40 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Joseph Ashwin Kottapurath over 5 years ago (edited)
hey everyone, does anyone know a solution for this: https://stackoverflow.com/questions/56259431/persistent-storage-on-elastic-beanstalk-docker-container
I have tried searching everywhere; it’s almost as if there’s no direct solution to this
Shannon Dunn over 5 years ago
I need iam role policy help..
I want to be able to force at least one security group on RunInstances, but then the ability to also select whatever other security group… I was thinking like this, but looks like this is treating as an OR and would want an AND… any ideas on how I would accomplish something like this?
{
  "Sid": "RunInstancePermissionsWithSG",
  "Effect": "Allow",
  "Action": "ec2:RunInstances",
  "Resource": [
    "arn:aws-us-gov:ec2:us-east-1:*****:security-group/sg-1234567889",
    ### Would want this to be an AND not an OR
    "arn:aws-us-gov:ec2:us-east-1:*****:security-group/*"
  ]
},
Andreas P over 5 years ago
Hey guys, sorry in advance if I am asking something stupid but I am not very experienced with infrastructure development 😄 Can someone describe at a very high level how to achieve having an EC2 accessible only through OpenVPN in an AWS setup? Currently I have a VPC with a private/public subnet and an EC2 instance which runs OpenVPN in that public subnet. I can connect fine to the VPN but now I am trying to create a new EC2 instance in the private subnet which is only accessible through the VPN. Any pointers to achieve that? Thank you in advance!
Matt Gowie over 5 years ago
Hey for any ECS users here — Any 3rd party tools that you use with that service that you recommend / swear by? I’m giving a talk on ECS this coming week and I’m including a list of recommended tools. Looking for more to fill out the list.
Mike Jaweed over 5 years ago
So I recently started with amazon I’m in the noob phase. I’m struggling with terraform and assigning the certificate to my site. When I use cloudposse or acm cert module, it doesn’t load my web application at all. I was able to assign it without using cloudposse module or the other acm terraform module but when I do it it still doesn’t give me the secured up top as I would like. If anyone can help me I’ll greatly appreciate it
RB over 5 years ago
what's a good way to compare ECS EC2 to ECS Fargate cost?
RB over 5 years ago
probably a dumb question but what are the cons of running a fargate container as the root user instead of a non-root user?
RB over 5 years ago (edited)
quick reminder that the AWS Cloud Container Conference (C3) is going on now from 9am to 6pm PST
https://www.twitch.tv/aws
https://aws.amazon.com/blogs/containers/the-inaugural-aws-cloud-containers-conference/
Igor over 5 years ago
Does anyone know how reliable Route53 geolocation is? Is it any worse than Lambda@Edge?
Henry Carter over 5 years ago
I've been looking for a nice way to separate environment/account config from cfn templates, so we can ensure stacks are identically configured between accounts. I've used terraform previously, but my new team are cfn based. Does anyone have any experience using Sceptre for deploying their stacks, as it seems to do what I want (and also has the bonus of handling assume-role with an MFA prompt)?
btai over 5 years ago
anyone here use cloudflare + global accelerator? do they play nicely together?
PePe Amengual over 5 years ago
Anyone familiar with API Gateway? Is it possible to have a public API Gateway endpoint that only allows certain AWS accounts/roles to access it and denies everyone else?
Daniel Pilch over 5 years ago
Hi all, I'm looking for a solution to root MFA storage for an enterprise environment where the teams that manage each account are regionally split. Due to the pandemic everyone is now remote first and we would like to have a solution whereby certain members have access to MFA remotely and then a DR emergency backup physical universal 2nd factor device. Does anyone have any experience with a solution like this?
sheldonh over 5 years ago
I’m looking at using serverless framework to deploy lambda functions with api-gateway and integrating into Microsoft Teams with messaging extensions to try and provide some chatops type solution.
I’m newer to API Gateways and am looking for a 101 on what makes it secure to call from Teams with authentication, since I’ll have it do some specific admin functions.
Anyone wrote up something on this or willing to dive into more in a thread or even jump on a zoom call to chat for a few on this? I’m done with using a standard chatbot in Teams as it’s all message queue based, with no activity indicators or anything. I figure Lambda functions with API Gateways will be a better way to go if I can get my head around this.
Maycon Santos over 5 years ago
Hi all, is anybody running ECS with autoscaling and capacity providers?
sheldonh over 5 years ago
Any happy users of rundeck right now? Thinking of trying it out after waffling between using SSM Docs, Azure Pipelines, and other tools. If I could run in fargate I might be able to demo the benefits and get some buy-in, but only want to explore further if it’s really good to help promote more “self-service” activity from teams/devs.
Say:
• runbook -> add me to allow light for specific group
• Run powershell command using dbatools and restore a sql server database
• Backup a copy of a database - pause for approval - continue and output the results to teams
Etc. Seems like it’s the only common platform of its type. Is it something I’ll regret or has it made your life better?
Not a big fan of ssm docs as they are clunky, hard to stream output and use overall, so not really self-service.
Luis over 5 years ago
Hi everyone!
Châu Anh Tuấn over 5 years ago
Hi Everyone.
sheldonh over 5 years ago
Is there any framework that would help me add a front end, basic approval, and lambda functions to make a simple "self service portal"?
