Questions tagged [aws]
Amazon Web Services (AWS) are a set of cloud services offered by Amazon.
283 questions
2 votes · 0 answers · 18 views
Why is presence of SPN on an account causing Kerberos "failed to decrypt" error (KRB_AP_ERR_MODIFIED)
I am in a corporate environment with on-premises AD on the company.com domain.
We have an AWS VPC hosting some .Net APIs in IIS - the domain these are in is companycloud.com. These APIs are all on the ...
0 votes · 0 answers · 31 views
Can non-rotatable secrets be stored in ciphertext form in a DB/file/etc.?
We have a service running on AWS. This service uses secrets such as API keys of third-party services (in other words: secrets which do not rotate automatically). These secrets are stored in AWS ...
1 vote · 0 answers · 23 views
How to manage temporary AWS credentials for on-premises Kubernetes clusters?
We have several on-premises Kubernetes clusters that need to utilize AWS services. Currently, we use traditional IAM Users with static credentials, but we recognize this is a bad practice. We want to ...
1 vote · 1 answer · 126 views
Why does AWS strongly recommend a non-self-signed, code-signing certificate?
I am developing a hardware device that utilizes AWS IoT OTA via FreeRTOS. On this AWS web page, it says
We recommend that you purchase a code-signing certificate from a
company with a good ...
0 votes · 1 answer · 88 views
How do AWS "Pod Identities" compare to (OIDC) IRSA?
In Kubernetes clusters, we often wish to provide temporary credentials to the containerised processes running in a particular pod, usually marked by associating the pod with a service account.
...
0 votes · 0 answers · 75 views
AWS Key stolen out of Github Actions / Secret Store
Do you have an idea how my AWS credentials could be stolen in the following setup:
A 4-week-old GitHub organization with 5 repositories & AWS Account
AWS CI User Credentials with Administration ...
1 vote · 0 answers · 41 views
Google SAML auth not working through APP tile but works with direct link
We've recently migrated from Okta to Google for work for AWS authentication.
Our Amazon org authentication is set up through IAM Identity Center. It was working flawlessly using Okta but since we ...
0 votes · 0 answers · 96 views
AWS IoT - Use a temporary certificate created at build time to authenticate a device for self-enrolment
Let's say we produce IoT devices and want them to access AWS IoT Core.
The best solution is something like: every device has a (unique) private key and a public X.509 certificate signed by a valid ...
2 votes · 0 answers · 119 views
How are companies automatically rotating secrets such as API keys?
We currently rotate AWS-specific secrets via AWS Secrets Manager without much issue. However, we are looking to also rotate secrets e.g. API keys for specific services, but AWS Secrets Manager does ...
1 vote · 1 answer · 125 views
Why is IP forwarding for an ECS instance being flagged as a vulnerability?
I am very new to this and was asked to address some security patches on various EC2 instances in our AWS account. Mostly this was a matter of using the Security Manager to connect to the instance and ...
0 votes · 0 answers · 94 views
Risk for a public RDS database on AWS
I have an RDS database on a VPC which is public with a password.
I have some Lambda functions (that are not in a VPC) that communicate with this database. To be able to do that I had to modify the ...
3 votes · 1 answer · 448 views
How dangerous is disabling PHPHighRiskMethodsVariables_BODY from the AWS ACLs?
Problem
Users in my application are being blocked (by the AWS WAF) from uploading files with certain names. In the specific case I am trying to solve, the problematic string is .* System (.*).*.
...
0 votes · 0 answers · 82 views
Is it risky to include .env files in the .zip which is uploaded to Elastic Beanstalk for deployment? If so, what is the risk?
Is it okay to upload .env files containing client ID and client secret to Elastic Beanstalk? If not, what is the risk involved? How would one access those files?
2 votes · 1 answer · 625 views
Public client or Confidential client: should I generate a client secret?
I've read about this but I don't fully understand how to choose.
I have two options:
Public client
"A native, browser or mobile-device app. Cognito API requests are made from user systems that ...
0 votes · 1 answer · 115 views
Does using Apache/nginx actually improve security of a webapp?
Let's say there is a webapp where users can upload files with sensitive data and view analytics generated by the backend. Does using a reverse proxy like nginx or Apache actually help with the ...