-service-vpc.html) from AWS China that says using PrivateLink it might be possible but also found other [sources](https://repost.aws/questions/QUF6vrV82RQDe7__jyGFK7cg/how-to-invoke-a-private-rest-api-created-with-aws-gateway-endpoint-from-an-event-bus-rule) that say EventBridge can't connect to VPC. How should I go about this?
1 answer · 0 votes · 26 views · asked 3 days ago
I have a task where I'm required to make sure all my GuardDuty logs from multiple accounts are logged to one account using a centralized logging solution. At the moment, I'm trying to find a way, either via console or CLI, or both, to confirm that my GuardDuty logs are centralized in the account I am in. Is there an easy way to confirm this?
1 answer · 0 votes · 18 views · asked 3 days ago
When an AD is connected to IAM Identity Center, does the SSO portion of IAM Identity Center inherit the policies within the AD? When a user attempts to reset a password, does it restrict users to the password policy of the AD GPO, and does it enforce timeouts? If so, how does one set that up after connecting the AD to IAM Identity Center? Thank you!
1 answer · 0 votes · 16 views · asked 4 days ago
Is the HSTS policy controlled by the ALB? I don't see any option. How do I fix this? I'm not using API Gateway.
1 answer · 0 votes · 32 views · asked 5 days ago