34 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Michael Dizon, over 3 years ago
I'm trying to create an alarm that is sort of like a heartbeat for CloudTrail logs. Right now I'm trying to force it into an alarm state but can't seem to get it to work.
Michael Dizon, over 3 years ago
My filter_pattern is
{ ($.eventVersion = "1.08") }
I've also tried it with a blank.
Michael Dizon, over 3 years ago
When I test the filter pattern in the AWS console, it works fine.
Michael Dizon, over 3 years ago
But when I create the metric filter, it does not work.
Michael Dizon, over 3 years ago
FWIW, I'm using the https://github.com/cloudposse/terraform-aws-cloudtrail-cloudwatch-alarms repo
Michael Dizon, over 3 years ago
and I've updated the custom_alerts.yaml
Adnan, over 3 years ago
How to construct a trust policy for allowing role assumption from multiple / all clusters in one account?
This is the docs example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:default:my-service-account",
          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
This is coupled to one particular OIDC provider, i.e. one cluster.
Is there a way to make it cluster independent?
Brent Garber, over 3 years ago
What's the AWS best practice to move to once you start running into SG rule limits?
Manoj Kumar, over 3 years ago
Hi, I am creating an Ingress with kubectl using a YAML file. The Ingress in the cluster gets created but no ALB gets created in AWS. Does anyone have an idea how I can get an ALB created in AWS when I create an Ingress in an EKS cluster?
Thanks
Cales, over 3 years ago
I've been pondering a thought lately but I'm not sure it's a good one...
When setting up a new AWS account set for a product team (prod, staging, sandbox, etc...) our current go-to is for the Terraform state to reside in a bucket that is part of the account it controls.
Given that the Terraform state can contain sensitive information and all that, would it not be sensible to set up a separate account per account set where the product team has limited permissions to read and write state in a designated bucket and which is otherwise separated from the actual product account? Good idea or complete overkill? Looking forward to your thoughts :)
Yoav Maman, over 3 years ago (edited)
Hi,
I'm trying to figure out how to create a dashboard showing the most used API Gateway keys over time. I can't find these metrics in CloudWatch and am looking through the API reference for a solution; does anyone know the best way to approach this?
Edit: I guess I'll be using the /usageplans/usageplanId/usage endpoint for all usage plans without specifying a key.
azec, over 3 years ago
Not sure if there is a better channel for sharing this, but AWS SAM CLI now supports Terraform (not just CloudFormation):
https://aws.amazon.com/blogs/compute/better-together-aws-sam-cli-and-hashicorp-terraform
taskiner, over 3 years ago
Hi folks, first of all sorry if this is not the best place to ask about this topic. I've been working on AWS SSM and AWS Config to design a FIM (File Integrity Monitoring) solution on AWS. I am collecting AWS::SSM::FileData without any problems and seeing ManagedInventories on the AWS Config side. I failed to create an AWS Config rule to detect changes on FileData resources. I suspect I might have to develop a custom Lambda rule but wanted to ask here first to see if anyone has dealt with this before. Any feedback or thoughts appreciated.
Andrea Cavagna, over 3 years ago
Hi everyone!
Sorry for missing this community in the last weeks!
Today I'm here to share an automation I've added to improve my work with AWS:
Ability to open multiple AWS consoles concurrently in the same browser, directly from a central point
https://twitter.com/a_cava94/status/1593235007828422656
I hope this is something that can help you and I hope to hear as much feedback as possible
@Erik Osterman (Cloud Posse) see you at re:Invent?
John Reed, over 3 years ago
Link to download?
Darren Cunningham, over 3 years ago (edited)
His dev.to write-up has all the deets (link in the Tweet thread too)
Balazs Varga, over 3 years ago
When you design a whole new structure, what apps/tools do you use to draw it?
Darren Cunningham, over 3 years ago
https://www.cloudcraft.co/ - feature-rich paid option
https://excalidraw.com/ - (there is a library you can add) quick and free
J Norment, over 3 years ago
Has anyone ever used Transit Gateway to allow access to a vendor bucket in another region? I'm trying to build something that does this over PrivateLink ... and finding it a little tricky to implement ... VPC peering is undesirable here, as a matter of sec policy. ... I'm looking for an example ... preferably for a TF implementation, but any IaC would be helpful. I'm hoping for something that I can run in a lab environment to browse through how all the pieces fit together.
John Reed, over 3 years ago
Would be easier for the vendor to put it behind an SSL-secured/authed CloudFront distro that's accessed via HTTPS
Ronak Jain, over 3 years ago
Hi Everyone!
Amazon opened their online training and certifications for free. You can find the course list here
Enhance your skills with this opportunity 💪.
venkata, about 3 years ago
Ronak Jain, about 3 years ago
Hi Guys, I am trying to open my startup but don't have much money to host all my services on AWS.
