|
There’s also Wasabi if you’re even cheaper and want to backup Linux ISOs basically
|
# ? Apr 3, 2022 22:51 |
|
Can someone help me with syntax? For the PrivateIpAddress, I'm trying to import the value of PrivateSubnet3OctetCIDR from outputs but also add a string of .10 to the end of it. The syntax is incorrect. I've tried numerous iterations with no luck.
code:
"PrivateIpAddress": {"Fn::Join" : ["",[{"Fn::ImportValue" : {"Fn::Sub" : "PrivateSubnet3OctetCIDR"}},.10]]},
Scrapez fucked around with this message at 16:28 on Apr 5, 2022 |
# ? Apr 5, 2022 03:33 |
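The reason the snippet above fails is the bare `.10`: every part of an Fn::Join list has to be a JSON string, so the suffix must be written as `".10"`. The following is an added example, not code from the thread, that shows the difference with a small stand-in evaluator for Fn::Join, Fn::Sub and Fn::ImportValue. The export value `10.20.30` is constructed, and the evaluator is a teaching model, not CloudFormation's real engine.

```python
import json
import re

# Constructed stand-in for the other stack's exports; the value is hypothetical.
EXPORTS = {"PrivateSubnet3OctetCIDR": "10.20.30"}

# The poster's line, verbatim: the bare .10 is not a JSON token.
ORIGINAL_TEXT = (
    '{"Fn::Join" : ["",[{"Fn::ImportValue" : '
    '{"Fn::Sub" : "PrivateSubnet3OctetCIDR"}},.10]]}'
)

# The same expression with the suffix quoted, which is what CloudFormation needs.
FIXED = {
    "Fn::Join": ["", [
        {"Fn::ImportValue": {"Fn::Sub": "PrivateSubnet3OctetCIDR"}},
        ".10",
    ]]
}


def resolve(node, exports=EXPORTS, variables=None):
    """Evaluate the subset of intrinsic functions the snippet uses.

    Fn::Join concatenates string parts; Fn::Sub substitutes ${Name} from an
    optional variable map; Fn::ImportValue reads a cross-stack export.
    This is a teaching model, not CloudFormation's real evaluator.
    """
    variables = variables or {}
    if isinstance(node, list):
        return [resolve(n, exports, variables) for n in node]
    if not isinstance(node, dict):
        return node
    if "Fn::Join" in node:
        delimiter, parts = node["Fn::Join"]
        resolved = [resolve(p, exports, variables) for p in parts]
        non_strings = [p for p in resolved if not isinstance(p, str)]
        if non_strings:
            raise TypeError(f"Fn::Join parts must be strings, got {non_strings!r}")
        return delimiter.join(resolved)
    if "Fn::Sub" in node:
        spec = node["Fn::Sub"]
        template, local_vars = spec if isinstance(spec, list) else (spec, {})
        merged = {**variables, **local_vars}
        return re.sub(r"\$\{([^}]+)\}", lambda m: str(merged[m.group(1)]), template)
    if "Fn::ImportValue" in node:
        name = resolve(node["Fn::ImportValue"], exports, variables)
        if name not in exports:
            raise KeyError(f"no export named {name!r}")
        return exports[name]
    return {k: resolve(v, exports, variables) for k, v in node.items()}


def original_is_valid_json():
    """False: json.loads rejects the unquoted .10 before CloudFormation ever sees it."""
    try:
        json.loads(ORIGINAL_TEXT)
        return True
    except json.JSONDecodeError:
        return False


def join_rejects_number():
    """True: a numeric part is refused even when the JSON itself is well-formed."""
    try:
        resolve({"Fn::Join": ["", ["10.20.30", 0.10]]})
        return False
    except TypeError:
        return True


def private_ip():
    """The corrected expression resolves to the exported octets plus the .10 suffix."""
    return resolve(FIXED)


if __name__ == "__main__":
    print("original parses as JSON:", original_is_valid_json())
    print("PrivateIpAddress resolves to:", private_ip())
```

Run it as a script and it reports that the original text is not even parseable JSON, while the quoted form resolves to `10.20.30.10` under the constructed export.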
|
What are people doing here to manage and harden AMIs? Trying to push for us to at least patch the base AMIs at creation before they make it to production. Image builder seems like the go to but wondering what folks use.
|
# ? Apr 5, 2022 15:24 |
|
Packer all the way for our Linux AMIs, now using the Amazon-chroot builder because the EBS one is slow as poo poo
|
# ? Apr 5, 2022 17:56 |
BaseballPCHiker posted:What are people doing here to manage and harden AMIs? Trying to push for us to at least patch the base AMIs at creation before they make it to production. Image builder seems like the go to but wondering what folks use.

Packer for us as well. We use Amazon Linux 2 as our base AMI. Security updates are installed automatically on instance boot.
|
|
# ? Apr 5, 2022 21:30 |
|
Working on setting up an ECS service with an auto scaling group. Both the ASG and the service require a security group, and the application will require sending and receiving traffic to and from EFS and SQS. Should the autoscaling group and ECS service be in the same security group? Coming from a rewrite of a bunch of CDK code that was given to us by a consultant who might have been doing this for the first time so I have no idea what's correct and what's not. Current setup is EFS, SQS, the ECS service and the Auto Scaling groups are all in their own security groups with a web of inbound/outbound permissions on each.
|
# ? Apr 8, 2022 14:39 |
|
Hughmoris posted:Does anyone have any experience, or heard of experiences, for working at an AWS DoD gig?

I might be doing this soon. Still in the hiring process for SRE at an agency (on contract). IC/SMIL AWS does exist, I use mission apps on it every week.
|
# ? Apr 9, 2022 21:01 |
|
Woof Blitzer posted:I might be doing this soon. Still in the hiring process for SRE at an agency (on contract). IC/SMIL AWS does exist, I use mission apps on it every week.

Good luck! I actually had an AWS recruiter reach out to me last week but it was for non-cleared work, some sort of Cloud Support Engineer. Passed on it for now but can hopefully revisit the opportunity down the road.
|
# ? Apr 12, 2022 19:09 |
|
Hughmoris posted:Good luck!

I've been there for 7 years and don't hate it but it is highly dependent on whether your management chain sucks, as you can expect at a company so big. There are definitely cleared gigs in support/technical account management as well as jobs on airgapped networks but those are on-site only of course. I could throw your resume against the right listings if you'd like to shoot me a PM. My brother in law just got an entry level gig at Oracle in Seattle as an SRE that required clearance as well.
|
# ? Apr 14, 2022 04:19 |
|
Any IAM experts here? Trying to settle an internal debate. Some dev has a secret in Secrets Manager with a policy of secretsmanager:ListSecrets open to principal: AWS:"*" and resource:"*". While this is bad, my coworker is saying that would limit the ListSecrets to that particular account, while I am arguing that this effectively allows anyone within AWS org to make a ListSecrets API call. I think he is thinking that the policy has to explicitly list other accounts with permissions for cross account access while I am arguing that the "*" is effectively doing that. So long as the trusted account has permissions to make the ListSecrets call they could do so.
|
# ? Apr 14, 2022 13:09 |
|
BaseballPCHiker posted:Any IAM experts here? Trying to settle an internal debate.

Try it and tell them their secret if it works, make sure to take a picture of their face for posterity.
|
# ? Apr 14, 2022 13:55 |
|
Arzakon posted:I've been there for 7 years and don't hate it but it is highly dependent on whether your management chain sucks as you can expect at a company so big. There are definitely cleared gigs in support/technical account management as well as jobs on airgapped networks but those are on-site only of course. I could throw your resume against the right listings if you'd like to shoot me a PM. My brother in law just got an entry level gig at Oracle in Seattle as an SRE that required clearance as well.

Thanks for the offer to help. I'm going to hold at $newJob for a bit longer but I might PM you down the road when I start looking again.
|
# ? Apr 14, 2022 15:10 |
|
Does Access Analyzer tell you about it?
|
# ? Apr 14, 2022 15:13 |
|
Just-In-Timeberlake posted:Try it and tell them their secret if it works, make sure to take a picture of their face for posterity.

I did try it! And nothing exciting. The resource policy doesn't allow for the use of the GetSecretValue API call. So you can see some data associated with the key but nothing that useful, at least in my mind. Will tell them to fix and move on.
|
# ? Apr 14, 2022 17:26 |
|
A resource-based policy such as the one attached to a secret, when using Principal: AWS: "*", is effectively applying S3-style public access to that resource. It configures access for all users including anonymous users and you probably shouldn't do it, in general. It is still only half of the required permissions for cross account access, but it doesn't implicitly scope to "AWS accounts in my org" or anything (see link). A malicious actor will certainly configure the other half of the required permissions themselves and then there's nothing stopping this Secrets Manager config from allowing ListSecrets or whatever. If your developer intends to allow access to the org, they'd want to layer a Condition block in there using one of the global condition keys appropriate for their intent, at the minimum. Better would be to explicitly enumerate the principals that should have access.
|
# ? Apr 14, 2022 17:29 |
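The three shapes discussed in the posts above (wildcard principal with no condition, wildcard principal narrowed by a global condition key such as aws:PrincipalOrgID, and explicitly enumerated principals) can be told apart mechanically. The following is an added example, not code from the thread or from AWS, that classifies each statement of a resource policy the way a reviewer would; the account, role and organization IDs in the sample policies are constructed placeholders.

```python
# Three constructed resource policies for a Secrets Manager secret. Account,
# role and organization IDs are placeholders, not values from the thread.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "secretsmanager:ListSecrets",
        "Resource": "*",
    }],
}

ORG_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
}

EXPLICIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/ReportReader"},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
    }],
}

# Global condition keys that narrow a wildcard principal to known callers.
SCOPING_KEYS = {
    "aws:principalorgid", "aws:principalorgpaths",
    "aws:principalaccount", "aws:principalarn",
}


def principal_is_wildcard(principal):
    """"*" and {"AWS": "*"} are treated alike in a resource-based policy:
    every principal, anonymous callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def condition_keys(statement):
    """All condition keys in the statement, lower-cased (keys are case-insensitive)."""
    keys = set()
    for operator_values in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_values)
    return keys


def classify_statement(statement):
    """'public' is the finding the thread is about: an Allow to a wildcard
    principal with nothing in Condition restricting who that principal is.
    The wildcard is only half of a cross-account grant; the caller still
    needs an identity policy in its own account, which it controls."""
    if statement.get("Effect") != "Allow":
        return "deny"
    if not principal_is_wildcard(statement.get("Principal")):
        return "explicit"
    if condition_keys(statement) & SCOPING_KEYS:
        return "wildcard-scoped"
    return "public"


def audit(policy):
    return [classify_statement(s) for s in policy["Statement"]]


def public_actions(policy):
    """Actions granted to anyone at all, flattened for a report."""
    actions = []
    for s in policy["Statement"]:
        if classify_statement(s) == "public":
            a = s.get("Action", [])
            actions.extend(a if isinstance(a, list) else [a])
    return actions


if __name__ == "__main__":
    for name, p in [("wildcard", WILDCARD_POLICY),
                    ("org-scoped", ORG_SCOPED_POLICY),
                    ("explicit", EXPLICIT_POLICY)]:
        print(f"{name:11s} {audit(p)}  public actions: {public_actions(p)}")
```

Only the first policy comes back as public; the second is the "layer a Condition block" fix and the third is the "explicitly enumerate the principals" fix from the post above. The check looks at the resource policy alone, which is exactly why a wildcard with no scoping condition is the finding: the other half of the grant is outside your control.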
|
Thank you, thank you, thank you. I looked at a ton of different docs around cross account access, resource access, etc, and the one you linked was exactly what I needed to see. You're right so long as the attacker/whoever explicitly grants themselves access they could access that resource. This definitely clears it up for me, thanks again!
|
# ? Apr 14, 2022 20:47 |
|
I've opened a ticket with AWS on this but perhaps someone here knows the answer... I created four EIPs outside of cloudformation. Those EIPs have been whitelisted by customers and changing to new EIPs would be a problem. I have a cloudformation template that has since been developed that creates four EIPs and associates them with ENIs that are created in the same template. Is there some way to "replace" the EIP resources that cloudformation created with the EIP resources that were created outside of cloudformation? I've since discovered the DeletionPolicy: Retain option so that if I can get these EIPs to be managed by the cloudformation template, I won't ever lose them theoretically.
|
# ? Apr 15, 2022 22:14 |
|
I’m mostly familiar with terraform rather than CF, but it looks like importing resources is supported? Does this doc help? https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html
|
# ? Apr 15, 2022 22:28 |
|
Hughmoris posted:Good luck!

Yeah I am an SRE in the IC now. We'll see what transpires...
|
# ? Apr 15, 2022 23:12 |
|
Docjowles posted:I'm mostly familiar with terraform rather than CF, but it looks like importing resources is supported? Does this doc help? https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html

It did help. Ultimately support helped get it resolved. Turns out you have to remove the EIP associations from your template when you do the importing because they're not supported. Then, once your EIPs have been imported, add the associations back in and update the template. Fairly easy steps in the end but knowing that little wrinkle was key.
|
# ? Apr 21, 2022 03:55 |
|
I'm working on a minimalist website in Terraform on AWS as a combination jump-through-hoops for interview and learning how to use Terraform again (I have forgotten everything since I used it two years ago). I need to force HTTPS, I know that's possible with an ALB but at this point I'm planning on just running one EC2 instance or even just an S3 bucket with a static web page. Is it possible to do that kind of redirection with a network security group? Barring that I guess I could set up an ALB anyway, or maybe Cloudfront has something like that although it seems kind of silly to make a static hello world page use Cloudfront. On the other hand, I suppose I'm spending nothing but my time and a few bucks bringing it up, testing it, and then destroying it, it's not like I'm actually paying out of pocket to keep this up 24/7.
|
# ? Apr 22, 2022 23:27 |
|
I don't think security groups can redirect. So an ALB is necessary, or you could use nginx and do the SSL redirection in that. I'm using that method for a simple website where I don't want to pay for an ALB, seeing as it costs 5 times as much as the t3a.nano EC2 instance.
|
# ? Apr 23, 2022 00:21 |
|
S3 static websites support redirects, and you can force https that way. You have to write it in some Json. I'm not sure how that works in tf. If you can't figure it out I'll check and see if I can figure it out.
|
# ? Apr 23, 2022 00:33 |
|
An easy option is just using Cloudfront with TLS termination. At least I think that's doable. Easy fix; no ALB / EC2 costs for a reverse proxy. I haven't looked at my blog code in years but I'm like 90% sure that's what I ended up doing for that back when. I can't remember if Cloudfront does the redirect but S3 can do that easily if not. Edit: and yeah Cloudfront is silly for it but also cheap as poo poo and easy / zero overhead to manage generally
Walked fucked around with this message at 00:39 on Apr 23, 2022 |
# ? Apr 23, 2022 00:36 |
|
Thank you, I'm using nginx for the server currently that I set up before thinking "hey what about an s3 bucket" so I might do it that way since that scales more easily if the site wanted to be more than a static page. Or Cloudfront since that takes care of some of that future work for me. I'm thinking once I have this done I'm going to expand it into a full fledged WAF-compliant environment with a containerized Python application that I wrote for another job interview to run in Docker that simulates D&D dice rolls. I've been meaning to learn to k8s anyway, I'd like to get my cka this summer. E: Walked knows all about that Python app
|
# ? Apr 23, 2022 00:43 |
|
Cloudfront's free tier is quite generous now; it should work well for your needs.
|
# ? Apr 23, 2022 01:09 |
|
We have a bunch of static sites using S3 and CloudFront, you just set CF to only allow HTTPS and you’re done, it’ll redirect HTTP to HTTPS automatically.
|
# ? Apr 23, 2022 16:26 |
|
CloudFront in front of S3 using Amazon-generated certs is how I handle HTTP to HTTPS redirects, hosting static content (e.g. images for mail signatures), and redirects to other places (using the redirect feature in S3). Every couple of years when I remember I will go into the CloudFront distribution and change the security template it uses (the thing that decides what ciphers to support) to whatever the latest recommended one is.
|
# ? Apr 23, 2022 16:29 |
|
I run a lot of work through SQS queues and want to display stats on a web portal: outstanding jobs, number of jobs over 1/6/24 hours, stuff like that. If I use boto3 I can get a few of these stats at a moment in time, but not the history. I guess I could snapshot this and roll my own stats on my Django database, but I assume I'm not the first person to need to solve this problem. What should I be looking at?
|
# ? Apr 24, 2022 03:23 |
|
You can add cloudwatch as a data source in Grafana, that’s the first thing that comes to mind.
|
# ? Apr 24, 2022 04:38 |
|
Hed posted:I run a lot of work through SQS queues and want to display stats on a web portal: outstanding jobs, number of jobs over 1/6/24 hours, stuff like that. If I use boto3 I can get a few of these stats at a moment in time, but not the history.

Cloudwatch?
|
# ? Apr 24, 2022 04:42 |
|
I’ll offer an alternative which is that SQS metrics don’t always align 1-1 with the way your business logic tracks job status and progression. Imo it’s a better choice to surface metrics from your publishers and your consumers. Maybe run a Grafana instance and push custom metrics there rather than trying to map SQS metrics to your own logic.
|
# ? Apr 24, 2022 15:29 |
|
I’m trying to use SES from Lambdas and other hosted stuff to send email. Is it worth making a subdomain to send or doing domain verification on the existing one? This will be internal emails saying reports are ready or go here, not for an ELP blast. Our current email domain is hosted Office365
|
# ? May 11, 2022 04:36 |
|
I've always been a fan of having a dedicated subdomain for things that send email. Makes it a lot easier to manage and lock down.
|
# ? May 11, 2022 07:06 |
|
Or even a domain name dedicated to it.
|
# ? May 11, 2022 08:28 |
|
22 Eargesplitten posted:I'm working on a minimalist website in Terraform on AWS as a combination jump-through-hoops for interview and learning how to use Terraform again (I have forgotten everything since I used it two years ago). I need to force HTTPS, I know that's possible with an ALB but at this point I'm planning on just running one EC2 instance or even just an S3 bucket with a static web page. Is it possible to do that kind of redirection with a network security group? Barring that I guess I could set up an ALB anyway, or maybe Cloudfront has something like that although it seems kind of silly to make a static hello world page use Cloudfront. On the other hand, I suppose I'm spending nothing but my time and a few bucks bringing it up, testing it, and then destroying it, it's not like I'm actually paying out of pocket to keep this up 24/7.

Why wouldn't you just open 443 and 80 to the internet in your SG and on your web host set up a listener on 80 to redirect to 443? Apache, IIS and Nginx can all do this fairly trivially. Alternately a new customer gets 750 hours, 15 gigs and 17 LCUs of ALB per month. That plus certificate services will allow you to solve this problem of site redirection in about 30 seconds.
Agrikk fucked around with this message at 15:10 on May 11, 2022 |
# ? May 11, 2022 15:07 |
|
For your consideration, some absolute fuckin insanity: https://twitter.com/xssfox/status/1524228883259994112
|
# ? May 11, 2022 15:47 |
|
Pile Of Garbage posted:For your consideration, some absolute fuckin insanity:

My guess was that the IPs were in an allow-list somewhere and this was their idiotic scheme to ensure the app could only "dynamically" choose from 1 or 2 IPs in the subnet. Reading the comments I wasn't that far off.
|
# ? May 11, 2022 21:19 |
|
I'll bet that the problem is that the terraform for the SG on the other side isn't on the same VPC, so it has to use the subnet or CIDR specifically and not the SG that the ECS instance is in (probably it's two different accounts linked by a transit gateway or VPN). The two Terraform configs for the ECS and the SG that it reaches are separate so you can't really call a var or resource from the other one to get the subnet directly. You can use datasources or remote state with outputs, but it's stupid. They probably hardcoded the SG with some subnet like 192.168.100.0/29, but only want .2 and .3 to be used by the containers. That said, why not just use a /30? Doesn't AWS reserve the first for broadcast and the second IP for the internal router?
|
# ? May 11, 2022 21:54 |
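The reservation question at the end of the post above has a fixed answer: in every IPv4 VPC subnet AWS reserves the first four addresses (network address, VPC router, Amazon-provided DNS, and one held for future use) plus the last address (the would-be broadcast address), and a subnet must be between /16 and /28. The following is an added example, not code from the thread, that applies those rules to a CIDR; the /29 and the .2/.3 pins are the poster's hypothetical values, used here as constructed input.

```python
import ipaddress

# AWS reserves these offsets from the start of every IPv4 subnet, plus the
# last address of the block; subnets must be between /16 and /28.
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS (reserved in every subnet)",
    3: "reserved by AWS for future use",
}


def is_valid_aws_subnet(cidr):
    """True when the prefix length is one AWS will accept for a VPC subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return 16 <= net.prefixlen <= 28


def reserved_addresses(cidr):
    """Map each reserved address in the subnet to the reason it is unusable."""
    net = ipaddress.ip_network(cidr, strict=True)
    addrs = list(net)
    reserved = {str(addrs[i]): why
                for i, why in RESERVED_OFFSETS.items() if i < len(addrs)}
    # In a block of four the last address is also offset 3; the later reason wins.
    reserved[str(addrs[-1])] = "broadcast address (not supported in a VPC)"
    return reserved


def usable_addresses(cidr):
    """Addresses an ENI or task could actually be given in this subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    blocked = reserved_addresses(cidr)
    return [str(a) for a in net if str(a) not in blocked]


def check_pin(cidr, wanted):
    """Return the wanted addresses that land on reserved offsets, i.e. the
    ones a task or instance could never receive, with the reason for each."""
    blocked = reserved_addresses(cidr)
    return {ip: blocked[ip] for ip in wanted if ip in blocked}


if __name__ == "__main__":
    cidr = "192.168.100.0/29"  # constructed input, from the post's guess
    print("accepted as an AWS subnet size:", is_valid_aws_subnet(cidr))
    for ip, why in reserved_addresses(cidr).items():
        print(f"  {ip:16s} reserved: {why}")
    print("usable:", usable_addresses(cidr))
    print("conflicting pins:", check_pin(cidr, ["192.168.100.2", "192.168.100.3"]))
```

For the post's /29 the script reports that both .2 and .3 are reserved and that only .4 through .6 remain, and a /30 has no usable addresses at all; neither size is accepted as a VPC subnet in the first place, which is the practical reason to reach for a /28 when a tiny subnet is wanted.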
|
|
TIL I can get a desktop/GUI out from an AWS Lambda based docker container image. This makes diagnosing why some webscrapers are having issues much easier and maybe someone in this thread needs to know this.
|
# ? May 12, 2022 00:22 |