I've moved away from chatops for Microsoft Teams and instead was thinking of simple utilities like
- lookup a row in database based on fuzzy match
- turn a test environment off
- turn a test environment on
- request a backup of a database, but since it's prod wait for the manual approval from specific set of users
I'm currently doing some of this in Azure Pipelines but it's not really a "runbook" tool. If I can't find a better solution I'll stick with Azure Pipelines but wanted to explore a nice "self-service" option if there was one that I could keep entirely private in my VPC. I just don't want to reinvent and build all the pieces, esp. to hopefully leverage IAM auth for certain actions.
One last option I was considering was maybe building a simple go CLI interface. Been wanting to do that anyway. Have a couple options in there, and that would solve using IAM auth. I could just wrap up calls in the lambda functions. Any approval workflow would be in step functions.
I guess the last option, as much as I'm not a big fan of them, could be to use AWS SSM automation docs more. Many of the devs don't have access to the web console so that would be another thing to figure out I guess. SSM automation docs are a bit annoying to troubleshoot too.
Any ideas?
RB over 5 years ago
recently stuck cloudtrail logs into s3 and made them searchable using athena. I've found some good queries online by googling them, seeing aws docs, cloudonaut, etc. Any additional queries you folks have found ? We're doing a hack week at my company and I'd love to add more juicy queries 😄
RB over 5 years ago
what are your athena cli tools of choice? I'm experimenting with this at the moment: https://github.com/dbcli/athenacli
Henry Carter over 5 years ago
Does anyone know of a tool to export a report (csv, json, etc) on IAM Users? Something with fields such as Name/Username/Group/Console Signin/Last Creds Use/MFA Status etc...
rajeshb over 5 years ago (edited)
Does anyone know if I can use a CloudWatch event pattern for SNS in the same account? I want to come up with a rule for SNS event activity to trigger Run Command.
Thanks.
Maarten van der Hoef over 5 years ago
I know UI/UX adoption is a thing, but the new Route53 interface... Feels like Plesk.
Abel Luck over 5 years ago
Anyone have a solution for sending AWS Config noncompliant alerts to prometheus?
Abel Luck over 5 years ago
Also.. is it strange that there exist no CloudWatch metrics for creating Alarms for AWS Config and AWS State Manager failed associations?
Chris Fowles over 5 years ago
I've always found the limit of 10 attached policies to a role to be a real limiting factor in well designed granular IAM policies - does anyone have any patterns or techniques that they use to get around this?
I really want to be able to have policies that are "Allow-This-Specific-Thing" rather than "Allow-These-20-Things-That-This-Specific-Service-Needs", as I think it's a much easier pattern to reason with
Prasad over 5 years ago
Hello all, might be a basic query: is the Resource block mandatory in resource policies?
If I'm attaching the resource policy to a bucket, I was hoping the only required fields are effect allow and principal as a minimum requirement
Eric Berg over 5 years ago
Has anybody seen this error message?
I haven't found anything helpful. I opened a case with AWS, but wondering if the genius pool here might come up with something. Thanks!
Error: Error setting SSLNegotiationPolicy: InvalidConfigurationRequest: external-tls can be associated only with a listener with one of HTTPS, SSL as frontend protocol
status code: 409
David over 5 years ago
Does Cognito integrate at all into Cloud Map / Service Discovery? I'm moving some ECS Fargate services that are behind an ALB (with Cognito auth) to use Service Discovery, but am unsure how to force beyondcorp auth
sheldonh over 5 years ago
I set up a terraform service account creator for multiple accounts. It uses the Cloudposse iam user service user module.
That means I have 7-8 plans in Terraform Cloud that any update automatically runs and deploys.
Then I get the benefit of all my jobs running a data source = this plan = get aws access key.
However, I’d prefer to avoid iam keys and use roles when possible.
Is this the correct thought process?
1. Create home user account with the same approach.
2. Create roles in each account for the terraform-service account
3. Add trust relationship and allow the iam home account principal user to assume role
4. Ensure MFA not set on this particular user
5. Done?
I’ve had such a time of it in the past with roles I had given up due to time. I’m ready to revisit to set up better, and think this is the correct way to go about it, otherwise I have iam creds for each account/user, which isn’t really preferred.
RB over 5 years ago
anyone come up with a terraform method of switching between launch_type=EC2 and launch_type=FARGATE with zero downtime? looking for a terraform-y way to do this.
I'm wondering if the code deploy method would work
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codedeploy_deployment_group#blue-green-deployments-with-ecs
Vlad Ionescu (he/him) over 5 years ago
AWS re:Invent 2020 is officially going virtual and free.
re:Invent will be presented across 3 weeks from Nov. 30 - Dec. 18, 2020
https://reinvent.awsevents.com/
Biswajit Das over 5 years ago
Hello All,
I have been working on a CW Alarm solution for a Project, where we are moving all the logs from text files to CW Logs log groups. I have to filter a particular line from AWS CW log-groups log and send SNS. I am able to do so via custom metrics.
However I am looking for customisation where I would look to get the complete Message of CW Log Group if there is a match in string?
Any help would be appreciated.
Thanks
Biswajit
Csaba over 5 years ago
Anyone know if AWS SSM Documents can be shared between regions? I can see a sharing option with other AWS accounts only.
I have tried it, and I can see the shared document only in the same region.
Should I replicate all my documents in every used region? Thanks
Balazs Varga over 5 years ago
AWS ELB throttling. Any idea how can I avoid it?
Erik Osterman (Cloud Posse) over 5 years ago
Use NLB? :-)