We are a small startup currently in prototype phase. We are still in development phase, and are using AWS to host our application and (test) domain. We have hosted our domain on Route 53, and registered that with SES for email services.
I am new to AWS, and have used domination to understand how to set these things up. Now it appears that our account(s) have been compromised/hacked and someone is missing it to send malicious emails. I am unsure what is the extend of hack, and if the users is only managed to get access to SES and Database credentials. I received an email from SES team, which shows emails have been send through my domain (not by me), but I never created that email on my domain.
Additionally, I have noticed that someone is trying to access my database (from China) and database is always at 100%. Database log says it has blocked IP (which is based in China).
We are using GitHub to store code, and in our code we had credentials for AWS and SMTB servers so I think its possible that someone stoke keys from there (we have taken credential out of GitHub now).
Can someone help me understand what steps do I need to take. I am thinking to shut down this environment and create a new one, but I am unsure how to get hold of my domain and shut down all emails created by spammer on my domain. I am also unclear what is the extend of hack, and if this will come back.
Cam someone please help.
You should never store your credentials in github.
In fact, you should use roles instead of credentials stored directly in the code.
So, step by step you should:
Remove the credentials from github and from your code (done)
Reset your credentials and do not store them
Create a role with the policy according to your needs
Assign that role to your resources.
Here you can found more info
Related
I'm working with a client right now that has a legacy application hosted by a 3rd party vendor on their amazon account. That legacy app was using Amazon SES for their mailing.
I created the clients own amazon account (as I don't have access to continue the build out on clients account), and am now seeing the issue where I need to transition the SES DNS validation over to their account.
I'm wondering what kind of downtime I would see, or problems I'd create by updating the DNS entry of _amazonses.mydomain.com from what it was on the past account to this new account.
My concern is by updating that entry, I would break the legacy system which I don't have the ability to update.
Thank you
You don't have any downtime, you can verify the domains in two different account, it just you need to add multiple TXT value to the record "_amazonses.mydomain.com".
e.g: _amazonses.mydomain.com
"txt-value-1"
"txt-value0-2"
As long as your clients are using their own credentials, emails flow just fine, once you confirm everything is good, you can remove your record from there.
If no,
You can still use SES sending authorization and allow them to use the domain verified in your account, doing this, they can only use your sending domain to send emails but emails will go from their account and they will be charged, their account should be in production.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization.html
I'm building a service where the end users can create organizations. Other users may then be added to the organization, and each organization may have a number of administrators.
The service is built on AWS.
Now, when an organization is created, I'd like to automatically create an email address corresponding to the organization, and forward all messages sent to this address to the external e-mail addresses of the administrators of the organization.
So for example let's say the domain of my service is example.com, and Alice (alice#somewhere.com) creates an organization called Foobar. She also adds Bob (bob#somewhere.com) as a second administrator.
I'd then like to register admins-foobar#example.com as a valid mailbox, and whenever someone sends e-mail to this address, it should be forwarded to alice#somewhere.com and bob#somewhere.com, ideally also with the reply path set to the original sender, so that Alice and Bob can answer support questions.
The purpose of this is to have a single point of contact for support issues etc for all the users within an organization.
I've used AWS SES and AWS WorkMail in the past, mostly for transactional mail, notifications and for statically created incoming mailboxes for support etc, but I cannot seem to find if what I want is possible to do through the AWS SDK.
First of all, I'm not sure if what I want to do requires AWS WorkMail at all or if this is somehow possible to solve using AWS SES and trigger rules, but I first looked at WorkMail. The AWS WorkMail SDK enables creating users and enabling mailboxes for them through the SDK, and users are grouped into organizations. However, I cannot find a way to create organizations through the SDK, only through the AWS web console!
Second, I cannot find how I can programmatically set up e-mail rules for forwarding e-mail sent to the created users' mailboxes.
Is this possible at all using AWS services?
I am totally newbie with AWS, my first project with it.
I was trying to deploy my Django app with Elastic Beanstalk, using CodeCommit, following a tutorial. I was getting an error while trying to connect to the repo. Searching around that error, I got to the conclusion that I probably needed to enable AWSElasticBeanstalkFullAccess policy for my user. However, before doing that I 'detached' the first (and I think the only) policy that I had attached to my account. I think it was 'AdministratorAccess' or something similar (the first option in a large policies list). I just wanted to fit my user to the tasks that would be required and I interpreted that having admin privileges is not safe. Later I read that I should have created a new user with no root privileges, and work with that new user on a daily basis. I promise I will do that the next time.
