49 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
mado over 3 years ago
Let’s say I have an S3 bucket called “abc” and a folder in it like “abc/tmp”. I already restricted the IAM policy to allow only PutObject in “abc/tmp” and “abc/tmp/*”. But somehow the API I created can still upload files to a random folder like “abc/tmp99999”… Any other restrictions I have to set??
Kirupakaran over 3 years ago
Hi, anyone aware of how to avoid bot attacks? My project has been attacked by bots; my infra is AWS and Cloudflare.
Vlad Ionescu (he/him) over 3 years ago (edited)
This is going to make a lot of people happy: https://aws.amazon.com/about-aws/whats-new/2022/09/aws-iam-identity-center-apis-manage-users-groups-scale/
AWS is launching additional APIs to create, read, update and delete users and groups in AWS IAM Identity Center (successor to AWS Single Sign-On)
Jan-Arve Nygård over 3 years ago
Anyone else using Account Factory for Terraform and having issues with the CodeBuild job for creating the customization pipeline layer for Lambda looping and being built on every terraform plan and apply?
Brent Garber over 3 years ago
So right now we have a bunch of S3 buckets, and each bucket has its own Lambda function and corresponding IAM roles/policies to be sure that said function can 100% only access that bucket. Is there a way to consolidate down to a single policy for all but still enforce that least-access principle? Playing around with the conditionals TagKeys and ResourceKeys, but can't seem to find the proper DWIW.
Jeremy (UnderGrid Network Services) over 3 years ago
anyone using the terraform-aws-eks-cluster and terraform-aws-eks-node-group modules setting the ENABLE_POD_ENI for the aws-node to tell the CNI to utilize pod security groups?
Niv Weiss over 3 years ago
We are uploading our product to AWS Marketplace. Where do I need to provide this one license secret key? Thanks!
Kirupakaran over 3 years ago
Hi, everyone aware of sitemap.xml? My problem is that nginx will take some time to load the proxy pass.
idan levi over 3 years ago
Hey all!
I’m using Route53 as my DNS provider and Nginx-ingress-controller as ingress in my k8s env. I want to redirect between 2 ingresses, for example, all requests that go to app.x.io will redirect to app.x.com.
I tried to create a CNAME alias but it doesn’t work. Does someone have an idea?
Kirupakaran over 3 years ago
Hey all, can we have the same size of CPU and memory in ECS Fargate? e.g. cpu=2048 and memory=2048?
Jonas Steinberg over 3 years ago
Curious what tags people think are critical? Here's a list of the ones I think are generally useful, but would sure love to learn more:
• environment: [dev, qa, staging, prod, whatever]
• version control: [github, gitlab, whatever]
• cicd: [circle, github, gitlab, whatever]
• needs-to-stay-on-24hours: [true, false]
• various-can-cannot-be-public: [true, false]
• chargeback_id: 123456789
• department: [finance, it, eng, whatever]
• repo: some-github-repo
• product_owner: foo@bar.com
still thinking
Kirupakaran over 3 years ago
Can anyone help me to assign the ECS Fargate public IP to the target group? Currently the private IP is assigned on the target group.
deniz gökçin over 3 years ago
Hello, I am having problems with Cloud Map + ECS service discovery. I am not able to ping or dig a container from another container (using ECS Exec) in the same ECS Fargate cluster (awsvpc mode). Anyone had a similar problem? Looking forward to replies. Thanks!
Eric Berg over 3 years ago
When my AWS managed node groups (created with terraform-aws-modules/eks/aws//modules/eks-managed-node-group) change using Terraform (or related launch configs, security groups, etc.), and the MNG's ASG is recycled, I have a min/max/desired of 1/2/1, and during the recycling it spins up up to 7 additional EC2 instances before settling down on a single one. Anybody else see this and/or know how to manage it?
Taner over 3 years ago
Hello all, I am having trouble with terraform. Basically the problem is somewhat related to an unreadable vpc_id, although I can see it gets read in the state file. Anybody had a similar error before?
Alexandr Bortnik over 3 years ago
Hello!
I would like to clarify about cloudposse/eks-node-group/aws: is it possible to disable random_pet?
idan levi over 3 years ago
Hey all
Small question about Route53. I’m using Kinsta as my domain host and Route53 as my DNS management. I need to renew the SSL certificate for my domain. I didn’t fully understand the process to do it with the TXT record on Route53; is someone able to answer a few questions?
