Is ENS the equivalent? https://www.alibabacloud.com/help/doc-detail/63837.htm?spm=a2c63.l28256.a3.1.4bc51c82bt5NKi

# ¿ Jul 8, 2019 20:55

# ¿ May 17, 2024 01:33

PierreTheMime posted:
> Is there any kind of general consensus on what a decent speed for some S3 operations is? My "transfer SFTP to S3" and "unzipping/untarring files" jobs run at ~60MB/s and 80MB/s respectively and I'm not sure whether to be satisfied with this or not.

Are you doing the untarring in Lambda or on an EC2 instance?

# ¿ Jul 16, 2019 20:30

Thanks Ants posted:
> Thanks. If it needed confirming (having thought about this it was a question with an obvious answer) I've tested this in an Azure VNet with two IPsec tunnels, one to a site addressed as 10.1.0.0/16 and another 10.2.0.0/16 and I could add 10.1.250.0/24 to the second route without issue, and the route was listed in the effective routes for an interface in the VNet.

As a follow-up to this, there's a bit of a caveat. You can't have your VNet gateway subnet sit within a subnet defined as a local network - e.g. you cannot use 10.1.180.0/29 as a gateway subnet and then have one of your local networks defined as 10.1.0.0/16. The exception to this is where you are using BGP with your VPN tunnels, in which case the only restriction on addressing is that you cannot advertise a route that exactly matches one of your VNets, but you can advertise a much larger route. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview#prefix

# ¿ Jul 22, 2019 20:22

deedee megadoodoo posted:
> Yeah, I guess that makes sense. I can probably pretty easily put in a lambda that triggers on policy creation to scan the policy for anything related to the specific services we're limiting access to. Then just generate an email to the user and to my team with the details of the policy if it's got dumb stuff in it.

An explicit deny rule will always take precedence over anything else, maybe you can get creative with those.

# ¿ Aug 15, 2019 20:40
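An added example, not from either poster, of the policy-scanning logic the quoted post describes and the explicit-Deny precedence the reply relies on. The restricted service list and the sample policy document are constructed; in a real Lambda the document would come from the CloudTrail CreatePolicy event.

```python
from fnmatch import fnmatch
# Services the team wants to fence off; constructed for this example.
RESTRICTED_SERVICES = {"iam", "organizations", "sts"}

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/NotAction."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def touches_restricted(action: str) -> bool:
    """True if an Action pattern can reach a restricted service ('*', 'i*:Get*', 'IAM:PassRole')."""
    service_pattern = action.lower().split(":", 1)[0]
    return any(fnmatch(svc, service_pattern) for svc in RESTRICTED_SERVICES)

def find_risky_statements(policy: dict) -> list:
    """(Sid, offending actions) for each Allow statement that can reach a restricted service.
    Deny statements are skipped (they never widen access); an Allow using NotAction is flagged
    whole, since it grants everything it does not list."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        hits = [a for a in _as_list(stmt.get("Action")) if touches_restricted(a)]
        if "NotAction" in stmt:
            hits.append("NotAction=" + ",".join(_as_list(stmt["NotAction"])))
        if hits:
            findings.append((stmt.get("Sid", f"statement-{idx}"), hits))
    return findings

def evaluate(policy: dict, action: str) -> str:
    """Simplified IAM decision for one action (Resource, Condition and NotAction ignored):
    a matching explicit Deny always wins, then a matching Allow, else implicit deny."""
    def matches(stmt):
        return any(fnmatch(action.lower(), a.lower()) for a in _as_list(stmt.get("Action")))
    statements = _as_list(policy.get("Statement"))
    if any(s.get("Effect") == "Deny" and matches(s) for s in statements):
        return "Deny"
    if any(s.get("Effect") == "Allow" and matches(s) for s in statements):
        return "Allow"
    return "ImplicitDeny"

# Constructed sample, shaped like the policy document in a CloudTrail CreatePolicy event.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Only", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Sid": "Sneaky", "Effect": "Allow", "Action": ["ec2:*", "IAM:PassRole", "sts:AssumeRole"], "Resource": "*"},
    {"Sid": "Guardrail", "Effect": "Deny", "Action": "sts:*", "Resource": "*"},
]}

if __name__ == "__main__":
    print(find_risky_statements(SAMPLE_POLICY))  # [('Sneaky', ['IAM:PassRole', 'sts:AssumeRole'])]
    print(evaluate(SAMPLE_POLICY, "sts:AssumeRole"))  # Deny: the explicit Deny beats the Allow
```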
Cancelbot posted:
> London, or to use what I've heard from other AWS people: LHR14.

Holborn Viaduct?

# ¿ Sep 19, 2019 20:52

How about https://devblogs.microsoft.com/scripting/reverse-desired-state-configuration-how-it-works/

# ¿ Oct 19, 2019 12:34

Does this help you? https://aws.amazon.com/premiumsupport/knowledge-center/accessible-restricted-s3-website/

# ¿ Feb 5, 2020 23:01

Is this any use? https://www.microsoft.com/en-us/download/details.aspx?id=15011

# ¿ Feb 11, 2020 10:42

I'm trying to help our development team structure their AWS setup a bit better, and have been reading up on AWS Organizations and SSO since it started supporting SAML and SCIM from external directories rather than having to run a managed AD or an AD connector. Currently everything happens in one AWS account and the dev team handle their own account creation/revocation which isn't going to be an option as the team grows. From what I've read the way to go is:

- Enable AWS Organisations and enable SSO in the master account, link to Azure AD and assign roles to AD groups
- Create a new AWS account for each purpose (dev, test, prod, anything being developed for a third party so the account can be just passed over to them if required)
- Don't use IAM accounts any more, use temporary IAM role accounts with CLI tools

Is it recommended to create a new AWS account to use for the master account role in Organizations, and then invite the current AWS account as a member? I vaguely remember reading this somewhere but I can't find any reference to it in the AWS docs now. Will this all end in tears or is Organizations w/SSO a mature offering now? I know I am going to get a load of poo poo from the dev team the first time they're trying to follow some AWS docs and there's a disclaimer about it not working for SSO users (think the amount of Google stuff that doesn't work with G Suite accounts). If I need to hold off to have a smoother implementation experience then I can do that, it's already going to be enough of a struggle to stop this team doing whatever the gently caress they want but it's achievable if the end result is positive.

# ¿ Feb 27, 2020 21:47

I'm trying to convince our developers to move to AWS Organisations and put SSO in, authing against Azure AD. They seem to think that SSO is less secure because if you're already logged into Azure AD then you don't have to put a password in again to use AWS (I've already done a conditional access demo), so actually having all the accounts separate is better. The other push back I'm getting is that because they are only a small team that their manager is happy to create and turn off accounts as required. If we were big enough to have a security team I'd get them to have a word. I'm also a bit confused at a software developer actively pushing back against automating a process (new starter when in the right group automatically pops up in AWS ready to be assigned permissions) but I think a part of it is empire building.

# ¿ Apr 8, 2020 22:52

Is there an Azure equivalent of the Google Identity-Aware Proxy? I just want to put a service in Azure that exposes a web UI, and put that behind an Azure AD login as it's an internal-only service. Azure AD Application Proxy would work, but it would need to run on a separate Windows VM, and I can't see any sort of as-a-service version of it for workloads that are already in Azure.

# ¿ Jul 10, 2020 13:19

The Fool posted:
> Pretty sure they want you to integrate azure ad directly or use saml in that situation.

It's less for the integrated sign-in and more because it prevents anybody from hitting the application until they have authenticated - I don't want to expose it to the world. With Azure AD Application Proxy (love these snappy product names), an on-prem app doesn't see a request until the user has been through authentication, so any glaring security issues are only able to be exploited by our own staff. It's not an application we develop so I have no control over linking it into our Azure AD, I just don't trust it enough to expose it to the Internet.

# ¿ Jul 11, 2020 21:56

I posted this in the printers thread, not sure if you saw it https://www.printnode.com/en

# ¿ Sep 14, 2020 20:46

Correct, but consider the amount of time it would take you to get 85TB back if you had to. Would a storage-only Snowball Edge fit your requirements? They are pretty cheap to hire and then you’ve got 100TB connected at up to 100Gbit to play with.

Thanks Ants fucked around with this message at 01:53 on Jan 16, 2021

# ¿ Jan 16, 2021 01:51

Is there any way to get better logs out of SES when it's being used as an SMTP relay? Something like source IP, access key/IAM user, from and to address.

# ¿ Apr 9, 2021 09:47

How are the health checks done? Can you publish another service on the SIP endpoints and set the health checks to require both to return as healthy, then just shut the non-5060 service down when you want the load balancer to drain the endpoint?

# ¿ Apr 14, 2021 23:34

A VPN connection to AWS is two tunnels with asymmetric routing enabled - do you have both tunnels up and a bad route? Try bringing a tunnel down temporarily to see what happens.

# ¿ May 7, 2021 20:18

I had this video randomly appear on YouTube and just nope nope nope nope, whatever these people get paid is worth it https://youtu.be/AK47SC6kr_A

# ¿ Dec 4, 2021 19:39

The TfL data sets can be interesting to work with as well: https://tfl.gov.uk/info-for/open-data-users/our-open-data?intcmp=3671

# ¿ Feb 4, 2022 12:27

CloudFront in front of S3 using Amazon-generated certs is how I handle HTTP to HTTPS redirects, hosting static content (e.g. images for mail signatures), and redirects to other places (using the redirect feature in S3). Every couple of years when I remember I will go into the CloudFront distribution and change the security template it uses (the thing that decides what ciphers to support) to whatever the latest recommended one is.

# ¿ Apr 23, 2022 16:29

Or even a domain name dedicated to it.

# ¿ May 11, 2022 08:28

I've done SQL installed on a VM before where it was hosting a really badly written app that the developers weren't interested in making any changes to in order for it to be compatible with database products. If it's something being developed in-house then you need to make it in a way that is compatible with RDS etc.

# ¿ Jun 14, 2022 19:34

Ending SA shouldn't automatically result in having to scramble to do anything, it just means they have to hold on the release they're running.

# ¿ Jun 14, 2022 22:51

$4000/year for software that makes your business run is incredibly good value. That's like a day a month of someone's time if they're on a salary of $80k, and instead of some minimum viable product that has a bus factor of 1, you get a solution with a support team behind it. If you have to have something built in house then would you be able to do it with something like AppSheet?

# ¿ Jul 13, 2022 22:59

I miss the early days of covid where vendors were desperately trying to get any sales engagement at all after all spending flatlined, so they'd invite you to webinars and chuck in Deliveroo/Just Eat vouchers. Synology paid me a £25 beer gift card to learn all about hybrid file shares.

# ¿ Jul 16, 2022 19:44

kalel posted:
> what an odd statement. that's the nature of a forum. a post invites posts which invite posts, ipso facto. if that doesn't work for you, start a diary

They mean that you can't just smash a "like" button

# ¿ Jul 17, 2022 16:09

S3 File Gateway would work, if you just need to copy files out of S3 and to a volume then rclone will also do the job.

# ¿ Jul 25, 2022 21:16

- Don't migrate your VMs to EC2 and wonder why it isn't giving you the savings that it was advertised as being able to bring

# ¿ Aug 22, 2022 21:48

Also I think it's important to know when the cloud isn't the right option. If you need to run an enterprise app that is going to eat 16 cores 24x7 and make billions of storage transactions, has strict requirements in terms of what OS runs and the memory settings you use etc. then buy the Dell servers and an FC SAN and run it in your own data centres. Not every app is right for the cloud, it's something that can be changed when you go back out to tender for the software next time around, but there's no point fighting and trying to run something in AWS that the people writing the application expect to be on-prem with 2ms latency to your MRI scanner or whatever.

# ¿ Aug 22, 2022 22:17

Isn’t it “ rather than ‘

# ¿ Sep 2, 2022 21:18

Can AWS employees still use Slack or is everybody being forced to use "Wickr" now?

# ¿ Nov 29, 2022 20:34

I wish the Azure DNS Private Resolver was cheaper

# ¿ Apr 27, 2023 07:58

It's unjustifiably expensive for what it is. It's a nice looking product though, hopefully someone else can have a go at competing (looking at you, Cloudflare). It would be nice if it didn't need a VPN link to work - I have sites where it would be very helpful to be able to chuck a couple of DNS servers into their gateway, tell the service what public IP my requests were coming from, and be able to return private DNS records along with acting as a resolver for the network with some basic malware domain filtering.

# ¿ Apr 27, 2023 21:24

Azure needs to become a registrar

# ¿ Apr 28, 2023 20:44

Pile Of Garbage posted:
> They don't even need to become a registrar themselves. They can just partner with one or more registrars and tightly-couple their systems with the real registrar. That's what Amazon does for many ccTLDs. e.g. for .au they're partnered with Gandi. Of course if you buy your domain entirely within the R53 console you'd be none the wiser: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/au.html

Yeah it could all go through an API to Gandi if they wanted, I just want people to be able to buy domains and have the IAM features of Azure.

# ¿ Apr 28, 2023 20:52

Build the environment for the purpose of taking screenshots or video but then tear it all down when you're done.

# ¿ Aug 5, 2023 18:50

I've been dropped into a situation where someone has had their SES service suspended after AWS detected potential misuse. I'm 99% sure this is a "the horse is out the barn door" scenario and I am aware that email sucks, but is there any way to access a log of sent messages, the IP address making the request, how it was authenticated (e.g. access key used), subject line of the email, destination etc. or is that all logging that you have to configure yourself if you want access to the data?

Assuming the answer to the above is "you're out of luck, build it yourself" is there a handy best practices guide that is worth paying attention to in terms of getting a good balance between what is being sent to CloudWatch and the cost of doing so?

# ¿ Dec 28, 2023 21:33

Event publishing looks like it will do most of the work, the auto tags are pretty much what we're after and then it's just a case of having the information present itself back out again in a way that makes sense. Knowing what I know about the people using this service I think I'm going to push for them to move to a more managed platform that will do all this for them even if it costs a bit more than SES, they aren't really at the level where they can be consuming raw AWS services.

# ¿ Dec 28, 2023 23:33
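An added example, not from the poster, of the event-publishing approach in the reply above applied to the logging wish-list two posts up: it flattens a constructed SES event record (the shape SES delivers through an SNS destination) into the source IP, caller identity, subject and destinations carried in the auto tags and headers, and flags sends from an unexpected IAM identity or network. The identity and CIDR allow-lists are assumed values.

```python
import ipaddress
import json
# Constructed SES event-publishing record, shaped like the JSON SES hands to an SNS destination;
# the "ses:*" keys under mail.tags are the auto tags SES attaches to every event it publishes.
SAMPLE_SES_EVENT = json.loads("""{
  "eventType": "Send",
  "mail": {
    "timestamp": "2023-12-28T21:00:00.000Z", "messageId": "EXAMPLE-constructed-message-id",
    "source": "notify@example.com", "destination": ["alice@example.net", "bob@example.org"],
    "commonHeaders": {"from": ["notify@example.com"], "subject": "Invoice attached"},
    "tags": {"ses:configuration-set": ["audit-set"], "ses:source-ip": ["203.0.113.7"],
             "ses:from-domain": ["example.com"], "ses:caller-identity": ["smtp-batch-user"]}
  },
  "send": {}
}""")
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps(SAMPLE_SES_EVENT)}}]}  # SNS envelope

def summarize(event: dict) -> dict:
    """Flatten one SES event into the fields worth keeping in a send log."""
    mail = event.get("mail", {})
    tags = mail.get("tags", {})
    first = lambda key: (tags.get(key) or [None])[0]  # every auto tag is a one-element list
    return {
        "event_type": event.get("eventType"),
        "timestamp": mail.get("timestamp"),
        "from": mail.get("source"),
        "to": mail.get("destination", []),
        "subject": mail.get("commonHeaders", {}).get("subject"),
        "source_ip": first("ses:source-ip"),
        "caller_identity": first("ses:caller-identity"),
    }

def anomalies(summary: dict, expected_identities: set, expected_cidrs: list) -> list:
    """Reasons a send looks out of place: an unknown IAM identity, or a source IP outside the expected networks."""
    reasons = []
    if summary["caller_identity"] not in expected_identities:
        reasons.append(f"unexpected identity {summary['caller_identity']}")
    ip = summary["source_ip"]
    if ip is None or not any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in expected_cidrs):
        reasons.append(f"source ip {ip} outside expected ranges")
    return reasons

def lambda_handler(event, context):
    """SNS-triggered entry point: one SES event per record, returned as flat records with anomaly notes."""
    results = []
    for record in event.get("Records", []):
        summary = summarize(json.loads(record["Sns"]["Message"]))
        summary["anomalies"] = anomalies(summary, {"app-mailer"}, ["198.51.100.0/24"])  # assumed allow-lists
        results.append(summary)
    return results
```

Each returned record is one JSON-serialisable line, so the handler can simply print it for CloudWatch Logs or forward it wherever the team already searches.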
FYI it's quite unlikely that AWS support would help you figure out if your CA was being used by anything, that's at least a Business tier support offering and more likely they put you in touch with a consultant. If it's just looking at the list of issued certs then they might help with that, but I would expect them to avoid saying anything like "those certs aren't being used and you can delete the CA".

# ¿ Jan 3, 2024 17:59

I want to see the legal precedent be that chat bots are representatives of the company that uses them, and so the company is liable for any claim they make. It would at least stop people from using them.

# ¿ Mar 7, 2024 18:26