So I am locked right now. I have just one user with privileges for doing absolutely nothing. I cannot even purchase development support (29$/month), to solve this situation... I don't know what to do. I could forget that account and open a new one, but I think there must be something I could do.
I tried searching for almost 2 hours, but I couldn't find anything that could work for me. I repeat that I am completely newbie on AWS and probably I didn't use the correct words in my searching process.
Any help will be appreciated. Thanks in advance.
Ok, finally solved. I explain.
While following the tutorial, I signed up AWS and created a user called 'username' for the deployment process in Elastic Beanstalk. I thought the user I created following the tutorial was my current user in AWS, but (fortunately) it wasn't.
I logged in with the 'username' user and detached the AdministratorAccess policy from that user, so the user has privileges to do nothing.
After some more reading, I found that if you login to AWS with your email (not the 'username'), you log as the root user. That allowed me to attach the correct policies to the user.
Here the difference between IAM users and root user:
From IAM users docs:
An IAM user with administrator permissions is not the same thing as the AWS account root user.
From root users docs:
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
I have a lot to learn around AWS, but I hope my story helps somebody...
I'm a beginner to AWS and a bit confused regarding the AWS Cognito system.
I have an AWS Elasticsearch service behind a VPC. I'm trying to access the Kibana endpoint using AWS Cognito, but when I navigate to the log in screen I see a blank page.
Is what I'm trying to do feasible or do I need to VPN first into the VPC in order to get to the log in screen? If so, how can I grant public users access to Kibana (without the trouble of a VPN?) Would a better solution be to have a reverse proxy point to Kibana and couple this with AWS Cognito? Thanks for your help.
Note: I'm using Elasticsearch 6.2
I had the same output while I was setting up the same setup but don't remember exactly which stage solved it.
At this stage it looks like you already set your access policy to use the Cognito role otherwise you wouldn't end up on the cognito login page (even though blank for now).
I would check the identity provider config on the Cognito User Pool App client settings:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html#es-cognito-auth-identity-providers
It wasn't linked to a lack of access (ie. no VPN) or a missing UI customization and it's definitely achievable.
Let me know if you want me to look deeper into it.
EDIT: when i go directly to the domain url of my cognito pool (ie. https://yourdomain.auth.your-region.amazoncognito.com) I still get a blank page. It's only when going to the protected application (kibana) that the login page is filled in (probably linked to the above app client settings).
I created a wiki page in my GitHub Repo because I did this EXACT (Public ESS and Cognito) same thing over the last couple days. You can get the info HERE and I hope it helps clear things up!
I am a longtime Amazon.com customer, and now I am interested in using Amazon Web Services (AWS). So I have a question on creating an AWS account.
Do I have an option to create an AWS account that's completely separate from my Amazon.com account (with different email addresses)?
What would happen if I use the same email address for AWS and Amazon.com?
Soooo..... Ages ago... I made an AWS account, it will not let me log in to normal amazon.com with that account telling me every time my password is incorrect which it is not.... attempting to create a new account with same email asks me if i want to disable my old account..... so yea it seems the answer is:
YES: simply create the account from AWS.
If creating accounts at amazon.com THEN aws with same e-mail, you will have one linked account to log in to both.
On the other hand if both are created seperately on different e-mails, and somehow one gets compromised the other doesn't, but then you have two different logins to deal with.
So as it turns out they lied about it disabling my aws account, I decided to try it, and now I have two accounts under the same e-mail, with different passwords... So if you want that, create on aws first, then create with same email on amazon.com and when it says it will disable the other account, don't worry it won't, however it will require you to choose a different password.
Oh and one last thing... If I try to log into AWS with Amazon.com password it brings me to create a new AWS account and it's a pain to get out of that screen...
My Amazon Retail account was compromised last week. I closed it and guess what - no access to my Amazon AWS account. On querying this I was told (by Amazon) that you have to have an Amazon Retail account and that it has to be THE SAME account as your AWS one.
