Amazon Web Services (AWS) are a set of cloud services offered by Amazon.
Questions tagged [aws]
257 questions
34 votes, 4 answers
Is serverless code immune to DDoS attacks?
In classic hosting we have a virtual machine with limited resources allocated by hosting provider for running our web application. But with serverless code such as AWS Lambda or Azure Functions, our code is executed by hosting provider (Amazon or…
Mr. Engineer
28 votes, 3 answers
Pentesting against own web service hosted on 3rd party platform
I want to pentest websites and services programmed by our company, which is fine as long as we test it on our own infrastructure. What are the (legal) implications when pentesting our services once they have been deployed to other platforms like…
knipp
27 votes, 3 answers
Is an AWS "Access Key ID" a secret?
AWS's "Secret Key" is (obviously) a secret, but should an "Access Key" alone (without the corresponding secret key) be considered a secret too?
Daniel Serodio
26 votes, 13 answers
Is starting an AWS instance with only ssh to port 22 significantly insecure?
Unless someone has my private ssh key, how is leaving an aws instance open to 0.0.0.0 but only on port 22 via ssh insecure?
The ssh key would be distributed to a small set of people. I prefer to not need to indicate their source IP addresses in…
WestCoastProjects
23 votes, 2 answers
How critical is encryption-at-rest for public cloud hosted systems?
I work as a solutions architect for web-based systems on AWS. As part of this role, I often respond to Information Security questionnaires. Nearly all questionnaires request information about data encryption at-rest and in-transit. However only a…
jdog
23 votes, 4 answers
More than three domains hosted on the same IP address
Not on purpose, I did a reverse IP address lookup on my site, and it shows that there are three other websites hosted on my server, and now I'm worried.
My web is arturofm.com, and here is the…
Arturo
22 votes, 2 answers
How to use AWS KMS securely?
I am investigating using AWS KMS (Amazon Web Services Key Management Service) to decrypt an encrypted symmetric key (i.e: envelope encryption). However, to use the KMS, I need to pass it my amazon access key and secret key.
So I am no longer storing…
Vanita
20 votes, 2 answers
Keeping AWS account ID secret
Must my AWS account ID be kept secret? Can anything at all be done using just the AWS account ID?
From the AWS documentation:
The AWS account ID is a 12-digit number, such as 123456789012, that you use to construct Amazon Resource Names (ARNs).…
octothorpe_not_hashtag
16 votes, 2 answers
What is the threat model for AWS EBS volumes encryption?
AWS provides the ability to encrypt EBS volumes, the value of which I am wondering about. In the "Overview of Security Processes (October 2016)" whitepaper, page 24, they say:
Encryption of sensitive data is generally a good security practice,
…
Greendrake
12 votes, 1 answer
Hijacking stale DNS entry to point to your own website
Context and system configuration:
AWS EC2 instance with a public IP address
AWS Route53-managed DNS with a somesubdomain.somedomain.io pointing to the above IP address
Above AWS EC2 instance was not running all the time, it was stopped most of the…
automatictester
12 votes, 2 answers
AWS Security - Dev Test Staging Production Environments
Right now all our systems are in a traditional data center and traditional network topology.
We're planning to migrate to AWS and in doing so we're trying to figure out how to implement our dev/test/staging/production environments. Should we:
1)…
Brad
12 votes, 2 answers
Best practices for managing AWS EC2 Key Pairs
Our organization uses Amazon Web Services (AWS), and we have multiple EC2 instances running in different subnets (VPCs) for different clients. Our application is in development and we need to remote (SSH or RDP) into these instances.
EC2…
Lemonseed
11 votes, 1 answer
Does the TLS 1.0 support on CloudFront create a vulnerability when only TLS 1.2 is enabled on the Origin side?
We currently host our website on AWS with CloudFront.
CloudFront currently does not support disabling TLS 1.0 or 1.1 on the Viewer side. It only provides support for limiting access to TLS 1.2 on the Origin side.
I have also limited access to only…
Charles Green
10 votes, 2 answers
Is there any risk to enabling CORS with a wildcard on S3?
By default, Amazon S3 blocks cross-origin requests. However, it allows users the ability to set up per-bucket CORS policies. It offers fairly elaborate controls for which domains and methods the user wants to enable.
To me, such conservative…
user2719333
9 votes, 1 answer
What does Spectre mean for public cloud computing?
From a tweetstorm by security journalist Nicole Perlroth:
The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals data from other customers renting space on that same…
Anders