68 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Omer Sen over 5 years ago
Hi, Is GuarDuty required for CIS Benchmarks for AWS ?
Omer Sen over 5 years ago
anyone knows ?
Csaba over 5 years ago (edited)
Anyone tried S3 upload from browser directly using POST policy - to a bucket with AWS Signature Version 4?
I have the code which generates policy and signature - it's working with old buckets, but not anymore with new ones, as AWS made sig-v4 required for new buckets after June 2020. My form contains:
<input type="hidden" name="x-amz-algorithm" value="AWS4-HMAC-SHA256" />
still getting "The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256."
Any idea?
RB over 5 years ago
Is enabling key rotation on an existing kms key safe?
RB over 5 years ago
what's a good strategy for turning on and off agents on a golden ami using tags ? cannot find any blog post on it
sheldonh over 5 years ago
Does anyone have a cool way to generate the equivalent of a temporary S3 "dropbox" for a client to securely upload with a token, and tear down? I was thinking of just doing an AWS Automation doc that would create a randomized S3 bucket, create scoped credentials for just that bucket and upon finish tear it down. This AWS SSM Automation doc would be a self-service dropbox option for larger database transfers and all.
is there a better way to do this?
loren over 5 years ago
aws-vault just released v6, looks like some good stuff in there... https://github.com/99designs/aws-vault/releases/tag/v6.0.0
RB over 5 years ago
anyone use this for okta as a replacement for gimme-aws-creds from nike?
https://www.okta.com/blog/2020/05/how-okta-aws-sso-simplifies-admin-and-adds-cli-support/
PePe Amengual over 5 years ago
anyone here knowledgeable about Envoy proxy?
MrAtheist over 5 years ago
anyone knows of a way to identify if a user already has the "login-profile" enabled?
Jonathan Marcus over 5 years ago (edited)
What's a good way to profile my AWS API usage? We're hitting some RateLimitExceeded exceptions, and it would be great to start with data on what the calls are (you know, profiling instead of guessing). I've googled without success so far.
N over 5 years ago (edited)
I've been troubleshooting an IAM policy. Objective: give EC2 permission to add/remove security group rules, inbound and outbound. This is the policy I'm using. Funny thing is it works if I attach it to an IAM user and use awscli (I checked, the IAM user has no other permissions than what the policy grants), but when I attach an IAM role with the same policy to EC2, it doesn't. Do IAM users and roles interact with AWS differently? Thanks in advance :)
`{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
],
"Resource": [
"arn:aws:ec2:us-east-1:acnumber:security-group/*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "$NameOfTheSecurityGroup"
}
}
}
]
}`
Soumya over 5 years ago (edited)
hi, has anyone knowledge around the IAM role association to pods through service-account? I'm able to assume the role (assume-role-with-web-identity) of the same account, but now I need to assume a role present in a different account. I already tried attaching an assume-role policy to my role for that (the role present in the 2nd account) and even editing its trust relationships.
Thanks in advance
sheldonh over 5 years ago
AWS IAM Service Account assuming role in various other accounts in Terraform Cloud
Background:
I have 8 AWS Accounts.
I have 8 terraform cloud plans for deploying an IAM Service Account to each.
Each gets its own key.
I want to have
• create each of the service account users in a "home account"
• deploy the role for the service account to the remaining 7 (probably with group/role)
• in terraform cloud stop using the access keys (using data source lookup from terraform cloud state for the service account). Instead, I want to use assume role for all the other accounts.
My main questions
1. Anyone have a module laying this basic structure out?
2. Is there a problem with using assume role with terraform cloud agents?
3. I believe there are limitations when assume role is used, such as can't update IAM role or something (haven't gone to double check exact limits). Does this become problematic with using Terraform Cloud because things will start failing due to inherent limitations on an assumed role?
I'm ready to begin refactoring this from the access key approach to better design, but hoping someone else has laid this out in a blog post or is willing to talk through it here or on a call.
Igor over 5 years ago
For someone that switches between accounts a lot, is there a better workflow with aws-vault than to remember to log out first and then use the cli to log in?
Vlad Ionescu (he/him) over 5 years ago
This question's a bit different, but I need some opinions: https://twitter.com/iamvlaaaaaaad/status/1303727463072239616
Vlad Ionescu (he/him) over 5 years ago
^^^ you can reply here, I just posted the Tweet link so I don't have to copy/paste the photos
N over 5 years ago
I know it's a broad question, but how would you approach compliance in AWS, let's say ISO 27017 or any other, as a startup, granted you've limited resources? Maybe share some of your stories :)
RB over 5 years ago
We use a 3rd party agent that requires the ec2 describetags perms. We were thinking of creating a managed policy and attaching this policy to all of our roles since this agent will be installed on everything.
