I want to check if AWS Security Hub integration is enabled for particular aws account ID and particular region using AWS Security Hub SDK?
For checking this, follow the below steps:
Your AWS account needs to have connector permissions (AWS-SD-Connector-Role) to target aws account
Assume role using the target account ARN (Amazon Resource Name) and get the temporary session credentials of a target account.
Now using the temporary session credentials get the security-hub object of a target account and check which all product subscriptions are enabled in it.
Related
The following page explains how to use a managed ID with ACS, but is there any other way to register with the Creating an Azure Active Directory Registered Application, such as the Azure Portal or PowerShell?
https://learn.microsoft.com/en-us/azure/communication-services/quickstarts/identity/service-principal-from-cli#creating-an-azure-active-directory-registered-application
Yes, you can do it all in the Azure Portal. First, you create the service principal:
Then, you assign permissions to it. Either on the subscription level:
Or on the Communication Service resource level:
I'm trying to verify an app that manages a user's Firestore collections using Google Cloud APIs.
After submitting for verification, I received this email from the API dev team:
Dear Developer,
Thank you for submitting an OAuth App Verification request for the following Cloud scopes:
https://www.googleapis.com/auth/cloud-platform.read-only
https://www.googleapis.com/auth/cloud-platform
Three-legged OAuth2 scope grants are intended for human users to grant access to all of their data hosted on a particular API. Access to your requested OAuth2 scopes would provide overly broad access for Google Cloud Platform customers. Google Cloud Platform only supports grants to specific resources for specific users/services, with access controlled using Cloud IAM Policies.
Follow the instructions below to gain access to the Cloud scopes you requested:
Create a service account to represent your service and to access data from your users’ Google Cloud Platform project
Instruct your customers to grant your service account appropriate access to their Cloud data via IAM Policies
Note that you may want to create a service account for each customer to avoid confused deputy problems.
I already have 3 service accounts (I think they were created automatically by GCP or Firebase), but I'm having trouble understanding what the second point is and what action should I take.
The app makes requests from the client using my Firebase API Key to read and write on Firestore collections on the users' behalf. These are the scopes I'm using:
email
profile
openid
../auth/cloud-platform.read-only
../auth/cloud-platform
I expect the app verification process to complete successfully so the users don't see the "Unverified application" screen when logging in.
You are trying to grant yourself access to a customer's account/data using your Project's OAuth Client ID. This is very dangerous as you can receive an Identity Token and Refresh Token that can make it difficult for a customer to revoke your Access Token. Most customers/developers do not know how to do this.
Google is tightening the level of access that you can request. You have asked for permissions that are too privileged. The correct approach is for the customer to grant you access to their account via Google Cloud IAM. These privileges can be to a service account created by your Google account or to your Google Account email address. Both methods require the customer to grant permissions in their GCP account using IAM.
Your problem can be solved in three steps:
1) Delete the following scopes as Google will not approve your app with them without an audit.
cloud-platform.read-only
cloud-platform
Note: If you only require access to a very specific service, change the scope for that service. You might not get approved.
2) Create a service account in your Google Cloud Platform account. Provide the email address of your service account to each customer. They will need to add the email address to the Google Cloud Platform console under the IAM section and assign the required IAM permissions.
Note: You may want to create one service account per customer for better security, separation, and logging.
3) Use the service account instead of a Client Application.
Note: If you require Google Console access to your client's Google Cloud Platform account, provide them with your Google Account email address. They can assign your email address the required permissions to access the console for their project.
I'm building a Java application which needs to access the DynamoDB. The application is intended to be used by several end users (not all of them are trusted). From my understanding, in order to access the AWS service,the AWS credentials need to be loaded at runtime on end users' machine via several ways described at https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
However I don't feel it'll be safe to directly hardcode the access key and token into the application code, as this can be easily exposed. Given my end users don't have too much technology background, I don't want to add too many "pre-setup" steps before they can use the application.What will be best/feasible practise to distribute the credential to them?
Thanks for all opinions.
You probably need to be looking at AWS Cognito
An Amazon Cognito user pool and identity pool used together
See the diagram for a common Amazon Cognito scenario. Here the goal is
to authenticate your user, and then grant your user access to another
AWS service.
In the first step your app user signs in through a user pool and
receives user pool tokens after a successful authentication.
Next, your app exchanges the user pool tokens for AWS credentials
through an identity pool.
Finally, your app user can then use those AWS credentials to access
other AWS services such as Amazon S3 or DynamoDB.
When we store the Service principal certificate/appKey in the VM (to access the keyvault), we could limit access to that file to just the user account running the program. Other users or accounts wouldn't have access to the secrets in keyvault.
When we use Azure Managed Service Identity to access keyvault from an IaaS VM, my understanding is that any user logged into the VM or any program running on the machine can access the keyvault secrets - is this true?
And if it is, doesn't that decrease the security in case one of the user accounts is compromised?
According to the article access Azure Key Vault, it seems this is true. If MSI is enabled, just need to invoke web request in the VM without e.g. appKey.
And if it is, doesn't that decrease the security in case one of the user accounts is compromised?
It should be, but the prerequisites of the access to the secret in the keyvault is the VM service principal was added as a role in Access control (IAM) and Access policies.
If you want to increase the security, you may need to remove the VM service principal in the Access policies, then it will not be able to access the secret, if you want to the service principal does not have the access to the keyvault at all, remove its role in Access control (IAM).
For more details, you could refer to: Secure your key vault.
Update:
From the doc #Arturo mentioned, it is the fact.
Any code running on that VM, is able to call the managed identities for Azure resources endpoint and request tokens.
I have an application that runs in a Service Fabric(SF) cluster and I wan't to access Key Vault from it.
The cluster hosts a number of applications and I want to give access to a Key Vault for my application without giving access to the other applications. By default an application runs under the same user as the SF cluster, but each applicatiuon has it's own unique name, mine has the name fabric:/application1.
My question is, is it possible to create an Active Directory application account for fabric:/application1 and grant access to the key vault?
I know it is possible to use the RunAs options in the SF manifest, but that requires me storing an encrypted password in the manifest/source code and I want to try and avoid this if possible.
AFAIK,
The only way to have this flexibility is using ClientID & Secret or Service Principal certificates and each application manage their own credentials.
Service Principal Certificate is already integrated to AD, but does not require the application, the user or the Host to be part of the domain, the only requirement is setup an user on AD to grant the permissions on Keyvault.
There are other solutions using AD integration, like Managed identities for Azure resources(Former: Managed Service Identity) but I am not sure if you are able to restrict access per application like you described, because the MI add this as a service in the node, so technically other applicaitons would have access as well, worth a try to validate if you can restrict this.
If you want to try this approach, you can use with Microsoft.Azure.Services.AppAuthentication for implicit authentication of the services running in your cluster, where the nodes are setup with Managed Identities extension like described here.
Something link this:
When you use the Microsoft.Azure.Services.AppAuthentication, the Step 2 will be handled by the library and you won't have to add much changes to your key vault auth logic.
When you run your code on an Azure App Service or an Azure VM with a
managed identity enabled, the library automatically uses the managed
identity. No code changes are required.
The following docs describe other options you can use for KeyVault Authentication.
PS: I've done other KeyVault integrations using Client Secrets and Certificates and they are secure enough, With Certificates you can store it on the managed store or with the application, I would recommend MI only if is a requirement for your solution.