#aws - July 2022

Hello, do you have any recommendations on unified (or SSO) for SSH? We do not want to manually copy-delete ssh keys all over our EC2 instances.

Thanks @Andrey Taranik. Any alternatives? We tried Teleport but for some reason we keep needing restarting services every now and then and I don’t find it straightforward

or just build your own solution as described in smallstep blog https://smallstep.com/blog/diy-single-sign-on-for-ssh/

Does anyone know if it's possible to see how much electricity your aws resources are consuming? Alternatively find a co2 footprint of the resources?

Anyone have any flakiness issues with codedeploy? I have a lot of services using it and when I trigger too many codedeploys at once it seems the whole thing just freezes but not always, it's weird.

I am currently at at EKS version 1.20.
Do you know if there is a deadline for upgrading this version?

I’m having a trouble finding an answer on AWS docs, Anyone happens to know whether it’s possible to configure an Application Load Balancer to accept requests only from API gateway?

I meet an error when using terraform-aws-eks-cluster.
Error: Invalid count argument
on .terraform/modules/eks/main.tf line 34, in resource "aws_kms_key" "cluster":
34: count = local.enabled && var.cluster_encryption_config_enabled && var.cluster_encryption_config_kms_key_id == "" ? 1 : 0

Hey I was wondering where I could find documentation for all the arguments s3_replication_rules accepts for https://github.com/cloudposse/terraform-aws-s3-bucket#input_s3_replication_rules ?

The documentation just says a list(any)

Anyone know how to have session manager sit behind OpenVPN, so user is required to connect to OpenVPN before a session can be started

this should be AWS CLI not via console

Hey all!
im trying to install your Aws-ebs-csi-driver by that guide
https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html
created all the roles and policies.
on a quick look at the ebs-csi-node pod at my k8s env i can see that i get that error from ebs-plugin container :

`I0628 10:44:05.130666 1 metadata.go:85] retrieving instance data from ec2 metadata
I0628 10:44:05.135264 1 metadata.go:92] ec2 metadata is available
panic: could not get number of attached ENIs
goroutine 1 [running]:
<http://github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver.newNodeService(0xc0000c6f00)|github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver.newNodeService(0xc0000c6f00)>
/go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver/node.go:86 +0x269
<http://github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver.NewDriver({0xc000609f30|github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver.NewDriver({0xc000609f30>, 0x8, 0x55})
/go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/pkg/driver/driver.go:95 +0x38e
main.main()
/go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/cmd/main.go:46 +0x365

`
im using v1.7.0-eksbuild.0 deriver version and 1.20 k8s version.
do you now how can i solve it ?
Thanks !

Is here the right channel for questions regarding cloud formation ?

Question. Is it more common to do VPC Peering Connections with vendors of managed services such as Databases? Or is it more common to do VPC PrivateLink & Endpoints?

I have been asked to move 2 .Net Core applications that are running as apps on Azure App Services to AWS. What is the best method to deploy these apps
Would the deployment need a beanstalk per .Net CORE App or would this option be more suitable. I am after the quickest solution!!
https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/deployment-beanstalk-multiple-application.html

Hi all!

We have an Aurora Serverless PostgreSQL instance in a private subnet. Now our customer wants to connect an externally hosted application (on Azure) to it. As a temporary fix we have manually created a new "Regional Cluster" (non-serverless) based off a snapshot of the Serverless DB Cluster, gave it a public IP and firewalled it to the customer-provided subnets.

However, they would need more up-to-date information. I would like to prevent deleting the old DB regional cluster + re-creating it on a daily/weekly basis since it would give a new IP every time.

For this I am currently leaning toward setting up a fresh (public, firewalled, SSL-enforeced) DB and using DMS to sync the databases so that the external party always has access to the most recent data without needing access to the actual DB instance. The snapshot alone is 76GiB and the sync should be done outside of office hours, which makes it a bit more tricky.

Would this be a good approach or are there better/easier alternatives? Thanks!

A friend of mine is the CEO of this early-stage startup and asked that I share it around, in case anyone finds it interesting: https://www.usage.ai/

Hi I am trying to incorporate congnito with an ALB, but i am getting this error when creating the listener rule and with "client_credentials" oauth flow:

│ Error: Error creating LB Listener Rule: InvalidLoadBalancerAction: The authorization code grant OAuth flow must be enabled in the user pool client

I don't understand why client credentials does not work with the ALB.

hello all, Is there a way to renew a cert where we have only private hosted zone? I cannot access the main public domain so cannot do my trick to point it to a new public zone until cert will be renewed.

Hi! Is there anyone who is going to the AWS reInforce?

Hello all. Is there a way to programmatically upgrade the Kubernetes version of an EKS cluster (on AWS) ?

💌 AWS Security Digest Newsletter #79 is out!

1️⃣ Fourteen AWS Security Best Practices in IAM
2️⃣ [VIDEO] Speeding Up AWS IAM Least Privileges
3️⃣ Open-source proof-of-concept client for IAM Roles Anywhere

📖 Read more: https://asd.zoph.io

hi folks, am trying to get a feeling of what sort of solutions/ approaches you took to manage/ adhere to IAM least privilege principle ?

I find that the granular we go the higher the cost is to manage it for various users. AWS Managed policies are too "open" and then when you combine that across various accounts is getting even harder.

If going with AWS SSO then we need to work on permission sets and the main prob around manage them is still there imo.

Did anybody experience latencies with one service calling a service in another subnet/AZ?

I have an issue where an app/pod running in EKS, is responding much faster to requests when running in a specific subnet/AZ compared to running in the other subnets/AZ's.

The only obvious characteristic of the "fast" subnet/AZ is that a Elasticache/Redis is running in it which the app is heavily using.

Ideas about how to debug this?

Hello team! I require some advice/help on this.

I just deployed terraform-aws-elasticsearch (7.10) from this module https://github.com/cloudposse/terraform-aws-elasticsearch via terraform.
Then via the aws console i updated my ES cluster to opensearch v1.2.

Now i wonder if my terraform code would be synced to the changes? i believe it will not be sync. Can i still use this same module for opensearch??

I'd be interested to hear if anyone else has tried to have private hosted zones for services within a given region but also want to have a public hosted zone that can point to the active regional resource. I'm trying to figure out of there's an automatic way to go about this or if I need to look at crafting something external

Hey Everyone.. Wondering a easy yet effective way to do a bulk deletion of EBS snapshots. Got a list (thousands) of older snapshots to be cleaned. Appreciate your inputs.

do you know anything about xcurrent issue ? any eta to solve ? all clusters in OHIO are down 😞

Mine seems to have come back up for now, lol. Datadog ddos'd my voicemail though.

it comes back and goes down... flacky...

Yeah, for sure.

they wrote only 1 az affected, but I saw errors on all AZ-s

Yeah, it was def all of them, even if it was brief. I literally saw all of my AZ's go down lol

👋 Hello, team!
https://github.com/cloudposse/terraform-aws-emr-cluster
Does this module support instance fleet?