Questions tagged with Security


Hi, is there any way to set up IP filtering on a database (MySQL) that is hosted on Lightsail? I can only see the public/private access option.
1 answer · 0 votes · 30 views
Dataedo, asked a month ago
Hi, I would like to set up a web ACL to challenge only direct traffic, e.g. traffic with no referrer. There does not seem to be any option to configure traffic by referrer in the dashboard that I can see.
1 answer · 0 votes · 31 views
Tom, asked a month ago
I am loading streaming data from DynamoDB using Lambda into OpenSearch. I followed this guide: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/integrations.html It works well except when updating an attribute to "specific data". The "specific data" is just a list whose elements are maps. The error from CloudWatch is below.

```
[2022-12-26T10:03:23,509][WARN ][r.suppressed ] [c7774434fcaeecfe83007fef2ce67395] path: __PATH__ params: {metric=nodes, settings_filter=plugins.security.ssl.transport.pemkey_filepath,plugins.security.cert.oid,plugins.security.enable_snapshot_restore_privilege,plugins.security.audit.config.pemtrustedcas_filepath,reindex.ssl.supported_protocols,opendistro_security.compliance.history.external_config_enabled,plugins.security.ssl.transport.truststore_password,plugins.security.ssl.transport.keystore_alias,plugins.security.ssl.transport.keystore_type,plugins.security.check_snapshot_restore_write_privileges,plugins.security.advanced_modules_enabled,reindex.ssl.truststore.password,opendistro_security.*,plugins.security.ssl.transport.truststore_alias,plugins.security.unsupported.accept_invalid_config,plugins.security.audit.config.webhook.format,plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath,plugins.security.audit.config.pemkey_password,plugins.security.background_init_if_securityindex_not_exist,plugins.security.ssl.transport.enabled,plugins.security.audit.config.webhook.ssl.verify,plugins.security.ssl.transport.keystore_keypassword,plugins.security.protected_indices.roles,plugins.security.audit.config.index,plugins.security.ssl.http.keystore_alias,plugins.security.audit.config.webhook.url,plugins.security.allow_unsafe_democertificates,plugins.security.unsupported.restapi.allow_securityconfig_modification,plugins.security.allow_default_init_securityindex,plugins.security.ssl.http.truststore_type,plugins.security.ssl.transport.keystore_password,plugins.security.audit.config.log4j.logger_name,reindex.ssl.keystore.key_password,reindex.ssl.truststore.type,plugins.security.ssl.http.keystore_filepath,plugins.security.kerberos.krb5_filepath,plugins.security.ssl.transport.keystore_filepath,plugins.security.ssl.client.external_context_id,plugins.security.ssl.transport.pemcert_filepath,plugins.security.unsupported.inject_user.enabled,plugins.security.ssl.http.pemkey_password,opendistro_security.audit.enable_rest,reindex.ssl.key_passphrase,opendistro_security.audit.resolve_bulk_requests,plugins.security.restapi.password_validation_regex,plugins.security.unsupported.allow_now_in_dls,plugins.security.audit.config.type,plugins.security.ssl.transport.truststore_type,plugins.security.audit.threadpool.max_queue_len,plugins.security.audit.config.pemcert_filepath,plugins.security.audit.config.password,plugins.security.ssl.transport.enforce_hostname_verification,plugins.security.unsupported.restore.securityindex.enabled,plugins.security.*,plugins.security.config_index_name,plugins.security.audit.config.pemtrustedcas_content,plugins.security.ssl.transport.pemtrustedcas_filepath,reindex.ssl.truststore.path,plugins.security.ssl.http.pemcert_filepath,reindex.ssl.keystore.password,reindex.ssl.certificate_authorities,plugins.security.compliance.disable_anonymous_authentication,opendistro_security.audit.resolve_indices,plugins.security.audit.config.pemcert_content,plugins.security.ssl.http.truststore_password,plugins.security.ssl.http.crl.prefer_crlfile_over_ocsp,plugins.security.audit.config.pemkey_filepath,opendistro_security.compliance.history.read.metadata_only,opendistro_security.compliance.history.write.log_diffs,plugins.security.ssl.transport.extended_key_usage_enabled,plugins.security.unsupported.load_static_resources,plugins.security.compliance.salt,plugins.security.filter_securityindex_from_all_requests,reindex.ssl.certificate,plugins.security.ssl.http.crl.validate,reindex.ssl.verification_mode,opendistro_security.audit.enable_transport,plugins.security.ssl.http.crl.validation_date,plugins.security.audit.config.enable_ssl_client_auth,plugins.security.ssl.http.pemtrustedcas_filepath,plugins.security.ssl.http.keystore_keypassword,plugins.security.ssl_only,opendistro_security.compliance.history.write.metadata_only,opendistro_security.audit.log_request_body,plugins.security.unsupported.inject_user.admin.enabled,plugins.security.audit.config.webhook.ssl.pemtrustedcas_content,plugins.security.ssl.http.pemkey_filepath,plugins.security.ssl_cert_reload_enabled,plugins.security.audit.config.username,plugins.security.ssl.http.crl.disable_crldp,plugins.security.audit.threadpool.size,plugins.security.roles_mapping_resolution,plugins.security.audit.config.pemkey_content,reindex.ssl.keystore.path,plugins.security.ssl.http.enabled,plugins.security.kerberos.acceptor_keytab_filepath,plugins.security.system_indices.enabled,plugins.security.audit.config.cert_alias,reindex.ssl.client_authentication,reindex.ssl.keystore.type,plugins.security.audit.config.log4j.level,plugins.security.ssl.transport.truststore_filepath,plugins.security.audit.type,plugins.security.disabled,reindex.ssl.cipher_suites,plugins.security.disable_envvar_replacement,plugins.security.restapi.password_validation_error_message,plugins.security.ssl.http.crl.check_only_end_entities,opendistro_security.compliance.history.internal_config_enabled,opendistro_security.audit.exclude_sensitive_headers,secret_key,plugins.security.ssl.http.enable_openssl_if_available,plugins.security.ssl.http.clientauth_mode,plugins.security.protected_indices.enabled,plugins.security.unsupported.disable_rest_auth_initially,reindex.ssl.key,plugins.security.ssl.http.crl.file_path,plugins.security.audit.config.enable_ssl,plugins.security.kerberos.acceptor_principal,plugins.security.cert.intercluster_request_evaluator_class,reindex.ssl.keystore.algorithm,plugins.security.audit.config.verify_hostnames,plugins.security.ssl.http.keystore_type,plugins.security.ssl.http.truststore_filepath,plugins.security.cache.ttl_minutes,plugins.security.ssl.transport.pemkey_password,plugins.security.system_indices.indices,plugins.security.ssl.transport.enable_openssl_if_available,access_key,plugins.security.ssl.http.keystore_password,plugins.security.ssl.http.crl.disable_ocsp,plugins.security.ssl.http.truststore_alias,plugins.security.ssl.transport.principal_extractor_class,plugins.security.protected_indices.indices,plugins.security.ssl.transport.resolve_hostname,plugins.security.unsupported.disable_intertransport_auth_initially, filter_path=nodes.*.attributes.di_number,nodes.*.attributes.box_type}
OpenSearchSecurityException[OpenSearch Security not initialized for __PATH__]
    at org.opensearch.security.filter.SecurityFilter.apply0(SecurityFilter.java:296)
    at org.opensearch.security.filter.SecurityFilter.apply(SecurityFilter.java:154)
    at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:193)
    at org.opensearch.performanceanalyzer.action.PerformanceAnalyzerActionFilter.apply(PerformanceAnalyzerActionFilter.java:99)
    at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:193)
    at org.opensearch.action.support.TransportAction.execute(TransportAction.java:170)
    at org.opensearch.action.support.TransportAction.execute(TransportAction.java:98)
    at org.opensearch.client.node.NodeClient.executeLocally(NodeClient.java:108)
    at org.opensearch.client.node.NodeClient.doExecute(NodeClient.java:95)
    at org.opensearch.client.support.AbstractClient.execute(AbstractClient.java:433)
    at org.opensearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:730)
    at org.opensearch.client.support.AbstractClient$ClusterAdmin.state(AbstractClient.java:760)
    at org.opensearch.rest.action.admin.cluster.RestClusterStateAction.lambda$prepareRequest$0(RestClusterStateAction.java:129)
    at org.opensearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:128)
    at org.opensearch.security.filter.SecurityRestFilter$1.handleRequest(SecurityRestFilter.java:128)
    at org.opensearch.rest.RestController.dispatchRequest(RestController.java:306)
    at org.opensearch.rest.RestController.tryAllHandlers(RestController.java:392)
    at org.opensearch.rest.RestController.dispatchRequest(RestController.java:235)
    __AMAZON_INTERNAL__
    __AMAZON_INTERNAL__
    __AMAZON_INTERNAL__
    __AMAZON_INTERNAL__
    __AMAZON_INTERNAL__
    __AMAZON_INTERNAL__
    __AMAZON_INTERNAL__
    __AMAZON_INTERNAL__
    at org.eclipse.jetty.server.handler.GzipHandler.handle(GzipHandler.java:301)
    __AMAZON_INTERNAL__
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
    __AMAZON_INTERNAL__
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
    at org.eclipse.jetty.server.Server.handle(Server.java:370)
    at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
    at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
    at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
    at __PATH__(Thread.java:829)
```

I don't understand why this happens only for specific data. Does anyone have any idea about this?
0 answers · 0 votes · 23 views
asked a month ago
I'm trying to use ***ec2_client.describe_network_interfaces*** for boto3 [here](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.Client.describe_network_interfaces) to return a network firewall if there is one attached to the subnet. I'm using filters to filter on subnet ID. I'm wondering which attributes in the response will return the value or data necessary to determine if there's a network firewall attached?
2 answers · 0 votes · 40 views
asked a month ago
I am currently checking route tables to determine which routes are public or private. However, I'm wondering if there's a way to call a subnet or determine which subnet has network firewalls in it. This will enable me to be more confident about which subnet is private (since our private subnets are pointing to network firewalls) and to check those route tables with that subnet ID. I was thinking this would be a better option as opposed to just checking all the route tables inside the VPC. Any advice or suggestions will help. Is there a way to use ***describe_network_interfaces*** to achieve this well?
2 answers · 0 votes · 55 views
asked a month ago
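The two questions above both want to know which subnets hold Network Firewall endpoints and which route tables send traffic through them. Rather than inferring that from ENI attributes, the firewall itself reports its endpoint ID and subnet per Availability Zone in the `FirewallStatus.SyncStates` part of the network-firewall `DescribeFirewall` response, and those endpoint IDs are exactly what appear as `VpcEndpointId` targets in `DescribeRouteTables`. The script below is an added example, not code from either poster; it runs offline on constructed response dictionaries with made-up IDs, and the classification labels are my own.

```python
"""Map AWS Network Firewall endpoints to subnets and classify route tables.

Added example, not code from the original posts. Driven by the shapes of two
boto3 responses: network-firewall describe_firewall (FirewallStatus.SyncStates)
and ec2 describe_route_tables (RouteTables[].Routes / Associations). The
dictionaries below are constructed sample data with made-up IDs.
"""
from __future__ import annotations

# Constructed: trimmed describe_firewall(FirewallName=...) response for a two-AZ firewall.
SAMPLE_DESCRIBE_FIREWALL = {
    "Firewall": {"FirewallName": "egress-fw", "VpcId": "vpc-0123456789abcdef0"},
    "FirewallStatus": {"Status": "READY", "SyncStates": {
        "us-east-1a": {"Attachment": {"SubnetId": "subnet-0fwa", "EndpointId": "vpce-0fwa", "Status": "READY"}},
        "us-east-1b": {"Attachment": {"SubnetId": "subnet-0fwb", "EndpointId": "vpce-0fwb", "Status": "READY"}},
    }},
}

# Constructed: describe_route_tables(...)["RouteTables"] for the same VPC.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-app-a",  # private subnet: default route goes to the firewall endpoint
     "Associations": [{"Main": False, "SubnetId": "subnet-0appa"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-0fwa", "State": "active"}]},
    {"RouteTableId": "rtb-public",  # public subnet: default route straight to the IGW
     "Associations": [{"Main": False, "SubnetId": "subnet-0pub"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"}]},
    {"RouteTableId": "rtb-fw-a",  # the firewall subnet itself: default route to a NAT gateway
     "Associations": [{"Main": False, "SubnetId": "subnet-0fwa"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"}]},
    {"RouteTableId": "rtb-main",  # main table, implicit association only, no default route
     "Associations": [{"Main": True}],
     "Routes": [LOCAL]},
]

# Keys under which a route names its target; one of them is present per route.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcEndpointId", "TransitGatewayId",
               "NetworkInterfaceId", "InstanceId", "VpcPeeringConnectionId",
               "EgressOnlyInternetGatewayId", "LocalGatewayId", "CarrierGatewayId")


def firewall_endpoints(describe_firewall: dict) -> dict[str, str]:
    """Return {endpoint_id: subnet_id} for every firewall endpoint whose attachment is READY."""
    out: dict[str, str] = {}
    for az_state in describe_firewall["FirewallStatus"]["SyncStates"].values():
        att = az_state.get("Attachment", {})
        if att.get("Status") == "READY":
            out[att["EndpointId"]] = att["SubnetId"]
    return out


def route_target(route: dict) -> str | None:
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def default_route_target(route_table: dict) -> str | None:
    """Target of the active 0.0.0.0/0 route, or None when the table has no default route."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route_target(route)
    return None


def classify_route_tables(route_tables: list[dict], endpoints: dict[str, str]) -> dict[str, tuple[str, list[str]]]:
    """Return {route_table_id: (kind, [associated subnet ids])}.

    kind (labels are this example's own):
      firewall-subnet  associated with a subnet that holds a firewall endpoint
      behind-firewall  default route points at a firewall endpoint (the poster's private subnets)
      public           default route points at an internet gateway
      isolated         no default route
      other            default route to something else (NAT, TGW, peering, ...)
    """
    fw_subnets = set(endpoints.values())
    result: dict[str, tuple[str, list[str]]] = {}
    for rt in route_tables:
        subnets = [a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a]
        target = default_route_target(rt)
        if fw_subnets.intersection(subnets):
            kind = "firewall-subnet"
        elif target in endpoints:
            kind = "behind-firewall"
        elif target is not None and target.startswith("igw-"):
            kind = "public"
        elif target is None:
            kind = "isolated"
        else:
            kind = "other"
        result[rt["RouteTableId"]] = (kind, subnets)
    return result


if __name__ == "__main__":
    eps = firewall_endpoints(SAMPLE_DESCRIBE_FIREWALL)
    for rtb, (kind, subnets) in classify_route_tables(SAMPLE_ROUTE_TABLES, eps).items():
        print(f"{rtb:12} {kind:16} {subnets}")
```

To run it against a live account, replace the two sample structures with the output of `boto3.client("network-firewall").describe_firewall(FirewallName=...)` and `boto3.client("ec2").describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]`; the main route table only has implicit associations, which is why subnets with no explicit association show up under `rtb-main` with an empty list.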
I'm sensing an anti-pattern in my company when it comes to creating roles and policies for a given workflow. I'm sitting on a development team; we are far from experts in AWS, but we are learning fast. We are building an application and trying to follow as much as possible all of AWS's security standards. As we develop we need to create specific roles bearing proper policies. There is a security team in my company who owns the IAM side when it comes to creating policies, therefore the development team doesn't have permissions to create/edit/delete policies to assign to the roles. The development team is only allowed to create/edit/delete/read roles and read policies. The development team faces a lot of frustration with this situation as it cannot proceed with our developments independently. After questioning the security team about the reasons, it was stated that:

* In the past people would go wild in creating policies, so we had to cut them short as it was easily becoming a total mess
* We needed to protect the AWS account from its users.
* We needed to protect the team from itself.

I would really appreciate the community's input on this to understand what/how other companies are organizing themselves when it comes to "allowing" creation of policies.
1 answer · 0 votes · 26 views
asked a month ago
Is there a way to get alerted on security vulnerabilities related to cloud and application development, so that as a service provider we could start fixing the code accordingly or even intimate clients upfront on global security issues? I usually check the security bulletins once in a while, but the challenge is there are plenty of updates every day, which makes it hard to read everything. https://aws.amazon.com/security/security-bulletins/?card-body.sort-by=item.additionalFields.bulletinId&card-body.sort-order=desc&awsf.bulletins-flag=*all&awsf.bulletins-year=year%232022 Is there any specific cloud service that provides such alerts?
1 answer · 0 votes · 46 views
asked a month ago
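The bulletins page linked in the question above is also published as an RSS feed, which is the cheapest way to turn "check once in a while" into a filtered alert. The script below is an added example, not code from the original post or from AWS: it parses the feed, keeps only entries newer than the last run, and matches them against a keyword list for the services you actually use. The feed URL is my assumption and should be checked against the bulletins page; the XML in `SAMPLE_FEED` is constructed with made-up bulletins so the script runs offline.

```python
"""Filter the AWS security bulletins RSS feed down to what matters to you.

Added example, not from the original post. FEED_URL is an assumption about
where the feed lives; SAMPLE_FEED is constructed data in the same RSS 2.0 shape.
"""
from __future__ import annotations

import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

FEED_URL = "https://aws.amazon.com/security/security-bulletins/rss/feed/"  # assumption

# Constructed sample feed: titles, links and dates are made up.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
  <title>AWS Security Bulletins</title>
  <item>
    <title>Issue with the AWS SDK for Java</title>
    <link>https://example.invalid/bulletins/java-sdk</link>
    <pubDate>Mon, 19 Dec 2022 18:00:00 GMT</pubDate>
    <description>Constructed: affects SDK versions before a fixed release.</description>
  </item>
  <item>
    <title>Reported issue with Amazon ECS agent</title>
    <link>https://example.invalid/bulletins/ecs-agent</link>
    <pubDate>Thu, 08 Dec 2022 21:30:00 GMT</pubDate>
    <description>Constructed: container escape in older agent builds.</description>
  </item>
  <item>
    <title>Update on Log4j vulnerabilities</title>
    <link>https://example.invalid/bulletins/log4j</link>
    <pubDate>Tue, 14 Dec 2021 00:00:00 GMT</pubDate>
    <description>Constructed: CVE-2021-44228 service status.</description>
  </item>
</channel></rss>
"""


@dataclass
class Bulletin:
    title: str
    link: str
    published: datetime  # timezone-aware
    summary: str


def parse_feed(xml_text: str) -> list[Bulletin]:
    """Parse RSS 2.0 <item> elements into Bulletin objects, newest first."""
    root = ET.fromstring(xml_text)
    items = [
        Bulletin(
            title=(item.findtext("title") or "").strip(),
            link=(item.findtext("link") or "").strip(),
            published=parsedate_to_datetime(item.findtext("pubDate")),
            summary=(item.findtext("description") or "").strip(),
        )
        for item in root.iter("item")
    ]
    return sorted(items, key=lambda b: b.published, reverse=True)


def match_bulletins(bulletins: list[Bulletin], keywords, since: datetime) -> list[Bulletin]:
    """Bulletins published after `since` whose title or summary mentions any keyword."""
    wanted = [k.lower() for k in keywords]
    hits = []
    for b in bulletins:
        if b.published <= since:
            continue  # already seen on a previous run
        text = f"{b.title} {b.summary}".lower()
        if any(k in text for k in wanted):
            hits.append(b)
    return hits


def demo_hits(keywords=("sdk", "log4j", "ecs")) -> list[str]:
    """Titles of sample bulletins matching `keywords` and published after 1 Dec 2022."""
    since = datetime(2022, 12, 1, tzinfo=timezone.utc)
    return [b.title for b in match_bulletins(parse_feed(SAMPLE_FEED), keywords, since)]


def fetch_feed(url: str = FEED_URL, timeout: float = 10.0) -> str:
    """Download the live feed (needs network; the offline demo does not call this)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for title in demo_hits():
        print(title)
```

Persist the newest `published` value you have seen between runs (a file, a parameter, a table) and pass it as `since`, then schedule the script and route `hits` to whatever pages you; the keyword list should name the SDKs, agents and services in your own bill of materials rather than generic words, or the filter stops being one.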
I spun up a Windows server on Amazon EC2 and I cannot ping the server. All security group rules were enabled, which is SMB, HTTP, RDP and all ICMP IPv4. I can ping other servers from my local machine but not the server created from my AWS account on EC2, even when all the necessary security group rules have been enabled. Do I have an issue in spinning up a server with my account?
1 answer · 0 votes · 59 views
akuracy, asked a month ago
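"All ICMP IPv4 enabled" is worth verifying rather than assuming, because security-group ICMP rules are keyed by ICMP type: a rule for type 3 (destination unreachable) looks like "ICMP is open" in the console but does not admit echo requests (type 8), and a rule scoped to a CIDR that does not contain your current public address does nothing either. The check below is an added example, not code from the original post; it evaluates the `IpPermissions` list that `describe_security_groups` returns for the inbound rules of a group, using constructed rule sets. A passing result clears only the security-group layer: the subnet's network ACL and the instance's own host firewall are separate, and a fresh Windows Server typically does not answer ICMPv4 echo until its inbound echo-request firewall rule is enabled.

```python
"""Does this security group admit ICMPv4 echo requests from a given source?

Added example, not from the original post. Works on the IpPermissions list
from boto3's ec2 describe_security_groups; the rule sets below are constructed.
"""
from __future__ import annotations

import ipaddress

ICMP_ECHO_REQUEST = 8  # ICMPv4 type for "echo request"; SG stores the type in FromPort

# Constructed inbound rule sets for four hypothetical security groups.
SG_ICMP_FROM_OFFICE = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "icmp", "FromPort": ICMP_ECHO_REQUEST, "ToPort": -1, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]
SG_RDP_ONLY = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
SG_ALL_TRAFFIC = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # "All traffic" has no ports
]
SG_ICMP_WRONG_TYPE = [
    # Only type 3 (destination unreachable): reads as "ICMP allowed" but echo is still blocked.
    {"IpProtocol": "icmp", "FromPort": 3, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def _source_allowed(rule: dict, source: ipaddress.IPv4Address) -> bool:
    """True if any IPv4 CIDR on the rule contains the source address."""
    return any(
        source in ipaddress.ip_network(r["CidrIp"], strict=False)
        for r in rule.get("IpRanges", [])
    )


def allows_icmp_echo(ip_permissions: list[dict], source_ip: str) -> bool:
    """Evaluate inbound rules the way the security group does for an ICMPv4 echo request.

    For IpProtocol "icmp", FromPort is the ICMP type and ToPort the code, with -1
    meaning "all". IpProtocol "-1" is the "All traffic" rule. Security groups are
    allow-only, so the first matching rule decides.
    """
    source = ipaddress.ip_address(source_ip)
    if not isinstance(source, ipaddress.IPv4Address):
        return False  # IPv6 echo uses IpProtocol "icmpv6" and Ipv6Ranges; out of scope here
    for rule in ip_permissions:
        if not _source_allowed(rule, source):
            continue
        proto = rule["IpProtocol"]
        if proto == "-1":
            return True
        if proto in ("icmp", "1") and rule.get("FromPort", -1) in (-1, ICMP_ECHO_REQUEST):
            return True
    return False


def diagnose(ip_permissions: list[dict], source_ip: str) -> str:
    if allows_icmp_echo(ip_permissions, source_ip):
        return "security group admits echo; check the network ACL and the instance's host firewall next"
    return f"security group blocks echo from {source_ip}: add an inbound rule for ICMP type 8 (or all ICMP) from that address"


if __name__ == "__main__":
    for name, rules in [("office", SG_ICMP_FROM_OFFICE), ("rdp-only", SG_RDP_ONLY),
                        ("all-traffic", SG_ALL_TRAFFIC), ("wrong-type", SG_ICMP_WRONG_TYPE)]:
        print(f"{name:12} {diagnose(rules, '203.0.113.7')}")
```

Feed it `describe_security_groups(GroupIds=[...])["SecurityGroups"][0]["IpPermissions"]` and your current public IPv4 address; if it reports the group admits echo and ping still fails, the remaining suspects are the network ACL and the Windows firewall on the instance, in that order.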
I've been trying unsuccessfully to apply CIS hardening to WorkSpaces. There is limited documentation of what's known to break WorkSpaces in terms of GPOs, it doesn't appear to cover the issues we've had, and support doesn't appear to be familiar with CIS, although they are a well-established authority. Windows on WorkSpaces needs hardening; this falls on the customer side of shared responsibility, but it's a struggle given what documentation I've been able to find thus far. Does anyone have documentation on exceptions required for WorkSpaces when running Windows Server 2019?
2 answers · 0 votes · 49 views
asked a month ago
Hi, is there a way to federate the SSH connection with Office 365 accounts? I am looking to get the benefit of SSO with the SSH connection to my EC2 instances.
1 answer · 0 votes · 29 views
asked a month ago
Traceroute is not working via TGW and VPC; I have checked all ACLs and security groups in the path.
3 answers · 0 votes · 61 views
Tarun, asked a month ago
Is there a way to add an RSA SecurID hard token as MFA to the root account? I've tried going through the documentation with no luck. Whenever I try to add it I get the following error, and I have ensured everything is typed in correctly. ![Screenshot of the error](/media/postImages/original/IM3XADzVabQOmle7leTf5kWw)
3 answers · 0 votes · 28 views
asked a month ago