Questions tagged with Security

I am looking at EC2 Instance Connect and it seems it just allows you to impersonate any user that exists on the host by default. I am testing it with an IAM role that has all privileges. `mssh my_user@1.2.3.4 --region eu-west-2 --profile myprofile -t $INSTANCE_ID` logs me on as myself, fine. `mssh some_other_user@1.2.3.4 --region eu-west-2 --profile myprofile -t $INSTANCE_ID` logs me on as some other user that already exists on this server. Looks like this behaviour is by design, and anyone with the required IAM permissions for `ec2-instance-connect` can impersonate any user on the host. The document below mentions how you can scope user permissions so your IAM policy only allows you to 'push public key' as a specific user by leveraging the `ec2:osuser` value, although it is not clear whether it means `this is how you stop users impersonating someone else`: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html I only need the "Allow: ec2-instance-connect:SendSSHPublicKey" IAM permission to allow an AWS principal to use EC2 Instance Connect. The restriction for IAM that is mentioned in the document refers to 'The ec2:osuser condition. This specifies the name of the OS user that can push the public key to an instance'. I.e. if I don't set this condition, I can just create an ephemeral public key for any user just by merit of having "Allow: ec2-instance-connect:SendSSHPublicKey" in my principal's policy. So I can imagine this scenario: 1. IAM for a user has a single entry "Allow: ec2-instance-connect:SendSSHPublicKey" added. 2. User can impersonate anyone on the server. 3. Now, to limit the user, you need to explicitly add the `ec2:osuser` condition. This looks very counterintuitive to me.
1 answer | 0 votes | 39 views | SergeiV | asked a month ago
We want to move our AWS Batch computing environment from a private subnet to a public subnet to reduce communication costs for the NAT Gateway, but are there any security risks associated with doing so? Even if we assign a public IP, we do not see any problem as long as the inbound rules for the security group are properly configured.
2 answers | 0 votes | 52 views | kakeke | asked a month ago
I'm trying to find a way to block requests that are not inspected due to the size constraints; for example, if a request body is longer than 8k and the entire body is not inspected due to the size constraint, I would want this blocked. To satisfy this, would I use "MATCH"? My question is similar to this one here - https://repost.aws/questions/QU_QAauDSSTR6hmnKQj3F19g/how-to-set-oversize-handling-waf Though my confusion is regarding block vs allow. If the request happens to be over 8k, does that mean an attacker can bypass the WAF inspection? For example, if the request is longer than 8k and the WAF doesn't inspect the request that exceeds the 8k, would that be "ALLOWED" if I set the WAF handling to "CONTINUE"?
2 answers | 0 votes | 58 views | asked a month ago
I was sent an email indicating I need to apply **a size constraint rule or define oversize handling behavior on Body or JSON body rules for all of your AWS WAF web ACLs.** The message also mentions: **To help you update Body or JSON body rules, we are developing a 1-click tool which will be available by early December.** I'm trying to find this "1-click tool" the message refers to. Is this the one-click tool in the documentation below? I'm reviewing this documentation here - https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-size-conditions.html Also, for **Continue** the documentation mentions it will inspect contents that are within the size limitations. I'm under the assumption that it's AWS who automatically enforces these size limitations and it's the customer (me) who must define the way the size limitations are handled, if I'm not mistaken. I'm also wondering whether there are any best practices or suggestions on what approach to take when defining options for oversize handling? Thanks
2 answers | 0 votes | 50 views | asked a month ago
Is there any problem with the AWS security policy if I install Nessus on EC2 and run vulnerability checks against another account's AWS EC2 or an external server outside of AWS? According to the penetration testing policy published by AWS, it is not a problem to test EC2, so I feel that using AWS resources for testing should not be a problem, but....
1 answer | 0 votes | 25 views | asked a month ago
Hi, my users do not want to use the Cognito Hosted UI for logging in and prefer to authenticate with a custom API Gateway endpoint. We thought it was working fine, but when we try to secure a different API Gateway endpoint, we do not have the scopes that will validate when using the access_token. I have tried the .NET SDK InitiateAuthAsync call and I am also trying raw HTTP calls to the oauth2/token endpoint "https://{our domain}.auth.us-east-1.amazoncognito.com/oauth2/token". The InitiateAuthAsync only returns the scope "scope": "aws.cognito.signin.user.admin", and the OAuth endpoint does not allow the password grant type according to this web page: https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
0 answers | 0 votes | 43 views | asked a month ago
Is there a way to set up alerts on WAF rules when BLOCKS from a certain rule cross a minimum threshold? Please advise, then we shall discuss implementation.
1 answer | 0 votes | 34 views | asked a month ago
We have API Gateway deployed in account A and want to send Access Logs to a Firehose in account B so all auditing services and billing are separated. But after the Firehose ARN from account B was set in API Gateway, we are getting the error "Invalid ARN specified in the request. ARN must belong to account A and region should be X". Is it possible that we are missing some permission configuration here? Or is it just that API Gateway does not have the option to send Access Logs to another account?
2 answers | 0 votes | 36 views | asked a month ago
Hello, since a couple of days ago all of my datasets in QuickSight with a connection to Salesforce won't refresh anymore. The error message states that the OAuth token is not valid anymore, but so far I haven't found a solution to refresh it. The QuickSight user manual says that you can't edit a Salesforce connection. In one of my attempts to fix this problem I recreated the data source and logged in to Salesforce again. That worked for a couple of days until the OAuth token expired again. I also set the following settings in the Salesforce OAuth settings:
- Permitted Users: All users may self-authorize
- IP Relaxation: Relax IP restrictions
- Refresh Token Policy: Refresh token is valid until revoked
0 answers | 0 votes | 15 views | samelka | asked 2 months ago
I want to restrict uploads to a specific IP address while using AWS POST policies. How can this be done, and if it can't, what are the alternatives?
2 answers | 0 votes | 35 views | asked 2 months ago
Currently I am unable to delete a VPC Endpoint Service due to an inbound VPC Endpoint from another account which I don't control. Is there any way to a) revoke the Endpoint permissions and make the Endpoint connection go away, or b) force deletion of the VPC Endpoint Service in my account?
1 answer | 0 votes | 23 views | AlexR | asked 2 months ago
Hi, I would like to get in contact with your Vulnerability Management Solution (AWS Inspector) team or the manager/executive person responsible for making the purchase decision for the same. Reason: I have created software to find the remediation information directly from NVD for multiple CVEs all at once. This will reduce MTTR - Mean Time To Remediate - from weeks/months to just a few minutes/days for your clients, help you improve your vulnerability management solution, attract new customers and therefore increase your revenue. The problem with the current Vulnerability Management Solution: CVE remediation information is either missing, very complicated to act upon or stated as None Provided, even though the remediation exists according to NVD. Also, it is extremely painful for a Security Analyst to spend countless hours researching and grabbing this information to fix their CVEs. I have created software that fixes this issue and I want to sell my software to you (AWS). Please let me know if you are interested. Thanks
0 answers | 0 votes | 28 views | asked 2 months ago