Arzakon
Nov 24, 2002

"I hereby retire from Mafia"
Please turbo me if you catch me in a game.
No, federate or everyone will be sad.


Arzakon

SnatchRabbit posted:

Does anyone know if it's possible in CloudFormation to do a GetAtt on a resource that's already been created manually? Like, not something from another stack, just an ARN from say an SNS topic you turned on by hand in the console? Yeah I could make a parameter and have the user enter it at runtime, but what's the fun in that. It doesn't look like this is possible but figured I would ask.

You could add a simple Custom Resource that fires a Lambda function that queries the arn and returns it as an attribute of the custom resource. If you can do it in node or python you can keep the function code in your cfn stack itself. Just drop a Lambda function resource with the code and a custom resource that calls the Lambda function when the stack is created.

Arzakon
Bootstrapping deployments from S3 on launch and just terminating your old instance every new version is perfectly fine. You still have to deal with OS patching because your AMI will be trapped in a past era. Creating a process for copying your launch configuration with the latest patch level base AMI and replacing that in your ASG would be good to do regularly so you don't spend an hour patching your OS when that AMI gets very old. Certainly easier than having some AMI baking process for every release you do.

Arzakon

Volguus posted:

Cool, thanks for the confirmation. All I need is something to hold me over until we can get a real devops guy on board. My only other worry about S3 is if I can make it private (that is, only me from my own AWS network can access it).

Yes, make sure the bucket/object policies only allow users from your account to access the bucket/objects, add an instance profile that can make S3 API calls to your instances, and use the aws cli in your userdata script to fetch the objects which will utilize the instance profile (don’t curl/wget).

Since you mentioned network based restrictions you can do that in a bucket policy to where the bucket can only be accessed by IPs you designate or only from inside your VPC using the VPC Endpoint feature. That protects you in the case of someone releasing an access key into the wild on accident but only if that lost access key doesn’t have the rights to change the bucket policy. TLDR only use temporary access keys and make sure your poo poo is properly least privilege restricted.
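Added example for the two points in this post (an account- and VPC-endpoint-restricted bucket policy, and the caveat that a leaked key must not be able to rewrite that policy). This is my code, not Arzakon's or AWS's; the account ID, bucket name, role names and VPC endpoint ID are constructed placeholders, and the checker only looks at the policy document, it makes no API calls.

```python
"""Private deployment bucket: a bucket policy that admits one instance role
and only through a VPC endpoint, plus a check for the failure mode named
above (an Allow that would let a leaked key rewrite the policy itself).

Added example, not from the thread. All identifiers are constructed.
"""
import fnmatch
import json

ACCOUNT_ID = "111111111111"                                             # constructed
BUCKET = "example-deploy-bucket"                                         # constructed
VPCE_ID = "vpce-0123456789abcdef0"                                       # constructed
INSTANCE_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/deploy-instance-role"  # constructed
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/bucket-admin"             # constructed

# Actions that let a caller widen or replace the policy itself. An Allow on any
# of these is what turns a lost access key into a bucket takeover.
POLICY_WRITE_ACTIONS = ("s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketAcl")


def build_private_bucket_policy(bucket, instance_role_arn, vpce_id, admin_role_arn):
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # read-only for the instance profile role the user-data script runs under
                "Sid": "InstanceRoleReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": instance_role_arn},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
            {   # Explicit Deny beats any Allow: requests not arriving through the VPC
                # endpoint are refused, except from the admin role that maintains the
                # bucket. The two condition keys are ANDed, so both must hold to deny.
                "Sid": "DenyOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {
                    "StringNotEquals": {"aws:sourceVpce": vpce_id},
                    "ArnNotEquals": {"aws:PrincipalArn": admin_role_arn},
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_policy_escalation_risks(policy):
    """Sids of Allow statements whose actions cover any POLICY_WRITE_ACTIONS.
    IAM matches actions case-insensitively with '*' wildcards, so 's3:*',
    's3:Put*' and '*' are all caught, not just the literal action name."""
    risky = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p)
               for action in POLICY_WRITE_ACTIONS for p in patterns):
            risky.append(stmt.get("Sid", "<no Sid>"))
    return risky


if __name__ == "__main__":
    policy = build_private_bucket_policy(BUCKET, INSTANCE_ROLE, VPCE_ID, ADMIN_ROLE)
    print(json.dumps(policy, indent=2))
    print("escalation risks:", find_policy_escalation_risks(policy))
```

The same escalation check is worth running over the IAM policies attached to the instance role: the bucket policy above is only as strong as the weakest principal that can call PutBucketPolicy.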

Arzakon

jiffypop45 posted:

Can you contact a solutions architect at AWS directly? That's their job but I don't know if they only do it for big enterprise contracts or not.

Sales rep might be able to get them time with an SA but they won’t be producing anything production ready. They’ll look at your design and point out what the best strategies are and help overcome any hurdles (like helping minimize that EKS launch time) but the customer has to execute. Pro-serve does hands on keyboard work but those are typically long/large paid engagements.

Arzakon
Are you going to Pro Serv or Solutions Architect? I've been the latter for most of my 3.5 years here and I'm never leaving. Pro Serv sounds like real work though. PM me if you know what org you are going into (Commercial, Partner, Specialist) if you want more insight.

EkardNT posted:

Also, lol @ working in C2S. You poor, poor, years out of date creature. Serious talk though, did you have to go through the SF86? I've been waiting almost 2 years to hear back now.

I would have probably said the same thing last week but I logged into the BJS console for the first time yesterday and a sense of calm overcame me as I remembered what AWS was like 5 years ago. Retro AWS is good!

Arzakon fucked around with this message at 15:54 on May 3, 2018

Arzakon

FamDav posted:

I like how the Chinese regions are often more up-to-date than Govcloud

edit: I was wrong oops

Arzakon fucked around with this message at 19:45 on May 3, 2018

Arzakon
Just complain until you get a new TAM and be clear on what you want out of them. Some people just want a dude to read a QBR to them and help triage tickets but if you want someone with some technical specialty just ask.

Arzakon
It is 100% worth a shot opening up a CS ticket to see if they can do a one time I was a dumbass refund or even half. If you don't want your work to know about it I'd avoid mentioning it to your SA.

Definitely mention the steps you have taken to prevent it from happening again (turning on billing alerts, setting up a cloudwatch event to auto-turn off instances each night unless you add a specific tag, etc)

Arzakon

Agrikk posted:

Herd not pets.

Thank you for your cultural sensitivity but vegans are still mad at you.

Arzakon
If you are looking for how AWS fits into your world it is essentially just another place for virtual machines to go so learning about AWS is equivalent to learning about VMWare. SysOps will help you understand basic AWS functions from networking up to instances, how to build that using CloudFormation, and best practices for designing fault tolerant things.

MJP posted:

like to at least be prepared for a meteor destroying the entire industry where I work

MJP posted:

(terrestrial radio D: )

MJP posted:

I am not a developer nor do I wish to join them

Consider that you may be speaking to us from inside the meteor.

Jokes aside, everything is code over here. We are all "developers" because everything is an API. All your infrastructure is a block of JSON (or YAML if you are a communist). No one will hire you because you can go into the console and start a Windows image and keep it online. If they will they won't pay you well and it will be a terrible place to work. Dozens of technologies like containers and serverless are reducing the need for people who care about operating systems.

You can probably go down the Office 365 route and survive as a computer janitor forever but that sounds gross.

Arzakon

Jeoh posted:

What's up with the X1-series' lovely disk performance? I know it's supposed to be for in-memory applications, but it's also an awesome budget SQL server (R-series has too many cores so the licensing cost fucks ya). I mean, you're supposed to use RDS, but some of us are still stuck in medieval times.

I assume you mean the EBS throughput on the small X1e series? Yeah that is pretty typical of any low-CPU count instance, and the ones that do have higher networking capacity probably don't meet your memory requirements?

Unless you are saying you want more instance store SSDs for your SQL server then I salute how dedicated you are to bad ideas.

Arzakon

Lumpy posted:

  • Am I on the right track here, or do I want to do something completely different?
  • Since my server is self-contained, I just make an AMI out of it and if / when instances of it are created, it will "just work"?
  • How do I get SSL set up on the load balancer. I found an article about using the Let's Encrypt cert, but I will have to manually re-upload. In the comments, somebody links to this: https://aws.amazon.com/certificate-manager/?nc1=f_ls and it seems I can basically give Amazon my current SSL cert, and they will magically replace it with one they manage somehow? If so, is this free / cheap?

You probably do want an ALB, you just need to figure out which CloudWatch metric to monitor and scale based on that.

If you make an AMI that will launch and respond on your ports without needing you to touch it, yes. You can bake all your stuff into the AMI, and/or use the instance user-data to bootstrap any actions you need to happen on launch to happen.

If you want to use your own certificate you need to import it but then you will need to manage it yourself (i.e. get a new cert when it expires). You could also do some old bullshit using a classic load balancer and terminating SSL on your instances but there is no benefit to this and just means you get to deal with updating the cert in your AMI instead of the load balancer. Ignore the renewing section of that blog you posted, you'll need to do this manually and upload the cert when it expires. You should probably just ditch the LetsEncrypt cert and use Certificate Manager so you don't ever have to do any of this.

Or just stop being a scrub "EC2 User" and go serverless: https://medium.com/tooso/serving-tensorflow-predictions-with-python-and-aws-lambda-facb4ab87ddd

Red Mike posted:

I can cover the SSL part, although be aware that a load balancer for this might be a bit overkill. It sounds more like you've got an issue/not enough resources on your instance. If scaling up is an option, consider that first.

If you just scale up you can't have it automatically drop back down and end up paying for peak performance all the time.

Arzakon
Yeah it looks like the newer versions of TensorFlow are too big to package for Lambda and you have to spend some time trimming the fat. And if you want GPUs you are out of luck. If you want to be in with the cool kids you need to figure out EKS I guess.

Or just launch EC2 because it does what you want it to.

Arzakon
If this did change behind the scenes, it is possible this did not make it into any release announcement. If you have support you can ask them to check with the EC2 team to confirm if this was intended and berate them about changing things without notification if they did.

Just testing with the CLI, I can see when I put in an invalid image ID anywhere in the list it throws:
An error occurred (InvalidAMIID.Malformed) when calling the DescribeImages operation: Invalid id: "ami-poopbutt"

So I assume that is what you are running into. As a workaround, if you feed it the list of images with filter(Name=image-ids,Values=ami-11111111,ami-22222222) instead of imageId(ami-11111111,ami-22222222) it looks like it is acting correctly whether there are bad values in the list or not and just returns a null list if you feed it only bad values.

Arzakon
Include whatever library in the zip file for your Lambda and you can use it in your function.

Instructions and randomly googled libraries...
Node: https://docs.aws.amazon.com/lambda/latest/dg/nodejs-create-deployment-pkg.html
https://www.npmjs.com/package/tiff2pdf
Python: https://docs.aws.amazon.com/lambda/latest/dg/lambda-python-how-to-create-deployment-package.html
https://pypi.org/project/img2pdf/

You'll get passed the S3 location of the new object in the event data, then you pull the object, convert it, and put it back. I haven't used those libraries but if whatever you use wants to write the file locally, you get 500mb in /tmp.
Example of Lambda/S3 image processing: https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html

Arzakon
SAs don’t even need prior AWS experience although it doesn’t hurt, especially ramping up. TAM is similar.

Arzakon
You mentioned hobbyist project so I'm assuming you aren't paying for their developer support level where you can open a ticket with them. In AWS, I'd turn on Developer level support, open a ticket, then turn it off when I'm done. Looks like that might cost $100 on GCP and it might not be pro-rated if you turn it on/off in the same month.

I can't imagine them just detecting crypto mining off of CPU, and 100% CPU wouldn't be a problem in AWS. Are you still in a free trial period or are you giving them money? I guess I could see them heavy handed looking for free trial accounts running 100% and assuming they are crypto but that seems a bit lazy when they could be looking at network rules on the instance or the traffic itself to get the false positives down.

Arzakon
It could be CPU usage all alone, but that just seems like a really dumb way for Google to make lots of support tickets like yours and I'd like to think they are smarter than that. Speculating on ways they could/should be doing it... Are the network rules on your instances allowing all traffic in/out? If you restrict to only what you need for SQL and remote access that might help you if they are checking for what the instances could be talking to because they might check for that.

A better method would be inspecting DNS requests or IP addresses your instances are actually talking to and only suspending instances talking to known mining related destinations like AWS GuardDuty does, but if you aren't mining and are certain you don't have malware/account compromise then that wouldn't be it.

Arzakon

Scrapez posted:

Anyone doing something similar to this?

Assuming each server has X slots available for a call but the slots were eventually recycled at the end of the call, create a custom CloudWatch metric and have a script on each server to report "Free Slots". Trigger your scale up based off of the sum of Free Slots going below some number and scale down based off of some other number. The latter gets a bit complicated because you don't want to terminate an instance that still has active calls so you need to write a lifecycle hook and respond to that when the active calls falls to zero, or don't have any automated scale down termination and manage deprecating and terminating the instances yourself.

Here is a blog post of someone triggering it based off of a Lambda function he has that queries active connections on his database.
https://blog.powerupcloud.com/aws-autoscaling-based-on-database-query-custom-metrics-f396c16e5e6a
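Added example of the design in this post, written by me rather than taken from the thread or the linked blog: a model of one call server with recyclable slots, the "Free Slots" datum each server would report to CloudWatch, the scale-out/scale-in decision the two alarms encode, and the choice a Terminating lifecycle hook responder makes (heartbeat while calls are active, complete once they hit zero). Instance and ASG names are constructed; the boto3 calls are named but not made, so the block runs offline.

```python
"""Slot-based autoscaling for a fleet of call servers, with the lifecycle
hook logic that keeps an instance alive until its last call ends.

Added example, not from the thread. Names and capacities are constructed.
"""
import time


class CallServer:
    """Constructed model of one instance: N slots, a slot is recycled when its call ends."""

    def __init__(self, instance_id, capacity):
        self.instance_id = instance_id
        self.capacity = capacity
        self.active = set()
        self.draining = False  # set once the Terminating lifecycle hook fires for us

    def accept(self, call_id):
        """Place a call; refused when full or when the instance is draining."""
        if self.draining or len(self.active) >= self.capacity:
            return False
        self.active.add(call_id)
        return True

    def end(self, call_id):
        self.active.discard(call_id)

    def free_slots(self):
        return self.capacity - len(self.active)


def free_slots_datum(asg_name, server, now=None):
    """One entry for cloudwatch.put_metric_data(Namespace='CallServers', MetricData=[...]).
    Only the ASG name is a dimension, so the Sum statistic adds up every instance's
    report. Adding an InstanceId dimension would split this into one metric per
    instance, and an alarm on Sum could no longer see the fleet total."""
    return {
        "MetricName": "FreeSlots",
        "Dimensions": [{"Name": "AutoScalingGroupName", "Value": asg_name}],
        "Timestamp": now if now is not None else time.time(),
        "Value": server.free_slots(),
        "Unit": "Count",
    }


def fleet_free_slots(servers):
    """What the Sum alarm sees for one reporting period."""
    return sum(s.free_slots() for s in servers)


def scaling_decision(total_free, scale_out_below, scale_in_above):
    """Mirror of the two CloudWatch alarms: add capacity when the fleet is nearly
    full, remove it when plenty of slots are idle, otherwise leave it alone."""
    if total_free < scale_out_below:
        return "scale_out"
    if total_free > scale_in_above:
        return "scale_in"
    return "hold"


def lifecycle_hook_action(server, hook_name, asg_name, token):
    """Return the boto3 autoscaling call the hook responder should make now.
    Marking the server draining stops new calls landing on it; while calls remain
    we heartbeat to extend the hook, and only when they reach zero do we let the
    termination continue."""
    server.draining = True
    common = {
        "LifecycleHookName": hook_name,
        "AutoScalingGroupName": asg_name,
        "LifecycleActionToken": token,
        "InstanceId": server.instance_id,
    }
    if server.active:
        return "record_lifecycle_action_heartbeat", common
    return "complete_lifecycle_action", dict(common, LifecycleActionResult="CONTINUE")


if __name__ == "__main__":
    fleet = [CallServer("i-constructed-a", 3), CallServer("i-constructed-b", 3)]
    fleet[0].accept("call-1"), fleet[0].accept("call-2"), fleet[1].accept("call-3")
    print("fleet free slots:", fleet_free_slots(fleet))
    print("decision:", scaling_decision(fleet_free_slots(fleet), scale_out_below=2, scale_in_above=10))
    print(lifecycle_hook_action(fleet[0], "drain-calls", "call-asg", "token-constructed"))
```

The heartbeat branch still has to be re-run (a CloudWatch Events rule on the hook plus a Lambda, or a loop on the instance) until the active count reaches zero, and the hook's heartbeat timeout bounds how long a stuck call can hold the instance.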

Arzakon

Scrapez posted:

Is the above the proper way to say "execute the following commands on new instances with the tag Server Type and value kamailio"?

Have you looked into using user-data to execute the script on launch? You could bake the script into your AMI and just use the user-data to run the command, or put the whole script into the user-data.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html

There is a UserData field in the Launch Configuration you are defining for your auto-scaling group so you don't have to use a CWE or apply it to specific tags. It will just run on anything launched by that ASG.

Arzakon

Scrapez posted:

I have successfully done it this way but was hoping to move it to a CloudWatch event as I'll have a subsequent Event that will need to happen when a new instance is launched as well. I thought it'd be better to have all the items together there for easier management.

So you have a related action you also want to fire on the event so you need to have the CloudWatch Event for another target anyways? Seems reasonable to do it through SSM then. On to your question about SSM, is the entire script not specified as a document, and only your variables in the parameters? Not in a place where I can get hands on right now, but I think that is the way I remember it.

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-doc-syntax.html

Arzakon
You shouldn't have to do any setup on the instance if you are launching a Linux that comes with it installed and you don't have wonky requirements like a proxy to reach the API. It does need an IAM role attached to it via instance profile to be able to poll the SSM service for commands to run. If the instance isn't appearing as a managed instance in the console then it's likely the instance doesn't have permission to access the Systems Manager API.

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html

Arzakon
There isn't a great way to get an object into S3 from within CFN. One option would be to use a Lambda Custom Resource to drop the object in the S3 Bucket created in the CFN template. You essentially have to create another Lambda Function in the template, create the custom resource, which fires the Lambda Function to perform the put-object. If you are trying to look PRODUCTION READY you need to handle what the Custom Resource does on UPDATE (replace the file?), DELETE (delete the file, important for deleting the bucket). The custom resource code is probably more than all your other code but it's what you do when you want to make AWS API calls that CFN can't do for you. If you can do it in 4096 characters you can put it inline in the CFN template, otherwise you have to stage it in S3.

I'd love it, but I could see someone whining about it being overly complex.

No matter what you do the first thing I'm looking at when I review your work is that your IAM and S3 Bucket policies are tight, really lock those things down with resource level controls to show attention to detail.
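Added example covering this post and the earlier one about GetAtt on a hand-made resource: a custom resource Lambda that puts an object on Create/Update, removes it on Delete, and returns the object's ARN in Data so the template can Fn::GetAtt it. This is my code, not the thread's or AWS's. The S3 client is injected so it can run without network access; FakeS3 is a constructed stand-in for boto3.client("s3"), and the stack/request IDs in the usage are made up.

```python
"""CloudFormation custom resource: put a file in a bucket, clean it up on
Delete, and hand the object ARN back to the template as an attribute.

Added example, not from the thread. FakeS3 and all IDs are constructed.
"""
import json
import urllib.request


class FakeS3:
    """Constructed stand-in for boto3.client('s3'); keeps objects in a dict."""

    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)


def build_response(event, status, physical_id, data=None, reason=""):
    """Body CloudFormation expects to be PUT to event['ResponseURL']. Keys in
    Data become readable in the template with Fn::GetAtt [LogicalId, Key]."""
    return {
        "Status": status,
        "Reason": reason or f"See CloudWatch log for {event['LogicalResourceId']}",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(event, body):
    """PUT the JSON body to the pre-signed ResponseURL (real HTTP, skipped in the test)."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=payload, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def handle(event, s3, send=send_response):
    """Dispatch on RequestType. CloudFormation must always receive a response,
    otherwise the stack hangs until the custom resource times out."""
    request = event["RequestType"]
    physical_id = event.get("PhysicalResourceId", "")
    try:
        if request == "Delete":
            # Only clean up if Create actually succeeded (PhysicalResourceId is
            # "bucket/key"); returning SUCCESS regardless keeps stack deletion unblocked.
            if "/" in physical_id:
                bucket, key = physical_id.split("/", 1)
                s3.delete_object(Bucket=bucket, Key=key)
            data = {}
        else:  # Create or Update: write the current properties. If Update changed the
            # bucket/key, CloudFormation follows up with a Delete for the old id.
            props = event["ResourceProperties"]
            bucket, key = props["Bucket"], props["Key"]
            s3.put_object(Bucket=bucket, Key=key, Body=props.get("Body", "").encode())
            physical_id = f"{bucket}/{key}"
            data = {"Arn": f"arn:aws:s3:::{bucket}/{key}"}
        body = build_response(event, "SUCCESS", physical_id, data)
    except Exception as exc:  # report the failure rather than let the stack hang
        body = build_response(event, "FAILED", physical_id or "failed-create", reason=repr(exc))
    send(event, body)
    return body


def lambda_handler(event, context):
    """Real entry point; boto3 is present in the Lambda runtime."""
    import boto3
    return handle(event, boto3.client("s3"))


if __name__ == "__main__":
    event = {"RequestType": "Create", "StackId": "stack-constructed", "RequestId": "req-1",
             "LogicalResourceId": "DeployFile", "ResponseURL": "https://example.invalid/",
             "ResourceProperties": {"Bucket": "example-bucket", "Key": "config.json", "Body": "{}"}}
    print(json.dumps(handle(event, FakeS3(), send=lambda e, b: None), indent=2))
```

The Lambda's execution role needs only s3:PutObject and s3:DeleteObject on that one bucket; keeping that role narrow is the part a reviewer will look at first.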

Arzakon

Boris Galerkin posted:

Does storing a parameter as a "secure string" in Systems Manager Parameter Store cost me anything? It seems like it's free cause I don't see any pricing, but "Secrets Manager" says it costs $1 per secret or whatever so I don't understand the difference here.

Systems Manager is free including the Parameter Store feature. Secrets Manager has some built-in integrations with services like RDS but if you don't need those specific features just use Parameter Store.

Arzakon

Boris Galerkin posted:

Thanks. And just to make sure, it's ok to store things like say Slack API tokens in Parameter Store right?

Sure, take a look at granular permissions and general IAM strategy if a bunch of other people also use your AWS account who you don't want having access to that key but otherwise go hog wild.

Arzakon

The Fool posted:

Is there any documentation about what IP addresses the Workspaces traffic will be coming from?

Yes and no. AWS lists its IP ranges by region and some services (but not Workspaces). I assume Workspaces will fall into the "service": "EC2" category so you can restrict it to those huge spaces.
https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

Alternatively put your Workspaces in a VPC and give them internet access via a NAT instance and the traffic will be coming from the Elastic IP on the NAT instance and you can lock down traffic from that.
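Added example for the first option in this post: picking the prefixes for one region and service out of the published ip-ranges file and turning them into allow-list entries. This is my code, not the thread's or AWS's. The JSON below is a constructed sample in the shape of ip-ranges.json (the real file is at the URL above); the prefixes are documentation ranges, not real AWS space.

```python
"""Filter the published AWS IP ranges by region and service and build
allow-list rules from them. Added example, not from the thread.

IP_RANGES_SAMPLE is constructed; fetch the real document from
https://ip-ranges.amazonaws.com/ip-ranges.json and pass it to load_ip_ranges.
"""
import ipaddress
import json

IP_RANGES_SAMPLE = json.dumps({
    "syncToken": "0",
    "createDate": "2018-05-03-00-00-00",
    "prefixes": [
        # Every EC2 range is also listed under the AMAZON superset, so filter on
        # the service you actually mean or you will double up.
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [],
})


def load_ip_ranges(text):
    return json.loads(text)


def prefixes_for(doc, region, service):
    """Distinct CIDRs tagged with exactly this region and service, in address order."""
    cidrs = {p["ip_prefix"] for p in doc["prefixes"]
             if p["region"] == region and p["service"] == service}
    return sorted(cidrs, key=ipaddress.ip_network)


def ingress_rules(cidrs, port):
    """Security-group style IpPermissions for one TCP port, one entry per CIDR."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c}]} for c in cidrs]


def source_is_allowed(ip, cidrs):
    """Would a connection from this address pass the allow-list? Handy for
    checking a firewall log line against the ranges you deployed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    doc = load_ip_ranges(IP_RANGES_SAMPLE)
    ec2_east = prefixes_for(doc, "us-east-1", "EC2")
    print("us-east-1 EC2 prefixes:", ec2_east)
    print(json.dumps(ingress_rules(ec2_east, 443), indent=2))
    print("198.51.100.9 allowed:", source_is_allowed("198.51.100.9", ec2_east))
```

The file changes over time (AWS announces changes via an SNS topic), so the rules need regenerating on a schedule rather than once; a region's EC2 list runs to many prefixes, which is the "huge spaces" caveat in the post.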

Arzakon
Co-worker is an idiot but there is only 512mb of scratch space in tmp on each function invocation.

Arzakon

Cancelbot posted:

Awesome! Thanks for that as I've been very focused on having everything answered "right" but our TAM can't know everything, but he knows who to ask to find out and that's what I imagine they want to see.

Don't focus on knowing stuff. At most, 2 of your interviewers will be spending only part of your interview on technical skills. If your interviewers aren't poo poo it won't be "recite this man page" and will instead focus on having you tell interesting technical stories from your background and digging into how well you actually know what you volunteered as something you know about. You might get some of the interviewers favorite networking/OS/database fundamental questions but if you don't know already cramming probably isn't going to get you there.

Your stories are much more important and you need to be ready for follow-up questions on the scope of your role, actions you took, results you achieved, impact on your business, what you could have done differently, etc, etc. All of your interviewers will be assessing this.

Good luck!

Arzakon
Congrats and shout when you get tired of your pager and want to be a lazy Solutions Architect, Agrikk never returns my calls.

Arzakon

Hughlander posted:

I'm looking to have an AWS public IP port routed to a docker container on a node here.

EIPs/Public IPs won't route to VPN networks directly. EIPs are attached to instances, which you could then configure as proxies to your host at home but you'll be paying some amount for that instance. Also data transfer out starts at $0.09/GB so if you are passing data not only between your app and users but also between home and proxy you could quickly become an indentured servant in Jeff's spaceship factory.

Arzakon

Nomnom Cookie posted:

I'm not an AWS certified professional certified community hero

but i think the error message answered your question

Send me your contact details because I can't nominate a community hero with just an SA username

Arzakon

Nomnom Cookie posted:

The last thing I want is people getting the impression that helpful is something I do on purpose. It raises expectations dramatically

do you want a job i am hiring and you've already aced team fit

Arzakon

Pile Of Garbage posted:

OK but how do I delete those tags?

You can try tossing it at support but it is unlikely there is anything to be done other than replace the resources completely.

Arzakon

Bhodi posted:

Does anyone know if there's a MFA for the aws console that can be configured to allow push notifications? I'm getting *really* tired of typing in numbers from my phone. Microsoft Authenticator has kinda spoiled me.

Not exactly, but Yubikeys are USB MFA tokens where you just press button in browser and it does the magic. They have an added benefit of spitting out long character strings if you hold them down so you'll get to spam Slack whenever you walk around holding your laptop unlocked while touching it.

https://aws.amazon.com/blogs/security/use-yubikey-security-key-sign-into-aws-management-console/

They work for multiple accounts and even non-AWS stuff so you don't need a hundred of them.

Thanks Ants posted:

I'm trying to convince our developers to move to AWS Organisations and put SSO in, authing against Azure AD.

Go look through all of your AWS accounts and find a former employee who still has an IAM user or maybe even some access keys then shame them. Or just find them doing something incredibly dumb like using root, root access keys, or just something else stupid that increases your risk and use that as an excuse to own policy for all of your org's AWS accounts. Alternatively I will physically fight them for you.

Arzakon

deedee megadoodoo posted:

I'm working on a project to convert our AWS accounts to use SSO through Okta, but I'm having some trouble finding answers to some of our concerns. Mainly, all of the documentation I'm finding is for setting up a brand new AWS account to use SSO. We already have a bunch of IAM users defined across a half dozen AWS accounts. If we enable SSO is it going to break anything for those users or will they still be able to access their existing IAM accounts? Additionally, we currently map our IAM accounts to AD names so if IAM accounts are preserved will we need to destroy our IAM users in order to migrate them to SSO?

Okta, and any other SSO provider, will be assuming a role or issuing a console link that has a policy attached via STS API calls. These are distinct from IAM Users, and the IAM users will continue to work unless explicitly removed. I haven't touched AWS SSO in a while so if you are integrating that with Okta instead of just using Okta/IAM it might be different, but probably isn't because AWS SSO users are distinct from IAM users.

Also you should get rid of non-break-glass IAM users once you are happy with the SSO setup because *insert boring best practices lecture*

Arzakon

Volguus posted:

That's ok. Jeff will send his ? email and everything will be taken care of.

Getting an e-mail nested 6 deep where its ?s all the way down and you don't have anyone to forward with another ? is the least fun game of hot potato I've ever played.

Arzakon
Look for Associate Solution Architect or Associate Professional Services Consultant as well. AWS Tech U is the program my org uses when we want to hire lots of entry level talent. Good place to keep an eye out for opportunities if you don't have any IT work history but can demonstrate some depth in a few areas. These listings typically start as 1 year paid internships that hire directly into full time associate level roles.

Arzakon
What are you doing now, where are you at in your career, and how far out in the backwoods are you? I only have a few thousand options that are all remote for you.


Arzakon
For those of you looking to switch career paths into tech my group hires using Tech U for entry level talent, usually new grads or people with professional careers who are looking to switch into tech and have some fundamentals (can talk one of software development, compute, storage, databases at a 200-300 level). If you've built literally anything you are better than about half of candidates, if you get your SA Associate certification that is another leg up. If anyone is interested in more details shoot me a PM, I don't see our reqs listed but we are looking for Seattle and Austin, maybe New York at the moment.
