14 messages
Discussion related to Amazon Web Services (AWS)
Archive: https://archive.sweetops.com/aws/
Yaakov Amar about 1 year ago (edited)
Hey CloudPosse community!🎉
Heads up on a critical AWS EBS policy change that could cause issues if not addressed (for example). AWS's notification only covers policies used in the last 90 days, potentially missing infrequently used ones in large environments.
To help tackle this, I've created an open-source Python CLI tool that scans ALL policies, regardless of recent usage, and outputs a CSV based on policy statements. This can help catch and identify every affected policy, even rarely used ones.
The tool is available for anyone to use: https://github.com/JacobAmar/aws-policy-checker
All you need to do in order to generate a CSV file containing all the policies that contain this statement is simply run:
python3 main.py --region us-east-1 --workers 50 --statement ec2:CreateVolume
(workers are optional but good to use when you have a lot of policies; the statement can be any other statement)
Hope this helps fellow DevOps pros facing this challenge across various organizations!
Feel free to check it out, contribute, or share feedback!
Cheers!🍻
jaysun about 1 year ago
anyone have experience with both of these aws cli tools?
• https://github.com/synfinatic/aws-sso-cli
• https://www.granted.dev/
we're all in on aws iam identity center (SSO) so both of these work for us, but i'm curious if anyone has pros vs cons to share ❤️
shannon agarwal about 1 year ago
Anyone have experience with AWS Resource Explorer?
jaysun about 1 year ago
what's everyone here using for cost visibility / management for aws? we used quicksight years ago and it wasn't the best... it also was terrible for eks costs, but I hear they've integrated kubecost under the hood. aws cost management is a nightmare so looking for some advice.
Rishav about 1 year ago
It might be early, but I'm willing to bet this is the best feature that AWS will ship this year:
AWS Management Console now supports simultaneous sign-in for multiple AWS accounts
Juan Pablo Lorier about 1 year ago
Hi, I'm using the latest EKS node group module and even though I see that the module uses
lifecycle {
  create_before_destroy = false
  ignore_changes = [scaling_config[0].desired_size]
}
Terraform still errors with existing nodegroup every time it needs to recreate the nodegroup. Could this be due to some time required for the destroy to be processed in AWS before allowing the recreation?
Eduardo Silvi about 1 year ago
Hi folks!
I'm trying this terraform module to create a client VPN to let developers access resources under my private subnets.
But something isn't working, the module creates the server and the client certificate inside AWS certificate manager, but I cannot download them. I suppose I have to manually download them as when I try to download the .ovpn conf file of the client vpn endpoint, it only contains the CA, not the others.
How can I correctly set up my vpn? I think I'm doing something wrong
Erik Osterman (Cloud Posse) about 1 year ago
It’s best to use #terraform for terraform questions
Shlomo Sfez about 1 year ago
Is anyone else experiencing issues with AWS Client VPN configured with SSO (Google)?
Specifically, frequent disconnections that require reconnection after every short MacBook sleep / network disconnections?
Soren Jensen about 1 year ago (edited)
Hi All, I need a bit of help picking the right solution.
Problem description: I have an API deployed on an EC2 instance. I want the EC2 instance protected in a private subnet, and part of an auto scaling group.
Users should authenticate to the API with an API key, ideally also rate limiting and throttling.
Solution: API gateway REST API with a usage plan requiring an API token should handle this. I'd like to set up the API Gateway with the greedy path /{proxy+} forwarding the complete path to an Application load balancer. The ALB will have a HTTP Listener and forward the traffic to one of the EC2 instances in the auto scaling group.
Issues: It's not working 💥
1) The complete path is not passed onto the ALB resulting in always returning /, not the requested path.
2) The ALB has to be public for it to work, but this leaves the API vulnerable as auth is done by the API Gateway, but it can very easily be bypassed by going directly to the ALB?!
💫 Any help will be much appreciated.
Could be a link to a public repo with a terraform with APIGW -> ALB -> EC2 or argue why my idea is flawed and how I should design it instead.
managedkaos about 1 year ago
Get ready to say farewell to the OG viewer in CloudFormation! 🙋♂️🏾 🥹
Ihor Urazov about 1 year ago
Does anyone configure AWS ARC Zonal autoshift? It sounds really interesting on paper. But in practice it requires a CloudWatch Alarm for each managed resource, which blocks the whole approach in my case, as I don't use CloudWatch for monitoring/alerting. And without a CW Alarm it isn't allowed to enable autoshift and practice runs. https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-autoshift.start-cancel.html#arc-zonal-autoshift.edit-delete-practice-run
I'm tempted to create a dummy CW Alarm, just to pass this validation. It's just I don't know if it's really worth it. Hence my original question. Do you configure Zonal autoshift, and does it work for you?
Eduardo Silvi about 1 year ago
Hi folks, I've created an AWS Client VPN using the module cloudposse/ec2-client-vpn/aws. I recently enabled split tunneling, and everything works fine except for the fact that when I disconnect from the VPN, my local routing table has no default entry (only specific ones), which prevents me from navigating the web.
How could I solve this, without restarting the network interface or the machine every time I close the vpn?
thanks