wso2 iot 2 policies can not be assigned to a device on the server at the same time?
Why does not the other one work when a policy is defined?
https://wso2.org/jira/secure/attachment/40091/PolicyPriorityUI.png
IoT server does not support adding multiple policies to the device at the same time. Only one policy can be assigned to the device at a given time.
Related
There is a default policy managed by AWS (ha-all-AWS-OWNED-DO-NOT-DELETE) that is assigned by default to any rabbitmq exchange due its priority (0) and wildcard .* .
I am trying to match another policy with my exchanges with the definition:
federation-upstream-set: all
Since I am trying to create a federation upstream but any policy gets overridden by the default amazon policy, all my policies are being ignored so federation upstreams are unable to run.
Anyone has managed to make a federation upstream work using Amazon MQ?
Thanks.
Did you configure queues in Classic Mode or in Quorom Mode?
I think you cannot attach policies on quorum queues because they're not supported by Amazon MQ. These rule is applicable for cluster configuration.
Take a look there: https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-broker-architecture-cluster.html
Hi and thank you for your time!
I want to use a IDaaS for my project and Google Identity Platform is one of the options I was considering. One of the considerations is the availably of the service, so I am trying to come up with a solution for disaster recovery.
I can't seem to find information to answer my question anywhere in Google's doc: is Google Identity Platform region based? And if it is, is there a way for Google Identity Platform to support multiple regions in case of an outage?
For example:
Amazon's Cognito is region based and migrating/replicating user credentials from one region to another is not supported by Amazon. It is a manual process to replicate some of the data between regions. In the event the region hosting your Cognito user pool becomes unavailable, the user will have to reset their password when authenticating to the pool in another region https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool.html
Just wondering if Google Identity Platform will handle this more gracefully.
Thank you again!
is Google Identity Platform region based?
Google Identity Platform is global. Google describes this service as planet scale.
is there a way for Google Identity Platform to support multiple
regions in case of an outage?
Although Identity is global, the service is replicated to each region. Occasionally there is a region outage. For example in 2020 there was an outage. Google publishes details on service imparement. Example incident here. Service outage list here.
For example: Amazon's Cognito is region based and
migrating/replicating user credentials from one region to another is
not supported by Amazon. It is a manual process to replicate some of
the data between regions.
Google manages the service. There is nothing for you to do in the event of a region outage except for waiting for Google to bring the service back online. This does not effect other regions and typically the service continues to work globally except in the impaired region.
I am trying to make a connection between AWS IoT and my React JS APP.
I followed this tutorial (https://medium.com/serverlessguru/serverless-real-time-reactjs-app-aws-iot-mqtt-17d023954045), and it is not clear to me how to attach the Cognito Identity ID to the AWS IoT Policy.
During all my investigation, I found that this process must be done through command line.
In the article above, theses process is done by the following command line:
• Note that the “identity_pool_id” has to be considered in this command.
In the aws documentation (https://aws-amplify.github.io/docs/js/pubsub), it says to write the “identity_id” in the command line:
When I use the “identity_pool_id” in the command line, and I try to publish a message from AWS IoT, I got the following error:
When I use the “identity_id” in the command line, I can perform the communication between AWS IoT and the Frontend successfully:
The problem is that the “identity_id” is a different code for each user. Considering that I am going to have a lot of user in my application I don’t know how to perform this task.
• Am I doing the right process to consider the “identity_id” instead of “identity_pool_id”?
• If yes, how could I automatically attach the Cognito ID to the AWS IoT Policy every time I have a new user signedIn in my application?
• Are there any problem to have thousands of Cognito certificates attached in a AWS IoT Policy?
Following answer is in chronological order corresponding to 3 questions.
You can attach only identity_id (user) to IoT policy. Also, I can see you have used "attach-principal-policy" API which is deprecated now, so instead of that please use AttachPolicy API
I'm unsure here, still I'd recommend to evaluate and verify it on Cognito's post confirmation trigger
Absolutely right, you can attach a IoT policy to myriad of certificates; technically it is known as Simplified Permission Management
For #3, Relevant Snippet from AWS (Ref - https://aws.amazon.com/iot-core/faqs/ where find Q. What is Simplified Permission Management?)
"You can share a single generic policy for multiple devices. A generic policy can be shared among the same category of devices instead of creating a unique policy per device. For example, a policy that references the “serial-number” as a variable, can be attached to all the devices of the same model. When devices of the same serial number connect, policy variables will be automatically substituted by their serial-number."
I am setting up our telephony system in AWS and we're utilizing AWS Single Sign On for our primary SAML authentication. This has worked fine for normal cli and console access but has kind of been a struggle for implementing Amazon Connect through the SSO Cloud Applications configuration.
