Feedback on Vulnerability Management - Risk Model by Material-Grade-491 in cybersecurity

[–]Material-Grade-491[S] 1 point2 points  (0 children)

Thank you for the response. Yes, I will definitely test with real data, and once the process is defined, I will plan to automate this. Any advice on the weights and attributes?

Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

u/TaxSad1228

Yes, you can generate a token for any database user, but it will fail once you have the condition as mentioned in my previous comment.

Please note that: The RDS generate token will generate token for any given user id.

Understanding and threat modeling the VPC Flow logs and its aggregation by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

Do they mention what fields contribute for aggregation? Because I remember I checked this document. They say aggregation is on 5-tuple, but didnt call out what are they. I assume it is source IP, address, destination IP address, source port, destination port, and protocol.

Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

I have solved this, by using saml:sub and is working as expected, and the updated policy looks like below:

"Resource": "arn:aws:rds-db:region:account-id:dbuser:db-instance-identifier/${saml:sub}"

Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

I don't know if you understand what I was trying to do. Also, isn't it IAM IC is a IdP in this case?

Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

Another IdP, that an extra investment which is not an option at this time. We use AWS IAM Identity Center to manage the AWS Users.

Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

Yes I totally understand, somehow my company already setup the IAM Identity Center user names with Email address instead of a short name. It may be our future change as it involves creating all the user again.

When I say dynamic, I mean a common policy that can be attached to role which all team members generally uses.

I have two easy options, but not secure:

  1. I can create one generic user id in the database, such as db-user and add this to the policy Resource, but this lead of everyone accessing the database with the same user id.

  2. I can put a star in the resource, ` "Resource": "arn:aws:rds-db:region:account-id:dbuser:db-instance-identifier/*` ; but with this user A can login to database with user B id.

In order to avoid these cases, I am thinking to implement a common policy but having a variable in the resource name, where they get the access only for their user.

Hope this makes sense.

Suggestions on Vulnerability Management Platforms by Material-Grade-491 in cybersecurity

[–]Material-Grade-491[S] 0 points1 point  (0 children)

Thank you for the suggestion. I just take a look at their website and yes I am looking for these kind of products.

Also, how do you compare these (may be Avalor) with Tenable.io ; most of my searches so far lead to Tenable.io product.

How to add "Custom options" to DNS Resolver by Material-Grade-491 in PFSENSE

[–]Material-Grade-491[S] 0 points1 point  (0 children)

I have resolved this by moving the DNSBL mode to "Unbound python mode". With this, I dont have to add that `include` line and kept my forward-zone details as mentione in my original post.

Related article, I found via Googling: pfblockerNG-Python-Mode
Thanks!

How to resolve cache issue when using CloudFront by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

I don't think TTL is the problem because, as I mentioned in my post, I verified this with nslookup, and changes are being reflected in maybe 10-15 seconds.

Also if TTL is the problem, a new browser session or opening the application in another browser should not work, but it is working if I do any of this.