BaseballPCHiker
Jan 16, 2006

I just took and passed my AWS solutions architect exam and wanted some advice on where to go from here.

I work in networking primarily, I don't use AWS at all in my day to day work. But I had a lot of fun studying for the exam, and did some rinky dink stuff like building wordpress sites playing around with EC2, building home backup solutions for myself with S3 etc.

I don't expect to get some high paying job using AWS based just on that cert but I also can't afford to take a pay cut for an entry level job that uses it. I'm also not a programmer that can take advantage of a lot of AWS services.

Based on all of the above are any additional certs worth studying for? Or am I better off just trying to build stuff for myself and my organization?

What a long winded post, I guess I just wanted to celebrate passing and to say how fun the exam was to study for.


BaseballPCHiker
Jan 16, 2006


Thanks for the info and the kind words Doc. I'll try and apply the knowledge to projects at work that make sense, and if not just keep plugging away here and there on personal projects for fun.

BaseballPCHiker
Jan 16, 2006

EDITED.

BaseballPCHiker fucked around with this message at 21:27 on Feb 2, 2022

BaseballPCHiker
Jan 16, 2006

I feel like I'm missing something obvious here.

Let's say I am looking to see who from my environment assumed a role. I know that an accesskeyID gets made when a principal does assume a role, and I can search for that accesskeyID to see API calls they made through CloudTrail. But how can I tell who assumed that role in the first place?

Shouldn't I be able to tie accesskeyIDs made through STS to an AD user who logged in via the console? Or does that have to be done through the CLI?

Or maybe I'm just tired and not thinking straight after having a baby.
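Joining the two CloudTrail records in code, as an added example that is not from the thread: the STS call (AssumeRole, or AssumeRoleWithSAML for a console login through an identity provider) records the temporary key it issued under responseElements.credentials.accessKeyId, and every later call made with that session carries the same key in userIdentity.accessKeyId. The sample records, account ID, names and key IDs below are constructed.

```python
"""Tie a temporary STS access key seen in CloudTrail back to the principal that assumed the role."""
import json
from typing import Dict, List, Optional

# Constructed sample CloudTrail records: a SAML console login that assumes a role,
# a plain AssumeRole by an IAM user, and an API call made with the first session's key.
SAMPLE_EVENTS: List[dict] = [
    {
        "eventName": "AssumeRoleWithSAML",
        "eventSource": "sts.amazonaws.com",
        "userIdentity": {"type": "SAMLUser", "userName": "jdoe@example.com",
                         "principalId": "EXAMPLEPRINCIPALID:jdoe@example.com"},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/SecurityAudit"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000001"}},
    },
    {
        "eventName": "AssumeRole",
        "eventSource": "sts.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "ci-bot",
                         "arn": "arn:aws:iam::111122223333:user/ci-bot"},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Deploy"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000002"}},
    },
    {
        "eventName": "ListSecrets",
        "eventSource": "secretsmanager.amazonaws.com",
        # Calls made with the session carry the temporary key here; the ARN and
        # sessionContext.sessionIssuer name the role but not who assumed it.
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                         "arn": "arn:aws:sts::111122223333:assumed-role/SecurityAudit/jdoe@example.com"},
    },
]

ROLE_ASSUMPTION_CALLS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}


def build_key_index(events: List[dict]) -> Dict[str, dict]:
    """Map every temporary accessKeyId that STS handed out to the identity that requested it."""
    index: Dict[str, dict] = {}
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") not in ROLE_ASSUMPTION_CALLS:
            continue
        # responseElements is null on a failed AssumeRole, so guard both levels.
        creds = (ev.get("responseElements") or {}).get("credentials") or {}
        key = creds.get("accessKeyId")
        if key:
            index[key] = {"assumer": ev["userIdentity"],
                          "role": ev["requestParameters"]["roleArn"],
                          "via": ev["eventName"]}
    return index


def who_made_call(event: dict, index: Dict[str, dict]) -> Optional[dict]:
    """For a call made with temporary credentials, return who assumed the role (None if unknown)."""
    return index.get((event.get("userIdentity") or {}).get("accessKeyId"))


if __name__ == "__main__":
    idx = build_key_index(SAMPLE_EVENTS)
    print(json.dumps(who_made_call(SAMPLE_EVENTS[2], idx), indent=2))
```

The same join works as a SIEM query: key on the STS event's responseElements.credentials.accessKeyId and look it up from the userIdentity.accessKeyId of the calls you are investigating.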

BaseballPCHiker
Jan 16, 2006


Just wanted to give a hearty thanks for your posts. The links you provided gave me exactly what I needed and helped me make some queries in our SIEM tool to find exactly what we were looking for.

I'm supposed to be one of our "AWS security pros" at the company and had a rough day yesterday misunderstanding some GuardDuty documentation. This was a nice win that helped restore some confidence, so thanks once again.

BaseballPCHiker
Jan 16, 2006

Agrikk posted:

When you get down to it, cloud poo poo is pretty amazing.

It's incredible. The scale and complexity of things you can design, all remotely without touching any hardware, is mind boggling.

The pace of change and complexity is equally amazing in my mind. I'm struggling right now to learn as much as I can about AWS core services for my job in InfoSec and I have a hard time keeping up.

BaseballPCHiker
Jan 16, 2006

Are there jobs with AWS that just revolve around a single service?

Like I eat and breathe GuardDuty at my current position. I'm the go-to person on our team with questions about findings, logs being read by GuardDuty, etc. I think I'd really enjoy doing work around that service most of the day. Helping orgs spin it up, or troubleshoot for example.

Or would I be better off just working for some MSP doing that?

BaseballPCHiker
Jan 16, 2006

12 rats tied together posted:

Depends on the job, and the org, but if you had to pick only one service to fully understand it should be IAM (because it's the only hard part about all the other services).

Yeah the other large part of my job is sorting through IAM policies.

Just refer to AWS's handy & simple flow chart!


I would agree though, you should have a foundational level of knowledge in things like S3, IAM, EC2, VPCs, etc. If there is a service your company works with a lot in particular try to learn at least the fundamentals, in my case that would be something like Glue or Lake Formation which I hate, but eh them's the breaks.

Also as I get more and more involved I've accepted that I will just have to learn coding somewhat and have started learning python. I'm not good at it, I don't particularly love it, but I am at the point where I can look at code now and understand what is trying to be accomplished. I'm pretty much a "copy and paste" coder right now which seems to be good enough.

BaseballPCHiker
Jan 16, 2006

necrobobsledder posted:

Similar happens with S3 object and bucket policies.

Ugh, these are the worst and most painful for me to help with. I want to pull my hair out every single time.

BaseballPCHiker
Jan 16, 2006

cage-free egghead posted:

I'm trying to get out of end user support and into any sort of cloud stuff. Getting close to finishing the Cloud Computer bachelors at WGU and came across this little challenge as a way to get my feet wet with some stuff, plus have a talking point for interviews and such.

I was a former network engineer, who was trying to break into security and then specifically cloud security.

I made a lovely wordpress blog, but had cloudtrail, guardduty, shield, etc (all as cheaply done as possible) enabled so that I could show my work to an extent. It helped me land my current job, so I think it's definitely useful.

BaseballPCHiker
Jan 16, 2006

Is there like a big zip file of sanitized cloudtrail logs floating around online you can use as a teaching resource?

Trying to get some of my team up to speed on reading the logs as they would relate to GuardDuty alerts and I am not finding much online aside from one off log examples.

BaseballPCHiker
Jan 16, 2006

Has anyone heard any more specifics off of this announcement yet?
https://aws.amazon.com/blogs/security/using-aws-security-services-to-protect-against-detect-and-respond-to-the-log4j-vulnerability/

Are they creating new GuardDuty alerts or just updating IOCs on the backend for the same type of alerts?

BaseballPCHiker
Jan 16, 2006

BaseballPCHiker posted:

Are they creating new GuardDuty alerts or just updating IOCs on the backend for the same type of alerts?

Answering my own question. GuardDuty team is updating IOCs for existing alerts.

Also this is just the crisis I needed to finally get GuardDuty enabled on all of our accounts! Yeah you read that right, GuardDuty was previously thought to be too expensive for this poo poo org.

BaseballPCHiker
Jan 16, 2006

Hughmoris posted:

Anyone have knowledge/experience with the AWS Certified Data Analytics – Specialty (DAS-C01) cert?

I've been doing data analyst work for 5+ years now in healthcare. I recently earned my AWS CCP cert and am trying to figure out what next. Plus, my new job is DOD related and I'm curious if this would open any doors.

My coworker just got it. Seemed to be heavily focused on various DB services and things like Athena, DataLake, etc.

I can't say that I've ever seen it listed on any job postings though.

BaseballPCHiker
Jan 16, 2006

Oh man speaking of Glue/Athena/etc.

How cool is that new CloudTrail DataLake service! For my poo poo show of an org that will be a huge benefit. If I could only convince them to pay for it now....

EDIT: And while I'm at it. All the EKS alerts for GuardDuty are huge! Seriously nice work by that team and I hope more are in the pipeline.

BaseballPCHiker
Jan 16, 2006

What are people doing here to manage and harden AMIs? Trying to push for us to at least patch the base AMIs at creation before they make it to production. Image Builder seems like the go-to but wondering what folks use.

BaseballPCHiker
Jan 16, 2006

Any IAM experts here? Trying to settle an internal debate.

Some dev has a secret in Secrets Manager with a policy of secretsmanager:ListSecrets open to principal: AWS:"*" and resource:"*".

While this is bad, my coworker is saying that would limit the ListSecrets to that particular account, while I am arguing that this effectively allows anyone within AWS org to make a ListSecrets api call.

I think he is thinking that the policy has to explicitly list other accounts with permissions for cross account access while I am arguing that the "*" is effectively doing that. So long as the trusted account has permissions to make ListSecrets call they could do so.

BaseballPCHiker
Jan 16, 2006

Just-In-Timeberlake posted:

Try it and tell them their secret if it works, make sure to take a picture of their face for posterity.

I did try it! And nothing exciting. The resource policy doesn't allow for the use of the GetSecretValue api call. So you can see some data associated with the key but nothing that useful, at least in my mind. Will tell them to fix and move on.

BaseballPCHiker
Jan 16, 2006


Thank you, thank you, thank you.

I looked at a ton of different docs around cross account access, resource access, etc, and the one you linked was exactly what I needed to see. You're right so long as the attacker/whoever explicitly grants themselves access they could access that resource.

This definitely clears it up for me, thanks again!

BaseballPCHiker
Jan 16, 2006

I feel like I'm fighting a dumb battle here.

Is there any reason to restrict accounts to an availability zone via SCPs?

I argued that we should be absolutely restricting what regions we operate in, but that AZs should be open for developers to pick and choose from. And that one account's AZ won't be another account's AZ anyway, so if this is some cute attempt to get lower latency between resources it's a dumb way to go about it.

BaseballPCHiker
Jan 16, 2006

Hughmoris posted:

I'm ripping my hair out and need some AWS VPC help.

I have a Lambda. The goal is for the Lambda to get info from a USGS Earthquake API and write to RDS. When I configure my Lambda to use my Earthquake VPC, it appears it is unable to reach the internet. The Earthquake API request never completes and the Lambda just times out. If I remove any VPC association from my Lambda config, it can make the Earthquake API call just fine.

I've tried every which way to configure my Earthquake VPC and SGs but have had zero luck. Any advice?

There's so much that could be going on here.

Can you post some screenshots/code of your VPC setup?

BaseballPCHiker
Jan 16, 2006

Sounds like your VPC's default route didn't have a way out to the internet.

BaseballPCHiker
Jan 16, 2006

Agrikk posted:

“I have three domain controllers sitting in three regions on AWS. Two database servers and a file server in my corp VPC. I have four web servers and two app servers (both in fixed pools )and an RDS MSSQL instance in My Prod VPC. How come it’s sooo expensive? The cloud was supposed to SaVe Me mOnEy!”

Oh god this is my company to a T. I can't wait to hit a year and bounce so I don't have to pay back my sign on bonus.

Why we as a 99% windows shop decided to go with AWS instead of Azure, and then just do a lift and shift of everything is beyond me.

BaseballPCHiker
Jan 16, 2006

The Iron Rose posted:

God yes. Terraform was revolutionary but it’s very quickly becoming too cumbersome to use. New and better abstractions are badly needed.

The main benefit of it is that it’s not really coding, so it’s not intimidating for devops peeps who don’t know how to code and it’s incredibly accessible as a result. That’s to its credit, but targeting that audience naturally comes with problems for those who do, especially because unlike ansible, it’s not as easily extensible.

This is me 100%, I just started playing with it a while ago.

Being able to deploy a whole VPC with all the parameters I need for some poo poo vuln scanner I have to support has been a revelation. I started using it for a few things in my personal AWS account as well. But now you're telling me I am once again behind the times!?!

BaseballPCHiker
Jan 16, 2006

I'm always behind the times. Just learning Terraform and now I have to learn this Pulumi poo poo!

I just want to coast 20 years and retire already.

Biggest spend at my company is ec2. I've seen instances that got spun up by a dev for some testing that were forgotten about that stay up running for months costing the company thousands. Scale that x2-300 and it's a good chunk of change. Of course my company is dumb so no surprise there.

BaseballPCHiker
Jan 16, 2006

For the life of me I can't get past this error. "An error occured (403) when calling the HeadObject operation: Forbidden"

Workflow is basically s3 bucket event notifications -> SQS -> Lambda -> Elastic.

The Lambda role has s3:GetObject, GetObjectAttributes, and ListBucket rights. The s3 bucket allows my Lambda to make GetObject, GetObjectAttributes to "arn:aws:s3:::aws-bucket/*" and ListBucket to "arn:aws:s3:::aws-bucket".

I can confirm that the objects my lambda is trying to get are actually there, they exist and are in the bucket. I have no clue at this point and am about to pull my little remaining hair out.

BaseballPCHiker
Jan 16, 2006

Docjowles posted:

Is the lambda in a different AWS account than whatever writes the objects to the bucket? You might need to mess with object ownership settings, such as turning on “bucket owner enforced”.

The Lambda is in a different account. That gives me an avenue to go down, thank you!


Nukelear v.2 posted:

If you feel pretty solid on the policy side, maybe your lambda isn't using the right creds. Log out a call to sts get_caller_identity to confirm.

I feel like I've triple checked the policy side. Will give that a shot as well, thank you!

BaseballPCHiker
Jan 16, 2006

Just an update on my issue for people at the edge of their seats.

It ended up being a KMS issue. The bucket I was trying to read from was using AWS managed SSE with the default KMS policy that entails.

JehovahsWetness posted:

Is the bucket using a custom KMS key for encryption? If it is then that key also needs to have a resource policy that also grants access to the other account's principal. You also won't get a KMS-specific error, just the regular forbidden error.

Basically what JehovahsWetness said. I really wish there was a more KMS specific error message there.

BaseballPCHiker
Jan 16, 2006

luminalflux posted:

Cross-account access is an exercise in "why is my toddler crying" debugging. Especially with KMS-encrypted resources.
Could it be the IAM permissions on the calling role not permitting access to the bucket?
Could it be bucket policy not permitting access from that account/role?
Could it be the IAM permissions on the role not permitting access to the KMS key?
Could it be the KMS key policy role not permitting access from that account/role?

Could it just need a loving nap?

Add config rules and SCPs to that list as well, fun times!!!

I learned a lot at least having not had to do much dev work in the past cross account.
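luminalflux's checklist (and the earlier Secrets Manager debate about a Principal "*" resource policy) run against policy documents, as an added example that is not from the thread: policy_allows() is a deliberately simplified re-implementation of IAM's Allow/Deny logic (Action and Resource globs, Principal, and StringEquals on aws:PrincipalAccount / aws:PrincipalOrgID only), so it will not reproduce SCPs, permission boundaries, session policies or NotAction. The scenario, account IDs, role name and key ARN are constructed.

```python
"""Run the cross-account checklist against policy documents (simplified IAM evaluator)."""
from fnmatch import fnmatchcase

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _principal_matches(principal, caller):
    """Principal is "*" or {"AWS": <role/user ARN | account id | account root ARN | "*">}."""
    if principal == "*":
        return True
    accepted = {"*", caller["arn"], caller["account"], f"arn:aws:iam::{caller['account']}:root"}
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return any(p in accepted for p in _as_list(aws))

def _conditions_hold(condition, caller):
    """Only StringEquals on aws:PrincipalAccount / aws:PrincipalOrgID is modelled here."""
    equals = (condition or {}).get("StringEquals", {})
    for key, attr in (("aws:PrincipalAccount", "account"), ("aws:PrincipalOrgID", "org_id")):
        if key in equals and caller.get(attr) not in _as_list(equals[key]):
            return False
    return True

def policy_allows(policy, caller, action, resource, resource_based):
    """True if the document grants caller the action on resource; an explicit Deny wins."""
    allowed = False
    for st in _as_list(policy.get("Statement")):
        if not any(fnmatchcase(action, a) for a in _as_list(st.get("Action"))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
            continue
        if resource_based and not _principal_matches(st.get("Principal"), caller):
            continue
        if not _conditions_hold(st.get("Condition"), caller):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def cross_account_gaps(caller, identity_policy, bucket_policy, key_policy, bucket_arn, key_arn):
    """Which of the four checklist items fail for s3:GetObject on an SSE-KMS object."""
    obj = bucket_arn + "/*"
    checks = [
        ("caller's IAM policy lacks s3:GetObject on the bucket", identity_policy, "s3:GetObject", obj, False),
        ("bucket policy does not allow the caller", bucket_policy, "s3:GetObject", obj, True),
        ("caller's IAM policy lacks kms:Decrypt on the key", identity_policy, "kms:Decrypt", key_arn, False),
        ("KMS key policy does not allow the caller", key_policy, "kms:Decrypt", key_arn, True),
    ]
    return [msg for msg, pol, act, res, rb in checks if not policy_allows(pol, caller, act, res, rb)]

# Constructed scenario matching the thread: a Lambda role in account 222233334444 reads a bucket
# owned by 111122223333. The bucket policy trusts the role, but the key still carries the default
# key policy (only the owning account's root), so the KMS check is the one that fails.
CALLER = {"account": "222233334444", "arn": "arn:aws:iam::222233334444:role/ingest-lambda", "org_id": "o-example"}
BUCKET_ARN, KEY_ARN = "arn:aws:s3:::aws-bucket", "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "kms:Decrypt"], "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": CALLER["arn"]},
                                "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}
KEY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(cross_account_gaps(CALLER, IDENTITY_POLICY, BUCKET_POLICY, KEY_POLICY, BUCKET_ARN, KEY_ARN))
```

For the Secrets Manager debate, a statement with Principal "*" and no Condition passes policy_allows() for a caller from any account, so the call then hinges only on the caller's own identity policy; adding an aws:PrincipalAccount or aws:PrincipalOrgID condition is what actually scopes it.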

BaseballPCHiker
Jan 16, 2006

In case anyone else is dumb like me, I just came across this and it is very helpful, especially since it can include SCPs that I always forget about:

https://policysim.aws.amazon.com

BaseballPCHiker
Jan 16, 2006

My company is going ape poo poo for QuickSight right now. They're investing substantial time in cost/billing dashboards for all of our teams in an effort to cut down costs. You know as opposed to rethinking our lift and shift of data centers to the cloud while doing literally nothing else than complaining about the costs when their oversized SQL server instances cost a ton. Jesus this company...

Speaking of! I got tasked with tracking down Marketplace subscriptions, who's subscribing, why are they doing that, etc. And for the life of me I don't see any marketplace API calls in our CloudTrail. Looking at the reference I think I need to be searching for aws-marketplace:Subscribe but I can't find anything marketplace related. I verified our org CloudTrail doesn't have any exclusions.

Are these API calls some weird one off that doesn't get written to CloudTrail or something?

BaseballPCHiker
Jan 16, 2006

ACG is still worth it for their sandboxes, even if you end up paying for other courses. I find it super helpful when I'm trying to learn a new service.

BaseballPCHiker
Jan 16, 2006

The Iron Rose posted:

setting up a pihole in the cloud and make it HA with shared configs and blocklists using ASGs, spot instances, and EFS is usually my go to for the people I mentor. Add an ALB or NLB, monitoring with Cloudwatch, alerting and logging, and so on. Make it run in a container and use certbot and HTTPS for your internal domain. Restrict access to only your public IP of course so AWS doesn’t yell at you for running an open resolver, or set up a openVPN along with it with profiles for iPhone/android, computers, and so on. Configure DNS over HTTPS. Deploy your terraform and ansible with CI/CD using GitHub actions.

Lose the load balancer and you can do this all in the free tier.

This is a great idea!

Going to work on that in an upcoming weekend. I still run pihole on an old raspberry pi b that I worry is not long for this earth.

BaseballPCHiker
Jan 16, 2006

BaseballPCHiker posted:

Speaking of! I got tasked with tracking down Marketplace subscriptions, who's subscribing, why are they doing that, etc. And for the life of me I don't see any marketplace API calls in our CloudTrail. Looking at the reference I think I need to be searching for aws-marketplace:Subscribe but I can't find anything marketplace related. I verified our org CloudTrail doesn't have any exclusions.

Are these API calls some weird one off that doesn't get written to CloudTrail or something?

Confirmed! Buying poo poo from marketplace is not captured by CloudTrail. You can kind of find it digging around in cost explorer.

BaseballPCHiker
Jan 16, 2006

Anyone have that link for the alternate AWS status/health checks?

It was called something like Honest or True AWS health report? Ringing any bells for anyone. Can't for the life of me remember what it was called, but it was always way more accurate than the official AWS health status page.

BaseballPCHiker
Jan 16, 2006

That sounds right. Bummer, that worked pretty well. Any good alternatives?

BaseballPCHiker
Jan 16, 2006

Does anyone know what will happen to existing ec2 instances running server2012 when that goes eol? Do they just get marked for deletion by AWS?

Trying to come up with good sticks to scare folks into upgrading or migrating their poo poo before October.

BaseballPCHiker
Jan 16, 2006

Thanks for all of the tips and links everyone!

I was saddened to learn that we could just move these instances over to Azure and apparently we could keep running old poo poo for as long as our hearts desired. For now I'm keeping this info to myself while hoping that people get their poo poo together. I've been in IT long enough to know better, but have also gotten much better at just getting a CYA email and letting this poo poo go when my shift is over for the day.

BaseballPCHiker
Jan 16, 2006

Has anyone played around with EIC much yet? https://aws.amazon.com/about-aws/whats-new/2023/06/amazon-ec2-instance-connect-ssh-rdp-public-ip-address/

Thinking that aside from some DB work teams in my org are doing this would be a great way to cut down on bastion hosts.


BaseballPCHiker
Jan 16, 2006

Once again I am struggling with cross account permissions.

I'm trying to create a Cloudformation Template that could be deployed in all of our accounts that will detect root user logins via EventBridge and targets a central SNS topic in another account.

The central SNS topic has an access policy of allowing AWS: * to make sns: Publish on the condition that the PrincipalOrgID matches our AWS organization ID. No problems there as far as I can tell.

The CFT I'm writing keeps failing with this error:
code:
Access to the resource blahblahXYZ is denied. Reason: Adding cross-account target is not permitted. (Service: AmazonCloudWatchEvents: Status Code: 400. Error Code: AccessDeniedException. Request ID: Whatever. Proxy: Null
So then I tell myself OK, I need to define a policy in my CFT to give EventBridge rights to publish. But if I do that I get:
code:
"User:" arn whatever is not authorized to perform SNS:SetTopicAttributes on resource blahblahXYZ because no resource based policy allows the SNS:SetTopicAttributes action. (Service: Sns, Status Code: 400. Request ID: whatever REquestToken: whatever. AccessDenied)
Except that I have another SID within the SNS access policy that says allow principal AWS * to make SNS:GetTopic, SetTopic, AddPermission, RemovePermission, DeleteTopic, Subscribe, ListSubsByTopic, AND Publish.

I had thought this would be relatively straightforward. The idea was I could use this as a template and just update events that we wanted to alert on and publish to a central Org topic. But once again I am banging my head against the wall when it comes to cross account access.

Am I missing something obvious or is there a better way to go about this?
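As an added example that is not from the thread (the sign-in events and account ID are constructed), ROOT_LOGIN_PATTERN is the EventBridge event pattern for console sign-ins by the root user, and match_pattern() is a small re-implementation of EventBridge's basic matching (a list of exact values per key, nested keys) so the rule can be checked before it goes into the template. The quoted "Adding cross-account target is not permitted" error is EventBridge rejecting a non-event-bus target in another account, so the usual layout is a rule in each member account forwarding to a central event bus, with the SNS-targeting rule in the central account; the pattern below is the same either way.

```python
"""Unit-test a root-login EventBridge rule pattern offline."""
from typing import List

# Event pattern for the rule: console sign-in events where the signing identity is
# the account root user. Both successful and failed root sign-ins match, which is
# usually what you want for root.
ROOT_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "userIdentity": {"type": ["Root"]},
    },
}


def match_pattern(pattern: dict, event: dict) -> bool:
    """Simplified EventBridge matching: every pattern key must exist in the event;
    a dict recurses, a list is the set of accepted exact values (no prefix/anything-but)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not match_pattern(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def sign_in_event(identity_type: str, result: str, account: str = "111122223333") -> dict:
    """Constructed CloudTrail sign-in event in the envelope EventBridge delivers it in."""
    return {
        "version": "0",
        "detail-type": "AWS Console Sign In via CloudTrail",
        "source": "aws.signin",
        "account": account,
        "detail": {
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": identity_type, "accountId": account},
            "responseElements": {"ConsoleLogin": result},
        },
    }


def root_login_events(events: List[dict]) -> List[dict]:
    """The events that would fire the rule, i.e. would be forwarded on to the SNS topic."""
    return [e for e in events if match_pattern(ROOT_LOGIN_PATTERN, e)]


if __name__ == "__main__":
    sample = [sign_in_event("Root", "Success"),
              sign_in_event("IAMUser", "Success"),
              sign_in_event("Root", "Failure")]
    print(len(root_login_events(sample)))
```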