Is there a better way to solve this problem?
zidan over 5 years ago
Hello guys, how do you manage the deployment for containers in ECS? I have one service and one task; how do I utilize the EC2 instances? Right now I have two EC2 instances but only one has my containers and the other is empty, and if I make it one instance only I will not be able to deploy the new version.
Darren Cunningham over 5 years ago
Any recommendations on a dashboard for business users to review upcoming scheduled events (CloudWatch Rules)?
Andrew Roth over 5 years ago
Can someone ELI5 how cpu_options works in a Launch Template? https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#cpu-options
zidan over 5 years ago
Hi guys, I've a question.
In QA environment how do you provision and deploy the containers?
For example if I have a lot of QAs and all of them want to run at the same time: image tags follow the branch name, and we are using terraform and userdata to run the docker-compose file and run the containers, and after we finish the testing we destroy the resources using terraform destroy. But I'm feeling this is a bad way, so any recommendations? Or how do you guys do it?
Wali over 5 years ago
hello peoples, anyone know why the commit hash doesn't appear when the buildproject is automatically triggered? I'm expecting refs/head/master^{commit_hash} but i get refs/head/master when i don't trigger it manually
sarkis over 5 years ago
What do you all recommend for deploying to ECS, specifically need to just change a task definition json to modify the image tags and then deploy it up to a service. I have this automated via github actions using the aws-actions, but I need a "break glass" in case that isn't working right or need to revert to an older image tag. I'm leaning just interacting with the AWS api myself and using jq to do the image tag substitution - probably best…
PePe Amengual over 5 years ago
Anyone have seen this error before ?
rror: lost websocket connection with ECS Telemetry service (TCS): websocket: close 1008 (policy violation): InvalidContainerInstance: Missing container instance arn" module=handler.go
sarkis over 5 years ago
This is really strange, so I have an ALB and a Target Group with a path based health check, for some reason the ALB is hitting my application at / periodically (along with the normal healthcheck that hits the /health-check/path)
RB over 5 years ago
anyone know a safe and fast way of rebuilding an ecs cluster ? we recently opted into long arn format but have to recreate the cluster to take advantage
btai over 5 years ago
anyone having IAM issues right now?
loren over 5 years ago
yes, it's down hard
loren over 5 years ago
3:17 PM PDT We are investigating increased authentication error rates and latencies affecting IAM. IAM related requests to other AWS services may also be impacted.
https://status.aws.amazon.com/
mfridh over 5 years ago
Probably impacting other things since I just got some alerts about ASG activity that shouldn't happen...
Patrick Joyce over 5 years ago
anybody have any experience with or recommendations for AWS WAF alternatives like signal science or anything.
Maciek Strömich over 5 years ago
Hey folks, anyone using pro version of localstack to be able to use cognito locally? Does it work as expected and is the $15/per month/per developer worth the price?
Daniel Pilch over 5 years ago
Can anybody help me with advice on what is the best practice for creating IAM users for multiple AWS accounts? Ideally I'd like to create users in a "root" type account and then those users are granted access to perform actions in other accounts dependent on what type of account it is, e.g. dev/prod.
If there's a way to do this with an SSO type product like Okta that would be even better.
Thank you
btai over 5 years ago
is there a way to route your AWS ALB to a different target group if the first target group fails a healthcheck?
chrism over 5 years ago
Has anyone migrated their orgs into control tower? looks like pain in the butt
sheldonh over 5 years ago
Simplest static site hosting in aws that I can use security groups with to keep internal?
Thinking a fargate task that cicd builds with static site and hosts with something like "ran" and done. S3 buckets don't seem to have anything with groups and ec2 while ok wouldn't allow me to set target tasks at 1 for it to autoheal itself.
Any better way?
RB over 5 years ago
anyone know any fancy cli magic to find ec2 instances that are NOT in SSM ?
Abel Luck over 5 years ago
Looking to get alerts when AWS Secrets Manager rotation fails. There's no CW metric, rather Secrets Manager events go to Cloudtrail. Don't have much experience with Cloudtrail, how does one get alerts based off the cloudtrail event history?
RB over 5 years ago
is there a metadata file on ec2 amzn linux 2 instances that could possibly share the original ami that was used to create the instance ?
Matt Gowie over 5 years ago
Does anyone do AWS Access Key expiration / rotation via Terraform or otherwise in their org? Wondering how folks accomplish that without it being an "audit and ping team member" process.