So does AWS provide free credit?
AWS Activate Build your startup on AWS
Ronak Jain, about 3 years ago
Please let me know if it's beneficial: AWS Activate Build your startup on AWS.
Darren Cunningham, about 3 years ago
Activate is great if you can get it; they recently opened it up to the world to apply (it used to be that you had to have a code from a partner) so I'm sure they're swamped with requests. However, the credits are infamous for expiring. IMO it's best to try to implement your solution within the free tier limits as long as you can and then apply for Activate when you've grown to the point where you have enough monthly usage to really benefit from the credits.
bradym, about 3 years ago
I'm curious what other fully remote teams do to secure their root AWS account? Every piece of advice I've seen about keeping it secure is to have an MFA device and store it in a safe in the office or something similar. What if you don't have an office?
With the news of multiple MFA devices being supported for IAM accounts, I'm thinking maybe you do a Zoom with whoever should have access to the root account and have them each associate an MFA device with it?
Is there something better for teams that don't have a physical location?
j l, about 3 years ago
Hi folks
Sorry if this is not the right forum for my question. I have doubts between this and the #kubernetes channel.
I am using https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/ in order to create an internet-facing NLB through a Service (UDP) in Kubernetes.
I am using the following annotations
service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
service.beta.kubernetes.io/aws-load-balancer-eip-allocations: "eipalloc-xxx, eipalloc-yyy, eipalloc-zzz,"
service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-xxx, subnet-yyy, subnet-zzz,"
I wonder whether it is possible to reuse the same eip-allocations for all my other Kubernetes Services with the same requirement.
If I try to reuse them, I get
Failed deploy model due to ResourceInUse: ││ The allocation IDs are not available for use
Niv Weiss, about 3 years ago
Hey, we're using EKS Fargate and monitoring it using CloudWatch in the meantime.
1. Which metrics do you monitor?
2. Are you using any other observability tools other than CloudWatch that work well with EKS Fargate nodes?
Abdul Aziz Tetteh, about 3 years ago (edited)
Hi everyone, I'm working on a VPN tunnel to a third party and I was given an IP to NAT with which is outside the network CIDR of the VPC I'm connecting.
What I've tried:
• I created an AWS site-to-site VPN by using a transit gateway to connect a VPC I created with a CIDR to get the NAT IP that was shared, and tried to use that to direct traffic, but I realise the AWS VPN doesn't use the NAT so I'm unable to route traffic through it as I had thought.
• I also thought about creating NAT instances in the shared VPC and sharing that with the other VPC by VPC peering, but that didn't work either.
• I'm currently considering going with a software VPN on an EC2 instance (something like strongSwan) to do this and do the NAT on there.
Any ideas on how to go about this? Or anything I might be missing? Any guidance will be much appreciated. Thank you.
Erik Osterman (Cloud Posse), about 3 years ago
PePe Amengual, about 3 years ago
Can you have an AWS VPC with a CIDR like 10.0.0.0/16 for private subnets and a 192.168.x.x/16 for the public subnets?
johnny, about 3 years ago
Stretching out to my communities in hopes someone may have insight.
Anyone familiar with Windows nodes on EKS? I've thrown a gitlab-runner on a Windows node. It struggles to clone the repo with a failure to resolve.
12:23:40.247417 exec-cmd.c:237 trace: resolved executable dir:
C:/Program Files/git/mingw64/bin
12:23:52.415550 http.c:703 == Info: Could not resolve host:
gitlab.com
12:23:52.415550 http.c:703 == Info: Closing connection 0
fatal: unable to access
'https://gitlab.com/[MASKED]/sandbox/test-windows.git/': Could not resolve
host: gitlab.com
deniz gökçin, about 3 years ago
Hi all
I have a question about rightsizing ECS tasks. I have a few task definitions where each contains an app and an nginx sidecar. I noticed that, although the task CPU and task memory are the smallest values possible (256 CPU, 512 memory), the waste of CPU and memory is around 99 percent. What adjustments can I make to reduce my costs, since I feel like I am paying a lot for resources that I am not utilizing?
Thanks
Shreyank Sharma, about 3 years ago
Hello All,
We have to clean up an AWS Active Directory service which was created in 2017 by a former employee, but there is no documentation on where it is used or whether it was just created for a test.
I do not see any EC2 instance in the VPC where the Active Directory exists.
It is configured like this:
Directory type: Simple AD
Directory size: Small
I don't know the password and there is no proper documentation.
I checked all the CLI commands I can use to list users in this AD
https://docs.aws.amazon.com/cli/latest/reference/ds/index.html and couldn't find any.
Is there any way to know who the users in this AD are,
and how to know whether this AD is in use?
Thanks in advance