Questions tagged [amazon]
The amazon tag has no usage guidance.
74 questions
1 vote · 1 answer · 173 views
Can I escalate my privileges if I have read-write access to IAM service in AWS?
We are trying to convince folks in our company to grant developers full privileges to all services in "dev" account (current policy does not allow developers to create anything in our AWS ...
1 vote · 2 answers · 461 views
How to manage Encryption Key for Server Side Encryption in AWS S3
I need to encrypt personal data like email, phone number, etc. I am using AWS KMS for managing the encryption keys. The system that is already implemented is as follows:
All the existing data ...
1 vote · 2 answers · 3k views
Amazon AWS S3 Unrestricted File Upload
While I was pentesting a web application, I found out that files that are uploaded to the web application are stored in an AWS S3 instance. Based on my experience, when a web application needs to ...
1 vote · 0 answers · 100 views
Enforce user to set Mfa before using services he's allowed to use [closed]
There is an answer to this question at this link.
Is there a better way, a more automated way, instead of making the user go in the console and look for how to manage the authenticator?
What happens ...
1 vote · 1 answer · 1k views
Is the Amazon S3 Pre-Signed URL protected from brute force attack?
I want to know whether an Amazon S3 Pre-Signed URL is protected from brute force attack.
For example, if I am the only person who knows the Pre-signed URL, is it extremely unlikely that somebody uses ...
1 vote · 1 answer · 2k views
Cutting down phishing attacks from AmazonSES
I am trying to work on cutting down on the amount of spam, phishing, and malicious emails coming through via AmazonSES burners.
Has anyone devised a method or certain IOCs to block on?
1 vote · 1 answer · 292 views
Does this official "Enforce MFA" AWS policy make any sense?
At https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/ AWS officially recommends having this policy
{
"Sid": "...
0 votes · 2 answers · 2k views
How might this Amazon account hack occur?
My mother recently had her Amazon account (buyer, not seller) hacked. She is not a security expert but does work in database management, so she is definitely not computer illiterate. I am also not a ...
0 votes · 3 answers · 5k views
Did I fall for an Amazon scam? (Amazon Photos Credit)
So just 30 minutes ago, I was looking through some emails that ended up in my scam, and as usual there are amazon emails with recommendations based on past purchases and stuff like that. Then there is ...
6 votes · 1 answer · 2k views
How is a bad actor able to disable Amazon's 2-step verification without supplying a OTP?
My wife's Amazon account was hacked yesterday. She discovered the purchases, changed her password to both gmail and Amazon, and enabled Amazon's 2-step verification (2FA) through SMS on her phone and ...
3 votes · 2 answers · 6k views
Why is my computer connected to amazon instances
When I run the command netstat -a to see the actual connections on my computer, I see all the time that my computer is connected to something like this ec2-xx-xx-xx-xx, not just one address it changes ...
5 votes · 3 answers · 11k views
How to make S3 Presigned url single use only?
Issue: I have a presigned url which is valid for 15 minutes. Upload can be initiated any number of times if the presigned url is captured in this time frame.
I want to make an S3 presigned url for ...
1 vote · 1 answer · 236 views
Has it been proven, that Google Home & Alexa do not record before their respective key phrases?
The way Alexa & Google Home should work is that they listen for a specific trigger word, after which they start sending data to their servers.
However, there have been some court cases, in which ...
0 votes · 1 answer · 598 views
Why does Amazon verify a TLS certificate?
Show site information, then Connection for https://support.mozilla.org indicates Verified by: Amazon
Why is this? Is Amazon spying on me?
0 votes · 1 answer · 874 views
Is amazon.com allowing authentication based on browser cookies only?
So I found out a couple of days ago that amazon.com has changed its behavior when trying to make a purchase. For years and up until recently, I could open a browser, log into amazon, close the browser....
0 votes · 0 answers · 120 views
Why was I not asked for CVV in amazon.com for my debit card? [duplicate]
I ordered some items on amazon.com. Payment mode was through Mastercard debit and I was not asked for CVV. This is the first time I added the debit card, though I initially had my credit card details ...
2 votes · 1 answer · 409 views
What would be required to monitor Amazon Alexa traffic?
I had this interaction with a friend's robot today:
"Alexa, are you spying on me?"
"I only send audio data back to Amazon when I hear you say the wake word."
If I wanted to ...