Kirupakaran over 3 years ago
Hi all, our database has been attacked by SQL injection. We are using Aurora MySQL and CPU utilization is almost 100%. How can I stop this? Any suggestions?
jedineeper over 3 years ago
Anyone got any advice on how I could better present a service in EKS as an origin for a CloudFront distribution? I'm currently just going through my ingress controller to a domain name that the distribution reads, but that means I have an intermediate domain name for the ingress as well as a public origin that I'd rather secure down to just CloudFront.
Matt Gowie over 3 years ago (edited)
Hey folks — Quick AWS Route53 question I have while migrating a client’s DNS architecture:
Is it possible to have two Route53 Hosted Zones control the same domain (e.g. .example.com) across separate accounts? In that I have some records for www.example.com and .example.com on Hosted Zone #1 and then I have similar records for *.example.com on Hosted Zone #2 as well?
I am hoping so if they both point their NS records at the correct, authoritative nameservers, but I figured I’d check here before I tested this out.
ghostface over 3 years ago (edited)
Hi all,
I have a pod in EKS configured with a ServiceAccount which configures a role for the pod to use. So
AWS_ROLE_ARN=arn:aws:sts::000000000:assumed-role/podrole aws sts get-caller-identity
{
"UserId": "0000E:botocore-session-0000000",
"Account": "000000",
"Arn": "arn:aws:sts::000000000:assumed-role/podrole/botocore-session-222222222"
}
I want to allow this role to assume another role in a different account via a profile in ~/.aws/config
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
credential_source = Environment
This is an example from the docs here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
I was hoping credential_source would pick up the AWS_ROLE_ARN env vars set by the service account.
aws sts get-caller-identity --profile marketingadmin
Error when retrieving credentials from Environment: No credentials found in credential_source referenced in profile marketingadmin
Does anyone have a workaround?
deniz gökçin over 3 years ago
Hi all!
A quick AWS security question. Is there anyone who is using AWS Security Hub and AWS Config with AWS Organizations? I am not able to see the resources from member accounts and I have the “Config.1 AWS Config should be enabled” error. Do I need to enable AWS Config in each member account manually?
Adnan over 3 years ago
I am trying to get the aws-ebs-csi-driver helm chart working on an EKS 1.23 cluster. The message I am getting from PVC events:
failed to provision volume with StorageClass "gp2": error generating accessibility requirements: no topology key found on CSINode
The CSI topology feature docs say that:
• The PluginCapability must support VOLUME_ACCESSIBILITY_CONSTRAINTS.
• The plugin must fill in accessible_topology in NodeGetInfoResponse. This information will be used to populate the Kubernetes CSINode object and add the topology labels to the Node object.
• During CreateVolume, the topology information will get passed in through CreateVolumeRequest.accessibility_requirements.
I am not sure how to configure these points.
Balazs Varga over 3 years ago
hello. What is the limit of subaccounts? If I would like to run a customer cluster in a separate subaccount, is that possible? Or is there a limit?
Darren Cunningham over 3 years ago
there’s a soft limit of 10 accounts but that can be increased with a service request - largest org I’ve seen was ~220 accounts but I’m sure there are larger ones
Balazs Varga over 3 years ago
thanks
Soren Jensen over 3 years ago
One thing to be aware of is that it takes a lot more effort to delete an account than to create one. So depending on how long an engagement you expect from your users, it might not be worth the hassle.
Bogdan over 3 years ago
cross-posting from hangops since I’m really looking for a solution:
does anyone know if there’s an automatic way to block pulling/consuming of a Docker image from AWS ECR if the said image has been discovered to have vulnerabilities? By automatic here I am thinking of even updating IAM policies with a DENY statement…
Balazs Varga over 3 years ago
Hello all, I am testing AWS Organizations with SSO with an external IdP. Is it possible that SAML is the only option and there is no OIDC?
Balazs Varga over 3 years ago (edited)
Can I find a good Node.js module for the SCIM API for auto-provisioning?
sohaibahmed98 over 3 years ago (edited)
Hello all, can I store Docker images in S3 instead of ECR in order to optimize cost?
For example:
If I use ECR with VPC endpoints (ecr.dkr, ecr.api), then pricing will be per VPC endpoint per AZ ($/hour), which is costly. But if I store Docker images in S3 with the gateway VPC endpoint for S3, which is free, and use the S3 Docker image path inside the task definition, then the cost might be less.
What is the best practice?
What would be the disadvantages of storing Docker images in S3 instead of ECR?
Is this a correct approach, to store Docker images in S3?
Darren Cunningham over 3 years ago
you probably could rig up a solution to publish images to S3 and pull them via s3, but the cost of all that complexity (and likely marooning yourself from the integrations with image scanning, eks, fargate, etc) just isn’t worth it.
Kirupakaran over 3 years ago
Hi everyone, when I restored an AWS Aurora instance, do I have to create the reader instance manually, or will it create reader instances automatically??
