How would I create an SCP which will deny all other services except for IAM for a given AWS account?
Related
I need to access EKS Cluster through EC2 instance sitting in same VPC in which EKS Cluster is created, and we do not have secret key available for that role?
I have tried created the roles with all admin permission and assign that role to EC2 instances and try to access it through system manager but I could not able to authenticate the EKS cluster. By default I am using EC2privateDNSconfig role which is there in AWSAuth.
Can I create a user and assign a role and add it to AWSAuthConfig and able to access the EKS cluster?
I have developed a google analytics management app using google API's and oauth2. I could add localhots:8001 successfully in redirect URI.
Now I have deployed my app in aws ec2 instance. I need to add my aws ec2 instance domain name as redirect uri. It is not taking my ec2 domain name. It says domain must be added in authorized domain list.
I would need to know what are the basic steps to figure out such situations.
The only way to add a redirect uri is if you own the domain. Then you can point the domain to to your server (ec2 address).
If you already own the domain, then see the process for pointing the domain to a server in your domain registrar.
Then use that url for redirect after auth.
The problem here is I have a s3 bucket (cross account). I only want the application I deployed to the ec2 instance to access the bucket (through ec2 instance role). But I still want, says User A (without any role to access the s3 bucket) to ssh to the instance to perform some debugging. I definitely don't want User A who can ssh to ec2 to access that S3 bucket. Is there a way to prevent this?
Pretty sure an ec2 role applies to the entire machine, so any user that has login rights would be able to execute requests using the role.
To avoid having to debug locally from the instance, you could setup log shipping and export metric data to cloudwatch logs/metrics. You can also setup AWS SSM Run command to allow execution of specific commands/scripts against the instances. Both CloudWatch and the Run command can be secured with IAM policies to control who has access to what.
I'm trying to solve the following:
I have a Tomcat web application which is configured (and should be) to accept ANY IP.
e.g: (protocol://host:port/MyApp/)
What I want to do is to only allow certain IP's to enter a directory stored inside my web app AND when entering, being prompted a username and password.
e.g:(protocol://host:port/MyApp/Directory)
I think the configuration should be done in context.xml and/or web.xml but I don't know how.
You can star from the following links
How to add security to your Web Application: http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html
How to deny access based on IP or host:
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address_Filter
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Host_Filter
I want to have an ftp account thisaccount#mydomain.com that does not access my normal mydomain.com server but accesses any other remote server from some service provider.
How do i do this with still keeping mydomain in the address? Which service providers would just give me an ftp account without moving my domian there? Do i need to investigate ftp redirects?
Any direction appreciated?
One option is to setup a dns CNAME to yourftpprovider.com from ftp.mydomain.com.
An example entry in the zone file for mydomain.com:
ftp IN CNAME yourftpprovider.com.