Background
I have done a proof of concept with a single Amazon Connect instance and was able to federate login with a number of different permissions sets to simulate admin, developer, and user access for the single instance. This worked fine until I started adding additional instances and each time any user permission set tries to login to Amazon Connect they get Session Expired on the Connect screen.
Our setup is as follows:
Root account contains AWS SSO Directory
Dev Account has 1 Connect instance in the east
QA Account has 2 Connect instances total in east and west
Prod account has 2 Connect instances total in east and west
A lot of the documentation I've been reading seems it assumes the Amazon Connect instances are in the same account as the Amazon SSO service. Additionally the documentation mentions creating additional IAM Identity Providers for each Amazon Connect instance's SAML Metadata file, and a role associated that allows the SSO user to access that instance. I see where this would work in a single account, but I don't understand how to adopt the access role and implement it as a permissions policy in AWS SSO for the user group thats logging into the instance.
I've configured everything as close as possible to the Amazon Connect SAML Setup Guide, and I'm working on troubleshooting the permissions policy stuff to configure access, I'm just at a loss.
If anyone has previous Amazon SSO experience, or has done something similar with Amazon Connect that would be greatly appreciated. I just want to be able to validate whether this is feasible in the current iteration of Amazon SSO (granted its a newer service), or we need to architect and integrate a 3rd party SSO for Amazon Connect.
Thanks!
We recently have this kind of setup and requirements and still in the testing phase but so far, it is working as expected.
In the Amazon Connect SAML Guide that you linked, there's a lacking piece of information in there with regards to the Attributes Mapping (Step 10)
Change From:
Field: https://aws.amazon.com/SAML/Attributes/Role
Value:
arn:aws:iam::<12-digit-account_id>:saml-provider/,arn:aws:iam::<12-digit-account_id>:role/
To This:
Field: https://aws.amazon.com/SAML/Attributes/Role
Value:
arn:aws:iam::ACCOUNT-ID:saml-provider/IDP_PROVIDER_NAME,arn:aws:iam::ACCOUNT-ID:role/ROLE_NAME
Sample Value:
arn:aws:iam::123456301789:saml-provider/AWSSSO_DevelopmentConnect,arn:aws:iam::123456301789:role/AmazonConnect_Development_Role
The Setup:
Root AWS
Configured with AWS SSO
In AWS SSO page, you can have 1 or more Amazon Connect Applications here
AmazonConnect-Development
AmazonConnect-QAEast
AmazonConnect-QAWest
Dev AWS:
You have setup Amazon Connect
AmazonConnect-Development as the Instance Name (Record the ARN)
Create a new Identity Provider (for ex: AWSSSO_DevelopmentConnect)
Create a Policy (to be attached in the Role)
Create a Role (for ex: AmazonConnect_Development_Role)
See more here for the content of Policy
In Root AWS, configure your AmazonConnect-Development application to have the Attribute Mapping pattern same with my above example value.
You also specify the Relay State URL for you want the users to be redirected to a specific Amazon Connecct application.
xxx AWS:
Same steps will be applied as the above
Key Points:
For each AWS Account:
You will need to Create Identity Provider, name it with a pattern
Create a Policy to be attached in the Role
Create a Role and Choose SAML 2.0 Federation
Checked: Allow programmatic and AWS Management Console access
Link the Identity Provider with the Role
For the Applications that you configure in the AWS SSO page, make sure the additional Attribute Mappings have the correct value
I'm trying to set up a Site to Site connection between our on-premise server and our cloud infrastructure. In our premises we have a SonicWall firewall installed and, since SonicOS 6.5.1.0 it's now easy to put an AWS access key and AWS Secret Key and let the software configure everything via SDK.
The problem is that the tutorial on how to configure the firewall (p. 8) says:
The security policy used, either for a group to which the user belongs or attached to the user directly, must
include the following permissions:
• AmazonEC2FullAccess – For AWS Objects and AWS VPN
• CloudWatchLogsFullAccess – For AWS Logs
Since it's not ideal to give anyone the full access to Amazon EC2 do you know which features SonicWall actually needs so I can disable everything else and follow the principle of least privilege?
Without looking into the code for SonicWall itself, it is not going to be easy to know exactly which API calls it's going to make to EC2. If you are prepared to at least temporarily grant full EC2 access, you could use AWS CloudTrail to monitor exactly which API calls are being made by the IAM user associated with your on-premises server, and then update your specific policy to match those calls.
Alternatively, start with the full access IAM policy template and go through and deny any calls you think are completely unrelated to SonicWall's functionality.
If you trust SonicWall then probably the easiest thing to do is to just allow the full EC2 access it claims is required (or start there and gradually remove them until something breaks!)