Questions tagged with Security


On reviewing [this page](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) for Application Load Balancers, it states that Security Policies `ELBSecurityPolicy-2015-05` and `ELBSecurityPolicy-2016-08` are identical. However upon checking the output of `aws elbv2 describe-ssl-policies` for `ELBSecurityPolicy-2015-05` and `ELBSecurityPolicy-2016-08`, they are not identical. `ELBSecurityPolicy-2015-05` has an additional cipher, `DHE-RSA-AES128-SHA`, that is not present in the output for `aws elbv2 describe-ssl-policies ELBSecurityPolicy-2016-08`. Do the docs need to be updated?
1 answer, 0 votes, 30 views
Rachel
asked 5 days ago
Hello, I've gone through these AWS docs regarding securing API Gateways using mTLS, which have you create your own CA, cert, key, etc., sign it and then create the PEM that is used alongside the truststore for mTLS: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/ That all works great... between my development laptop and my API Gateway. Now I'm trying to get Amplify involved in the scenario. I've read elsewhere in the AWS docs, on a deep hunt one night, that Amplify is a service that mTLS can be used with. The end goal is to protect a critical API that absolutely cannot withstand abuse. mTLS seems like a good way to do this. How exactly do I go about replicating the development machine steps that worked to lock down the gateway with Amplify instead of just my local machine? Is the path through using this PEM/key I created with my Amplify site's code (this is self-signed, isn't it?), or do I need to gather the Amplify site's truststore/key and use that? Not really clear on how to proceed. Thanks!
1 answer, 0 votes, 20 views
oggie
asked 7 days ago
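As an added example (not code from the post above, the AWS blog it links, or any AWS project), the following script builds the material the blog's procedure describes: a private CA, a client certificate signed by that CA, and the truststore PEM (the CA certificate bundle that API Gateway reads from S3). It then checks which client certificates that truststore accepts, so you can see that it is the CA certificate, not the client's certificate, that goes in the truststore, and that a certificate issued by anyone else is rejected. It needs only the `openssl` CLI; all names, the `--demo` flag and the temporary directory layout are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the post above or from AWS): build the mTLS material API
# Gateway expects and test what the resulting truststore accepts. Requires openssl.
set -e

# Create a CA key/cert, a client key/cert signed by it, the truststore bundle, and a
# self-signed "rogue" client certificate, all under directory $1.
make_mtls_material() {
    dir=$1
    mkdir -p "$dir"
    # Private CA: self-signed root. Its certificate, not the client's, is the truststore.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Client key and CSR, then sign the CSR with the CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=api-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null
    # Truststore = PEM bundle of the CA certificate(s); this is the file uploaded to
    # S3 and referenced by the API Gateway custom domain's mTLS configuration.
    cat "$dir/ca.pem" > "$dir/truststore.pem"
    # A self-signed certificate from a third party: must NOT be accepted.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=rogue-client" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.pem" 2>/dev/null
}

# Return 0 if certificate $2 chains to a CA in truststore $1, non-zero otherwise.
# This is the same check the gateway performs on the certificate a client presents.
truststore_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: sh mtls-material.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_mtls_material "$d"
    for c in client rogue; do
        if truststore_accepts "$d/truststore.pem" "$d/$c.pem"; then
            echo "$c.pem: accepted by truststore"
        else
            echo "$c.pem: rejected by truststore"
        fi
    done
    echo "material written to $d"
fi
```

The client private key (`client.key`) is what must stay with whatever calls the API; a certificate whose key is shipped to browsers inside a hosted site's code is not a secret any more, so the check above only protects the API as long as the key it validates against is held by a trusted caller.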
Is it possible to use CodeGuru only for performing security scans/checks? Though CodeGuru provides other scans, I am interested in using CodeGuru only for security scans. Does AWS provide such a facility?
2 answers, 0 votes, 15 views
asked 7 days ago
Is it possible to configure an IAM policy that allows another "user/service account" to create a policy that allows another user to use/consume a particular service only and no other resources? Is there a way to achieve this goal? Example: User XYZ creates a policy to allow user ABC to create a policy that allows managing SQS resources within the policy created by User ABC.
1 answer, 0 votes, 13 views
AWS
asked 8 days ago
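As an added example (not code from the question above and not an AWS-provided snippet), this script shows the IAM permissions boundary pattern that fits the scenario: XYZ defines a boundary policy allowing only SQS, and grants ABC the right to create users and policies only when those users carry that boundary, while denying ABC any way to edit or remove it. Whatever ABC then grants, the effective permissions of a user ABC creates are capped at the boundary. The account ID `123456789012`, the policy names, the `/delegated/` path convention and the `--apply` flag are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the question above): delegate "may only grant SQS" with an
# IAM permissions boundary. Account ID, names and paths are placeholders.
ACCOUNT_ID=${ACCOUNT_ID:-123456789012}
BOUNDARY_ARN="arn:aws:iam::$ACCOUNT_ID:policy/SQSOnlyBoundary"

# The boundary: the ceiling for any user it is attached to. A user's effective
# permissions are the intersection of its policies and this document.
boundary_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "sqs:*", "Resource": "*" }
  ]
}
EOF
}

# What user ABC receives: may write policies under /delegated/, may create and
# manage users under /delegated/ only if they carry the boundary, and can never
# weaken or detach the boundary itself.
delegated_admin_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "WritePoliciesUnderDelegatedPath",
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicy",
                 "iam:DeletePolicyVersion", "iam:GetPolicy", "iam:GetPolicyVersion",
                 "iam:ListPolicies", "iam:ListPolicyVersions"],
      "Resource": "arn:aws:iam::$ACCOUNT_ID:policy/delegated/*" },
    { "Sid": "ManageUsersOnlyWithBoundary",
      "Effect": "Allow",
      "Action": ["iam:CreateUser", "iam:AttachUserPolicy", "iam:DetachUserPolicy",
                 "iam:PutUserPolicy", "iam:DeleteUserPolicy", "iam:PutUserPermissionsBoundary"],
      "Resource": "arn:aws:iam::$ACCOUNT_ID:user/delegated/*",
      "Condition": { "StringEquals": { "iam:PermissionsBoundary": "$BOUNDARY_ARN" } } },
    { "Sid": "NeverEditTheBoundary",
      "Effect": "Deny",
      "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                 "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
      "Resource": "$BOUNDARY_ARN" },
    { "Sid": "NeverRemoveTheBoundary",
      "Effect": "Deny",
      "Action": "iam:DeleteUserPermissionsBoundary",
      "Resource": "*" }
  ]
}
EOF
}

# Real deployment (needs XYZ's credentials; not run here): create both policies and
# attach the delegated-admin policy to ABC. ABC then creates users with
#   aws iam create-user --user-name worker --path /delegated/ --permissions-boundary "$BOUNDARY_ARN"
# and any policy ABC attaches to them is capped at sqs:*.
apply_policies() {
    aws iam create-policy --policy-name SQSOnlyBoundary \
        --policy-document "$(boundary_policy)"
    aws iam create-policy --policy-name DelegatedSqsAdmin \
        --policy-document "$(delegated_admin_policy)"
    aws iam attach-user-policy --user-name ABC \
        --policy-arn "arn:aws:iam::$ACCOUNT_ID:policy/DelegatedSqsAdmin"
}

# Usage: sh delegate-sqs.sh           prints both policy documents
#        sh delegate-sqs.sh --apply   creates them in the account
case "${1:-}" in
    --apply) apply_policies ;;
    "")      boundary_policy; delegated_admin_policy ;;
esac
```

The boundary only caps users that carry it, which is why the allow statement for user management is conditioned on `iam:PermissionsBoundary` and why the explicit denies exist: without them ABC could publish a new default version of `SQSOnlyBoundary` that allows everything.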
Hi, this might be a basic question, but I can't understand what the topology would look like. "You can place a network interface on each of your web servers that connects to a mid-tier network where an application server resides. The application server can also be dual-homed to a backend network (subnet) where the database server resides. Instead of routing network packets through the dual-homed instances, each dual-homed instance receives and processes requests on the front end, initiates a connection to the backend, and then sends requests to the servers on the backend network." Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/scenarios-enis.html Please shed some light. Thank you.
2 answers, 0 votes, 24 views
Aman
asked 9 days ago
On reviewing [this page](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) for Application Load Balancers, it states that Security Policies `ELBSecurityPolicy-2015-05` and `ELBSecurityPolicy-2016-08` are identical. However in the table on [this page](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) for Classic Load Balancers, Security Policy `2015-05` has an additional Cipher, `DES-CBC3-SHA`, that is not listed as being present in Security Policy `2016-08`. Are the Security Policies offered for Application and Classic Load Balancers different, or is there a mistake in documenting them on one of these pages?
2 answers, 0 votes, 32 views
Rachel
asked 10 days ago
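Both questions above (the `DHE-RSA-AES128-SHA` difference seen in `aws elbv2 describe-ssl-policies`, and the `DES-CBC3-SHA` difference in the Classic Load Balancer table) come down to diffing two cipher lists. As an added example, not code from either post or from AWS, the script below does that diff and classifies each cipher that only one policy offers, so the result also says whether the extra suite matters (3DES or a CBC suite versus an AEAD suite with forward secrecy). The cipher lists it writes for its stand-alone run are constructed sample data, not the real contents of either policy; feed it real lists with the `aws elbv2` command shown in the comment.

```shell
#!/bin/sh
# Added example (not from the questions above, not AWS code): diff the cipher suites
# of two ELB security policies and classify what differs.
# One-cipher-per-line input from the real policies:
#   aws elbv2 describe-ssl-policies --names ELBSecurityPolicy-2015-05 \
#       --query 'SslPolicies[0].Ciphers[].Name' --output text | tr '\t' '\n' > policy-a.txt
# The lists written by make_sample_lists are constructed, NOT the real policies.
export LC_ALL=C   # sort and comm must agree on collation

# Print ciphers present in list $1 but absent from list $2, one per line.
ciphers_only_in_first() {
    a=$(mktemp); b=$(mktemp)
    sort -u "$1" > "$a"
    sort -u "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Rough classification by OpenSSL suite name (the naming ELB policies use).
cipher_class() {
    case "$1" in
        *DES-CBC3*|*RC4*|*MD5*)      echo "weak" ;;         # 3DES, RC4 or MD5
        ECDHE-*GCM*|ECDHE-*CHACHA20*|DHE-*GCM*|DHE-*CHACHA20*)
                                     echo "modern" ;;       # AEAD with forward secrecy
        *GCM*|*CHACHA20*)            echo "aead-no-pfs" ;;  # AEAD, static RSA key exchange
        *)                           echo "cbc" ;;          # CBC mode with an HMAC
    esac
}

# Print "cipher<TAB>class" for every cipher that only the first policy offers.
report_extra_ciphers() {
    ciphers_only_in_first "$1" "$2" | while IFS= read -r c; do
        printf '%s\t%s\n' "$c" "$(cipher_class "$c")"
    done
}

# Constructed sample lists (not the real policies) written into directory $1.
make_sample_lists() {
    mkdir -p "$1"
    printf '%s\n' ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 \
        ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA \
        DHE-RSA-AES128-SHA DES-CBC3-SHA > "$1/policy-a.txt"
    printf '%s\n' ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 \
        ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA > "$1/policy-b.txt"
}

# Usage: sh elb-cipher-diff.sh policy-a.txt policy-b.txt   (no args: run on the sample)
if [ "$#" -eq 2 ]; then
    report_extra_ciphers "$1" "$2"
elif [ "$#" -eq 0 ]; then
    d=$(mktemp -d)
    make_sample_lists "$d"
    report_extra_ciphers "$d/policy-a.txt" "$d/policy-b.txt"
    rm -rf "$d"
fi
```

Run it in both directions (a b, then b a) to catch ciphers each side has that the other lacks; the ordering (priority) of ciphers is deliberately ignored, since a policy's cipher order is a separate question from its membership.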
Lightsail WordPress image under attack... help! I am new to AWS, so for one of my learning sessions I moved 10 WordPress sites from GoDaddy to AWS Lightsail WordPress instances. Within 24 hours I saw my /wp-admin/ under attack. Some of the sites are about 4 years old and never had one attack; now I don't know why, but they're under attack. Hundreds of IP addresses are trying to log in each night to /wp-admin/. Can someone please help me on how I can address this fast? I have a plugin that is blocking them one at a time, but is there anything I can do on the AWS side?
1 answer, 0 votes, 26 views
asked 10 days ago
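As an added example (not from the post above and not AWS or Bitnami code), the script below does the detection half of the problem: it reads an Apache access log, counts login attempts (POSTs to `wp-login.php` and `xmlrpc.php`, the two endpoints used for WordPress credential brute forcing) per source IP, and lists the IPs over a threshold. The log lines it generates for its stand-alone run are constructed; the path `/opt/bitnami/apache/logs/access_log` for the Lightsail Bitnami image is an assumption, and the threshold is a parameter you tune.

```shell
#!/bin/sh
# Added example (not from the post above): find IPs brute-forcing WordPress logins
# in an Apache combined-format access log. Sample lines are constructed; the log
# path for the Bitnami WordPress image is assumed to be
# /opt/bitnami/apache/logs/access_log.

# Print "count ip" for every IP with more than $2 (default 20) login POSTs in log $1,
# highest count first. Combined format: $1=ip $6="METHOD $7=path $8=protocol".
wp_login_offenders() {
    threshold=${2:-20}
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log written to file $1: one attacker, one real admin, one visitor.
make_sample_log() {
    : > "$1"
    i=1
    while [ "$i" -le 25 ]; do
        echo "203.0.113.7 - - [10/Oct/2023:03:14:$(printf '%02d' $((i % 60))) +0000] \"POST /wp-login.php HTTP/1.1\" 200 3476 \"-\" \"Mozilla/5.0\"" >> "$1"
        i=$((i + 1))
    done
    # The real administrator: loads the form (GET, not counted), then three POSTs.
    echo '198.51.100.9 - - [10/Oct/2023:08:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' >> "$1"
    i=1
    while [ "$i" -le 3 ]; do
        echo '198.51.100.9 - - [10/Oct/2023:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$1"
        i=$((i + 1))
    done
    echo '192.0.2.1 - - [10/Oct/2023:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 20480 "-" "curl/8.0"' >> "$1"
}

# Usage: sh wp-offenders.sh /opt/bitnami/apache/logs/access_log [threshold]
#        (no args: run on the constructed sample)
if [ "$#" -ge 1 ]; then
    wp_login_offenders "$1" "${2:-20}"
else
    f=$(mktemp)
    make_sample_log "$f"
    wp_login_offenders "$f" 10
    rm -f "$f"
fi
```

The IP list it prints is the input for whichever block you choose: the instance firewall, or an AWS WAF IP set if the site sits behind a load balancer or CloudFront distribution. Counting POSTs rather than all hits keeps the admin's own page loads out of the list.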
Hi everyone. Just got a quick question about AWS. In any Region I can launch an instance and have a dummy hello world website with basic code and get it to work:

```
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello World from $(hostname -f)</h1>" > /var/www/html/index.html
```

It works in all regions except for Africa (Cape Town, af-south-1). When I create it, it just tries to load. So I assumed it's a security group issue. I have checked security groups (even with a new security group) and have allowed HTTP in the inbound rules and have tried to compare to other regions' security groups, but the only thing I can think of is that I have to manually change it to have a public IP (in other regions this is set to public IP by default) and then it needs a subnet. No other regions need subnets. What else can I check? Thanks, Lionel
2 answers, 0 votes, 30 views
Leo
asked 10 days ago
Hello everyone, we found in Cost Explorer a large amount of data recorded in the metric USW2-NatGateway-Bytes in a single day: about 10 TB. This is absolutely unusual and I would like to find the source and destination of all this traffic. So I created a CloudWatch dashboard of all my EC2 instances and configured it with various parameters in hopes of finding something that would show the source of the problem. So far no parameter used has shed light on the issue and I still haven't figured out what happened. I would like your help to try to identify where all this traffic came from. Thank you!
2 answers, 0 votes, 36 views
asked 11 days ago
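As an added example (not from the post above and not AWS code), the script below answers "who sent the bytes" from VPC Flow Log records on the NAT gateway's network interface: it sums bytes per source/destination pair and prints the top talkers. It assumes flow logs were enabled for the VPC or that ENI during the day in question and that records are in the default format; the ENI ID `eni-0123456789abcdef0`, the log group name in the comment, and the records it writes for its stand-alone run are all constructed.

```shell
#!/bin/sh
# Added example (not from the post above): top source->destination pairs by bytes on
# a NAT gateway ENI from VPC Flow Log records. Records below are constructed.
# Pull real records with, for example:
#   aws logs filter-log-events --log-group-name /vpc/flow-logs \
#       --filter-pattern eni-0123456789abcdef0 --query 'events[].message' \
#       --output text | tr '\t' '\n' > nat-flows.txt

# Default flow-log record fields:
#  1 version  2 account-id  3 interface-id  4 srcaddr  5 dstaddr  6 srcport
#  7 dstport  8 protocol  9 packets  10 bytes  11 start  12 end  13 action  14 log-status
# Print "bytes<TAB>src -> dst" for ACCEPTed flows on ENI $1 in file $2, top $3 (default 10).
nat_top_talkers() {
    eni=$1; file=$2; limit=${3:-10}
    awk -v eni="$eni" '
        $3 == eni && $13 == "ACCEPT" { b[$4 " -> " $5] += $10 }
        END { for (k in b) printf "%.0f\t%s\n", b[k], k }
    ' "$file" | sort -rn | head -n "$limit"
}

# Constructed records written to file $1: one instance moving 8 GB through the NAT,
# one small flow, one rejected inbound probe, and a record on a different ENI.
make_sample_flow_log() {
    cat > "$1" <<'EOF'
2 123456789012 eni-0123456789abcdef0 10.0.1.5 52.0.0.1 49152 443 6 4000000 5000000000 1696900000 1696900600 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.5 52.0.0.1 49153 443 6 2500000 3000000000 1696900600 1696901200 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.9 13.0.0.2 49154 443 6 800 120000 1696900000 1696900600 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.4 10.0.1.9 5555 22 6 10 600 1696900000 1696900600 REJECT OK
2 123456789012 eni-0fedcba9876543210 10.0.2.7 10.0.1.5 33000 8080 6 5000 9000000 1696900000 1696900600 ACCEPT OK
EOF
}

# Usage: sh nat-top-talkers.sh eni-xxxxxxxx nat-flows.txt [limit]
#        (no args: run on the constructed sample)
if [ "$#" -ge 2 ]; then
    nat_top_talkers "$1" "$2" "${3:-10}"
else
    f=$(mktemp)
    make_sample_flow_log "$f"
    nat_top_talkers eni-0123456789abcdef0 "$f"
    rm -f "$f"
fi
```

The source address in each pair is the private IP of the instance that generated the traffic, which is the answer Cost Explorer and per-instance CloudWatch metrics cannot give on their own; if flow logs were not enabled at the time, there is no record to query and enabling them now only covers traffic from this point on.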
Hi, I am currently working on a college project for a company along with my batchmates. Our team has been provided client access to an AWS workspace but has been given only one user ID. How can we ensure that each member of the team can work on the code simultaneously while ensuring that this doesn't affect the work of the other individuals? Is there any way to duplicate the contents of this workspace and add users? Or can I add different users to the same workspace? Right now the issue is that since there is only one login credential, only one person can access the workspace at a time. Please suggest alternatives. Can we do something about this ourselves, or do we need to talk to the company which has the admin credentials?
3 answers, 0 votes, 42 views
Ak
asked 11 days ago
I'm trying to set up an authorization function for a specific request (here: topic subscription for push notifications). The function should be invoked any time someone calls the corresponding "function"/type. As far as I understand, the following code should set up a type that runs the authorization function:

```
type Mutation {
  subscribe(topic: String, subscription: String): String @aws_lambda(name: "isAuthorizedToSubscribe")
}
```

The *request mapping template* looks as follows:

```
{
  "version" : "2018-05-29",
  "operation": "PutItem",
  "key" : {
    "topic": { "S" : "$ctx.args.topic" },
    "subscription": $util.dynamodb.toDynamoDBJson($ctx.args.subscription)
  }
}
```

Lambda function `isAuthorizedToSubscribe`:

```
exports.handler = (event, context, callback) => {
  console.log("*** Authorization handler for subscription was called ***")
  return {isAuth: false}
}
```

Problem:
The Lambda function does not get called and the request always goes through.

Notes:
- The Lambda function `isAuthorizedToSubscribe` has the permission to be invoked by AppSync.
- This question is only about authorization for a call. It's not about authentication (which should be done earlier in the process via other measures (API key, Cognito, ...)).
- I also tried adding `"authorizationFunction": "cbe-trial2-push-isAuthorizedToSubscribe",` into the mapping template, but that resulted in `Unsupported element '$[authorizationFunction]'.` upon request.
Accepted answer. Tags: AWS AppSync, Security
1 answer, 0 votes, 31 views
Peter
asked 12 days ago
I have been looking for information but found nothing, and it is not clear whether the use of FIDO passwordless authentication on Apple and Android mobile devices in combination with Amazon Cognito is supported or not. If supported, references appreciated.
1 answer, 0 votes, 29 views
AWS
asked 15 days ago