3 votes · 1 answer · 513 views
AWS Flowlog for Private Subnet Showing Routable IP's
When reviewing Flowlogs for a host on a private subnet in an AWS VPC, I see that routable IP addresses are being rejected. How is that possible? I expect IP addresses from the private subnet could be ...
0 votes · 2 answers · 2k views
Blind SQL Injection on Amazon RDS
I found a vulnerability which allows me to run any query on an Amazon RDS server. I was able to extract the user hashes by using the --passwords parameter of sqlmap, and one of the hashes was cracked ...
0 votes · 1 answer · 162 views
How to fix AWS security hole ALAS-2018-1045?
I am researching about the security hole CVE-2018-12020 and learned that you need to update to min version 2.2.8 to fix the issue.
I need to fix this for my EC2. I read information from this official ...
21 votes · 2 answers · 11k views
Keeping AWS account ID secret
Must my AWS account ID be kept secret? Can anything at all be done using just the AWS account ID?
From the AWS documentation:
The AWS account ID is a 12-digit number, such as 123456789012, that ...
1 vote · 1 answer · 928 views
What are the risks of placing Amazon Resource Names (ARNs) in VCS repositories?
Amazon Resource Names (ARNs) uniquely identify AWS resources. Amazon requires an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational ...
4 votes · 1 answer · 6k views
Amazon AWS KMS - Concept of signing in general and with JWT
Looking into Amazon AWS KMS (Key Management System).
Got confused since the methods exposed via Amazon AWS API are only to encrypt and decrypt (https://docs.aws.amazon.com/kms/latest/APIReference/...
1 vote · 1 answer · 821 views
Setting up linux to be SOC 2 compliant
We are setting up AWS servers to become SOC 2 compliant; to do that we need to discontinue support for the identified cipher suites and TLS 1.0.
As I understand it, we need to leave only these suites
...
3 votes · 1 answer · 720 views
Why http request signatures are useful? [closed]
Please provide pros of signing http api requests.
For instance, Amazon requires requests to their web APIs be signed.
If traffic is not encrypted, then a signature can prove your identity as a secret ...
3 votes · 2 answers · 457 views
Are Amazon AWS instanceIds security sensitive?
For troubleshooting, it's useful to include HTTP response headers that indicate proxy and backend EC2 instance ids, such as:
X-Backend: i-8af67c92e0f3d89b6b
X-Via: i-5b8146e7102940c75b-us-east-2b
Is ...
44 votes · 8 answers · 32k views
Amazon let me place an order without me ever being asked for 3-D secure password
I have set a "3-d secure password" for my debit card, on my bank's website. But when I purchased something in amazon.co.uk, I went through the whole process without ever being asked for that 3D ...
1 vote · 2 answers · 587 views
Email SPF record integrity
I have been reviewing my company's SPF record with a number of our SAAS providers.
One service advised me to use 'include:amazonses.com' in my record to allow emails to be validated.
I am rather ...
0 votes · 2 answers · 251 views
Is Amazon Prime DRM able to scan a LAN for devices and services? [closed]
My company has signed up for Amazon Prime to watch some videos. They were asked to enable Amazon Prime DRM. Will this open up a security hole in our LAN?
I am worried that they could start scanning ...
0 votes · 2 answers · 1k views
Looking for a CIS Benchmark Tool to run against Amazon Linux 2016.09
I have been tasked with ensuring the CIS Benchmark on Amazon Linux 2016.09.
Does anyone know of an examination tool that will output the difference between the current and the benchmark?
...
1 vote · 1 answer · 1k views
Do AWS and GAE use DMZ?
The system I am working on primarily uses Google App Engine for my main web app and Amazon Cloudfront/S3 for hosting static data.
Now as an audit exercise this question is out to me:
Are the ...
1 vote · 0 answers · 123 views
What is Amazon's S3 template and can it be exploited?
I'm trying to make a vpn on CloudFormation following this guide. It's telling me to use the template given here. I'm not familiar with what an S3 template does and whether I should trust this guide ...
3 votes · 1 answer · 981 views
OpenSSL version causes PCI Compliance failure
We have a client on AMI Linux (Amazon), which is currently using OpenSSL 1.0.1k-15.99.
As far as I can tell Amazon is very good about backporting security patches as per this page: https://alas.aws....