So a service that is a honeypot for criminals gives them the keys to your Web based business, and Amazon have zero interest in separating the two. That is nuts - sites are moving next week, can't take the risk.
People have been shouting about it on the Amazon forum for years, so I think that whilst there may be workarounds the fundamental principle must be correct. I can't risk playing about with workarounds for something as dumb as this.
These are both great questions
First,
Yes, you can and SHOULD create an aws root account email that is unique for your AWS account(s). While approaches may vary, and your email server may filter out what would otherwise be perfectly applicable emails, here is how I do it
I create an email account that is ONLY for my AWS root accounts.
AWS Requires EVERY AWS account to have a unique email
here is my pattern: myname.aws.accts#gmail.com
I have an admin (Organization) account, so I use the following email: myname.aws.accts+admin#gmail.com
I have one prod, one test and one dev account. Here are the following email patterns:
myname.aws.accts+prod#gmail.com; myname.aws.accts+test#gmail.com; myname.aws.accts+dev#gmail.com.
I've also used the pattern: myname.aws.accts+123456789012#gmail.com where 123456789012 represents the AWS Account number.
These are all interpreted as unique by AWS but route to the same email account: myname.aws.accts#gmail.com
One last comment. I have another client who uses MS Exchange and for some reason the email+extension#mybiz.com has the 'extension' portion filtered out, and these emails do NOT process. In this biz we worked around this by creating alias' emails that are still unique to AWS and aliased them in the exchange server to the awsadmin# email. does the job. probably not best practice, but in a pinch...
Second
Yes. You can link your AWS and amazon.com accounts to the same root user email.
DON'T DO IT
This is generally an anti-pattern. NOT best practice, and fraught with problems...
I know of no good reason to do this. Once done, it is nigh near impossible to convince AWS - AMAZON to unlink these accounts. You WONT be able to separate them yourself - they are strongly coupled once the link is made. you might succeed in separating your AWS and AMAZON account if you are a paying customer of AWS business or Enterprise level support, and even then, they may tell you to just delete the AWS account if you don't want AWS and amazon shared.
Once the two accounts - store and AWS - are created with the same email account, I believe they are forever linked via a single master Amazon account, and there seems to be no way to separate them: If you change the password or email address on one, it reflects in the other.
When my only AWS use was an unimportant VM with a website, it was no big deal, but once I start hosting higher-value stuff, it gets a lot more scary.
As far as I can tell, the only way to separate them is to create a new AWS account (with different email address) and transfer your resources from the old to the new.
This appears to be a painful exercise, you can't directly move an EC2 instance, though you can transfer a snapshot of an image, but everything else I don't know about yet. I would be surprised if I could transfer a fixed Elastic IP, which means changing an IP address I've been using for a long time.
In the short term - as far as I can tell - the only way to secure AWS from your consumer account compromise is to put MFA on the AWS account and then use IAM for access. That's not a bad idea anyway.
I'll be creating a new AWS account (with different email address) for all stuff going forward, and transitioning old-to-new as I get to it, but this looks like a miserable (and unbillable) exercise.
It's just crazy that Amazon doesn't appear to have a way to address this.
Yay for me being an early adopter?
EDIT: It might be possible to link two accounts via "Organizations"; that might give some options for migration that are a bit less painful. Not sure yet.
EDIT Nov 2022: Amazon appears to have rolled out split credentials: when I logged into my unified account - same email for store and AWS - it invited me to create a diff password for the AWS stuff. This is wonderful!
So your AWS and Amazon are the same accounts so you cannot create a separate retail account with the same address. (Though you can get around it by doing email+SOMETHING#domain.toplevel) So if your amazon.com account gets compromised, they theoretically have access to your AWS account.
To keep your AWS account secure, there are a few things you can do. Firstly and probably most importantly, you need to make sure you have MFA setup on the account. In fact, you should do this whether you use amazon.com with the same account or not.
I heavily suggest looking at the Trusted Advisor Best Practice Checks on AWS' website.
The rule of thumb here: they are not interchangeable.
If you created AWS account it will not allow you to login automatically to Amazon.com.
The same with consumer account, it doesn't provide access to AWS by default, because AWS has separate verification process.
Amazon Music account means access to consumer Amazon.com but not to AWS.
Though, I never tried to delete AWS and don't know what happens if you delete either of them, whether this causes deletion of the other or not.