I have one root user for aws amplify account. I have created 4 apps. I wanted to give access to only 1 app to the users. How do I do that?
Trying to understand roles & users
Related
I intend to develop an application using firebase authentication.
Companies will be able to sign up and in turn create accounts for their employees.
There will therefore be a "master" account which will be able to manage the operators (add them, modify them, disable them and delete them) and then the "employee" account that can use the platform.
I would like it to be possible that the master account, by entering the client id and the secret key of their oAuth server in a hypothetical administration dashboard, would make it possible for its employees to access with google.
The question is this, would it be possible to manage multiple oAuth servers (from the same provider, e.g. Google) in the same Firebase project?
Thank you in advance.
I want to check if AWS Security Hub integration is enabled for particular aws account ID and particular region using AWS Security Hub SDK?
For checking this, follow the below steps:
Your AWS account needs to have connector permissions (AWS-SD-Connector-Role) to target aws account
Assume role using the target account ARN (Amazon Resource Name) and get the temporary session credentials of a target account.
Now using the temporary session credentials get the security-hub object of a target account and check which all product subscriptions are enabled in it.
I'm building a Java application which needs to access the DynamoDB. The application is intended to be used by several end users (not all of them are trusted). From my understanding, in order to access the AWS service,the AWS credentials need to be loaded at runtime on end users' machine via several ways described at https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
However I don't feel it'll be safe to directly hardcode the access key and token into the application code, as this can be easily exposed. Given my end users don't have too much technology background, I don't want to add too many "pre-setup" steps before they can use the application.What will be best/feasible practise to distribute the credential to them?
Thanks for all opinions.
You probably need to be looking at AWS Cognito
An Amazon Cognito user pool and identity pool used together
See the diagram for a common Amazon Cognito scenario. Here the goal is
to authenticate your user, and then grant your user access to another
AWS service.
In the first step your app user signs in through a user pool and
receives user pool tokens after a successful authentication.
Next, your app exchanges the user pool tokens for AWS credentials
through an identity pool.
Finally, your app user can then use those AWS credentials to access
other AWS services such as Amazon S3 or DynamoDB.
I am having an issue with Azure Active Directory App Registration.
The app is created by my supervisor who have some admin permissions.
What should we do to confirm that we have admin permission and what other issues could have caused this?
Your application needs to be registered under your Azure Active Directory tenant. It is okay to have subscriptions and resources in another tenant, and you can even deploy the app to a resource group under a different tenant, but the registration itself must be under your AAD tenant.
Even if this is set correctly, this error sometimes also occurs when your APP ID/Client ID, tenant ID, or Client Secret settings in your config or app settings do not match what's in the portal. Check to ensure that these match exactly. If you have the permission to do this, you can delete the old app registration and re-register the app under the proper tenant.
I want to store some analytical information about the use of mobile apps into Amazon DynamoDb. I have the following requirements:
exactly one DynamoDb table per one mobile app
an app can do only PutItem method
all users of apps are unauthenticated (guests)
To provide to mobile apps a way to access a table in DynamoDb I see two options:
hardcode credentials with limited permissions into apps (permissions to do PutItem to a specific table);
use Amazon Cognito to get temporary credentials for unauthenticated users in runtime.
The second option Amazon strongly recommends as a much more secure. In my case a malicious user can either get access to hardcoded credentials or to a hardcoded identity pool ID with the same result: getting access to an AWS resource.
Question: does the use of Cognito in my case give any security improvements and if yes, how?
Cognito identity is totally free - you wouldn't have to pay anything.
Your point that using Cognito doesn't add any security to unauthenticated requests isn't correct. From the Cognito FAQs:
Q: How does Cognito Identity help me access AWS services securely?
Cognito Identity assigns your users a set of temporary, limited privilege credentials to access your AWS resources. You can use Cognito Identity to securely access other AWS services from your mobile app without requiring your AWS account credentials. You can also use the unique identifier generated for your app users in your Identity and Access Management policies. For example you can create a policy for an S3 bucket that only allows a particular user access to their own folder.
The same thing described for S3 can be done with dynamo - see this blog post for specifics.