Questions tagged [aws]

Amazon Web Services (AWS) are a set of cloud services offered by Amazon.

257 questions

Is serverless code immune to DDoS attacks?

In classic hosting we have a virtual machine with limited resources allocated by hosting provider for running our web application. But with serverless code such as AWS Lambda or Azure Functions, our code is executed by hosting provider (Amazon or…
Mr. Engineer

Pentesting against own web service hosted on 3rd party platform

I want to pentest websites and services programmed by our company, which is fine as long as we test it on our own infrastructure. What are the (legal) implications when pentesting our services once they have been deployed to other platforms like…
knipp

Is an AWS "Access Key ID" a secret?

AWS's "Secret Key" is (obviously) a secret, but should an "Access Key" alone (without the corresponding secret key) be considered a secret too?
Daniel Serodio

Is starting an AWS instance with only ssh to port 22 significantly insecure?

Unless someone has my private SSH key, how is leaving an AWS instance open to 0.0.0.0 but only on port 22 via SSH insecure? The SSH key would be distributed to a small set of people. I prefer to not need to indicate their source IP addresses in…

How critical is encryption-at-rest for public cloud hosted systems?

I work as a solutions architect for web-based systems on AWS. As part of this role, I often respond to Information Security questionnaires. Nearly all questionnaires request information about data encryption at-rest and in-transit. However only a…
jdog

More than three domains hosted on the same IP address

Not on purpose, I did a reverse IP address lookup on my site, and it shows that there are three other websites hosted on my server, and now I'm worried. My website is arturofm.com, and here is the…
Arturo

How to use AWS KMS securely?

I am investigating using AWS KMS (Amazon Web Services Key Management Service) to decrypt an encrypted symmetric key (i.e., envelope encryption). However, to use KMS, I need to pass it my Amazon access key and secret key. So I am no longer storing…
Vanita

Keeping AWS account ID secret

Must my AWS account ID be kept secret? Can anything at all be done using just the AWS account ID? From the AWS documentation: The AWS account ID is a 12-digit number, such as 123456789012, that you use to construct Amazon Resource Names (ARNs).…

What is the threat model for AWS EBS volumes encryption?

AWS provides the ability to encrypt EBS volumes, the value of which I am wondering about. In the "Overview of Security Processes (October 2016)" whitepaper, page 24, they say: Encryption of sensitive data is generally a good security practice, …
Greendrake

Hijacking stale DNS entry to point to your own website

Context and system configuration: AWS EC2 instance with a public IP address AWS Route53-managed DNS with a somesubdomain.somedomain.io pointing to the above IP address Above AWS EC2 instance was not running all the time, it was stopped most of the…
automatictester

AWS Security - Dev Test Staging Production Environments

Right now all our systems are in a traditional data center and traditional network topology. We're planning to migrate to AWS and in doing so we're trying to figure out how to implement our dev/test/staging/production environments. Should we: 1)…
Brad

Best practices for managing AWS EC2 Key Pairs

Our organization uses Amazon Web Services (AWS), and we have multiple EC2 instances running in different subnets (VPCs) for different clients. Our application is in development and we need to remote (SSH or RDP) into these instances. EC2…
Lemonseed

Does the TLS 1.0 support on CloudFront create a vulnerability when only TLS 1.2 is enabled on the Origin side?

We currently host our website on AWS with CloudFront. CloudFront currently does not support disabling TLS 1.0 or 1.1 on the Viewer side. It only provides support for limiting access to TLS 1.2 on the Origin side. I have also limited access to only…

Is there any risk to enabling CORS with a wildcard on S3?

By default, Amazon S3 blocks cross-origin requests. However, it allows users the ability to set up per-bucket CORS policies. It offers fairly elaborate controls for which domains and methods the user wants to enable. To me, such conservative…
user2719333

What does Spectre mean for public cloud computing?

From a tweetstorm by security journalist Nicole Perlroth: The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals data from other customers renting space on that same…
Anders