RB over 5 years ago
is there a better way to put an acm cert on a static site without having to use cloudfront ?
loren over 5 years ago
this seems like it could have a lot of potential for simplifying authentication to api gateway endpoints and routes... https://aws.amazon.com/blogs/compute/introducing-iam-and-lambda-authorizers-for-amazon-api-gateway-http-apis/
David J. M. Karlsen over 5 years ago (edited)
Thought I'd ask here. I have an on-prem api accessible via VPN (and it has a public ip, although not accessible over internet) which I'm going to expose via api-gateway, however I see that NLB/ALB only supports private IP-ranges (https://aws.amazon.com/elasticloadbalancing/faqs/ "Can I load balance to any arbitrary IP address?") - are there any elegant solutions to avoid having to deploy my own reverse proxy?
Using a lambda function is the best bet maybe?
tweetyix over 5 years ago
Where do you want to place the ALB/NLB in that communication? It can be public facing.
Abel Luck over 5 years ago
Has anyone used https://github.com/awslabs/aws-securityhub-multiaccount-scripts to mass enable securityhub across many accounts? Does the "master" account referenced in the README, have to be the AWS Org master account? Or can we use a child-account as the "master" security hub account?
zidan over 5 years ago
#aws
Build once and run everywhere, is a great concept behind docker and containers in general, but how to deploy these containers, here is how I used ECS to deploy my containers, check it out and let me know how do you deploy your containers?
https://www.dailytask.co/task/manage-your-containers-deployment-using-aws-ecs-with-terraform-ahmed-zidan
Steve P over 5 years ago
I was wondering the best way to enable remote access to private resources (RDS, etc.) across different AWS accounts.
Currently I have a bastion per account (dev stage & prod), but have seen solutions where there's another VPC that peers with the 3 environments, then has a bastion/VPN for access. The added benefit being only 1 point of entry.
Any ideas/best practices to how this is implemented in 2020?
Milosb over 5 years ago
Did you guys notice any sqs random timeouts in last couple of days?
Milosb over 5 years ago
In Us-east1 only
Laurynas over 5 years ago
Anyone running ecs on 100% spot instances? Are there any risk of it terminating all my instances and not being able to provision new ones?
Abel Luck over 5 years ago
Anyone have any thoughts on Control Tower? We've our own half-baked landing zone impl in terraform, but could consider moving to Control Tower now that it supports enrolling existing accounts. It would require moving our AWS SSO to a different region however, which, oof, but we'd like to spend less time managing the stuff Control Tower would do for us. Any success or horror stories?
Chris Fowles over 5 years ago (edited)
at previous job we did a pretty extensive review of control tower for a national retail org and found the solution lacking in quite a few areas, as well as being hard to maintain or customise and extremely opaque to troubleshoot.
this was > 1 year ago and it might be much better now.
looking over the headlines briefly now it doesn't sound like they've added much.
i'd recommend approaching with caution.
RB over 5 years ago
how do you recommend creating new aws accounts programmatically?
vFondevilla over 5 years ago
We're onboarding us to the Control Tower on my new job. Thursday I have a demo from the engineer deploying it. Nice timing.
Abel Luck over 5 years ago
I just deployed it in a sandbox Org and I didn't see any CF at all, can't comment on what happens behind the scenes
Abel Luck over 5 years ago
It doesn't automatically setup securityhub and guarduty though, which is a PITA
Abel Luck over 5 years ago
It does configure cloudtrail however
Abel Luck over 5 years ago
I even tested the enrolling of existing accounts into Control Tower and it worked fine, once I added a role to the child account
Eric Berg over 5 years ago
Anybody attending the AWS summit today? Any good sessions you'd recommend? I just spent 10 minutes looking for an agenda or calendar of sessions...or anything and just bailed, due to lack of info.
sheldonh over 5 years ago
So I want to run more tasks in docker containers.
I have some migration tasks and other things that are more long-running than a lambda really fits.
I'd use azure devops containers but they need to be able to access a private subnet so that's kind of out.
Couple basic questions
- if I deploy an ECS fargate task ... It still requires ECS cluster. Is it basically just metadata at that point since I don't have any running tasks and I'm not actually provisioning any server?
- the only reason I haven't done a lot more docker ad hoc type tasks is all the plumbing required to get that stuff running. Does the new docker and ECS integration hold a lot of promise for me to quickly deploy something I tested locally? This is for devops type tasks not running application stacks right now
- can I mix fargate tasks with Windows and Linux, or does fargate still not support Windows?
Joe Niland over 5 years ago
Does anyone know if Service Discovery (Cloud Map) DNS can be used outside of ECS? It seems to work in Lambda, although I haven't tested it personally - my client tells me it does.
Ideally we need to resolve service discovery DNS on a Client VPN Endpoint.