1 vote · 1 answer · 222 views
Network address (DNS) translation on Amazon Web Services (Ec2)
I am trying to figure out better ways to practice my computer defense/ infosec skills. If someone was to set up a honeypot (e.g., MHN) on AWS/EC2 server and then try to launch attacks from a local ...
3 votes · 1 answer · 1k views
Amazon Echo/Dot on your network
I have been tasked with coming up with if we should or should not allow Amazon Echo/Dot devices on our network.
Below are the reasons I have come up with so far. This is still the rough list.
The ...
1 vote · 1 answer · 452 views
Open SFTP on the main server - the safe way?
We need to open an SFTP to allow some of our clients to upload files to our server. As I see it right now, there are two options:
Open SFTP on our main server with restrictions (directory, user, size,...
2 votes · 3 answers · 6k views
How to get a SSL Certificate for a public IP
I am using Amazon's EC2 to host my RDS database. I access the database via http calls to the EC2 instance, which in turn contacts the database. I would like to use https instead to allow for a more ...
6 votes · 2 answers · 549 views
Why does Ubuntu make requests to these Amazon EC2 IPs at startup?
Each time I boot up and log in to Ubuntu 16.04, and before I launch any software/browser, I watch in Wireshark that Ubuntu has some requests to and from these IPs:
54.173.79.111
54.231.40.234
Whois ...
0 votes · 2 answers · 366 views
Best way to use http get with php server for mobile app
I am using an http server on Amazon Web Services running php and connecting to an RDS DB, also on AWS.
I am sending GET requests to the server to get Information.
The requests don't contain any private ...
5 votes · 2 answers · 435 views
AWS declined to give me details on Multi-Factor Authentication reset procedure
I asked AWS:
How do I recover access to AWS Account in case I lost device with Google Authenticator installed?
In case my email was hacked, what will prevent a hacker from removing MFA?
Their answer ...
8 votes · 1 answer · 8k views
Why can't I delete the default AWS security group?
There are no inbound nor outbound rules. It's an empty group. What use does it serve?
1 vote · 2 answers · 762 views
CISecurity AMI EC2 Amazon
We are moving our on-premise infrastructure to Amazon and I'm trying to follow this document to increase the security of our ec2 instances:
CISecurity Benchmark for Amazon Linux
In the document, it'...
4 votes · 2 answers · 2k views
Minimum required processes with open ports on AWS?
I recently started an AWS box to be used for a public web site and it seems to have the following ports open... I was long ago convinced that it's a good idea to minimize the attack surface on any box ...
1 vote · 1 answer · 1k views
Cross-Device-Tracking on Facebook with partners like Amazon
I have a question regarding cross-device-tracking, especially on facebook. I'm interested in how this is done and I'm a bit concerned about my privacy.
Yesterday I surfed on amazon (logged in with my ...
6 votes · 2 answers · 519 views
Security mechanism differences between Google and Amazon APIs
Does anyone know why Google and Amazon (AWS)'s API have such different ways to deal with security? For example, Google has a simple API key which you can revoke at any time, while Amazon has this ...
0 votes · 0 answers · 131 views
I have to send my broken Tablet back, what should I do with my data?
The display of my Fire Tablet is broken, so I cannot do anything on the device. A member of support told me, when I remove the Tablet from my Amazon account via web browser, all data will be removed. ...
1 vote · 1 answer · 139 views
How can I protect myself from one of my AWS EC2 instances being subverted and creating other instances?
I'm running a custom server program on a free tier EC2 instance. I'm not a security professional, so while I've taken every step I know how to secure my software, it's very likely that there's some ...
12 votes · 8 answers · 52k views
Is this "security update" from [email protected] an advanced phishing scam or a real security measure from Amazon?
I just got either a helpful security update from Amazon or an advanced phishing attempt by an Amazon impersonator falsifying the email origin. The title is "Your Amazon password has been changed".
...
0 votes · 1 answer · 260 views
MySQL database (non-SSL) connections secured via origin/destination IPs, how unsafe are they?
I am testing an Amazon RDS MySQL solution: the database is provided by Amazon RDS but the application logic (php scripts) that accesses the data is hosted in another, different (non-amazon) server.
...
2 votes · 1 answer · 594 views
Amazon RDS MySQL SSL connection, is the password sent in clear?
I am testing Amazon RDS MySQL and I want to connect to MySQL instance using SSL. It works pretty well, but there is something that is not clear to me: reading the FAQs (https://aws.amazon.com/rds/faqs/...