Karim Benjelloun over 3 years ago (edited)
Hello, any alternatives to run a managed private CA? I feel AWS pricing is quite expensive ($400 per month + $0.75 per certificate).
Balazs Varga over 3 years ago
hello, can I create a 4-eyes solution with AWS resources for AWS switch role?
The idea is to give read permission to the user and give the admin role with switch role, but only with approval.
MJD over 3 years ago
Looking for a bit of inspiration. I want to walk my AWS accounts on a regular basis (say hourly), catalogue all EC2 instances that meet a certain set of tag conditions, and display details in a 'status' type way, e.g. filter all EC2 where tag1=false, tag2!=bob and print {tag3, tag4, tag5} in a nice dashboard type table. I thought this would be easy to do with Datadog and tags, but because it's using just tags or conditional tag searches, it's bad.
Kirupakaran over 3 years ago
Hi everyone, how can I automate AWS Aurora automated backups? Partial data should be exported into S3??
Vinko Vrsalovic over 3 years ago
Can I ask architecture questions? I want to deploy a dotnet 6 application that is backed by PostgreSQL. The application exposes a REST API and also has an internally scheduled process that runs batch processing.
I'm torn between splitting up the batch processing from the REST API, using Lambda+API Gateway for the API and a simple ECS container for the batch processing. OR, having containers for both things. I'm thinking about provisioned Aurora for PostgreSQL (serverless v2 seems really pricey for now)
I'm also torn between ECS and EKS, I feel that EKS might be overkill for now.
Any other options I'm missing?
yegorski over 3 years ago
Resurrecting an old topic. With aws-okta no longer maintained and no longer installable via Homebrew, what are folks using to grant CLI access to AWS via Okta? We use Okta SSO as a SAML provider for our AWS org.
fotag over 3 years ago
Does anyone know why (technically) you can’t delete/modify an RDS instance that’s in the stopped state?
Azar over 3 years ago
https://www.reddit.com/r/kubernetes/comments/xlfcs2/what_should_make_me_consider_moving_from_ecs_to/
Has lots of good insights. But the one ❤️ is this only
Aritra Banerjee over 3 years ago
Hi, does AWS Database Migration Service work for an RDS to RDS transfer? We have a new site going live and we want to sync the prod database with a new database, and after everything is verified we will change the RDS from the old one to the new one.
Brent Garber over 3 years ago
Is there a way to force iam_policy_document to output the principals as a list even if there's a single element?
Brent Garber over 3 years ago (edited)
principals {
identifiers = ["arn:aws:sts::${local.account_id}:assumed-role/task-role/*"]
type = "AWS"
}
gets spit out to
"Principal": { "AWS": "arn:aws:sts::XXXXXXX:assumed-role/task-role/*" }
but OpenSearch wants that as
"Principal": { "AWS": [ "arn:aws:sts::XXXXXXX:assumed-role/task-role/*" ] }
Balazs Varga over 3 years ago
hello,
what is the issue with this?
My goal is to give access to a subaccount in the organization under an OU to a resource that is in another account in the same organization.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MyOrgOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::thebucketofmydreams",
        "arn:aws:s3:::thebucketofmydreams/*"
      ],
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": ["o-funny/r-stuff/ou-path"]
        }
      }
    }
  ]
}
Balazs Varga over 3 years ago
hello, another day, another question 😉
I have a VPC in account A and a private hosted zone in account B.
I would like to associate them, but I don’t want to use creds from A. I created a role in A that can be called from B, but how could I call it? I need to automate this 🙂
Vicente over 3 years ago
Hello! I have a dedicated connection with Direct Connect. According to the engineer who set up Direct Connect on their end, I should be able to telnet a host on port 53. He told me that I need to set the primary and backup DNS to x.x.x.1 and x.x.x.2 (I guess this is done by changing the DHCP option sets in the VPC, but I am not sure). Is that the right approach to set DNS as per the engineer's requests? If so, how can I reach the instance via RDP on the private subnet? I think an RD Gateway could help, but I am a bit lost; changing DHCP makes the instance unreachable via VPC endpoints and SSM session.
Balazs Varga over 3 years ago
I did not find any info about transit gateway modification. My question is, will there be any outage if I modify the TGW to enable the cross-account auto-accept shared attachment?
Jeremy (UnderGrid Network Services) over 3 years ago
So I'm looking at being prepared to upgrade an AWS EKS cluster to 1.23+, which requires the EBS CSI driver. Currently using the cloudposse/eks-cluster/aws module and looking to see if anyone else has already attempted this and, if so, what changes are needed.