Questions tagged [amazon]

75 questions
44 votes, 8 answers

Amazon let me place an order without me ever being asked for 3-D secure password

I have set a "3-d secure password" for my debit card, on my bank's website. But when I purchased something in amazon.co.uk, I went through the whole process without ever being asked for that 3D password. I was asked for a card number and its…
Stefan Monov
23 votes, 2 answers

Why is Amazon's home page not encrypted?

I've been working on my very first web application and I usually refer to Amazon.com as my role model. I'm very interested in deploying my web application with SSL/TLS. However, there is one thing that I can't understand. Why isn't Amazon's home…
T.O
20 votes, 2 answers

Keeping AWS account ID secret

Must my AWS account ID be kept secret? Can anything at all be done using just the AWS account ID? From the AWS documentation: The AWS account ID is a 12-digit number, such as 123456789012, that you use to construct Amazon Resource Names (ARNs).…
12 votes, 1 answer

Why is EC2 not vulnerable to VENOM?

I saw the advisory stating that EC2 instances are not vulnerable to VENOM. My understanding is that EC2 runs on Xen, and that VENOM affects XEN. Can anyone explain why EC2 is not vulnerable? Do they remove the floppy drive emulation? Or did they…
pkaeding
12 votes, 8 answers

Is this "security update" from security-update@amazon.com an advanced phishing scam or a real security measure from Amazon?

I just got either a helpful security update from Amazon or an advanced phishing attempt by an Amazon impersonator falsifying the email origin. The title is "Your Amazon password has been changed". There seem to be mixed claims about the validity of…
J.Todd
12 votes, 1 answer

Can personnel who manage AWS datacenters access my ec2 instances and monitor data in use in my application?

I am building an Express (NodeJS) app and plan to host with AWS ec2. I want to protect my users' data as much as possible and am considering even outlier scenarios. And so the question arose: The ec2 instances are physically managed in some Amazon…
ryd3r
7 votes, 2 answers

What are the compliance requirements or standards for a non-US firm hosting personal data in the US?

I work for a head hunting company with offices in Canada and Asia. We migrated our custom built CRM system from our own servers hosted in Japan to an Amazon hosting service meaning that all our data is now held on Amazon servers in the US. Data…
5 votes, 3 answers

ASUS RT-AC68 login page is redirecting to some Amazonaws page?

Has my ASUS router been hacked or just glitchy? When I tried to login to 'router.asus.com' it would redirect to "[censored just in case].us-west-2.compute.amazonaws.com/find/device.html" and it said that I would have to connect to the router…
user3272992
5 votes, 3 answers

How to make S3 Presigned url single use only?

Issue: I have a presigned url which is valid for 15 minutes. Upload can be initiated any number of times if the presigned url is captured in this time frame. I want to make an S3 presigned url for upload as secure as possible, so that uploaded file…
5 votes, 2 answers

Why does Ubuntu make requests to these Amazon EC2 IPs at startup?

Each time I bootup and login to Ubuntu 16.04, and before I launch any software/browser, I watch in Wireshark that Ubuntu has some requests to and from these IPs: 54.173.79.111 54.231.40.234 Whois suggests they are Amazon EC2. I know Ubuntu…
fpghost
5 votes, 2 answers

AWS declined to give me details on Multi-Factor Authentication reset procedure

I asked AWS: How do I recover access to AWS Account in case I lost device with Google Authenticator installed? In case my email was hacked, what will prevent hacker from removing MFA? Their answer essentially…
Oleg M
5 votes, 2 answers

Security mechanism differences between Google and Amazon APIs

Does anyone know why Google and Amazon (AWS)'s API have such different ways to deal with security? For example, Google has a simple API key which you can revoke at any time, while Amazon has this public/secret key mechanism in addition to a complex…
5 votes, 1 answer

Why would Amazon include an already trusted Root CA in the bug report they filed to get into Mozilla's truststore?

Amazon will soon be a trusted Root CA. To this end Mozilla Bug #1172401 was filed a while back to get into Mozilla's trust store. Along with 4 of their own Root CAs they've included a fifth one (Starfield Services Root Certificate Authority - G2) to…
4 votes, 1 answer

How is a bad actor able to disable Amazon's 2-step verification without supplying a OTP?

My wife's Amazon account was hacked yesterday. She discovered the purchases, changed her password to both gmail and Amazon, and enabled Amazon's 2-step verification (2FA) through SMS on her phone and figured the matter was done. However 3 times now…
Mordred
4 votes, 2 answers

Minimum required processes with open ports on AWS?

I recently started an AWS box to be used for a public web site and it seems to have the following ports open... I was long ago convinced that it's a good idea to minimize the attack surface on any box by shutting down anything not actually needed,…
Gus