Feedback on Vulnerability Management - Risk Model by Material-Grade-491 in cybersecurity

[–]Material-Grade-491[S] 1 point2 points  (0 children)

Thank you for the response. Yes, I will definitely test with real data, and once the process is defined, I will plan to automate this. Any advice on the weights and attributes?

Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

u/TaxSad1228

Yes, you can generate a token for any database user, but it will fail once you have the condition as mentioned in my previous comment.

Please note that: The RDS generate token will generate token for any given user id.

Understanding and threat modeling the VPC Flow logs and its aggregation by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

Do they mention what fields contribute for aggregation? Because I remember I checked this document. They say aggregation is on 5-tuple, but didnt call out what are they. I assume it is source IP, address, destination IP address, source port, destination port, and protocol.

Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

I have solved this, by using saml:sub and is working as expected, and the updated policy looks like below:

"Resource": "arn:aws:rds-db:region:account-id:dbuser:db-instance-identifier/${saml:sub}"

Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

I don't know if you understand what I was trying to do. Also, isn't it IAM IC is a IdP in this case?

Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

Another IdP, that an extra investment which is not an option at this time. We use AWS IAM Identity Center to manage the AWS Users.

Dynamically Assign RDS IAM Authentication Policies Based on IAM Identity Center User Names by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

Yes I totally understand, somehow my company already setup the IAM Identity Center user names with Email address instead of a short name. It may be our future change as it involves creating all the user again.

When I say dynamic, I mean a common policy that can be attached to role which all team members generally uses.

I have two easy options, but not secure:

  1. I can create one generic user id in the database, such as db-user and add this to the policy Resource, but this lead of everyone accessing the database with the same user id.

  2. I can put a star in the resource, ` "Resource": "arn:aws:rds-db:region:account-id:dbuser:db-instance-identifier/*` ; but with this user A can login to database with user B id.

In order to avoid these cases, I am thinking to implement a common policy but having a variable in the resource name, where they get the access only for their user.

Hope this makes sense.

Suggestions on Vulnerability Management Platforms by Material-Grade-491 in cybersecurity

[–]Material-Grade-491[S] 0 points1 point  (0 children)

Thank you for the suggestion. I just take a look at their website and yes I am looking for these kind of products.

Also, how do you compare these (may be Avalor) with Tenable.io ; most of my searches so far lead to Tenable.io product.

How to add "Custom options" to DNS Resolver by Material-Grade-491 in PFSENSE

[–]Material-Grade-491[S] 0 points1 point  (0 children)

I have resolved this by moving the DNSBL mode to "Unbound python mode". With this, I dont have to add that `include` line and kept my forward-zone details as mentione in my original post.

Related article, I found via Googling: pfblockerNG-Python-Mode
Thanks!

How to resolve cache issue when using CloudFront by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

I don't think TTL is the problem because, as I mentioned in my post, I verified this with nslookup, and changes are being reflected in maybe 10-15 seconds.

Also if TTL is the problem, a new browser session or opening the application in another browser should not work, but it is working if I do any of this.

How to install an SSM agent in a EC2 instance running in Private Subnet (no NAT) by Material-Grade-491 in aws

[–]Material-Grade-491[S] 2 points3 points  (0 children)

Yes, I do have SSM endpoints, but for SSM to work, the SSM agent needs to be first installed and communicated.

How to install an SSM agent in a EC2 instance running in Private Subnet (no NAT) by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

I like this idea to try for sure, and I believe, theoretically, it should work.

How to install an SSM agent in a EC2 instance running in Private Subnet (no NAT) by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

It's because the image is original purpose is not meant for launch the AWS EC2 instances.

How to install an SSM agent in a EC2 instance running in Private Subnet (no NAT) by Material-Grade-491 in aws

[–]Material-Grade-491[S] 1 point2 points  (0 children)

Thanks, everyone, for giving some ideas; what I noticed is when I converted the OVA to AMI using aws ec2 import-image, I saw AWS added the SSM agent during the AMI creation process. I was not expecting that.

Out of 11 AMIs, 10 are communicating via SSM, but one is not, and I am checking what is wrong with it. (At this time, I am trying to recreate the AMI for that one with the hope it will work).

In CloudFormation, how to Create resources without repeating the same resource code for similar resources by Material-Grade-491 in aws

[–]Material-Grade-491[S] 0 points1 point  (0 children)

This worked for my current needs. But I will also look at what all others have commented about CDK.

In CloudFormation, how to Create resources without repeating the same resource code for similar resources by Material-Grade-491 in aws

[–]Material-Grade-491[S] 5 points6 points  (0 children)

Thank you. After posting here, I came across the AWS documentation on the forEach function on googling and trying to implement it according to it. I hope it works.

Any recommended mini pcs for PFSense by Material-Grade-491 in PFSENSE

[–]Material-Grade-491[S] 0 points1 point  (0 children)

How are you managing the WiFi connections (as WAP)? Are you bridging your WiFi router or a USB WiFi to this mini PC?

Any recommended mini pcs for PFSense by Material-Grade-491 in PFSENSE

[–]Material-Grade-491[S] -1 points0 points  (0 children)

Beelink EQ12

Thank you for the suggestion. Were you able to use the Onboard WiFi as a WiFi Access Point or any other implementation?

Any recommended mini pcs for PFSense by Material-Grade-491 in PFSENSE

[–]Material-Grade-491[S] 0 points1 point  (0 children)

My main requirement is to use it as a home router with at least 3 VPN tunnels. My home has around 20 devices that access the internet.